Source: RKKO3T4hSU.exe |
Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
Source: RKKO3T4hSU.exe, 00000000.00000002.681137900.0000000001033000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://forum.median-xl.com/viewtopic.php?f=4&t=3702 |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\RKKO3T4hSU.exe |
Source: RKKO3T4hSU.exe, 00000000.00000002.681153272.000000000105C000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: GetRawInputDatac |
|
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00B1CB26 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00A92344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, |
Source: RKKO3T4hSU.exe, 00000000.00000002.680662270.0000000000B44000.00000040.00000001.01000000.00000003.sdmp |
String found in binary or memory: This is a third-party compiled AutoIt script. |
|
Source: RKKO3T4hSU.exe, 00000000.00000002.680662270.0000000000B44000.00000040.00000001.01000000.00000003.sdmp |
String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" |
|
Source: RKKO3T4hSU.exe, 00000000.00000002.680990722.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: FV_ORIGINALFILENAME vs RKKO3T4hSU.exe |
Source: RKKO3T4hSU.exe, 00000000.00000002.680990722.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename vs RKKO3T4hSU.exe |
Source: RKKO3T4hSU.exe, 00000000.00000002.681832599.000000000322F000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: FV_ORIGINALFILENAME?| vs RKKO3T4hSU.exe |
Source: RKKO3T4hSU.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: RKKO3T4hSU.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: RKKO3T4hSU.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: RKKO3T4hSU.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00A9E800 |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00A9E060 |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00A91287 |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00A9FE40 |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00AA70FE |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00AA6841 |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00AC6452 |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00AA8968 |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00ABDAF5 |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00AB1604 |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00B17E0D |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00ABBF26 |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00AC6F36 |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00A91287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,73CD4310,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00A91290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00A93633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00B1D4A8 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00A9189B NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00B1C8F9 NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00B1C8CA NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00B1D422 NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00B1C9A8 ClientToScreen,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00B1C5E7 SendMessageW,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00B1C928 NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00B1C502 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00B1C973 NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00A916B5 NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00B1CAE6 GetWindowLongW,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00A916DE GetParent,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00B1C216 PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00A9167D NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00B1C668 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00B1BF9A NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00B1BFF6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00B1D7F6 NtdllDialogWndProc_W, |
Source: RKKO3T4hSU.exe |
Virustotal: Detection: 11% |
Source: RKKO3T4hSU.exe |
Metadefender: Detection: 14% |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00AF3C99 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Mutant created: \Sessions\1\BaseNamedObjects\D2Stats-Singleton |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00A94FE9 FindResourceExW,LoadResource,SizeofResource,LockResource, |
Source: classification engine |
Classification label: mal56.spyw.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Window detected: Number of UI elements: 24 |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00BD5AD0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, |
Source: initial sample |
Static PE information: section name: UPX0 |
Source: initial sample |
Static PE information: section name: UPX1 |
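The static indicators scattered through the report (the PE characteristics listed at the top, the "third-party compiled AutoIt script" marker string, and the UPX0/UPX1 section names just above) can be checked without a sandbox. The following parser is an added example written for this page; it is neither the sandbox's code nor anything taken from the sample. It uses only the Python standard library, and since the sample file is not available here it runs on a minimal PE constructed inline that carries the same indicators (the constructed layout is an assumption, not the sample's real layout).

```python
"""Reproduce the report's static indicators offline: COFF Characteristics
(EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE), section names
(UPX0/UPX1 = UPX packed) and the AutoIt 'third-party compiled' marker.
Standard library only.  The PE built by build_sample_pe() is constructed for
this example; it is parseable but deliberately not loadable."""
import struct

# Subset of the IMAGE_FILE_* Characteristics bits from winnt.h
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
IMAGE_FILE_MACHINE_I386 = 0x14C
AUTOIT_MARKER = b"This is a third-party compiled AutoIt script."
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}


def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF file header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    first_section = coff + 20 + opt_size        # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = first_section + 40 * i            # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        (sect_chars,) = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "characteristics": sect_chars})
    flags = sorted(label for bit, label in CHARACTERISTICS.items() if chars & bit)
    return {"machine": machine, "characteristics": flags, "sections": sections}


def triage(data: bytes) -> dict:
    """Static verdict on the indicators the report lists."""
    pe = parse_pe(data)
    names = {s["name"] for s in pe["sections"]}
    # UPX leaves UPX0 with zero raw size and a large virtual size (the unpacked
    # image is written there at run time) and keeps stub + compressed data in UPX1.
    hollow = [s["name"] for s in pe["sections"]
              if s["raw_size"] == 0 and s["virtual_size"] > 0]
    return {
        "is_32bit": pe["machine"] == IMAGE_FILE_MACHINE_I386,
        "characteristics": pe["characteristics"],
        "section_names": sorted(n.decode() for n in names),
        "upx_packed": bool(names & UPX_SECTIONS),
        "hollow_sections": sorted(n.decode() for n in hollow),
        "autoit_compiled": AUTOIT_MARKER in data,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal 32-bit PE carrying the same indicators as the report."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    chars = 0x0002 | 0x0020 | 0x0100                        # EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 2, 0, 0, 0, 0, chars)

    def section(name, vsize, raw_size, raw_ptr, flags):
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, flags)

    headers_len = 0x40 + 4 + 20 + 2 * 40                    # SizeOfOptionalHeader is 0 here
    body = AUTOIT_MARKER + b"\0"
    sections = (section(b"UPX0", 0x20000, 0, 0, 0xE0000080)
                + section(b"UPX1", len(body), len(body), headers_len, 0xE0000040))
    return bytes(dos) + b"PE\0\0" + coff + sections + body


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(data).items():
        print(f"{key:18} {value}")
```

Pass a path as the first argument to triage a real file. Note the caveat the report itself illustrates: the AutoIt marker was found in a memory dump of the running process (a PAGE_EXECUTE_READWRITE image region), so in a UPX-packed file the string may only be visible on disk after unpacking with `upx -d`.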
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00A94A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,KiUserCallbackDispatcher,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Window / User API: threadDelayed 6680 |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Window / User API: foregroundWindowGot 608 |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Window / User API: foregroundWindowGot 1054 |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00AC5BFC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, |
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe |
Code function: 0_2_00AC9922 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, |
Source: RKKO3T4hSU.exe, 00000000.00000002.680662270.0000000000B44000.00000040.00000001.01000000.00000003.sdmp |
Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning |
Source: RKKO3T4hSU.exe |
Binary or memory string: Shell_TrayWnd |
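Several of the "Code function" chains above read as anti-debugging, evasion or input injection when taken alone: the entry-point chain of LoadLibraryA/GetProcAddress/ExitProcess/VirtualProtect is the UPX decompression stub (the UPX0/UPX1 sections confirm the packer), the RtlEncodePointer and ___crtIsPackagedApp calls around IsDebuggerPresent are MSVC C-runtime internals, and the AttachThreadInput/SetForegroundWindow/MapVirtualKeyW/keybd_event chain is how a window is activated and keystrokes are injected, which is what AutoIt's WinActivate()/Send() do. The following triage script is an added example written for this page, not the sandbox's classifier and not the sample's code; the rule set and labels are the editor's own heuristics, attributing the process-enumeration and resource-load chains to AutoIt built-ins is an assumption about this sample, and the input is a constructed subset of the report's own rows (two chains abridged).

```python
"""Tag the 'Code function' API chains from the sandbox report above with the
runtime component they most likely belong to.  The rules are this example's
own heuristics (an assumption, not the sandbox's classifier): UPX's stub,
MSVC C-runtime start-up and AutoIt's WinActivate/Send helpers all produce
chains that look like evasion or input injection in isolation."""
import re
from collections import Counter

CHAIN_RE = re.compile(
    r"Code function:\s+(?P<addr>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<apis>[\w,]+)")
HOOK_RE = re.compile(
    r"Windows user hook set:\s+(?P<thread>\d+)\s+(?P<hook>[a-z ]+?)\s+[A-Za-z]:\\")

# (label, APIs that must all be present, what the chain usually is); first match wins,
# so more specific rules come first.
RULES = [
    ("upx-stub",
     {"EntryPoint", "LoadLibraryA", "GetProcAddress", "ExitProcess", "VirtualProtect"},
     "UPX decompression stub at the entry point: resolves imports, re-protects sections"),
    ("msvc-crt-init",
     {"___crtIsPackagedApp", "RtlEncodePointer", "IsDebuggerPresent"},
     "__crt-prefixed C-runtime internals; IsDebuggerPresent here is the CRT's own check"),
    ("autoit-winactivate-send",
     {"AttachThreadInput", "SetForegroundWindow", "MapVirtualKeyW", "keybd_event"},
     "window activation plus synthesised key presses, as AutoIt WinActivate()/Send() do"),
    ("review:process-enumeration",
     {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
     "walks the process list; confirm which process names the script looks for"),
    ("review:resource-load",
     {"FindResourceExW", "LoadResource", "LockResource"},
     "reads an embedded resource; compiled AutoIt keeps its script in one"),
    ("review:key-state-polling",
     {"GetAsyncKeyState"},
     "polls key state; next to GetCursorPos/ScreenToClient this is usually GUI "
     "hit-testing, but a polling keylogger looks the same"),
]


def split_chain(apis_field: str) -> list:
    return [a for a in apis_field.split(",") if a]


def classify_chain(apis) -> tuple:
    present = set(apis)
    for label, required, why in RULES:
        if required <= present:
            return label, why
    return "unclassified", "no rule matched; review the function manually"


def triage_report(lines) -> dict:
    """Map function id -> classification for every chain row in `lines`."""
    result = {}
    for line in lines:
        m = CHAIN_RE.search(line)
        if not m:
            continue                      # behaviour rows, strings, ids without APIs
        apis = split_chain(m.group("apis"))
        label, why = classify_chain(apis)
        result[m.group("addr")] = {"label": label, "why": why, "api_count": len(apis)}
    return result


def find_hooks(lines) -> list:
    """(hook type, thread id) for each hook row.  A 'keyboard low level'
    (WH_KEYBOARD_LL) hook is global by definition, so thread id 0 adds nothing
    to the finding; what matters is what the hook procedure does with the keys."""
    return [(m.group("hook"), int(m.group("thread")))
            for m in (HOOK_RE.search(line) for line in lines) if m]


def summarise(result) -> Counter:
    return Counter(v["label"] for v in result.values())


SAMPLE_LINES = [
    # Constructed subset of the report rows above; two chains abridged.
    r"Code function: 0_2_00BD5AD0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, |",
    r"Code function: 0_2_00AC5BFC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer, |",
    r"Code function: 0_2_00A94A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,KiUserCallbackDispatcher,AttachThreadInput, |",
    r"Code function: 0_2_00AF3C99 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, |",
    r"Code function: 0_2_00A94FE9 FindResourceExW,LoadResource,SizeofResource,LockResource, |",
    r"Code function: 0_2_00A92344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, |",
    r"Code function: 0_2_00B1C502 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W, |",
    r"Code function: 0_2_00A9E800 |",
    r"Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\RKKO3T4hSU.exe |",
]

if __name__ == "__main__":
    verdicts = triage_report(SAMPLE_LINES)
    for addr, v in verdicts.items():
        print(f"{addr}  {v['label']:28} {v['why']}")
    print("hooks:", find_hooks(SAMPLE_LINES))
    print("summary:", dict(summarise(verdicts)))
```

The point of the labels is to push the analyst's time towards the "review:" and "unclassified" chains; the runtime-attributed chains still exist, but they are explained by the packer and the interpreter rather than by the script the binary carries, which is what actually needs to be extracted and read.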