hxxps://gamejolt[.]com/games/win8-1-sim/348598

Analysis

max time kernel
900s
max time network
888s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
10/10/2024, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gamejolt.com/games/win8-1-sim/348598

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1836	clicker-pl.exe

Loads dropped DLL 3 IoCs

pid	Process
1836	clicker-pl.exe
1836	clicker-pl.exe
1836	clicker-pl.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\clicker-pl.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clicker-pl.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 831756.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\clicker-pl.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4424	msedge.exe
4424	msedge.exe
904	msedge.exe
904	msedge.exe
3840	msedge.exe
3840	msedge.exe
3564	identity_helper.exe
3564	identity_helper.exe
716	msedge.exe
4580	msedge.exe
4580	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1836	clicker-pl.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4812	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4812	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1836	clicker-pl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 2920	904	msedge.exe	78
PID 904 wrote to memory of 2920	904	msedge.exe	78
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 1568	904	msedge.exe	79
PID 904 wrote to memory of 4424	904	msedge.exe	80
PID 904 wrote to memory of 4424	904	msedge.exe	80
PID 904 wrote to memory of 4936	904	msedge.exe	81
PID 904 wrote to memory of 4936	904	msedge.exe	81
PID 904 wrote to memory of 4936	904	msedge.exe	81
PID 904 wrote to memory of 4936	904	msedge.exe	81
PID 904 wrote to memory of 4936	904	msedge.exe	81
PID 904 wrote to memory of 4936	904	msedge.exe	81
PID 904 wrote to memory of 4936	904	msedge.exe	81
PID 904 wrote to memory of 4936	904	msedge.exe	81
PID 904 wrote to memory of 4936	904	msedge.exe	81
PID 904 wrote to memory of 4936	904	msedge.exe	81
PID 904 wrote to memory of 4936	904	msedge.exe	81
PID 904 wrote to memory of 4936	904	msedge.exe	81
PID 904 wrote to memory of 4936	904	msedge.exe	81
PID 904 wrote to memory of 4936	904	msedge.exe	81
PID 904 wrote to memory of 4936	904	msedge.exe	81
PID 904 wrote to memory of 4936	904	msedge.exe	81
PID 904 wrote to memory of 4936	904	msedge.exe	81
PID 904 wrote to memory of 4936	904	msedge.exe	81
PID 904 wrote to memory of 4936	904	msedge.exe	81
PID 904 wrote to memory of 4936	904	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gamejolt.com/games/win8-1-sim/348598
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe178c3cb8,0x7ffe178c3cc8,0x7ffe178c3cd8
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,18011396165938442192,15956992283090859262,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,18011396165938442192,15956992283090859262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,18011396165938442192,15956992283090859262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,18011396165938442192,15956992283090859262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,18011396165938442192,15956992283090859262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1956,18011396165938442192,15956992283090859262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,18011396165938442192,15956992283090859262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,18011396165938442192,15956992283090859262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,18011396165938442192,15956992283090859262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,18011396165938442192,15956992283090859262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,18011396165938442192,15956992283090859262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1956,18011396165938442192,15956992283090859262,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaService --field-trial-handle=1956,18011396165938442192,15956992283090859262,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,18011396165938442192,15956992283090859262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,18011396165938442192,15956992283090859262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,18011396165938442192,15956992283090859262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1912 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,18011396165938442192,15956992283090859262,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,18011396165938442192,15956992283090859262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,18011396165938442192,15956992283090859262,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3040 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2080

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2916

C:\Users\Admin\Downloads\clicker-pl.exe
"C:\Users\Admin\Downloads\clicker-pl.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d30a5618854b9da7bcfc03aeb0a594c4

SHA1
7f37105d7e5b1ecb270726915956c2271116eab7

SHA256
3494c446aa3cb038f1d920b26910b7fe1f4286db78cb3f203ad02cb93889c1a8

SHA512
efd488fcd1729017a596ddd2950bff07d5a11140cba56ff8e0c62ef62827b35c22857bc4f5f5ea11ccc2e1394c0b3ee8651df62a25e66710f320e7a2cf4d1a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
03a56f81ee69dd9727832df26709a1c9

SHA1
ab6754cc9ebd922ef3c37b7e84ff20e250cfde3b

SHA256
65d97e83b315d9140f3922b278d08352809f955e2a714fedfaea6283a5300e53

SHA512
e9915f11e74c1bcf7f80d1bcdc8175df820af30f223a17c0fe11b6808e5a400550dcbe59b64346b7741c7c77735abefaf2c988753e11d086000522a05a0f7781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4ea47d69fe94e96e2b36a11356b7342c

