hxxps://cdn[.]discordapp[.]com/attachments/1257544830133866517/1265488126835560542/AutoClickers[.]exe?ex=66a1b129&is=66a05fa9&hm=c51d89e066e485cabd5026583188ec3ce0d2c238fe0ade5a7d47751904d6b9a6&

Resubmissions

24/07/2024, 02:30

240724-cy9q6aweqa 8

24/07/2024, 02:23

240724-cvcbgssgrn 8

Analysis

max time kernel
145s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 02:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1257544830133866517/1265488126835560542/AutoClickers.exe?ex=66a1b129&is=66a05fa9&hm=c51d89e066e485cabd5026583188ec3ce0d2c238fe0ade5a7d47751904d6b9a6&

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
5740	AutoClickers.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000800000002347b-43.dat	autoit_exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClickers.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	taskmgr.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 185709.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4948	msedge.exe
4948	msedge.exe
2404	msedge.exe
2404	msedge.exe
4252	identity_helper.exe
4252	identity_helper.exe
5620	msedge.exe
5620	msedge.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5740	AutoClickers.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5972	taskmgr.exe
Token: SeSystemProfilePrivilege	5972	taskmgr.exe
Token: SeCreateGlobalPrivilege	5972	taskmgr.exe
Token: 33	5972	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5972	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5740	AutoClickers.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 3420	2404	msedge.exe	85
PID 2404 wrote to memory of 3420	2404	msedge.exe	85
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 3428	2404	msedge.exe	86
PID 2404 wrote to memory of 4948	2404	msedge.exe	87
PID 2404 wrote to memory of 4948	2404	msedge.exe	87
PID 2404 wrote to memory of 3212	2404	msedge.exe	88
PID 2404 wrote to memory of 3212	2404	msedge.exe	88
PID 2404 wrote to memory of 3212	2404	msedge.exe	88
PID 2404 wrote to memory of 3212	2404	msedge.exe	88
PID 2404 wrote to memory of 3212	2404	msedge.exe	88
PID 2404 wrote to memory of 3212	2404	msedge.exe	88
PID 2404 wrote to memory of 3212	2404	msedge.exe	88
PID 2404 wrote to memory of 3212	2404	msedge.exe	88
PID 2404 wrote to memory of 3212	2404	msedge.exe	88
PID 2404 wrote to memory of 3212	2404	msedge.exe	88
PID 2404 wrote to memory of 3212	2404	msedge.exe	88
PID 2404 wrote to memory of 3212	2404	msedge.exe	88
PID 2404 wrote to memory of 3212	2404	msedge.exe	88
PID 2404 wrote to memory of 3212	2404	msedge.exe	88
PID 2404 wrote to memory of 3212	2404	msedge.exe	88
PID 2404 wrote to memory of 3212	2404	msedge.exe	88
PID 2404 wrote to memory of 3212	2404	msedge.exe	88
PID 2404 wrote to memory of 3212	2404	msedge.exe	88
PID 2404 wrote to memory of 3212	2404	msedge.exe	88
PID 2404 wrote to memory of 3212	2404	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1257544830133866517/1265488126835560542/AutoClickers.exe?ex=66a1b129&is=66a05fa9&hm=c51d89e066e485cabd5026583188ec3ce0d2c238fe0ade5a7d47751904d6b9a6&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff8ffb46f8,0x7fff8ffb4708,0x7fff8ffb4718
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,11495931791610542781,11532825366205560474,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,11495931791610542781,11532825366205560474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,11495931791610542781,11532825366205560474,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11495931791610542781,11532825366205560474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11495931791610542781,11532825366205560474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11495931791610542781,11532825366205560474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11495931791610542781,11532825366205560474,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,11495931791610542781,11532825366205560474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,11495931791610542781,11532825366205560474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,11495931791610542781,11532825366205560474,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11495931791610542781,11532825366205560474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11495931791610542781,11532825366205560474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11495931791610542781,11532825366205560474,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,11495931791610542781,11532825366205560474,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6432 /prefetch:8
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11495931791610542781,11532825366205560474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,11495931791610542781,11532825366205560474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5620
- C:\Users\Admin\Downloads\AutoClickers.exe
  "C:\Users\Admin\Downloads\AutoClickers.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,11495931791610542781,11532825366205560474,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4808 /prefetch:2
  2⤵
  PID:1836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3968

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5972

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\3278165d-5ee6-4e62-897e-56d33298f624.tmp

Filesize
12KB

MD5
5455b212a5c78943a539962a86641f8b

SHA1
8c748d53a1bf9f1e88538a795131fd3ab6f46c41

SHA256
94e4bfcc90d84e55c08fe50a9d80d4bdc21fe088c1efb71540df51405a45301c

SHA512
28eb36d17f7c50cde558c2d2003c6f94eaf56b57119fa3810622e14b5af49dc1a8f0e27acc8b74b15dc4ecce67c58040d8c7ae6e31fe18ade6973d5dbfedd523

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaaad45aced1889a90a8aa4c39f92659

