2240bf5fb5d80938b0676c46ef9f84bc1739c32f60c473ff85e530ae0eca2818

Analysis

max time kernel
179s
max time network
369s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XMouseButtonControlSetup.2.20.5.exe
Size

2.9MB
MD5

2e9725bc1d71ad1b8006dfc5a2510f88
SHA1

6e1f7d12881696944bf5e030a7d131b969de0c6c
SHA256

2240bf5fb5d80938b0676c46ef9f84bc1739c32f60c473ff85e530ae0eca2818
SHA512

62bd9cde806f83f911f1068b452084ef2adc01bc0dec2d0f668a781cc0d94e39f6e35618264d8796ca205724725abd40429f463017e6ca5caf7d683429f82d39
SSDEEP

49152:n65SJw48kZN+nCYk7c44+Y0hdwn4Km2A5aT/pVE0hYYajihV2Qso0SWMrboF:tfpeno4oY0QZm2dlNJsrHM4

Score

10^/10

discovery persistence ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>K4gRct9sP+lAzZFhFRKpuynR3PLHKs9r5nxhnCneuqd1OUCEjd0EB6RA427DL8lIv35Euzr75h+pOd3J6zL6COsqOaqgkiO67EKr8J6LeETfQfn3XPMcqxmSZyLBKgzl1g7W0e9CDnuNK2NxkNoNvKarSqZgXoxUlVrQRUAGjFTw7TCT3UjJiDF/Co30Lvyzbgsu3+T0fw82uIP89I+x08Qq2YJ3F9tC9okAkX+VkzLur8bjkIzl2V8FiGZCLj9IR+ERjJpj0DffE5sgffrkeqLXhkf69fCZrfAnQ3Lhux2gZtbd8GlIlH26U5txcYYai9cuWXDxDlxxHmlvrjw2pQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note

Attention ! All your files have been encrypted. Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets. That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us. Getting a decryption of your files is - SIMPLY task. That all what you need: 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] 2. For test, decrypt 2 small files, to be sure that we can decrypt you files. 3. Pay our services. 4. GET software with passwords for decrypt you files. 5. Make measures to prevent this type situations again. IMPORTANT(1) Do not try restore files without our help, this is useless, and can destroy you data permanetly. IMPORTANT(2) We Cant hold you decryption passwords forever. ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. Your ID_KEY: M91HaMMTAcpdYPA9mHENhEuUSrN/RBzZxLbN350AT9LROA2GDBmwQQNl7WVzBm1niWUHSdKFqPqR8oGg54IY+p/uJQ9vc8MNkTPsME5fbKvVV3cFXQ6CbAKmkT+3PoKLNttevV5//l3cO4dKXrB5PaQEU7guL4JGiOmMpCmrPDC+ix5Oom08UFn1PnMAyEyWdDinw+pGLHsh+ikIhUiovVt+N94Q7aJX3HFtG7Azv519rvBn+mDlcTmfQZEfPqBm3+NeBTrJ5gZfOrll3JRj+HJiJvHKI2p9Jw1lYV9uLtTt/VJya5K0H929O31Et+euiAjZ7O5fG+KVL6jjcdrH+A==ZW4tVVM=

Emails

[email protected]

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1272	Process not Found
1784	XMouseButtonControl.exe

