2240bf5fb5d80938b0676c46ef9f84bc1739c32f60c473ff85e530ae0eca2818

Analysis

max time kernel
70s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XMouse_Button_Control_V2.20.5.exe
Size

2.9MB
MD5

2e9725bc1d71ad1b8006dfc5a2510f88
SHA1

6e1f7d12881696944bf5e030a7d131b969de0c6c
SHA256

2240bf5fb5d80938b0676c46ef9f84bc1739c32f60c473ff85e530ae0eca2818
SHA512

62bd9cde806f83f911f1068b452084ef2adc01bc0dec2d0f668a781cc0d94e39f6e35618264d8796ca205724725abd40429f463017e6ca5caf7d683429f82d39
SSDEEP

49152:n65SJw48kZN+nCYk7c44+Y0hdwn4Km2A5aT/pVE0hYYajihV2Qso0SWMrboF:tfpeno4oY0QZm2dlNJsrHM4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2836	XMouseButtonControl.exe
2352	XMouseButtonControl.exe

Loads dropped DLL 12 IoCs

pid	Process
3844	XMouse_Button_Control_V2.20.5.exe
3844	XMouse_Button_Control_V2.20.5.exe
3844	XMouse_Button_Control_V2.20.5.exe
3844	XMouse_Button_Control_V2.20.5.exe
3844	XMouse_Button_Control_V2.20.5.exe
3844	XMouse_Button_Control_V2.20.5.exe
3844	XMouse_Button_Control_V2.20.5.exe
3844	XMouse_Button_Control_V2.20.5.exe
2836	XMouseButtonControl.exe
2836	XMouseButtonControl.exe
2352	XMouseButtonControl.exe
2352	XMouseButtonControl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XMouseButtonControl = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe /notportable /delay"	XMouse_Button_Control_V2.20.5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\changelog.txt	XMouse_Button_Control_V2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\uninstaller.exe	XMouse_Button_Control_V2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe	XMouse_Button_Control_V2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonHook.dll	XMouse_Button_Control_V2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\BugTrapU-x64.dll	XMouse_Button_Control_V2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\License.txt	XMouse_Button_Control_V2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\ChangeLog.txt	XMouse_Button_Control_V2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\X-Mouse Button Control User Guide.pdf	XMouse_Button_Control_V2.20.5.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XMouse_Button_Control_V2.20.5.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop	XMouse_Button_Control_V2.20.5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000"	XMouse_Button_Control_V2.20.5.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell\ = "open"	XMouse_Button_Control_V2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell\open\command	XMouse_Button_Control_V2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\open\command\ = "\"C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe\" /install:\"%1\""	XMouse_Button_Control_V2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell\open\command\ = "\"C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe\" /profile:\"%1\""	XMouse_Button_Control_V2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack	XMouse_Button_Control_V2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcs	XMouse_Button_Control_V2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile	XMouse_Button_Control_V2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell\ = "open"	XMouse_Button_Control_V2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell\open\command	XMouse_Button_Control_V2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\ = "open"	XMouse_Button_Control_V2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\DefaultIcon	XMouse_Button_Control_V2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcs\ = "X-Mouse Button Control Application or Window Profile"	XMouse_Button_Control_V2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell	XMouse_Button_Control_V2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\DefaultIcon\ = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe,0"	XMouse_Button_Control_V2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbclp\ = "X-Mouse Button Control Language Pack"	XMouse_Button_Control_V2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell	XMouse_Button_Control_V2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell\open\command\ = "\"C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe\" /import:\"%1\""	XMouse_Button_Control_V2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings	XMouse_Button_Control_V2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell	XMouse_Button_Control_V2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell\open	XMouse_Button_Control_V2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\open\command	XMouse_Button_Control_V2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\DefaultIcon\ = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe,0"	XMouse_Button_Control_V2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcp	XMouse_Button_Control_V2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcp\ = "X-Mouse Button Control Settings"	XMouse_Button_Control_V2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\ = "X-Mouse Button Control Settings"	