SHA1
d4a1fdceb7268bdbbbe88f8eef9f9bd34daf8666

SHA256
c61e22d20c64d19b30b834c70e9485aa7d9df1a73ca40e32aba734bac004a3ab

SHA512
0225524e1c6053ec6efd03640fc185a5eddecec8d7bb8fbd0bd9c02752c53461cd5ae02b110b5319773c5efe89027b03df437e5f398588cd7840791d5517fc18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
e15cfefdae659b32fd2f1ad7e44c3d5f

SHA1
db736ee4b7bda479d7059ef72fda495122e10890

SHA256
465b0484b4e557b35114fcf6f752772526b541978763ec4005136ea3944ea24e

SHA512
c8631944c4856e171635d91c957329b06c9a8822cfe601fecea3b5533dd249cfd5d1fd70d2ef23fefc9132e2387421868ef2b6ae5fc12f48b7809882db21d450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
75faabe40869ecf6c055dcc23256632f

SHA1
e82d42e1b487065ef03dcc9204557e31c49353ab

SHA256
6e5a6e28427e6a4e4d22b497b07cda2522a19d363c360bbadde3e4e416b03b6f

SHA512
0e4acbba2878e99f387cd90d058a6d02f415a9bcd8700732e300c48d9a48e1cab702019f56bd3b72b261f4e07e35061f4694c837d9717b92dab4b62209d9976b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
52d2ef051e15ef382331210ddea3e75e

SHA1
78a38e7327344e5f44c7e597f01f9799df2567e0

SHA256
86bf3ae8740da5e3137afcc9fa9ef98ba9d0b47829bf93e207eeef49bacd0eed

SHA512
ec4e31bf4fd1cc53779e907dbdf759c9dfb53ff1ee9a427730f76e8379bfa41d39772621e9f97ef7eb00a9c89756cc0f295c5558b0ddbbd5774828f8b0edcc26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
731edaf77a88f59b9a00093b930f91d5

SHA1
76733dcb473c75280fc942f60f0293b065ea1912

SHA256
1b20027e7b6934d5d604986dbcd75549247a7f2a0875fb55bd0c87ed62067bc5

SHA512
514f0e840cdc20bf16d670381b430a6058e515a9b15583d291f49be3f09ea5399d7183c3fde898f5ed14ba16d6afc5a90c21ec721a8ae4593b922cae84d6d1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
01dfb301e2d6f7fc60573cfe414be70b

SHA1
a42530c1f9648fe13af5e35a137b52e0945db54f

SHA256
6bbd7bb5762dc23416eaaedd2c0e623ca63642edbb462aad883ad6ea1c622b10

SHA512
7a31956e9c96c6dfd0ef9536c203db7df2b01b8ebb877c59e6ca62a2fe16c5f21634f702479adb83b7733bd5f59ae98764ae13728ae176736bc4b5cf0888939e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b100ce9b1d1da703fc48e22918382769

SHA1
d5d007847d9495478c82212ae468f84570d188f2

SHA256
0fa2d8cd57e79fa9e3b0987cf53a311c2fb4b5000ee4c78a91cfa4e9a4b3ea72

SHA512
75c3eb2f9e9f741d12e036586bb1e0abb365fc988a5b7b76c73f873e58f620895c431ca0f6154b447ba8e66acc85c08414f6063e6fb205caebbeeefe7c2fb36c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
56fb3ca0c9b2ea284b6f51ad54a08cb4

SHA1
b618d98fa29a17eb7307a5d6bd9169ebd0758508

SHA256
2cc6caeb72958232e2b1e17b7c77700da8f1ae672d732f569631d07cd420a4f2

SHA512
14b776ddfad79ad985b71c8445b45512315f9373305ab9be705eb1b17b94cd15014dba8514f2283434cff1c68fed5bc6cfddd202f26a0ae0a4ae486209904e94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6901b38a20d6d69706419f8038c1dad4

SHA1
9db9b6bc07756f0eb77e1e671d458c8a4a5dac97

SHA256
0d73c56a405993615226147a3037cd302842aeb4383dfdda422f61a8a4400792

SHA512
cd03eca511e0ce78e93e9615a468b3162bf1d156433fca1e4e3488d422b5a6fa2ff6577cce3a53c859e2497eac6faa471b6baf076e9201b1cf30039539813326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fd1d.TMP