Loads dropped DLL 9 IoCs

pid	Process
2060	XMouseButtonControlSetup.2.20.5.exe
2060	XMouseButtonControlSetup.2.20.5.exe
2060	XMouseButtonControlSetup.2.20.5.exe
2060	XMouseButtonControlSetup.2.20.5.exe
2060	XMouseButtonControlSetup.2.20.5.exe
2060	XMouseButtonControlSetup.2.20.5.exe
2060	XMouseButtonControlSetup.2.20.5.exe
1784	XMouseButtonControl.exe
1784	XMouseButtonControl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XMouseButtonControl = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe /notportable /delay"	XMouseButtonControlSetup.2.20.5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
80	raw.githubusercontent.com
83	raw.githubusercontent.com
84	raw.githubusercontent.com
85	raw.githubusercontent.com
109	raw.githubusercontent.com
110	raw.githubusercontent.com
78	raw.githubusercontent.com
79	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\X-Mouse Button Control User Guide.pdf	XMouseButtonControlSetup.2.20.5.exe
File opened for modification	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\changelog.txt	XMouseButtonControlSetup.2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\uninstaller.exe	XMouseButtonControlSetup.2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe	XMouseButtonControlSetup.2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonHook.dll	XMouseButtonControlSetup.2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\BugTrapU-x64.dll	XMouseButtonControlSetup.2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\License.txt	XMouseButtonControlSetup.2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\ChangeLog.txt	XMouseButtonControlSetup.2.20.5.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XMouseButtonControlSetup.2.20.5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00050000000195b5-133.dat	nsis_installer_1
behavioral1/files/0x00050000000195b5-133.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop	XMouseButtonControlSetup.2.20.5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000"	XMouseButtonControlSetup.2.20.5.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3B9B3821-A076-11EF-B666-DEF96DC0BBD1} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\DefaultIcon	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell\open	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbclp	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\open\command	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\ = "X-Mouse Button Control Application or Window Profile"	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell\open\command\ = "\"C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe\" /import:\"%1\""	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell\ = "open"	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell\open\command\ = "\"C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe\" /profile:\"%1\""	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\DefaultIcon	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\open	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\DefaultIcon\ = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe,0"	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcp\ = "X-Mouse Button Control Settings"	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\DefaultIcon\ = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe,0"	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\open\command\ = "\"C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe\" /install:\"%1\""	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcs\ = "X-Mouse Button Control Application or Window Profile"	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell\open\command	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\ = "open"	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell\ = "open"	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell\open\command	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\DefaultIcon	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\ = "X-Mouse Button Control Language Pack"	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell\open	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcs	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcp	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\ = "X-Mouse Button Control Settings"	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbclp\ = "X-Mouse Button Control Language Pack"	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\DefaultIcon\ = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe,0"	XMouseButtonControlSetup.2.20.5.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1892	chrome.exe
1892	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1324	iexplore.exe
1784	XMouseButtonControl.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
1784	XMouseButtonControl.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1784	XMouseButtonControl.exe
1324	iexplore.exe
1324	iexplore.exe
2640	IEXPLORE.EXE
2640	IEXPLORE.EXE
1784	XMouseButtonControl.exe
1784	XMouseButtonControl.exe
1784	XMouseButtonControl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 2640	1324	iexplore.exe	33
PID 1324 wrote to memory of 2640	1324	iexplore.exe	33
PID 1324 wrote to memory of 2640	1324	iexplore.exe	33
PID 1324 wrote to memory of 2640	1324	iexplore.exe	33
PID 1892 wrote to memory of 1768	1892	chrome.exe	36
PID 1892 wrote to memory of 1768	1892	chrome.exe	36
PID 1892 wrote to memory of 1768	1892	chrome.exe	36
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 2580	1892	chrome.exe	38
PID 1892 wrote to memory of 1756	1892	chrome.exe	39
PID 1892 wrote to memory of 1756	1892	chrome.exe	39
PID 1892 wrote to memory of 1756	1892	chrome.exe	39
PID 1892 wrote to memory of 2388	1892	chrome.exe	40
PID 1892 wrote to memory of 2388	1892	chrome.exe	40
PID 1892 wrote to memory of 2388	1892	chrome.exe	40
PID 1892 wrote to memory of 2388	1892	chrome.exe	40
PID 1892 wrote to memory of 2388	1892	chrome.exe	40
PID 1892 wrote to memory of 2388	1892	chrome.exe	40
PID 1892 wrote to memory of 2388	1892	chrome.exe	40
PID 1892 wrote to memory of 2388	1892	chrome.exe	40
PID 1892 wrote to memory of 2388	1892	chrome.exe	40
PID 1892 wrote to memory of 2388	1892	chrome.exe	40
PID 1892 wrote to memory of 2388	1892	chrome.exe	40
PID 1892 wrote to memory of 2388	1892	chrome.exe	40
PID 1892 wrote to memory of 2388	1892	chrome.exe	40
PID 1892 wrote to memory of 2388	1892	chrome.exe	40
PID 1892 wrote to memory of 2388	1892	chrome.exe	40