XMouse_Button_Control_V2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbclp	XMouse_Button_Control_V2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\open	XMouse_Button_Control_V2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\ = "X-Mouse Button Control Application or Window Profile"	XMouse_Button_Control_V2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\DefaultIcon	XMouse_Button_Control_V2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\DefaultIcon\ = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe,0"	XMouse_Button_Control_V2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\ = "X-Mouse Button Control Language Pack"	XMouse_Button_Control_V2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\DefaultIcon	XMouse_Button_Control_V2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell\open	XMouse_Button_Control_V2.20.5.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E	XMouseButtonControl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 040000000100000010000000d5e98140c51869fc462c8975620faa780f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a52000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	XMouseButtonControl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 5c0000000100000004000000000800001900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df1040000000100000010000000d5e98140c51869fc462c8975620faa782000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	XMouseButtonControl.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1468	msedge.exe
1468	msedge.exe
1720	msedge.exe
1720	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2836	XMouseButtonControl.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
2836	XMouseButtonControl.exe
1720	msedge.exe
2836	XMouseButtonControl.exe
2836	XMouseButtonControl.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
2836	XMouseButtonControl.exe
2836	XMouseButtonControl.exe
2836	XMouseButtonControl.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2836	XMouseButtonControl.exe
2836	XMouseButtonControl.exe
2836	XMouseButtonControl.exe
2836	XMouseButtonControl.exe
2352	XMouseButtonControl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2704	1720	msedge.exe	106
PID 1720 wrote to memory of 2704	1720	msedge.exe	106
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 3676	1720	msedge.exe	107
PID 1720 wrote to memory of 1468	1720	msedge.exe	108
PID 1720 wrote to memory of 1468	1720	msedge.exe	108
PID 1720 wrote to memory of 4048	1720	msedge.exe	109
PID 1720 wrote to memory of 4048	1720	msedge.exe	109
PID 1720 wrote to memory of 4048	1720	msedge.exe	109
PID 1720 wrote to memory of 4048	1720	msedge.exe	109
PID 1720 wrote to memory of 4048	1720	msedge.exe	109
PID 1720 wrote to memory of 4048	1720	msedge.exe	109
PID 1720 wrote to memory of 4048	1720	msedge.exe	109
PID 1720 wrote to memory of 4048	1720	msedge.exe	109
PID 1720 wrote to memory of 4048	1720	msedge.exe	109
PID 1720 wrote to memory of 4048	1720	msedge.exe	109
PID 1720 wrote to memory of 4048	1720	msedge.exe	109
PID 1720 wrote to memory of 4048	1720	msedge.exe	109
PID 1720 wrote to memory of 4048	1720	msedge.exe	109
PID 1720 wrote to memory of 4048	1720	msedge.exe	109
PID 1720 wrote to memory of 4048	1720	msedge.exe	109
PID 1720 wrote to memory of 4048	1720	msedge.exe	109
PID 1720 wrote to memory of 4048	1720	msedge.exe	109
PID 1720 wrote to memory of 4048	1720	msedge.exe	109
PID 1720 wrote to memory of 4048	1720	msedge.exe	109
PID 1720 wrote to memory of 4048	1720	msedge.exe	109

C:\Users\Admin\AppData\Local\Temp\XMouse_Button_Control_V2.20.5.exe
"C:\Users\Admin\AppData\Local\Temp\XMouse_Button_Control_V2.20.5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
PID:3844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.highrez.co.uk/scripts/postinstall.asp?package=XMouse&major=2&minor=20&build=5&revision=0&platform=x64
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x130,0x134,0x138,0x10c,0x13c,0x7ffec65246f8,0x7ffec6524708,0x7ffec6524718
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,3473891847866246224,15883504391374096391,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,3473891847866246224,15883504391374096391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,3473891847866246224,15883504391374096391,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3473891847866246224,15883504391374096391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3473891847866246224,15883504391374096391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3473891847866246224,15883504391374096391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3028

C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe
"C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe" /Installed /notportable
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5100

C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe
"C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe" /notportable
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\BugTrapU-x64.dll