SHA1
5c0130d9e8d1a64c97924090d9a5258b8a31b83c

SHA256
5e3237f26b6047f64459cd5d3a6bc3563e2642b98d75b97011c93e0a9bd26f3b

SHA512
0db1c6bdb51f4e6ba5ef4dc12fc73886e599ab28f1eec5d943110bc3d856401ca31c05baa9026dd441b69f3de92307eb77d93f089ba6e2b84eea6e93982620e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3ee50fb26a9d3f096c47ff8696c24321

SHA1
a8c83e798d2a8b31fec0820560525e80dfa4fe66

SHA256
d80ec29cb17280af0c7522b30a80ffa19d1e786c0b09accfe3234b967d23eb6f

SHA512
479c0d2b76850aa79b58f9e0a8ba5773bd8909d915b98c2e9dc3a95c0ac18d7741b2ee571df695c0305598d89651c7aef2ff7c2fedb8b6a6aa30057ecfc872c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
89c910265a76e59263a04085040c1382

SHA1
2f59f943312381589a23d7fcd3d1f90d821a76e1

SHA256
cb64970f8666a03ce69176a2dc43cb3c44e57382a1b93d1b499fe001b2f63216

SHA512
5082ced5e15a514fdb56a3bce2d2b1eb3488ad3bd6c87feb64ffd16661d90b6ec7fcbdd5424441010ce0229b5f0986e8e4fa99b1a9a56f017c76adfc627f266e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
88c42cbd8f6e170e077bc331d81c2876

SHA1
88e0be749ff5484dba54ec68cd82772d19e61752

SHA256
695f00b46dbc1d36bdaec80817c743dd43d64bdbbe178472dc054bd19926346f

SHA512
611047f6520ee0b156651258e24251f84d710924134e079880c436d4d8eaf805805b62af8ed4defd4b25c986aa1f655f9a56576982f7eea6521b00049875610c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
35a8a982786b0f23fab0bdb17b0d6b34

SHA1
0fa62337df126da88d6465c7e2f50681e5c39dd7

SHA256
cb88c33a8996c12b01dddd658fdcfe8f6e9f2115876294c8701ec1675cef39b5

SHA512
2d9606fe7982435b90cdeb0e8b52feda0723e0f2ef7b7eedd68a551c659b9a8820bb0b58d4277a35fadaf778af8987fa33c99f6e13d98213c278950177a025e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cda7b648666c4508b3f8d09f7a09178f

SHA1
68c7cdadefe4ba79f3902077f1333716b916eb4e

SHA256
c4bc7579cdc5d918a5c5709061450abf6fa24e972613aef0fa9ff6a255db0285

SHA512
cd7cbe702e7b1ef9dc187177603a62ce7dfb741edd577f24df29e10106f71623d7c1d41558ed65766434dd61e3aba424c25faa3f17674304821736d43212897f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9b49786958062ae2d35fe7d05f28b83e

SHA1
f459498e916aa18b931b76bd2b419737d54f87fc

SHA256
9d100432a2d8dad2f1e29011080f98f4498a9247b3e0360e329965c043bd3e99

SHA512
29854378928bc5f483b5450afb2a1545b094290662a088ef58f4629c0d33e317e9fbf1a51600123521e94fbfc23560d6f0c02dc3c1a1f83044d30497d8a1996d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 185709.crdownload

Filesize
939KB

MD5
27d5a6c9274255cf89b38f28480edcf0

SHA1
88036bf7a8956dd7f7e53ffabb6d29a7508060dc

SHA256
cbe005a1b13a85b5f6bed4fa213e1bb837b222521f8e83ac3879d5bf791d5288

SHA512
46997fde9001405998beca19ee0be329743dc5aee7cda525add25309c795dfee0e5859ef4c4b1bf9e1cdce21f2ac5e90f1f336ee1f0b9e5372581c7f254ec075

Download Submit
memory/5972-117-0x000001C134410000-0x000001C134411000-memory.dmp

Filesize
4KB

Download
memory/5972-127-0x000001C134410000-0x000001C134411000-memory.dmp

Filesize
4KB

Download
memory/5972-126-0x000001C134410000-0x000001C134411000-memory.dmp

Filesize
4KB

Download
memory/5972-125-0x000001C134410000-0x000001C134411000-memory.dmp

Filesize
4KB

Download
memory/5972-124-0x000001C134410000-0x000001C134411000-memory.dmp

Filesize
4KB

Download
memory/5972-123-0x000001C134410000-0x000001C134411000-memory.dmp

Filesize
4KB

Download
memory/5972-122-0x000001C134410000-0x000001C134411000-memory.dmp

Filesize
4KB

Download
memory/5972-121-0x000001C134410000-0x000001C134411000-memory.dmp

Filesize
4KB

Download
memory/5972-116-0x000001C134410000-0x000001C134411000-memory.dmp

Filesize
4KB

Download
memory/5972-115-0x000001C134410000-0x000001C134411000-memory.dmp

Filesize
4KB

Download