C:\Users\Admin\AppData\Local\Temp\XMouseButtonControlSetup.2.20.5.exe
"C:\Users\Admin\AppData\Local\Temp\XMouseButtonControlSetup.2.20.5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
PID:2060

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.highrez.co.uk/scripts/postinstall.asp?package=XMouse&major=2&minor=20&build=5&revision=0&platform=x64
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1324 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2640

C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe
"C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe" /Installed /notportable
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6cb9758,0x7fef6cb9768,0x7fef6cb9778
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:2
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2304 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2316 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3196 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:2
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:2
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1244 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:2
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3280 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1396 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:8
  2⤵
  PID:276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3548 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:8
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3728 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:8
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3708 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3572 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2160 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:8
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3668 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2640 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4004 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:1
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4136 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4152 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4276 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:8
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4284 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:8
  2⤵
  PID:656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4296 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2684 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:8
  2⤵
  PID:1352
- C:\Users\Admin\Downloads\Rensenware.exe
  "C:\Users\Admin\Downloads\Rensenware.exe"
  2⤵
  PID:2132
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 428
    3⤵
    PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=2344 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2388 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:8
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2440 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4196 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:8
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4368 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2496 --field-trial-handle=1372,i,17628568849319250300,17940026720250154042,131072 /prefetch:8
  2⤵
  PID:2604
- C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  2⤵
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
    3⤵
    PID:2876

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3068

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1924

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x480
1⤵
PID:3052

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
a5f3a751430c79f9cb1b99d8879bdb5d

SHA1
f3c3af803187c82fb76bd4be06f461a7eeb5013d

SHA256
a1ed7976a5e3339338d287bc505bafbb1a1ee45caa7379896ca12d21d87c8a4d

SHA512
c9d927ad08a4a4ce5674160c543564d037621ce6e262c9a3fa392f7bf309adecb8a4770afedb72f6783b2c56e65725c4925d1df30f09984dc9c9d661bfd13d7e

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
59203971fb7b127a848c45df4d8ff2cc

SHA1
7c5ba18d5a12dbe4e2cd08983659434b81a010e8

SHA256
a76cb1a2f014a81b8c51bddd833c3ef395bcb5534efdc53d3b801424a72f440a

SHA512
cc693abcbe0dab2e04e8b101895398590cdcf7f725bf005a579b6217ec637996b04f5fad8515d2fb83f4525cf9329b33a4ea0ec5f8f5cb7447b87b8c24eae671

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
8e6d390dac641654645111cbed8ed564

SHA1
77589f1ee736cbdd9e31c65b056d2db9ae0fd99a

SHA256
6e90996ba43bfccb3000396df65e966612f9df927fded7bc463edadd05aec0d8

SHA512
8287fce007962c0838b460254579e8b464f3dcb6e11faa4970a4d85625d52fc6cca06f88d281e04f23df85f667456cad8b0d19a715e21f78c53a1b7048950d56

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
7a3df8d185cf619097fc7cea62df3f40

SHA1
ff86c3dec4f95a2617f14732a1c091218e0413a3

SHA256
6ffa1f0807b1aacb445c67368e2bd3819ee8a1b671cbf4ad8c5b5103a1386de4

SHA512
ebbd70b132eb6239f96d20289cc6b6db26204ff633d99baff5b3cbabb1edb0db22caa5caa31bfa50da954b2198179b3911951b82b354f4826060c89e93b17295

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
95f1330a863e24859d54944bb3daf798

SHA1
f8a8e61e7627fc544f89da53e9a16bc3331fcf34

SHA256
c5a7ef431ab1642d8d3cf3d84f910da3c12dc82839a3098b45fcbff0e09cac7a

SHA512
d070f3af69e03403450be1f0f995008d8354878c6aade29299950ba0e11fb22ecda10fea910ebacc467c18847037d7295d022278f0e40bd43e60e5acbae07103

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
9354d435e981a2237b235e3dcb2f4487