Filesize
364KB

MD5
80d5f32b3fc515402b9e1fe958dedf81

SHA1
a80ffd7907e0de2ee4e13c592b888fe00551b7e0

SHA256
0ab8481b44e7d2f0d57b444689aef75b61024487a5cf188c2fc6b8de919b040a

SHA512
1589246cd480326ca22c2acb1129a3a90edf13b75031343061f0f4ed51580dfb890862162a65957be9026381bb24475fec6ddcb86692c5961a24b18461e5f1f0

Download Submit
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe

Filesize
1.7MB

MD5
bb632bc4c4414303c783a0153f6609f7

SHA1
eb16bf0d8ce0af4d72dff415741fd0d7aac3020e

SHA256
7cc348f8d2ee10264e136425059205cf2c17493b4f3f6a43af024aecb926d8c8

SHA512
15b34efe93d53e54c1527705292fbf145d6757f10dd87bc787dc40bf02f0d641468b95c571f7037417f2f626de2afcd68b5d82214e27e9e622ab0475633e9de5

Download Submit
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonHook.dll

Filesize
1.0MB

MD5
d62a4279ebba19c9bf0037d4f7cbf0bc

SHA1
5257d9505cca6b75fe55dfdaf2ea83a7d2d28170

SHA256
c845e808dc035329a7c95c846413a7afb9976f09872ba3c05dfa5f492156eef0

SHA512
6895a12cddc41bf516279b1235fca238b0b3b0cef2cc25abe14a9160ed23f5bde3d476f885d674537febc7de7eb58b0824d96153c626e1563a5a8a1887fb5323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\126ee78e-3acf-4080-8554-2e7f40b09566.tmp

Filesize
6KB

MD5
5aa62f92273173911ffc27220ee068cd

SHA1
150ce9852bd17f31dca1f0c26802a79cae8ad7d7

SHA256
2a62c9adc21eb8ee09b3f077dde5bb915a6c3bbd564e0ffb821da3d08c343a9e

SHA512
857dbb7c121e106ffa62097262568ee264484f5b5675a399b3f624c45018eff30e3473b7bdbc45b3f61151012c4c1e7c586e36eb9c2b5a7f254961d13d9c18e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
dfa5224ffffa1ae77c18d43a25baf3c6

SHA1
36a448580ed0ee9f66f6e7ee42694dbf7d8d5498

SHA256
312d07970570d8ced68dc3b737f1169891bd09faf717108bce333afc9e96d691

SHA512
22d902602ff36cf49ce4e9096ca9ff43cbd3f65483e7e0df75e7d2f5e854b3004b4c9fac1912c044fbe2d094d34a0dddbc53aa0927da73e9e5a3ce4bded760dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2199b1f7f20d2d9f839866b38f18020b

SHA1
ece62ccaefd8a1396f46354ae30e1276ae5deecd

SHA256
6e50f2885b19f5993413982ca69defb27b9fad97ffa14c90455822727c07fee8

SHA512
6523000351ecfadd3fca74e55129f9d9ae9517379991472b3c099e505f8a5b1d56f3b6370308bd50c136d728e859c416bbf4cfff21be134fb31e303c7cb64944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bcf771ebb3609bedf9cd0a674070a67b

SHA1
3f90c4d8b1846e4632ad81e68fdc0a030f9c23b8

SHA256
a819f7f9fae145322d95b691a6bf389788c22b0050fea35bc29c07ad25306c49

SHA512
cee17aced5cd47ff12f46635d17b61d577d6bbfa3d3ad85284dd9f821a67c30b97f8e6ec3bfd3bdf91e9d241b8f2abc905db83bfc9d959f29f5f3a4d662f08d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7a5836311c3e21224dafcb77e44c99ac

SHA1
f091bcbd5c484d6ebbcb91655a971bed7a5b7b88

SHA256
a614998a2a97ec61e67e2a0baa3461f94c5eeb5a1036de5e68622b60d8fe5782

SHA512
52a3a32b76c197c92284c74cf04de405727b78650f1c6bb4a3103251446d1f8e21ff0a02b3fbb7bbc991b755dcdccbc5e9285e59197d14e071274292921525a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB45E.tmp\InstallOptions.dll

Filesize
14KB

MD5
d753362649aecd60ff434adf171a4e7f

SHA1
3b752ad064e06e21822c8958ae22e9a6bb8cf3d0

SHA256
8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586

SHA512
41bf41add275867553fa3bd8835cd7e2a2a362a2d5670ccbfad23700448bad9fe0f577fb6ee9d4eb81dfc10d463b325b8a873fe5912eb580936d4ad96587aa6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB45E.tmp\ShellExecAsUser.dll

Filesize
7KB

MD5
86a81b9ab7de83aa01024593a03d1872

SHA1
8fd7c645e6e2cb1f1bcb97b3b5f85ce1660b66be

SHA256
27d61cacd2995f498ba971b3b2c53330bc0e9900c9d23e57b2927aadfdee8115

SHA512
cc37bd5d74d185077bdf6c4a974fb29922e3177e2c5971c664f46c057aad1236e6f3f856c5d82f1d677c29896f0e3e71283ef04f886db58abae151cb27c827ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB45E.tmp\System.dll

Filesize
10KB

MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB45E.tmp\ioSpecial.ini

Filesize
696B

MD5
72051df0208a1a16572ebd53eb3cafbc

SHA1
a10aa543ad59338756eefe06a5c61834959c72f5

SHA256
5e9a0f4ee88db89684396c17aa4e091474a0ecaa6b2e0e5016ad89160ff2437e

SHA512
62d8b69ce16eae3bb1655100f504c32e44ea1516719aac898c95729bd6f68c46f6e5d7518ba8357645530537c96869bec2376f5c9347dc37a45bb2b78f4392ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB45E.tmp\ioSpecial.ini

Filesize
710B

MD5
f51c2da8d66ea01ae0aa87029db34b24

SHA1
e444cb44825b52bbc56bbbb6f59bec5de15c61b9

SHA256
0096e7385d14f0798240a1f65aa4cb40c14955253677a1dd101057fae7cea90f

SHA512
1ca58e71895d263530ff5ce49b1d3cf6d31b4511ab5e08b03200236fbbf3e96b63fc67f6f0360daec6ae03bf877c04da9f8521529e70c4a9785d9bcb11867bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB45E.tmp\ioSpecial.ini

Filesize
765B

MD5
1ad44e1845f63007faaa670affd6ce7d

SHA1
acd7cb03c036f217741e3301e13e80b2c20e1343

SHA256
ab052b0ddf0d21885bd0bc884007daff8f4b8c8e00be4a60352a7f0542424606

SHA512
069e3d32588d36a3c51d944a38185a357d86ac7f0f763e26bdb86665df2d847ec13e5fbcd86a8eaf55652b0dc7c9332995db1de22e67bf65a5df37a5dadb5e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB45E.tmp\nsDialogs.dll

Filesize
9KB

MD5
f832e4279c8ff9029b94027803e10e1b

SHA1
134ff09f9c70999da35e73f57b70522dc817e681

SHA256
4cd17f660560934a001fc8e6fdcea50383b78ca129fb236623a9666fcbd13061

SHA512
bf92b61aa267e3935f0ea7f47d8d96f09f016e648c2a7e7dcd5ecc47da864e824c592098c1e39526b643bd126c5c99d68a7040411a4cf68857df629f24d4107d

Download Submit
C:\Users\Admin\AppData\Roaming\Highresolution Enterprises\XMouseButtonControl\XMouseButtonControl.log

Filesize
1KB

MD5
b411168d906ceb7e1fe9013ab3b9c488

SHA1
e1269e3a011adb562b88bd307857eced09158133

SHA256
7d24e7f87d660cee3fa57e95f192d8eff71d07a75ae3ab7a6990517e22807423

SHA512
206cf104b02d28d4234f1da1e1be762e3b395d38644173ac178f6985cdcdf0f1b61f3f70ab8fe25001dad793eb6d0e214fb624c873db995b72e47930c273a960

Download Submit