2240bf5fb5d80938b0676c46ef9f84bc1739c32f60c473ff85e530ae0eca2818

Analysis

max time kernel
207s
max time network
202s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
04-07-2024 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XMouseButton.exe
Size

2.9MB
MD5

2e9725bc1d71ad1b8006dfc5a2510f88
SHA1

6e1f7d12881696944bf5e030a7d131b969de0c6c
SHA256

2240bf5fb5d80938b0676c46ef9f84bc1739c32f60c473ff85e530ae0eca2818
SHA512

62bd9cde806f83f911f1068b452084ef2adc01bc0dec2d0f668a781cc0d94e39f6e35618264d8796ca205724725abd40429f463017e6ca5caf7d683429f82d39
SSDEEP

49152:n65SJw48kZN+nCYk7c44+Y0hdwn4Km2A5aT/pVE0hYYajihV2Qso0SWMrboF:tfpeno4oY0QZm2dlNJsrHM4

Score

7^/10

discovery link pdf persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4840	XMouseButtonControl.exe
2336	XMouseButtonControl.exe
4588	XMouseButtonControl.exe

Loads dropped DLL 24 IoCs

pid	Process
1452	XMouseButton.exe
1452	XMouseButton.exe
1452	XMouseButton.exe
1452	XMouseButton.exe
1452	XMouseButton.exe
1452	XMouseButton.exe
1452	XMouseButton.exe
1452	XMouseButton.exe
4840	XMouseButtonControl.exe
4840	XMouseButtonControl.exe
4680	XMouseButton.exe
4680	XMouseButton.exe
4680	XMouseButton.exe
4680	XMouseButton.exe
4680	XMouseButton.exe
4680	XMouseButton.exe
4680	XMouseButton.exe
4680	XMouseButton.exe
2336	XMouseButtonControl.exe
2336	XMouseButtonControl.exe
4680	XMouseButton.exe
4680	XMouseButton.exe
4588	XMouseButtonControl.exe
4588	XMouseButtonControl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XMouseButtonControl = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe /notportable /delay"	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XMouseButtonControl = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe /notportable /delay"	XMouseButton.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonHook.dll	XMouseButton.exe
File opened for modification	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\ChangeLog.txt	XMouseButton.exe
File opened for modification	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\X-Mouse Button Control User Guide.pdf	XMouseButton.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\License.txt	XMouseButton.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\X-Mouse Button Control User Guide.pdf	XMouseButton.exe
File opened for modification	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\BugTrapU-x64.dll	XMouseButton.exe
File opened for modification	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\changelog.txt	XMouseButton.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\uninstaller.exe	XMouseButton.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\License.txt	XMouseButton.exe
File opened for modification	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonHook.dll	XMouseButton.exe
File opened for modification	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\License.txt	XMouseButton.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\BugTrapU-x64.dll	XMouseButton.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\uninstaller.exe	XMouseButton.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe	XMouseButton.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe	XMouseButton.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\BugTrapU-x64.dll	XMouseButton.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\ChangeLog.txt	XMouseButton.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\X-Mouse Button Control User Guide.pdf	XMouseButton.exe
File opened for modification	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\changelog.txt	XMouseButton.exe
File opened for modification	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\uninstaller.exe	XMouseButton.exe
File opened for modification	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe	XMouseButton.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonHook.dll	XMouseButton.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\ChangeLog.txt	XMouseButton.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral1/files/0x000100000002aa50-594.dat	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000100000002aa4a-612.dat	nsis_installer_1
behavioral1/files/0x000100000002aa4a-612.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Control Panel 5 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Control Panel\Desktop	XMouseButton.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000"	XMouseButton.exe
Key created	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Control Panel\Desktop	XMouseButton.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000"	XMouseButton.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Control Panel\Desktop\LowLevelHooksTimeout = "200"	XMouseButtonControl.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\DefaultIcon	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\DefaultIcon\ = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe,0"	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbclp	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcs	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell\open\command\ = "\"C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe\" /import:\"%1\""	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\ = "X-Mouse Button Control Settings"	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\open	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell\open\command	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell\open	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\DefaultIcon	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcp\ = "X-Mouse Button Control Settings"	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell\ = "open"	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\open\command	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\open\command\ = "\"C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe\" /install:\"%1\""	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell\open\command	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbclp	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\DefaultIcon	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcp	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\open\command\ = "\"C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe\" /install:\"%1\""	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell\open\command\ = "\"C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe\" /profile:\"%1\""	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcp	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcs\ = "X-Mouse Button Control Application or Window Profile"	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell\open\command	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell\open\command	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbclp\ = "X-Mouse Button Control Language Pack"	XMouseButton.exe
Key created	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\ = "X-Mouse Button Control Application or Window Profile"	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\ = "X-Mouse Button Control Language Pack"	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\DefaultIcon\ = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe,0"	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell\open\command\ = "\"C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe\" /profile:\"%1\""	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\open\command	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbclp\ = "X-Mouse Button Control Language Pack"	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\ = "open"	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\DefaultIcon\ = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe,0"	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell\open	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell\open\command\ = "\"C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe\" /import:\"%1\""	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcp\ = "X-Mouse Button Control Settings"	XMouseButton.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcs	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcs\ = "X-Mouse Button Control Application or Window Profile"	XMouseButton.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell\ = "open"	XMouseButton.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E	XMouseButtonControl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 040000000100000010000000d5e98140c51869fc462c8975620faa780f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a52000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	XMouseButtonControl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 5c0000000100000004000000000800001900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df1040000000100000010000000d5e98140c51869fc462c8975620faa782000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	XMouseButtonControl.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4732	msedge.exe
4732	msedge.exe
3476	msedge.exe
3476	msedge.exe
2628	identity_helper.exe
2628	identity_helper.exe
3728	msedge.exe
3728	msedge.exe
2944	msedge.exe
2944	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4588	XMouseButtonControl.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
4840	XMouseButtonControl.exe
3476	msedge.exe
4840	XMouseButtonControl.exe
4588	XMouseButtonControl.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
4840	XMouseButtonControl.exe
4840	XMouseButtonControl.exe
4588	XMouseButtonControl.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4840	XMouseButtonControl.exe
4840	XMouseButtonControl.exe
4840	XMouseButtonControl.exe
4840	XMouseButtonControl.exe
4680	XMouseButton.exe
2336	XMouseButtonControl.exe
2336	XMouseButtonControl.exe
4588	XMouseButtonControl.exe
4588	XMouseButtonControl.exe
4588	XMouseButtonControl.exe
4588	XMouseButtonControl.exe
3588	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 4040	3476	msedge.exe	81
PID 3476 wrote to memory of 4040	3476	msedge.exe	81
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 1500	3476	msedge.exe	82
PID 3476 wrote to memory of 4732	3476	msedge.exe	83
PID 3476 wrote to memory of 4732	3476	msedge.exe	83
PID 3476 wrote to memory of 1472	3476	msedge.exe	84
PID 3476 wrote to memory of 1472	3476	msedge.exe	84
PID 3476 wrote to memory of 1472	3476	msedge.exe	84
PID 3476 wrote to memory of 1472	3476	msedge.exe	84
PID 3476 wrote to memory of 1472	3476	msedge.exe	84
PID 3476 wrote to memory of 1472	3476	msedge.exe	84
PID 3476 wrote to memory of 1472	3476	msedge.exe	84
PID 3476 wrote to memory of 1472	3476	msedge.exe	84
PID 3476 wrote to memory of 1472	3476	msedge.exe	84
PID 3476 wrote to memory of 1472	3476	msedge.exe	84
PID 3476 wrote to memory of 1472	3476	msedge.exe	84
PID 3476 wrote to memory of 1472	3476	msedge.exe	84
PID 3476 wrote to memory of 1472	3476	msedge.exe	84
PID 3476 wrote to memory of 1472	3476	msedge.exe	84
PID 3476 wrote to memory of 1472	3476	msedge.exe	84
PID 3476 wrote to memory of 1472	3476	msedge.exe	84
PID 3476 wrote to memory of 1472	3476	msedge.exe	84
PID 3476 wrote to memory of 1472	3476	msedge.exe	84
PID 3476 wrote to memory of 1472	3476	msedge.exe	84
PID 3476 wrote to memory of 1472	3476	msedge.exe	84

C:\Users\Admin\AppData\Local\Temp\XMouseButton.exe
"C:\Users\Admin\AppData\Local\Temp\XMouseButton.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
PID:1452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.highrez.co.uk/scripts/postinstall.asp?package=XMouse&major=2&minor=20&build=5&revision=0&platform=x64
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa26523cb8,0x7ffa26523cc8,0x7ffa26523cd8
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,17923622408955583373,3348432846797482407,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,17923622408955583373,3348432846797482407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1404 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,17923622408955583373,3348432846797482407,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17923622408955583373,3348432846797482407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17923622408955583373,3348432846797482407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17923622408955583373,3348432846797482407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17923622408955583373,3348432846797482407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17923622408955583373,3348432846797482407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17923622408955583373,3348432846797482407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,17923622408955583373,3348432846797482407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2628

C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe
"C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe" /Installed /notportable
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\XMouseButton.exe
"C:\Users\Admin\AppData\Local\Temp\XMouseButton.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C "C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe" /exit
  2⤵
  PID:2280
- - C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe
    "C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe" /exit
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.highrez.co.uk/scripts/postinstall.asp?package=XMouse&major=2&minor=20&build=5&revision=0&platform=x64
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa26523cb8,0x7ffa26523cc8,0x7ffa26523cd8
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,501814538429419983,7679349131253699,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,501814538429419983,7679349131253699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,501814538429419983,7679349131253699,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,501814538429419983,7679349131253699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,501814538429419983,7679349131253699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,501814538429419983,7679349131253699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,501814538429419983,7679349131253699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,501814538429419983,7679349131253699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,501814538429419983,7679349131253699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,501814538429419983,7679349131253699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,501814538429419983,7679349131253699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
  2⤵
  PID:1520

C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe
"C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe" /Installed /notportable
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Control Panel
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4828

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\BugTrapU-x64.dll

Filesize
364KB

MD5
80d5f32b3fc515402b9e1fe958dedf81

SHA1
a80ffd7907e0de2ee4e13c592b888fe00551b7e0

SHA256
0ab8481b44e7d2f0d57b444689aef75b61024487a5cf188c2fc6b8de919b040a

SHA512
1589246cd480326ca22c2acb1129a3a90edf13b75031343061f0f4ed51580dfb890862162a65957be9026381bb24475fec6ddcb86692c5961a24b18461e5f1f0

Download Submit
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\ChangeLog.txt

Filesize
78KB

MD5
bbf19f056a0f189c98dc94fd94c9ab89

SHA1
b29ca97f9aea83ee9360531b1b5ef56a7d3db9bd

SHA256
049e799f3327a573049fac686ea7db5f26a49dbd072c8c143077a59c971b6199

SHA512
6f62addf269bf460678f172c279c036453902078f9274d2a43e9e8b2640458d18a2820dc983c34682466c062259158cffc490d9bbe7ffdc467487d9dadf0f55e

Download Submit
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\License.txt

Filesize
1KB

MD5
c3613330b14e201e47ff7ea97f3f41e6

SHA1
e50d66555b51a7ff3f5750320b08e9f42e4d4f22

SHA256
55f224b0f4ab60e2fe4934bb2ad1a2a5cb95b8e3a3cf85a85d61a0a579fab950

SHA512
ec0379388e133760ced87cff1ed960c6fb5804dd1096d59e7bfd2ec49ea67f53f53fb04bed7933105e13db25b300987233b293dc5cd163755a392436f39f9298

Download Submit
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\X-Mouse Button Control User Guide.pdf

Filesize
1.1MB

MD5
58d10e30337cbb6b018edfd88801fc9f

SHA1
bbc109dde85037999a242bb82d4cf7f1b49f946c

SHA256
eb81a7161f8a9b6aac8977380476f901d426b700c5ae16aa2e0e098d85f89d23

SHA512
870a56c0272e91ca0879c0c0c386aac11fb2b813edd6b3998dea5199520eaa32a99c5e0a6113be642066aa742a297e27b0370b568f1ce6dc186fe5905aea7d37

Download Submit
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe

Filesize
1.7MB

MD5
bb632bc4c4414303c783a0153f6609f7

SHA1
eb16bf0d8ce0af4d72dff415741fd0d7aac3020e

SHA256
7cc348f8d2ee10264e136425059205cf2c17493b4f3f6a43af024aecb926d8c8

SHA512
15b34efe93d53e54c1527705292fbf145d6757f10dd87bc787dc40bf02f0d641468b95c571f7037417f2f626de2afcd68b5d82214e27e9e622ab0475633e9de5