SHA1
f90546e1b1b2c87d6667a97ccd08bb831bb08a73

SHA256
86db967efcac82031f837288eb215d0ab07cbe081e5a4d4a7f133a4d75219b3e

SHA512
452cee43cad30009f3667bb271aad2a2f745c14412a55bb94e62fc197ca6cdafae2920f6d6ab0b69f3808bd7a34ff741b15a57e36a00b845dd459823fdcccdbb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
d811c6f93aa276aa16849f941bcaf549

SHA1
e80429cad8711c096d0234582356e269224f25b5

SHA256
dd33e5a13dce76ceb2894bbfbcb0c353bd15edfdfa32d0b898fd3bfdab883e8c

SHA512
f37383c41e9edceb46d20751e1c8ebed5bdae9e08e3b388f5d91c5b40adcfabc7c1eba7cd90807f2c2cf525ac312c0890a483e68a96e26dd2394a9e38ab289dd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
438efc509d9027a5dd1cf980a2ce17a8

SHA1
ab4537558704f716a1ddf5130bb9f9aa192f826c

SHA256
69a28ecf8270faa5073be0bd30d020551759f368cf97ca2764620d76ffc0416d

SHA512
72523137413ae2c57e6cbf7e77e76d41d201a7a5a6c7b76987e0ab933caad79350cf3fa38dec77d827ddbec41af6222666d1255e88e3abbe3b67e258a9595209

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
1d89352d383caf1fe617faaaaddae951

SHA1
5d1924f0cd9f3b2cc5e82cef458a6c30c5d457c7

SHA256
f746ca27e28d020fde53112ef074d538b986116e5172098288c6128d190047db

SHA512
e98d770ced7660a3f53559d6fe8165ea00546f76169ae5f6e804f5843b03bcaaf6d0c69ab5aa560f8175e258aece44418658910940caec398c82746de2a7d4c9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
7035e1b929b6ee1346278abaf9a22057

SHA1
4f14b8a0d0977286bc42196a3787915f163b3143

SHA256
012894f21a496053d2df4b0dcd10069047bfaf311e4d572e4d7c9fdddc641fd1

SHA512
8440f297f6c51becd5591eb25d03fa45ea9c3ea4bcb0cda3a918a417c44d5c0feff71729cc1651d25e97cdc7194b94352db246b1bb85eb7600e7d4f8b68ebe4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79e055ac119802522a91278fd916f44c

SHA1
c7c66f86085d612fc068d25a23fc997f8feb3ed0

SHA256
c184e2948b71d9c3ebf2e4c78dd4fa3297150e532dd741e31782dac2d6493f10

SHA512
4c577474825fd9ea1922e049185c60d91408abdf9b9617c90c5e0b79c2de7527d7fd700b7e093027d3e7893af565fc3ba443cd3036459639de4eab1a002c1f73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\336608f4-9caf-441c-a6de-b04b6933ffc8.tmp

Filesize
352KB

MD5
3b9f57887003f752c63167e6b29acf90

SHA1
7ec41cb8ff80729aed50a6184502c3771404ff9d

SHA256
dd832727e90e66ba42fe85a7f0e47df26d8a5f0411661dc272a2f51dd9f474d7

SHA512
765e19f315db1aac73f3662b114713fd8adf890ffe6a693e5a9420359f1b8c641953402526235ef53e44122fdd524332ede8704eec989dcbbcbc6f8dd6d3911c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\03a3ef0f-56f4-422c-b809-45562dd6c0eb.tmp

Filesize
6KB

MD5
d4775c7d30ee73a423ed985cd4c774ee

SHA1
0f23af410102648039efd2aa95e25b73011fe194

SHA256
1f7f737d3ea2d7da8a35eb76f657dcd6f3a0525707731db9aa9daaa5e3451e19

SHA512
da6eb406c59b79228292796c6fc277b13f91f2a0ba64b840b69475cf6c90319e728cc4cf2d675dff9b11579b4c71558ce65f42043306f5085ca7c44d1259aa9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2e9c7cefadaf438456b3b9ea135b98fb

