Analysis
max time kernel: 67s
max time network: 69s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 01:34
Static task: static1
Behavioral task: behavioral1 (Sample: AutoClicker.exe, Resource: win7-20240221-en)
Behavioral task: behavioral2 (Sample: AutoClicker.exe, Resource: win10v2004-20240508-en)
General
Target: AutoClicker.exe
Size: 844KB
MD5: 7ecfc8cd7455dd9998f7dad88f2a8a9d
SHA1: 1751d9389adb1e7187afa4938a3559e58739dce6
SHA256: 2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
SHA512: cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d
SSDEEP: 12288:GaWzgMg7v3qnCiWErQohh0F49CJ8lnybQg9BFg9UmTRHlM:BaHMv6CGrjBnybQg+mmhG
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (POWERPNT.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (POWERPNT.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (POWERPNT.EXE)

Enumerates system info in registry (2 TTPs, 6 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (POWERPNT.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (POWERPNT.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (POWERPNT.EXE)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid 2620 POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 4184 msedge.exe (2 entries)
  pid 4060 msedge.exe (2 entries)
  pid 4820 identity_helper.exe (2 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 912 AutoClicker.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (15 IoCs)
  pid 4060 msedge.exe (all 15 entries)

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid 912 AutoClicker.exe and pid 4060 msedge.exe (64 entries in total: a run of 912 AutoClicker.exe, then a run of 4060 msedge.exe, then one final 912 AutoClicker.exe)

Suspicious use of SendNotifyMessage (64 IoCs)
  pid 912 AutoClicker.exe and pid 4060 msedge.exe (64 entries in total: a run of 912 AutoClicker.exe, then a run of 4060 msedge.exe, then three final 912 AutoClicker.exe)

Suspicious use of SetWindowsHookEx (5 IoCs)
  pid 2620 POWERPNT.EXE (4 entries)
  pid 912 AutoClicker.exe (1 entry)

Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid Process / procid_target (64 entries in total; distinct rows in the order they appear):
  PID 912 wrote to memory of 4060 / 912 AutoClicker.exe / 101 (2 entries)
  PID 4060 wrote to memory of 4872 / 4060 msedge.exe / 102 (2 entries)
  PID 4060 wrote to memory of 1936 / 4060 msedge.exe / 103 (repeated many times)
  PID 4060 wrote to memory of 4184 / 4060 msedge.exe / 104 (2 entries)
  PID 4060 wrote to memory of 1780 / 4060 msedge.exe / 105 (repeated many times)
Processes
(depth in the process tree shown as [n]; children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\AutoClicker.exe (PID 912)
    Command line: "C:\Users\Admin\AppData\Local\Temp\AutoClicker.exe"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4060)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.remouse.com/
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4872)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe31d446f8,0x7ffe31d44708,0x7ffe31d44718

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1936)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4184)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1780)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4960)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4408)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4440)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5084)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4820)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4896)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4368)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4856)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4620)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1944)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3748)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 640)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2096)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4316)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4712)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3756)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3608)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13579118937451860568,3726002024977878238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1

[1] C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE (PID 2620)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\SubmitRemove.pot"
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\System32\CompPkgSrv.exe (PID 3376)
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe (PID 4704)
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads