Analysis
- max time kernel: 180s
- max time network: 202s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/09/2022, 13:21
Static task: static1
Behavioral task: behavioral1
- Sample: XMouseButtonControlSetup.2.19.2.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: XMouseButtonControlSetup.2.19.2.exe
- Resource: win10v2004-20220812-en
General
- Target: XMouseButtonControlSetup.2.19.2.exe
- Size: 2.6MB
- MD5: 1303890f3577db2f931323d10aad43d0
- SHA1: 782cd048deaad6b13da71fd2f4e3596e145bb188
- SHA256: bc99080acc10eeb1c8379719c86c652221f3f6d1bff104a2ca32d6326154c636
- SHA512: 92db9b2d83c02337ff793c2ae2258bbd7c7a8c34e0f7149fd13c48310ac1637ffbe01dfc0d3b26c8b04877456bd6b168af94d4dbe5161dcc61e2a5580b559157
- SSDEEP: 49152:8W14xRLQGdJFJlAJLHo1Ztg0QRqUUyZOPb4R1onpLC70jQnh8zpZMzIJ/nJ1NM:8WsdJPlAdH8ZOsUUXT4oRh8hUpkIJ/n+
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
- PID 756: XMouseButtonControl.exe
-
Loads dropped DLL 12 IoCs
- PID 4276: XMouseButtonControlSetup.2.19.2.exe (10 entries)
- PID 756: XMouseButtonControl.exe (2 entries)
-
Adds Run key to start application 2 TTPs 3 IoCs
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (XMouseButtonControlSetup.2.19.2.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XMouseButtonControl = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe /notportable /delay" (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run (msedge.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 10 IoCs
- File created: C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\License.txt (XMouseButtonControlSetup.2.19.2.exe)
- File created: C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\ChangeLog.txt (XMouseButtonControlSetup.2.19.2.exe)
- File created: C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\X-Mouse Button Control User Guide.pdf (XMouseButtonControlSetup.2.19.2.exe)
- File opened for modification: C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\changelog.txt (XMouseButtonControlSetup.2.19.2.exe)
- File created: C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\uninstaller.exe (XMouseButtonControlSetup.2.19.2.exe)
- File created: C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe (XMouseButtonControlSetup.2.19.2.exe)
- File created: C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonHook.dll (XMouseButtonControlSetup.2.19.2.exe)
- File created: C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\BugTrapU-x64.dll (XMouseButtonControlSetup.2.19.2.exe)
- File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\24b17e88-3fcc-463f-8015-a2f8226c3ee7.tmp (setup.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220913152306.pma (setup.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
-
Modifies Control Panel 2 IoCs
- Set value (int): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000" (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop (XMouseButtonControlSetup.2.19.2.exe)
-
Modifies registry class 34 IoCs
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcs (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.xmbclp (XMouseButtonControlSetup.2.19.2.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\DefaultIcon\ = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe,0" (XMouseButtonControlSetup.2.19.2.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcs\ = "X-Mouse Button Control Application Settings" (XMouseButtonControlSetup.2.19.2.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application Settings\ = "X-Mouse Button Control Application Settings" (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Profile (XMouseButtonControlSetup.2.19.2.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application Settings\shell\open\command\ = "\"C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe\" /import:\"%1\"" (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\DefaultIcon (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\ = "X-Mouse Button Control Language Pack" (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\open (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application Settings (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcp (XMouseButtonControlSetup.2.19.2.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Profile\ = "X-Mouse Button Control Profile" (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Profile\DefaultIcon (XMouseButtonControlSetup.2.19.2.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application Settings\shell\ = "open" (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application Settings\DefaultIcon (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Profile\shell (XMouseButtonControlSetup.2.19.2.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\ = "open" (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\open\command (XMouseButtonControlSetup.2.19.2.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\open\command\ = "\"C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe\" /install:\"%1\"" (XMouseButtonControlSetup.2.19.2.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Profile\shell\ = "open" (XMouseButtonControlSetup.2.19.2.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Profile\DefaultIcon\ = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe,0" (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell (XMouseButtonControlSetup.2.19.2.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.xmbclp\ = "X-Mouse Button Control Language Pack" (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Profile\shell\open\command (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Profile\shell\open (XMouseButtonControlSetup.2.19.2.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Profile\shell\open\command\ = "\"C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe\" /profile:\"%1\"" (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application Settings\shell\open (XMouseButtonControlSetup.2.19.2.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcp\ = "X-Mouse Button Control Profile" (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application Settings\shell (XMouseButtonControlSetup.2.19.2.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application Settings\DefaultIcon\ = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe,0" (XMouseButtonControlSetup.2.19.2.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application Settings\shell\open\command (XMouseButtonControlSetup.2.19.2.exe)