SHA1
9393fb6dcbdec659bde94826ab437f845b8e2618

SHA256
4abe0d83010178384d105e10c7f8056c8cffbde99c810f9230b3635bfc560eee

SHA512
7ca76d93fb7af09599d45680dd0ae3e768f6c1f73cc553d86e4efb1e7e92f51986159cc2d76902e8f378593c7d45321ba85a951f68374185c087f7e6526fcc56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
96d1fa1c1b1361c953d18cbc8b597ef2

SHA1
ed6d7d97520a1f65ef734d3113698b2a9f49234c

SHA256
61bfb6bcdd441ae5dbcd87dee74068f4fe7bbf5a785ff37f1d4fa5fd36045e8f

SHA512
3fc25b99fee5189979ef434b65879fd0528fae63182ae5546fc94d9a19978ce168b29fa307c967a8a37435ef93b1224529d9c520f09b29c21586d9d718beec50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6670ba0829b3fa43504f32127ada8e5b

SHA1
20f7873a35ab3df110aa0b02f334b4ab73fd9b60

SHA256
b85a36018a2f14611eb099ad69ff74accd0ac49bc7e1857a77083b003beae9e9

SHA512
74c315c27c9f80af1b93d4caf7043a361c09cb017f89a09494911da12f7469318f1b8474c275aca7da22ddc155a984c82961be7f9cf10fd175ecb93e1a2f456a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
527B

MD5
3e3408974863940427485e5510e195e5

SHA1
8bcbb49939abb0f2327bae7ec6dc2c7577cca739

SHA256
7cc6bd42db4c31439c54e15143327024a81f6e6d2e4c51fd71c63ee3cb84181e

SHA512
07ee3bc1f5ba069fccbd3d937d37c5764773f99f11ee9a909cfb374ae36f0ef94e42709f5dd26f1401057cdfd46e15f4a94581dbbef92899a6b623399131d1c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1013B

MD5
23b7c62a16ca80685b0cc788d37aa4cc

SHA1
a4ec544bbcc791e3c8800b54eb1d4cd5de8bd44f

SHA256
850ea08b022f3c10432ba2eb99633afc9d8646e3fa8d3c1e9fd40f565391dc8a

SHA512
33f7dbc6f76332fe560218831d10fde4967ac731d8229d31f05629d14e4d8eb1ac161c57648cecf9d32431aaab45fa012085b084761f8726d9959b59435bdd46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1017B

MD5
ab605438d54cb2644aee905b49af1b58

SHA1
33dd40f1f6e5635f47afe8306df363d1b32f7577

SHA256
c3353edd1efd0599add789c658700a35dd34e18991b224573f622b50b430bbb3

SHA512
b8fb6143efdfbeae8646c6fdd8129b4ca5fdd7e2b7d9a143a0a21ed446eda21516b1be8e86bc63f05c39e6d45437f7e1bbb3044ef290a9beb9e08f89f01c884a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
23a9c9ad53e82e1e5aaedd0efce8ecf4

SHA1
1da22a989a110e60cd9a0890fe30fd0e3d5b0abf

SHA256
536010b2141441cce50dc487a0551657b1737ff9e560413ffea74ac8fe21bab8

SHA512
0c9d90d8ffbebd322653d310f8e570fba48059d5bd5e40eec29334e3def322863c382caa01d1ecee1d7e06a33b15ace3e9416ee8907cc7fde6ca47f43bd4139c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1017B

MD5
0855d7975a482238cd861f6bb210277a

SHA1
60b0361594b44837740b0ad708272eaaa1977428

SHA256
196918c78b66c63067e3784e0fd46b6ac442b49716979feac10bbe93dacfc3c1

SHA512
eaa22d8333969276fb16037819f6e4c756e02203aa29eea87a547630e9dece0a20be3a713f1140bd7d82261de7c8f87fa4a31ac3e8cb57bb1db70ab332445176

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1017B

MD5
ccc274355f2f88ccb08055ca4eb93df1

SHA1
6d96edc7a78db8ba210828d7843f039936b4f2ba

SHA256
c452b79afc7a874a20213b314f17d89f01ab7de9d4c43f0544aa7a87aae66bc8

SHA512
27118e8807143f29dc8e95fe627a881e3c6e1429ad3f14e7c8c2ff6643ffbc957b286ce14e1692e1824a65f96d2d2ebbf075ea1954e6882ab8536db90f754dd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity~RFf7a9d29.TMP

Filesize
1017B

MD5
efa7cf182b03e4f4d0432585a47d7069

SHA1
916b4f37930877866507fc7360721d5dbe340f15

SHA256
152bec78dfc359f1c84d375d5772d3c2a8a0fbf950928abf307554d8774f5147

SHA512
7eb7fa68a0a64e2769c80b3d76cdd9a767300756dffa7a99392e09b55679ce841d8549fab1b24c90c757aac8867e214af5093708505e83c30683a101fdb47c33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a8a04ac6baf5750393a448d3125766e7

SHA1
a116fc9dbf41db393a7651cb349dc4cbad0d9614

SHA256
04a00c1cf75721af738d0460a16cc077eed42e0fcb3750e21da92de327aae7e9

SHA512
36d8841e107f1ff3adf78a037c67e71b2aee9b7d14e6547a8dfec0d314ba71326a747cc7bd6f6b7ecbe1213ea406417f5f7ed2469265c442642773c65c9274b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
27bf9d24c638a4d5a434434ecfc4fa09

SHA1
b07c997cdb68e41f5116cbb559e128c9f629ceb8

SHA256
71357dd530e18f537bb012842c9b8be810035a01ebe4636bdcb02773f760513b

SHA512
c31dc1003cb7dcd9e2c1c5d15cbdd3379d695ef5f43533ffde3d2f751992a9cbd5fa6972e6af71606f4cc7a182b82a7ccf200dd1c8b3e878357fabed9c65451e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
68fd73353d185799abf22d63718c928b

SHA1
18c24d70e4c0221ab1af50d091cd726991235b85

SHA256
b280de49925feda59fbf8f5ad8a3008b5d4001f93ff3bf5cd69519adf32646f6

SHA512
af3b23900509ea0ef034b80dfb33dce455932e1c7a0d135f7b605d590b187b5124256fd1ac790efe1f7b06eece67caa2942e207742d3c43f569d1d4b3bcdac7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
30a7951f9b449376b078439f85be14d9

SHA1
33c747724be4d96ff2c731699c39ef05dd8a2f5f

SHA256
b9e45df3accdb1d937419c61e194c91e38c7bf62d6e3784b4d916f178cbc2a81

SHA512
cc64c1685ce7e7e0c641be58c23fef41dd9b83d540c3f6c65d5fac63d53a244ab1368ff652a93c35a6c0ff9c44060d89209671203e1109bb55fa0fb413af8e2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9a13fc724db10ae145dccb5b7b361eeb

SHA1
327f423d274094a8f870aee207304aa55120885c

SHA256
ff0ad3cabdfd92bee0a09baf275e5ab70e7b9cc45a502efe2b9718b2228dbaa9

SHA512
0e6021812a1a0ce936377d0a7415499b3f4c75ff81c358ad79cdeb0ba35aa7254d7d3d90b2b5b46735ff8f6981cdd145314c82fa49875c45f273265f3a8abd86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
196e891c30a4707a53a96b61dfe99eb8

SHA1
55e0167370ddb3eeb63da274bf66b96c1b14fa5c

SHA256
252959c846f37aaad28b09d7d3689dccf52478a0c879cec991484193c75ca143

SHA512
f58533ac101723ee4b7184b0160c2b1af84b13fe206b0469c45c9fd182e99553412423b150c8b3f4bc52587110ee46d5d976227855d9b83519d94a62a97aea1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
352KB

MD5
d900634116c8c6ed9d9705baab529df8

SHA1
e992ba17ca885df68d275e7fee9ae76f03dc334b

SHA256
ba843549f1a1fb59c2d4108acdd0297adb547a967e6e841ab62231e091a504d8

SHA512
59f092411339a49d8221978281223bb2717cb6c6f805423ad6929f8f2cacf949077849bd4045bf94dc05e014549bae0bd9ba4e21f230d4a87ed3b57905913a29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
82KB

MD5
8c83a2e2f650ca74c80c4c79a3864a0a

SHA1
09e6d937a329b736e8e3118801d4e8700ae15c23

SHA256
d1f02f21dab04251b6073e645fc8552e7a541c93e3983d694212dc44a75f35bb

SHA512
58edad67b2fff6ab03850e776f2852e0119531f297d58f4796a9031c8cb2998138140559d608873e8f111d128f545081d0c355902cc18f44ab70c7dbce91e008

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
74KB

MD5
bbc6faeea580b54d3ebcc58b560a1e8a

SHA1
5b7136c4fa605814f3a17ca3aa4ca62cf9ce477b

SHA256
f829c7c336f54c4b3499e974c7ece1fb7af01f3b1c99d4dbae36fbe55465977c

SHA512
723e8a27fde13ed5ad6209135bd0c14550c49a21e7e7db7dd4f1ff42bdfb46cdb030c8f111614c4be81f0d7241780d4609b78e1ef322636b5dc53f0a4134a9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5FDE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar603E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCFDF.tmp\ioSpecial.ini

Filesize
696B

MD5
cb7cead16ef36795161b70a6f78a09ce

SHA1
602f1fc779c27f3e9ddf4736138361da7e5ec7d5

SHA256
e14a915fbf2b666e28a9164142b2c5003020cfedac113df71bd17c4ba45c032b

SHA512
472ab816fb73f4abc91df271329f839c5ec81140351f7bebf04a710313a0a193ac10b56965c4e209d128a937c6a6f86c6cc038981fa7fd8238054009a302ccf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCFDF.tmp\ioSpecial.ini

Filesize
726B

MD5
0409290bc112e35d8bacd40302d62f66

SHA1
b93f7b7874bb0edd64434f9eae0b78aae01614b5

SHA256
b2e967dc9853495a8d018ce15bd5ca8534aab2771e92ebdd7f7ea3f94bdb01b5

SHA512
54163e1f28aecc333e64eac2aa89097d2997dc837828081931f7dff5d2d67f5601e74668fad0ae1b4803c9aa99826899b1458578776a0e377ab8d8538af6ec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCFDF.tmp\ioSpecial.ini

Filesize
709B

MD5
9a6155f09e5e7316de9dd6246d87dddd

SHA1
ec8ff0b082188308dcf940595ef5aa3b45dee223

SHA256
ed3e3ccbc50df3649618271345c140c9141357fe218bc5e8284fd7fc676a75a4

SHA512
9129b9f454686fa85644e1ca5b2bde87b052a73413ac74ffd1c77cd8ceac3ab2999156217fd6448132c5c77ca1a087f32766d00e4c74ec50964c531506abaea2

Download Submit
C:\Users\Admin\Downloads\Fantom.exe

Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
C:\Users\Admin\Downloads\Rensenware.exe

Filesize
96KB

MD5
60335edf459643a87168da8ed74c2b60

SHA1
61f3e01174a6557f9c0bfc89ae682d37a7e91e2e

SHA256
7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a

SHA512
b4e5e4d4f0b4a52243d6756c66b4fe6f4b39e64df7790072046e8a3dadad3a1be30b8689a1bab8257cc35cb4df652888ddf62b4e1fccb33e1bbf1f5416d73efb

Download Submit
\Program Files\Highresolution Enterprises\X-Mouse Button Control\BugTrapU-x64.dll

Filesize
364KB

MD5
80d5f32b3fc515402b9e1fe958dedf81

SHA1
a80ffd7907e0de2ee4e13c592b888fe00551b7e0

SHA256
0ab8481b44e7d2f0d57b444689aef75b61024487a5cf188c2fc6b8de919b040a

SHA512
1589246cd480326ca22c2acb1129a3a90edf13b75031343061f0f4ed51580dfb890862162a65957be9026381bb24475fec6ddcb86692c5961a24b18461e5f1f0

Download Submit
\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe

Filesize
1.7MB

MD5
bb632bc4c4414303c783a0153f6609f7

SHA1
eb16bf0d8ce0af4d72dff415741fd0d7aac3020e

SHA256
7cc348f8d2ee10264e136425059205cf2c17493b4f3f6a43af024aecb926d8c8

SHA512
15b34efe93d53e54c1527705292fbf145d6757f10dd87bc787dc40bf02f0d641468b95c571f7037417f2f626de2afcd68b5d82214e27e9e622ab0475633e9de5