Download Submit
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonHook.dll

Filesize
1.0MB

MD5
d62a4279ebba19c9bf0037d4f7cbf0bc

SHA1
5257d9505cca6b75fe55dfdaf2ea83a7d2d28170

SHA256
c845e808dc035329a7c95c846413a7afb9976f09872ba3c05dfa5f492156eef0

SHA512
6895a12cddc41bf516279b1235fca238b0b3b0cef2cc25abe14a9160ed23f5bde3d476f885d674537febc7de7eb58b0824d96153c626e1563a5a8a1887fb5323

Download Submit
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\uninstaller.exe

Filesize
74KB

MD5
bfffc38fff05079b15a5317e279dc7a9

SHA1
0c18db954f11646d65d0300e58fefcd9ff7634de

SHA256
c4e59737ffd988ef4bc7a62e3316a470b1b09a9889f65908110fba3d7b1c6500

SHA512
d30220e024ac242285ea757006e7da3874e5f889951de226d48c372a6a8701b76d4a917134ecc1e72c6c3a8d43444762288e7134a25d837e9f43d972675c81d6

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Highresolution Enterprises\X-Mouse Button Control\Uninstall.lnk

Filesize
1KB

MD5
7a28702dd428d24a01d2c2810c421f4a

SHA1
1229aee3412881e10d594091f529adb04e49ac5f

SHA256
4a0c7c872dacc7615c96064fe89df94a1bc49e89f3dd7893c63cd93d2f9126fb

SHA512
a344189040a8112fdde59a641b18749cb5a8d2a0b7e4cc45d614becab11b4e6c96bb69ead39e0556f22809c9543949b1420021d5ac35dee27e3f18edab813d33

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Highresolution Enterprises\X-Mouse Button Control\Whats New.lnk

Filesize
1KB

MD5
4aef619eb95195631d0162e77aea71c1

SHA1
9d9824e6a92c66ad1c6e3a7757f2a6b7862726a3

SHA256
8abbf8e292c6d59870fcf0bc7c963fa49ce8374952882f8cc1742a91073ac6c8

SHA512
e5c39f0c65016b10b10b9f299c30e1d997b715a61a3aabdeecbbe6c0a3767bf7ee3ef769ae0c42b2d980c3abf26564d84d8fc2d1cd5c8bacdbd9a5c189481f21

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Highresolution Enterprises\X-Mouse Button Control\X-Mouse Button Control User Guide.lnk

Filesize
1KB

MD5
99575747358398e7fa6901fd6236d8ce

SHA1
0e2c2d09c6ea6c436db626fa8a37d4cbdbe32b8a

SHA256
b2e7eb0d7159ee8cd23a6a2c1690dc419532d358044c66df1bdb8db9cbd9ccb3

SHA512
910fe4458fbd581d5de403292e97a5b2adcff7ffdda4fefb8fd44a26342c680d555fe30b4d1f25d019f4c41753491b1787a3025fdae6f9474dfc7ea1f5baf53f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30069012ED3CF5DB92F9F4FC78D55E2D_87238437CEFCADF00F1385E31A888EF4

Filesize
1KB

MD5
dd17c7a895e5940b658c0593c6fcc669

SHA1
1c18ddc02ef4ab98d6159ef1745b57fba448e82d

SHA256
70b7e1bf206c5854f38a3aef19fc7942abcc1f3fc9ef8d1c90b198b05e549abb

SHA512
4ddfbeca293da66fa65ff2dff1c04d5f4f9dbb7605a42f23c5c78c6566787766a1034ae9228831b9b4d73f42bb1cd1f7e3d8325ef4805d6d0587cb8026f1b085

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\68FAF71AF355126BCA00CE2E73CC7374_E5F521CA60C5ED8C2B4E2BF399FE2061

Filesize
1KB

MD5
4a56acbb7d3a71283c3c27ee8fe69cdb

SHA1
2607355db6e76060023f61431c3f38457e51d12a

SHA256
6d7edde9d9ebc8cfe28c1cb07f8a5c4e4b2655194a289a8e69640739de8b08dc

SHA512
651f955b900d42a3128eeaa4eab4386498823ce6d3aacbcd52e2b606fe98166d639df892e2442b0428b7b83b1e696b795ef2f63c2e1387085c88599be86ab7f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\856FDBDDFEAC90A3D62D621EBF196637