Filesize
371B

MD5
6b0eef030ccd3dbb4b9e270c16f328a6

SHA1
95e4137164b228f565c6968ba9174e46e6eface9

SHA256
19e5fe5e423605128682d3afa5d406e4d06c292e53ad5f1c134a3d67ce1e56a6

SHA512
1e7e1d4a6f5cd64a70fa51cf8d093341c4b95e0d5284f6da14f149dd8a3773a04abed9fe0cffa6f6d7b4105f11759fb959bb8cd8f5fcd3b7409279239d21fa52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
afc678823c1bd44364becd20bb044b7b

SHA1
a82165202ee46f03f33128ebff09748a9ee7a71d

SHA256
215b720add90aaf26fb79b944d57cb211ccc6b669c246c6930153c24d61f4f43

SHA512
8cdb4654919e98b5280140794cf5604f00bbc0529d9c8e19141009af3ec74cb07af6e4b7cafdb4d1c04a3847968e6c9df7b4737f7ddfeb6547e3ac7e1b47aa93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2e90685014371e18a7dd8730bb93df96

SHA1
99f4a5c0ca3dfe9b433988bc91d7c917735ff45c

SHA256
0653040ac4c4d06663c31ff97a12f83d8c6392c867ac01f3ce0215d6579c522d

SHA512
2dee85b0dfd42dfecf498a4dbd64a1c49a92eca3ff7cf19c578f554d9e9eed6b11c342c3a2d9a3ed376f4afa0b3a6325b96b4fcd720066170058531545d07985

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
404334e7f4f617a05b9f6fda6f1b1fbf

SHA1
7740d73c28e58b1faff1a24255d821c8a6cc202a

SHA256
d4428b2fd38a2b3ac2b7f50e718824466a5f785786522249a14e6cee135c59ce

SHA512
179ee006b57fcc9e8ea05441adf8a2ac5bdbd8bb795badb71da877642cbf333f722c60fc2374fc711821a51e195c30c9470ea409cc4ae03b93fd76a02b4b7f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt7441.tmp\KcButton.mfx

Filesize
40KB

MD5
3da4871c30d5ff752053c1bf8fd37f58

SHA1
b89b066c903959a1a7f7647f37318e6b259af083

SHA256
aefcc0db7d2d78d59b60feb2b06a92aea219e16ced12c67c3bfd713970e8a4c0

SHA512
250b75473ef54145d912e0f6d4a5cb5cb194612ee4a503d6c070c965d11c07c4d37a922d9f86615c02e7cbf20cad76d58055b790c1ad693c4843e90ad95b492d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt7441.tmp\mmf2d3d9.dll

Filesize
1.1MB

MD5
22284d6bb382967ff72363f828050e13

SHA1
5c98e25d24aacafffded9353c9526be0128c6dbd

SHA256
9eaa342059785bd584df956574c637e6d0e6016a099221a56e0397f8c86cd93f

SHA512
2e5a5bf115b1d2a07d0647b6f4925ab84301ca6354e3f3beb8d44f51900ff21b06b97b23128160fd94dfd33116d03094ca47c49143ae98473eaaed441f9705b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt7441.tmp\mmfs2.dll

Filesize
459KB

MD5
4cf7bb74d8104280b7e986f4df21109d

SHA1
edc21a43136afddbf4786593e84b934d40591b74

SHA256
c0d56cefb509e5600ac6b430adcaf53b81881d3fff4e62b7ede158d66d826622

SHA512
2bbac48354657659795697e67508d777ee595348e1fb3d4b6c65d8618c346b3be0052b1e2e2fe669dcca19c3c00d59d1833acc21d88a97efbde2694935e3c292

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 831756.crdownload

Filesize
2.2MB

MD5
9d82dce3d56494676aebcbf0e6a32bb7

SHA1
293fd782f38f3f9f281f830ee51630a622b9b358

SHA256
95718dd528a1d967640abd1c3925ce9dfff5275c26caa304ca73500dfed7d8d6

SHA512
200151b5a990496dbccba0621c202cfde291c70a9debe5faed6f56786a551a77011542dccfffb6a6de6c1477ad515ce30e5a715e3e5fceb2f1309d48ed1d77d7

Download Submit
C:\Users\Admin\Downloads\clicker-pl.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit