File name: IO-Auto-Clicker-m.exe
Full analysis: https://app.any.run/tasks/32c5cb28-9384-4214-a4b9-49e14a04ac04
Verdict: Malicious activity
Analysis date: August 21, 2024, 19:28:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4665494CE6D2A842C56065EDEC0531EA
SHA1: 5AE832C4BFC0FC9667EA8C95991C56F347C06FD8
SHA256: 0D7D58C3C547CF60749D0A0511F595D61BDE47D1B167317124FCEEA025D815E2
SSDEEP: 786432:XE03TnLZRyb7YTI5rb1QLebJ/BKOvyWuMQ3Uw:XDLZIbFX1bbJ/BzvyWq3Uw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • IO-Auto-Clicker-m.exe (PID: 6500)
      • IO-Auto-Clicker-m.tmp (PID: 6520)
    • Drops the executable file immediately after the start

      • IO-Auto-Clicker-m.exe (PID: 6500)
      • IO-Auto-Clicker-m.tmp (PID: 6520)
    • Reads the Windows owner or organization settings

      • IO-Auto-Clicker-m.tmp (PID: 6520)
    • Checks for external IP

      • IO-Auto-Clicker-m.tmp (PID: 6520)
      • svchost.exe (PID: 2256)
  • INFO

    • Create files in a temporary directory

      • IO-Auto-Clicker-m.exe (PID: 6500)
      • IO-Auto-Clicker-m.tmp (PID: 6520)
    • Checks supported languages

      • IO-Auto-Clicker-m.exe (PID: 6500)
      • IO-Auto-Clicker-m.tmp (PID: 6520)
    • Reads the computer name

      • IO-Auto-Clicker-m.tmp (PID: 6520)
    • Reads the software policy settings

      • IO-Auto-Clicker-m.tmp (PID: 6520)
    • Reads the machine GUID from the registry

      • IO-Auto-Clicker-m.tmp (PID: 6520)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:06:03 08:09:11+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741376
InitializedDataSize: 46592
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.2.0.0
ProductVersionNumber: 1.2.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Wonkru Media (OPC) Private Limited
FileDescription: IO Auto Clicker Setup
FileVersion: 1.2.0
LegalCopyright: Copyright 2023 Wonkru Media (OPC) Private Limited
OriginalFileName:
ProductName: IO Auto Clicker
ProductVersion: 1.2.0
No data.
All screenshots are available in the full report
Total processes: 123
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start → io-auto-clicker-m.exe → io-auto-clicker-m.tmp
svchost.exe (Dnscache service host, monitored separately)

Process information

PID: 2256
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\svchost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\kernel.appcore.dll

PID: 6500
CMD: "C:\Users\admin\AppData\Local\Temp\IO-Auto-Clicker-m.exe"
Path: C:\Users\admin\AppData\Local\Temp\IO-Auto-Clicker-m.exe
Parent process: explorer.exe
User: admin
Company: Wonkru Media (OPC) Private Limited
Integrity Level: MEDIUM
Description: IO Auto Clicker Setup
Exit code: 2
Version: 1.2.0
Modules (images):
  c:\users\admin\appdata\local\temp\io-auto-clicker-m.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll

PID: 6520
CMD: "C:\Users\admin\AppData\Local\Temp\is-POCC8.tmp\IO-Auto-Clicker-m.tmp" /SL5="$603C8,56857909,788992,C:\Users\admin\AppData\Local\Temp\IO-Auto-Clicker-m.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-POCC8.tmp\IO-Auto-Clicker-m.tmp
Parent process: IO-Auto-Clicker-m.exe
User: admin
Company: Wonkru Media (OPC) Private Limited
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 2
Version: 51.1052.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\is-pocc8.tmp\io-auto-clicker-m.tmp
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\comdlg32.dll
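The /SL5 argument on PID 6520 is how the Inno Setup loader stub (PID 6500) hands control to the unpacked setup program it dropped into is-POCC8.tmp. What follows is an added example, not code from the ANY.RUN report or from Inno Setup: it parses that argument, links the second stage back to its first stage by the original path it carries, and checks the third /SL5 number against the PE sizes listed in the EXIF block. Assumptions, marked in the code: reading the two integers as the offsets of the embedded setup-0 (header) and setup-1 (file data) blocks is my recollection of the Inno Setup source; the 1024-byte header size is the usual 0x400 SizeOfHeaders, not a field this page shows; the process records are transcribed from the Process information section above.

```python
"""Link an Inno Setup first stage to its unpacked second stage via /SL5.

Added example, not part of the sandbox report. PROCS is transcribed from the
report; the meaning of the /SL5 integers and SIZE_OF_HEADERS are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Inno Setup's SetupLdr passes /SL5="$<hwnd>,<n1>,<n2>,<original exe path>".
# Assumption: n1 = offset of the setup-0 header block, n2 = offset of the
# setup-1 file-data block, both inside the original installer on disk.
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]+)"')

# Second-stage image: <something>\is-XXXXX.tmp\<name>.tmp
INNO_STAGE2_RE = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\[^\\]+\.tmp$", re.IGNORECASE)

# PE header fields from the report's EXIF block.
CODE_SIZE = 741376
INIT_DATA_SIZE = 46592
SIZE_OF_HEADERS = 1024  # assumption: 0x400, the usual value; not shown on the page


@dataclass
class Sl5:
    hwnd: int
    offset0: int
    offset1: int
    original_exe: str


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent_image: str


# Transcribed from the report (PIDs 6500 and 6520).
PROCS: List[Proc] = [
    Proc(6500,
         r"C:\Users\admin\AppData\Local\Temp\IO-Auto-Clicker-m.exe",
         r'"C:\Users\admin\AppData\Local\Temp\IO-Auto-Clicker-m.exe"',
         "explorer.exe"),
    Proc(6520,
         r"C:\Users\admin\AppData\Local\Temp\is-POCC8.tmp\IO-Auto-Clicker-m.tmp",
         r'"C:\Users\admin\AppData\Local\Temp\is-POCC8.tmp\IO-Auto-Clicker-m.tmp" '
         r'/SL5="$603C8,56857909,788992,C:\Users\admin\AppData\Local\Temp\IO-Auto-Clicker-m.exe"',
         "IO-Auto-Clicker-m.exe"),
]


def parse_sl5(cmdline: str) -> Optional[Sl5]:
    """Extract the /SL5 block from a command line, or None if absent."""
    m = SL5_RE.search(cmdline)
    if not m:
        return None
    return Sl5(int(m.group(1), 16), int(m.group(2)), int(m.group(3)), m.group(4))


def loader_stub_size() -> int:
    """On-disk size of the loader PE if its sections follow a 0x400 header block;
    if this equals offset1, the embedded data starts right after the stub."""
    return SIZE_OF_HEADERS + CODE_SIZE + INIT_DATA_SIZE


def inno_second_stage(p: Proc) -> Optional[Sl5]:
    """Parsed /SL5 if p is a *.tmp under is-XXXXX.tmp launched with /SL5."""
    sl5 = parse_sl5(p.cmdline)
    if sl5 is None or not INNO_STAGE2_RE.search(p.image):
        return None
    return sl5


def link_stages(procs: List[Proc]) -> Dict[int, int]:
    """Map second-stage PID -> first-stage PID by matching the /SL5 original
    path against the image path of another process in the same set."""
    by_image = {p.image.lower(): p for p in procs}
    links: Dict[int, int] = {}
    for p in procs:
        sl5 = inno_second_stage(p)
        if sl5 and sl5.original_exe.lower() in by_image:
            links[p.pid] = by_image[sl5.original_exe.lower()].pid
    return links


if __name__ == "__main__":
    print("stage links:", link_stages(PROCS))
    s = inno_second_stage(PROCS[1])
    print("offset1 == loader stub size:", s is not None and s.offset1 == loader_stub_size())
```

With the page's numbers, 1024 + 741376 + 46592 = 788992, exactly the third /SL5 value, so under the stated assumption the embedded file data begins immediately after the loader stub and the second value (56857909) points near the end of an installer of at least 56 MB. The is-XXXXX.tmp drop plus /SL5 relaunch is standard Inno Setup behaviour, so the chain alone is not the finding; it tells you which PID to watch, which is PID 6520 here.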
Total events: 3 780
Read events: 3 771
Write events: 5
Delete events: 4

Modification events

Process: (6520) IO-Auto-Clicker-m.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write   Name: Owner
Value: 781900004196514B00F4DA01

Process: (6520) IO-Auto-Clicker-m.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write   Name: SessionHash
Value: 5CA1ACA5A373D509E6380DD745FEE675E25017FDB5B292C9D0967D6D3F7521FD

Process: (6520) IO-Auto-Clicker-m.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write   Name: Sequence
Value: 1

Process: (6520) IO-Auto-Clicker-m.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Wonkru Media\IO Auto Clicker
Operation: write   Name: DistId
Value: default

Process: (6520) IO-Auto-Clicker-m.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Wonkru Media\IO Auto Clicker
Operation: write   Name: tid
Value: c4dddc9ea7fd5c9a75ee59991bd9e466

Process: (6520) IO-Auto-Clicker-m.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: delete value   Name: Sequence
Value: (none)

Process: (6520) IO-Auto-Clicker-m.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: delete value   Name: SessionHash
Value: 5CA1ACA5A373D509E6380DD745FEE675E25017FDB5B292C9D0967D6D3F7521FD (the same 32 bytes written above)

Process: (6520) IO-Auto-Clicker-m.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: delete value   Name: Owner
Value: (none)

Process: (6520) IO-Auto-Clicker-m.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: delete key   Name: (default)
Value: (none)
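The Session0000 key is what the Windows Restart Manager creates when an installer calls RmStartSession to find processes holding files it wants to replace (Inno Setup's CloseApplications feature); the write/delete pairs above are the session being opened and closed, not persistence. The Owner value can be decoded. The following is an added example, not part of the report: the hex strings are transcribed from the events above, and the Owner layout (a 4-byte little-endian PID followed by an 8-byte FILETIME) is inferred from the data rather than taken from documentation, so the code checks that inference against what the report shows (writing PID 6520, analysis started 2024-08-21 19:28).

```python
"""Decode the Restart Manager session values written by PID 6520.

Added example, not part of the sandbox report. OWNER_HEX and SESSION_HASH_HEX
are transcribed from the report; the Owner layout is an inference from the data.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Tuple

OWNER_HEX = "781900004196514B00F4DA01"
SESSION_HASH_HEX = "5CA1ACA5A373D509E6380DD745FEE675E25017FDB5B292C9D0967D6D3F7521FD"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is a count of 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_owner(hexval: str) -> Tuple[int, datetime]:
    """Inferred layout: <u32 PID><u64 FILETIME of process creation>, little-endian.
    The PID check against the writing process (6520) is what supports the inference."""
    raw = bytes.fromhex(hexval)
    if len(raw) != 12:
        raise ValueError(f"Owner is {len(raw)} bytes, expected 12")
    pid, ft = struct.unpack("<IQ", raw)
    return pid, filetime_to_datetime(ft)


def rendered_as_utf16(hexval: str) -> str:
    """What a REG_BINARY value looks like when a viewer shows it as a UTF-16LE
    string: 32 hash bytes become 16 mostly CJK code points."""
    return bytes.fromhex(hexval).decode("utf-16-le")


def owner_matches(hexval: str, pid: int, started: datetime, slack: timedelta) -> bool:
    """Attribute a Session#### key to a process from a process log: same PID and a
    creation time within `slack` of the logged start (PIDs get reused, the
    timestamp disambiguates)."""
    opid, ocreated = decode_owner(hexval)
    return opid == pid and abs(ocreated - started) <= slack


if __name__ == "__main__":
    pid, created = decode_owner(OWNER_HEX)
    print("owner pid:", pid, "created:", created.isoformat())
    print("SessionHash bytes:", len(bytes.fromhex(SESSION_HASH_HEX)),
          "as UTF-16:", rendered_as_utf16(SESSION_HASH_HEX))
```

Decoding gives PID 6520 and a creation time of 2024-08-21 19:28 UTC, a few seconds after the analysis start, which is consistent with the inferred layout. The session key carries no lasting state, so for this sample the registry activity worth keeping is only the vendor key (DistId, tid), and the tid value is an installer-generated identifier rather than anything shown to be malicious.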
Executable files: 3
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID 6520  IO-Auto-Clicker-m.tmp  C:\Users\admin\AppData\Local\Temp\is-LMQVB.tmp\PEInjector.dll  (executable)
  MD5: A4CF124B21795DFD382C12422FD901CA
  SHA256: 9E371A745EA2C92C4BA996772557F4A66545ED5186D02BB2E73E20DC79906EC7
PID 6520  IO-Auto-Clicker-m.tmp  C:\Users\admin\AppData\Local\Temp\is-LMQVB.tmp\_isetup\_setup64.tmp  (executable)
  MD5: E4211D6D009757C078A9FAC7FF4F03D4
  SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
PID 6500  IO-Auto-Clicker-m.exe  C:\Users\admin\AppData\Local\Temp\is-POCC8.tmp\IO-Auto-Clicker-m.tmp  (executable)
  MD5: 2B8060F91FE37C12EB22BDD89BE5689E
  SHA256: 8B6AD6EC22D1045B60F8CA096FB20FBBA3C69755E99C7B790F6AEFC196770D39
PID 6520  IO-Auto-Clicker-m.tmp  C:\Users\admin\AppData\Local\Temp\Setup Log 2024-08-21 #001.txt  (text)
  MD5: 55316F01B9CD7868A31BCD2880CC0F2F
  SHA256: DF3354703709A2A26B1B575C3DAA71902D5AE36CAC465D3ED3FDFD92DA04C546
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 16
DNS requests: 6
Threats: 2

HTTP requests

PID   Process   Method   HTTP Code   IP                   URL                      CN        Type   Size   Reputation
(not shown)     GET      200         34.160.111.145:443   https://ifconfig.me/ip   unknown   text   14 b

Connections

PID   Process                IP:port                Domain                            ASN                           CN   Reputation
-     -                      192.168.100.255:138    -                                 -                             -    whitelisted
-     -                      4.231.128.59:443       settings-win.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK   IE   whitelisted
4200  RUXIMICS.exe           4.231.128.59:443       settings-win.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK   IE   whitelisted
2120  MoUsoCoreWorker.exe    4.231.128.59:443       settings-win.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK   IE   whitelisted
3272  svchost.exe            40.127.240.158:443     settings-win.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK   IE   unknown
6520  IO-Auto-Clicker-m.tmp  34.160.111.145:443     ifconfig.me                       GOOGLE                        US   unknown
2120  MoUsoCoreWorker.exe    51.104.136.2:443       settings-win.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK   IE   whitelisted
4324  svchost.exe            51.104.136.2:443       settings-win.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK   IE   whitelisted
3888  svchost.exe            239.255.255.250:1900   -                                 -                             -    whitelisted
3272  svchost.exe            4.231.128.59:443       settings-win.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK   IE   whitelisted

DNS requests

Domain                            IP(s)                                        Reputation
settings-win.data.microsoft.com   4.231.128.59, 40.127.240.158, 51.104.136.2   whitelisted
google.com                        142.250.186.142                              whitelisted
ifconfig.me                       34.160.111.145                               shared

Threats

PID   Process                Class                                            Message
2256  svchost.exe            Device Retrieving External IP Address Detected   INFO [ANY.RUN] External IP Lookup Domain (ifconfig .me)
6520  IO-Auto-Clicker-m.tmp  Device Retrieving External IP Address Detected   ET POLICY External IP Lookup SSL/TLS Certificate (ifconfig .me)
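Both threat rows come from one lookup. The DNS signature is attributed to svchost.exe (PID 2256, the service host running the DNS Client service, "-s Dnscache"), because that service puts the query on the wire on behalf of whichever process asked; the TLS-certificate signature is attributed to the process that opened the TCP connection, IO-Auto-Clicker-m.tmp (PID 6520). Host telemetry that records the requesting process removes that ambiguity. The following is an added example, not part of the report: it runs a small correlation over constructed Sysmon-style events (FileCreate, DnsQuery, NetworkConnect) shaped after this report's timeline, discards the resolver-proxy attribution, and raises severity when the same PID also dropped an executable under %TEMP%. The event tuple layout, the lookup domains beyond ifconfig.me and the non-6520 events are assumptions.

```python
"""Attribute an external-IP lookup to the process that made it, then score it.

Added example, not part of the sandbox report. EVENTS is constructed after the
report's timeline; the extra lookup domains and the event layout are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# ifconfig.me is the domain in the report; the rest are analyst-supplied
# additions of the same kind (assumption, extend as needed).
IP_LOOKUP_DOMAINS = {"ifconfig.me", "api.ipify.org", "icanhazip.com", "checkip.amazonaws.com"}
IP_LOOKUP_IPS = {"34.160.111.145"}  # ifconfig.me's address in the report's DNS section

TEMP_PE_RE = re.compile(r"\\AppData\\Local\\Temp\\.*\.(?:exe|dll|tmp)$", re.IGNORECASE)
# The DNS Client service host resolves on behalf of other processes, so
# network sensors blame it for lookups (PID 2256 in the report's Threats).
DNSCACHE_CMD_RE = re.compile(r"svchost\.exe\b.*\s-s\s+Dnscache\b", re.IGNORECASE)

STAGE2 = r"C:\Users\admin\AppData\Local\Temp\is-POCC8.tmp\IO-Auto-Clicker-m.tmp"
SVCHOST = r"C:\Windows\System32\svchost.exe"
DNSCACHE_CMD = r"C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache"

# Constructed events: (sysmon_event_id, pid, image, cmdline, detail)
#   11 = FileCreate (detail: target path), 22 = DnsQuery (detail: name),
#   3 = NetworkConnect (detail: dest ip:port)
Event = Tuple[int, int, str, str, str]
EVENTS: List[Event] = [
    (11, 6520, STAGE2, "", r"C:\Users\admin\AppData\Local\Temp\is-LMQVB.tmp\PEInjector.dll"),
    (22, 6520, STAGE2, "", "ifconfig.me"),
    (3, 6520, STAGE2, "", "34.160.111.145:443"),
    (22, 2256, SVCHOST, DNSCACHE_CMD, "ifconfig.me"),          # resolver proxy
    (22, 4200, r"C:\Windows\System32\RUXIMICS.exe", "", "settings-win.data.microsoft.com"),
    (3, 4200, r"C:\Windows\System32\RUXIMICS.exe", "", "4.231.128.59:443"),
]


def is_lookup_domain(name: str) -> bool:
    """Exact or subdomain match against the lookup-service list."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IP_LOOKUP_DOMAINS)


def triage(events: Iterable[Event]) -> Dict[int, Tuple[str, List[str]]]:
    """Return {pid: (severity, reasons)} for each process that should alert.

    A process alerts if it queried or connected to a lookup service itself;
    the Dnscache svchost is skipped because its query belongs to someone else.
    Severity is 'high' when the same PID also dropped an executable in Temp."""
    facts = defaultdict(lambda: {"cmd": "", "reasons": []})
    for eid, pid, image, cmd, detail in events:
        f = facts[pid]
        f["cmd"] = cmd
        if eid == 11 and TEMP_PE_RE.search(detail):
            f["reasons"].append(f"dropped executable in Temp: {detail}")
        elif eid == 22 and is_lookup_domain(detail):
            f["reasons"].append(f"DNS query to IP-lookup domain: {detail}")
        elif eid == 3 and detail.rsplit(":", 1)[0] in IP_LOOKUP_IPS:
            f["reasons"].append(f"connection to IP-lookup service: {detail}")

    verdicts: Dict[int, Tuple[str, List[str]]] = {}
    for pid, f in facts.items():
        lookup = [r for r in f["reasons"] if "IP-lookup" in r]
        dropped = [r for r in f["reasons"] if r.startswith("dropped")]
        if not lookup or DNSCACHE_CMD_RE.search(f["cmd"]):
            continue
        verdicts[pid] = ("high" if dropped else "low", f["reasons"])
    return verdicts


if __name__ == "__main__":
    for pid, (sev, reasons) in triage(EVENTS).items():
        print(pid, sev)
        for r in reasons:
            print("   ", r)
```

An external-IP lookup on its own is a weak signal; installers do it for licensing, geo-reporting and telemetry, which is why the report rates it suspicious and its threat rows are POLICY/INFO class. Paired with a fresh executable drop from the same PID it is worth a look, and excluding the Dnscache host keeps PID 2256 from being blamed for a query it only forwarded.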
No debug info