Filesize
770B

MD5
f59fe5c24d1c274725775161394efd6b

SHA1
b76adc2f6815d26f69df4c4acedbe82496fe0597

SHA256
591ab31defc1de696497438637a0b6cf876a7235ecb44824228a6f07db7ff670

SHA512
da421a1b0a9893bf97a199aa5035a0e27f0442f57b0da611838b108361b85ff509230ef84749c46428d4e27bff7a4ad5a1cf2fb2965ea68526bfb7356e1e1134

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30069012ED3CF5DB92F9F4FC78D55E2D_87238437CEFCADF00F1385E31A888EF4

Filesize
412B

MD5
51cd669c20a1080a17a8758b3c073f78

SHA1
90248909fa545a4013f5122d25d8a7753ef82f32

SHA256
1ae49f9e8682e54cdcc4697e20c68ba72ad40b5b50cbb3cfc6b50a721114fa6c

SHA512
41276eec1af87adc4339d68d155707a75eb180c3c59a0b9738c0bea19f1804c12cc5c03b878371a82f91e00b77cf6cc3d2c9e5707027fc38ce634b9058c4f8d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4E4160FB650E5091C535216313A4ECD3_D6B0CED803064392468B7B1ABDEE0900

Filesize
420B

MD5
3620ddaa8fa766ef2ef47532d46fa007

SHA1
b02692a9b66179513b17f3400344c5f93bba81e7

SHA256
bc5b188cecf2af0a9e17a67a8d0c8c36424aaf5ef8c05254dee708af5a33bcf5

SHA512
b8ef622ddaabaff0ece128b068e6fbfdb9fe57715f0b7731e82d1ab95b6ec61241d5281ddc6d186d8b87f29956e57f70a5908b471ab0f37f81de6e52631a11e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\68FAF71AF355126BCA00CE2E73CC7374_E5F521CA60C5ED8C2B4E2BF399FE2061

Filesize
412B

MD5
c1820020848c6a4f4e27a9931ca69f53

SHA1
31c84f80b37f30c5c0060c9ad6d9d5f95bbffcce

SHA256
63c7e07e2e39e144313cce36e17d583129f2e5dc0a6cfaeb93b1b000a9a3f8fa

SHA512
06265a90404b3031f7198c2638cf66910ca2487afad4fec2959a18963bc33913901b84d006c2d72d2e97d1c46a5d32397c7b684ad68343cd5a00e5cbdabae726

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\856FDBDDFEAC90A3D62D621EBF196637

Filesize
178B

MD5
4bc6d9d3ce4f0f4dd0bfa8b3692d481f

SHA1
fb5b8937781c4c64819361bf35b5be0cc2d15116

SHA256
f1aed7f0b465e6b50a2409f93109836723f8391a427ac98e5d430c97d2e8db3d

SHA512
e54f7ddb83177b04b090461efb5fb730bd4b0c54bfd589c2349b2f3dea0f8a0e4c35dec877672f93610d31c5a81ead56a83011e4b6bb20a9fd5d49cc0ef7fcf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c4605aed5013f25a162a5054965829c

SHA1
4cec67cbc5ec1139df172dbc7a51fe38943360cf

SHA256
5c16c584cda1f348a7030e9cab6e9db9e8e47a283dd19879f8bb6d75e170827f

SHA512
bf2a5602fde0de143f9df334249fef2e36af7abeda389376a20d7613e9ccad59f2ca0447576ac1ed60ecf6ab1526c37e68c4614d79ae15c53e1774d325b4036f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3066a8b5ee69aa68f709bdfbb468b242

SHA1
a591d71a96bf512bd2cfe17233f368e48790a401

SHA256
76f6f3fcef4b1d989542e7c742ff73810c24158ac4e086cbd54f13b430cc4434

SHA512
ad4d30c7be9466a797943230cb9f2ca98f76bf0f907728a0fa5526de1ed23cd5cf81b130ee402f7b3bb5de1e303b049d2867d98cf2039b5d8cb177d7a410b257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
72f3f35054bbf42d37e1816b029daea7

SHA1
3d116367ac77e445fbb7820e5ff658bebe231d98

SHA256
18e283dbab71fc1d5a81902f1d7962b48b855c06dc380e7cb755d90a6e200f81

SHA512
7db753020ad498c9ed85cd12c107e45a4c2875b6d32043c5a941915dc69eb5af96d39d5505530d6ca4b6be593caa6a034c26c1204307e4f3b1f8b99efd40fa48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc60369f4d6650ebb023fec64c931991