Suspicious behavior: EnumeratesProcesses 6 IoCs
- PID 4576: msedge.exe (2 entries)
- PID 8: msedge.exe (2 entries)
- PID 4788: identity_helper.exe (2 entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
- PID 8: msedge.exe (8 entries)
-
Suspicious use of FindShellTrayWindow 5 IoCs
- PID 756: XMouseButtonControl.exe (1 entry)
- PID 8: msedge.exe (4 entries)
-
Suspicious use of SendNotifyMessage 1 IoCs
- PID 756: XMouseButtonControl.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
- PID 756: XMouseButtonControl.exe (4 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Columns: description / pid / Process / procid_target. Identical repeated rows are collapsed to one line each; the original table lists 64 rows in total.
- PID 4276 wrote to memory of 5008 / 4276 / XMouseButtonControlSetup.2.19.2.exe / 103
- PID 8 wrote to memory of 1612 / 8 / msedge.exe / 108
- PID 8 wrote to memory of 980 / 8 / msedge.exe / 112
- PID 8 wrote to memory of 4576 / 8 / msedge.exe / 113
- PID 8 wrote to memory of 4108 / 8 / msedge.exe / 114
Processes
Process tree (indentation shows parent/child relationship; each entry gives the image path, the command line and the signatures triggered by that process):
- C:\Users\Admin\AppData\Local\Temp\XMouseButtonControlSetup.2.19.2.exe (PID 4276)
  Command line: "C:\Users\Admin\AppData\Local\Temp\XMouseButtonControlSetup.2.19.2.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Drops file in Program Files directory; Modifies Control Panel; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\certutil.exe (PID 5008)
    Command line: certutil -delstore root "82 53 30 f1 fa 00 53 f0 03 5a 19 83 63 cd f3 78 22 1d d7 7f"
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 8)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.highrez.co.uk/scripts/postinstall.asp?package=XMouse&major=2&minor=19&build=2&revision=0&platform=x64
  Signatures: Adds Run key to start application; Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1612)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffa034d46f8,0x7ffa034d4708,0x7ffa034d4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 980)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2564232263828853453,11095119237927515523,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4576)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,2564232263828853453,11095119237927515523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4108)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,2564232263828853453,11095119237927515523,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3048 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3188)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2564232263828853453,11095119237927515523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2248)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2564232263828853453,11095119237927515523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4712)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,2564232263828853453,11095119237927515523,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5484 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2256)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2564232263828853453,11095119237927515523,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2892 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4276)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2564232263828853453,11095119237927515523,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1052)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2564232263828853453,11095119237927515523,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2732)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2564232263828853453,11095119237927515523,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2596 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3620)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2564232263828853453,11095119237927515523,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3468)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2564232263828853453,11095119237927515523,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3144)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,2564232263828853453,11095119237927515523,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6252 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5032)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,2564232263828853453,11095119237927515523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6340 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 1696)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    Signatures: Drops file in Program Files directory
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 4536)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf0,0xf4,0xfc,0x108,0xdc,0x7ff745485460,0x7ff745485470,0x7ff745485480
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4788)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,2564232263828853453,11095119237927515523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6340 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe (PID 756)
  Command line: "C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe" /Installed /notportable
  Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
- C:\Windows\System32\CompPkgSrv.exe (PID 4104)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v6
Downloads