Download Submit
\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonHook.dll

Filesize
1.0MB

MD5
d62a4279ebba19c9bf0037d4f7cbf0bc

SHA1
5257d9505cca6b75fe55dfdaf2ea83a7d2d28170

SHA256
c845e808dc035329a7c95c846413a7afb9976f09872ba3c05dfa5f492156eef0

SHA512
6895a12cddc41bf516279b1235fca238b0b3b0cef2cc25abe14a9160ed23f5bde3d476f885d674537febc7de7eb58b0824d96153c626e1563a5a8a1887fb5323

Download Submit
\Program Files\Highresolution Enterprises\X-Mouse Button Control\uninstaller.exe

Filesize
74KB

MD5
bfffc38fff05079b15a5317e279dc7a9

SHA1
0c18db954f11646d65d0300e58fefcd9ff7634de

SHA256
c4e59737ffd988ef4bc7a62e3316a470b1b09a9889f65908110fba3d7b1c6500

SHA512
d30220e024ac242285ea757006e7da3874e5f889951de226d48c372a6a8701b76d4a917134ecc1e72c6c3a8d43444762288e7134a25d837e9f43d972675c81d6

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
\Users\Admin\AppData\Local\Temp\nsjCFDF.tmp\InstallOptions.dll

Filesize
14KB

MD5
d753362649aecd60ff434adf171a4e7f

SHA1
3b752ad064e06e21822c8958ae22e9a6bb8cf3d0

SHA256
8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586

SHA512
41bf41add275867553fa3bd8835cd7e2a2a362a2d5670ccbfad23700448bad9fe0f577fb6ee9d4eb81dfc10d463b325b8a873fe5912eb580936d4ad96587aa6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsjCFDF.tmp\ShellExecAsUser.dll

Filesize
7KB

MD5
86a81b9ab7de83aa01024593a03d1872

SHA1
8fd7c645e6e2cb1f1bcb97b3b5f85ce1660b66be

SHA256
27d61cacd2995f498ba971b3b2c53330bc0e9900c9d23e57b2927aadfdee8115

SHA512
cc37bd5d74d185077bdf6c4a974fb29922e3177e2c5971c664f46c057aad1236e6f3f856c5d82f1d677c29896f0e3e71283ef04f886db58abae151cb27c827ac

Download Submit
\Users\Admin\AppData\Local\Temp\nsjCFDF.tmp\System.dll

Filesize
10KB

MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
\Users\Admin\AppData\Local\Temp\nsjCFDF.tmp\nsDialogs.dll

Filesize
9KB

MD5
f832e4279c8ff9029b94027803e10e1b

SHA1
134ff09f9c70999da35e73f57b70522dc817e681

SHA256
4cd17f660560934a001fc8e6fdcea50383b78ca129fb236623a9666fcbd13061

SHA512
bf92b61aa267e3935f0ea7f47d8d96f09f016e648c2a7e7dcd5ecc47da864e824c592098c1e39526b643bd126c5c99d68a7040411a4cf68857df629f24d4107d

Download Submit
memory/2060-233-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/2316-1666-0x0000000001EA0000-0x0000000001ED2000-memory.dmp

Filesize
200KB

Download
memory/2316-1667-0x0000000001F10000-0x0000000001F42000-memory.dmp

Filesize
200KB

Download
memory/2876-1799-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/3004-1426-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1458-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1456-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1454-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1452-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1448-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1446-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1444-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1442-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1438-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1436-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1432-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1414-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1460-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1464-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1466-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1468-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1440-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1430-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1416-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1418-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1420-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1792-0x00000000021E0000-0x00000000021EE000-memory.dmp

Filesize
56KB

Download
memory/3004-1422-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1424-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1428-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1408-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1410-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1462-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1450-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1434-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1412-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1407-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3004-1406-0x0000000001FF0000-0x0000000002022000-memory.dmp

Filesize
200KB

Download
memory/3004-1398-0x00000000003D0000-0x0000000000402000-memory.dmp

Filesize
200KB

Download