SHA1
bb15c6a1c9ce16062aeb3692296aa495291b0dcb

SHA256
687ca0e9c947c8578150eb118276d471b533488b5e8fc9c6f812690433df7984

SHA512
313db9d2a78a5c3c5164e3b89a0e670260e046cd45aec1a5b6a44aa786f339337b09a810a6bc96863da307a37aa0f42a5993841b253d6433e5487b5a7fe5f0cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
3bdcd7227ecd1d47e8509a32fe30b5c4

SHA1
4261c3f8b967141132383ae3cf88b1d2b1800847

SHA256
a9f4405027c7baf93ba06f3b423f3e32719bf4f53da3705e6da6a567d33b2328

SHA512
a8f1b88473a020c1cb6234b3de82f408f2b45a738ee172ac3b1b576cc6a326792facacb18c8e2629bac261c7912c95d23f22b4e849a9bf13790864516f6228d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
44c0961b02e3e36835054cad9db5e1ef

SHA1
d84b708fa3a32af6429723554251f6d8170eb740

SHA256
beaf71ca85c126b0c534bfd6074465d5627fd9e192bd7a8751a4bc8e36c5f57b

SHA512
7d4fb4ce6a8a7b105d9f4fe4c4fd78a50a514bb20ffc7b8f062b23eeb23aa66e757cdc36abb11f91cec0b17c9ada64e04c872114ab8da70d00e0752aaead2e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
64cc823b7307b3afc0ab35594f9e174b

SHA1
6634f67907258ff339b16813cc134b3536ea47ee

SHA256
e694d62e93e363e078725e49403778d335a729c3f11e1651bee1a250783fa033

SHA512
a1e474f70d021d97d872bbaf98c97c5ed359124744bebf9c88ba3d7b8eb297d24523af942d89be5732b40c98ad4f28dfc7790d5c7d8a108c6bf2e9352fbddca2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
28c3577673d86bf23c4c24525ce960a6

SHA1
cc424fa0512473a5d2fdb560de3eafda6e45b2fd

SHA256
4a4c3cfda277719d9a6ae75a14f641fe8e3e6ae1bf0c17e2fdf4fbf39b3561c9

SHA512
6c01eea527471d1e1b28e955a8aebcc32476dd2c8a4408f4af1b9067b3e508c171cc9027b4929f1965cb79d4a9a8b15870ba70fba153a228b70987eb84bfc887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
43a5d683ebfd09ac8422ce16a6d63c75

SHA1
d6dc6d607dd0331be2326a71ae108234b69eb04f

SHA256
06576ab094bce0f899d1f683ae944d16e1fe64b564ba06e56adc3ac964a3acab

SHA512
3e515dbaaf1a8f9eb5c8195e137ccdd8d167379634a4976c4503373e798260357b2647cd3878bfa54cbd370e9e918acd0e7eef3ce08207596ed7b837f08ec548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bb5c9b651964398f00d1039a30276bf5

SHA1
54c4787a84017e239a4e7a7f846e495e1d115bd4

SHA256
ef2e1561108a1f98d68fe464b056af0d2d39f5d37a9ba98a349f6ebe12fe1593

SHA512
f0c890ed935142a8aba4fb9e5a3500c190b748d2404ea648e75bc86d32f7922534663643485c6261352642705b82df714f97d5f54782a7ae0236006e322601ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
881b0a2f9f5666dd483c1ebe168cb282

SHA1
4ee348c884072986b2f994898dd2197cd9c877f6

SHA256
1c0f3ce826379a1048480b5060efbe977baf4b0380a6ca7e7da484e5462e0796

SHA512
2da7132ea6556018211733279f69bc97c6ae98dc100c1e4673325cb6291185f12a9fef412a190eee1f7d80d3632dba4c75e5629c32f952f67a507009bc35dd84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
530B

MD5
e8861e4a81be6cd3e843aded3c5b9e84

SHA1
4b57749bfc0c70c78100c97bbdc910d759cd4b66

SHA256
3e530f6a9b5d0e23d9c65e322d08caa2f30bc7b5c2016b119b895747577ab235

SHA512
0178d7cb03d2c1603a284f258c94682a420d60e5b4b8c8fbd7766f736d91d845360fe96e26083461e47be4121f9fb705d79879ec6b2f4bf4c1abf15e6d0dc503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e94bb803-abd5-4115-8ffe-2ac7a0a7e697.tmp

Filesize
2KB

MD5
b8851ea2351ff06fcb208dda3a00e29d

SHA1
0d2253f95791f77c51bfaa3377c005e13ac4e37d

SHA256
1a4d28dd5b8b7037cd9fcd25a96cdd7e9530d405a4fb2571864eecb27997eeeb

SHA512
991479919dd0ec47e2a1b6e4b564ca601483b7f4995a2ba7d08c9c52a6684f2aac1298bc676775ae28e6bb449beebdf5cb0e1c026eee3c458bfabd5ea0c90b5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bdd8aa2a8916136d0f0cfc7754f3cd4a

SHA1
a5a2fcbd92c65075e4d63f7e76d049a438d423d2

SHA256
ea28a236ea0a1151ad56f2c49e2e5e2081b91361a05273bf2946377fcd00fea2

SHA512
a5ea61715aaa2eb78b6e9e4c89058afc0dcb5698da952bf0fb03379d26bf55cf33d99f7e8077690e513a40446a40b59fbeeb62e06b4eba2064b0e732e9f47c05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f32158088376f74c69758cb85e2e31a9

SHA1
649c859b6cbce7ae34bb460909620fa5c3d9b0ca

SHA256
c03c9c0859a0692b06ff31e8589404294aa276a8b2a1e888e23a4218de859e31

SHA512
eeef3b3ec8b89b35a6c5b842b8cddba1144caa754915eac1507f43e963c7ca322c5ab289519d194afdf33971ad91d424fb742ef3697d6900a42413aea86b1981

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
cae59a2181c9112847a7a621e2cb4413

SHA1
3ae3393aeeca128777d6c10156cf289335369bca

SHA256
b4c73c80cd3080f5d401beeb866af1719a7e0c11bac0f86aac75ccffe631121d

SHA512
fab027e9faa8f1d11a6901dce90e231713719a8e7ecc6d28ce578df738fa8efd04ea84adce4d095a2b7d8568b518eab74227b912649e993eae7d6535c8fb0974

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg3D2A.tmp\InstallOptions.dll

Filesize
14KB

MD5
d753362649aecd60ff434adf171a4e7f

SHA1
3b752ad064e06e21822c8958ae22e9a6bb8cf3d0

SHA256
8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586

SHA512
41bf41add275867553fa3bd8835cd7e2a2a362a2d5670ccbfad23700448bad9fe0f577fb6ee9d4eb81dfc10d463b325b8a873fe5912eb580936d4ad96587aa6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg3D2A.tmp\ShellExecAsUser.dll

Filesize
7KB

MD5
86a81b9ab7de83aa01024593a03d1872

SHA1
8fd7c645e6e2cb1f1bcb97b3b5f85ce1660b66be

SHA256
27d61cacd2995f498ba971b3b2c53330bc0e9900c9d23e57b2927aadfdee8115

SHA512
cc37bd5d74d185077bdf6c4a974fb29922e3177e2c5971c664f46c057aad1236e6f3f856c5d82f1d677c29896f0e3e71283ef04f886db58abae151cb27c827ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg3D2A.tmp\System.dll

Filesize
10KB

MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg3D2A.tmp\ioSpecial.ini

Filesize
696B

MD5
a6d76fb6d9d1b54ce746b9f2ed977a42

SHA1
efd4fdd796d511110129c26d86538b1090d45cf3

SHA256
96e9471ae63575c479299c42f1db23e2a71e9a40638313ecf5fbb7e732cd0751

SHA512
907e1f08265858a71f5e59e177e9949ba371135df9a45d403d7542bf00e5bcf623b2c7ea3ccf05dab18aff00b1377449f91c64ac76e42614de08b142972fee5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg3D2A.tmp\ioSpecial.ini

Filesize
709B

MD5
1c509e4d02d40ed5d01a076046b36b22

SHA1
3320916408b34b4874e780dd571685a299c81671

SHA256
d5829ac02fa01acb14779853fcaf01e7a2abe7d159f33b6ae56d88037793459b

SHA512
2ddeb92386172ac3bb1399caad71fec6dadd8eab3da6e06156cdfdcc6fbbe3d57ed0259c779bacbffe2c058f82ff4ef0d9e01e8de37df734c6fafc685dfdea2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg3D2A.tmp\ioSpecial.ini

Filesize
726B

MD5
8d275630d39627223e67a16dcc6528ae

SHA1
b392fa2172171b9abbdc823e46fa50b7dcec02dc

SHA256
6732ce6fb5d96003cb9a30e7c53fe295566e531d618d333f77f452c6dea012d9

SHA512
33605cddd79cba51315370ff53cc469453adc0a4b138e2975077ab71f9f7cf8c4dfdf018000d4ff2fc33af10f4807baca0dc4c68cc88b92f264e292ecb2c56ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg3D2A.tmp\nsDialogs.dll

Filesize
9KB

MD5
f832e4279c8ff9029b94027803e10e1b

SHA1
134ff09f9c70999da35e73f57b70522dc817e681

SHA256
4cd17f660560934a001fc8e6fdcea50383b78ca129fb236623a9666fcbd13061

SHA512
bf92b61aa267e3935f0ea7f47d8d96f09f016e648c2a7e7dcd5ecc47da864e824c592098c1e39526b643bd126c5c99d68a7040411a4cf68857df629f24d4107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspB69B.tmp\ExecCmd.dll

Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspB69B.tmp\ioSpecial.ini

Filesize
762B

MD5
8a4d8564685296a3fc1bda42fcbf378b

SHA1
c6cb204aee3642bdf88efdae3bd322f3d4c53151

SHA256
8cbc2bcb5d96c2f244d8856d98405c0100055fcafcd3c6dea0385e56c3948e1e

SHA512
e91d65c8e7ee1d7351445e838f41d528f228433c9277725aa09a60c3aa2eab2b15535df9237a41d50ddad068af2bfce9943053308c245600e4a384814d294fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspB69B.tmp\ioSpecial.ini

Filesize
709B

MD5
5f29ec75ff1a8ed02e06e5070083d21b

SHA1
c82391ffefeb3eb6253d1d8d9cca44a6d7c975bf

SHA256
87a3a37498cace4bcbea0177184379a975458752c7650aad926155d1956538ca

SHA512
f994a89d5989b61388a93b6695552757de09114041605394ea02fee5d0b42eadadd8ae99d1dc0fbd913da2d650d956d8ace9569b0091707cb1d8008bb4b35ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspB69B.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Roaming\Highresolution Enterprises\XMouseButtonControl\Persist.xmbcps

Filesize
16B

MD5
4ae71336e44bf9bf79d2752e234818a5

SHA1
e129f27c5103bc5cc44bcdf0a15e160d445066ff

SHA256
374708fff7719dd5979ec875d56cd2286f6d3cf7ec317a3b25632aab28ec37bb

SHA512
0b6cbac838dfe7f47ea1bd0df00ec282fdf45510c92161072ccfb84035390c4da743d9c3b954eaa1b0f86fc9861b23cc6c8667ab232c11c686432ebb5c8c3f27

Download Submit
C:\Users\Admin\AppData\Roaming\Highresolution Enterprises\XMouseButtonControl\XMouseButtonControl.log

Filesize
1KB

MD5
ef2745e49a162b2c5475ecee528fa167

SHA1
98aa700e2348cca0a2962ad4605a5f60cb8ba7dc

SHA256
cd198d37e53431dfdcfb03b98ed237ec03023dca0c9dcd57cce85f4405e74b8f

SHA512
5d72d7989ef5fb781b03d84f4d7b08dfbbb9969e79d836b174852b8c1f508d57b89f457a33a036f40cb849f2b1233eea476315c80556adf2fac8b9ae3000a2e2

Download Submit
C:\Users\Admin\AppData\Roaming\Highresolution Enterprises\XMouseButtonControl\XMouseButtonControl.log

Filesize
1KB

MD5
b383f911d8f794bbbb5ddbcf2adedba4

SHA1
43116c8ae11b41b8cc274f09f0b8353a916707c9

SHA256
d8ae651eebb9ea3aedaed41ef8b9f8602f38768a67303fbe2e0e28ae4d31cd39

SHA512
d5edfee068d2f2e88a17e8cd02dd5bc3a83f078b5003d27294c0b784332d34c80668eece033b6ae5c2e105d6a26f9498d6c7d260aea04e64d636032a81c13c46

Download Submit