| File name: | with-editor.exe |
| Full analysis: | https://app.any.run/tasks/88d862c5-6462-4928-a7c0-5321028d6ee9 |
| Verdict: | Malicious activity |
| Analysis date: | May 17, 2024, 01:05:55 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | AF5E828D540131192C4467424306A35E |
| SHA1: | 76E1BB985E723A68AA89A4BEFBC6BD4F13E0B6EE |
| SHA256: | 5E0CCD493F01F7CDE38BD8B42AD3AB0FADD00B1970F9F1B7E8204DFDC000436F |
| SSDEEP: | 98304:Y6CiIA0iKNDLV0Yz5Q0I9sxAEGZSdsAFh8XVf8cZsPyQubnwyxKK/MPHQpIZytw0:0n44KtNMaeBf9Yl |
MALICIOUS
Drops the executable file immediately after the start
- with-editor.exe (PID: 3964)
- with-editor.tmp (PID: 3980)
SUSPICIOUS
Executable content was dropped or overwritten
- with-editor.exe (PID: 3964)
- with-editor.tmp (PID: 3980)
Reads the Windows owner or organization settings
- with-editor.tmp (PID: 3980)
INFO
Checks supported languages
- with-editor.exe (PID: 3964)
- with-editor.tmp (PID: 3980)
- ReMouse.exe (PID: 4036)
- tinytask-1-77.exe (PID: 1060)
- wmpnscfg.exe (PID: 2268)
Reads the computer name
- with-editor.tmp (PID: 3980)
- ReMouse.exe (PID: 4036)
- wmpnscfg.exe (PID: 2268)
Create files in a temporary directory
- with-editor.exe (PID: 3964)
- ReMouse.exe (PID: 4036)
Creates files or folders in the user directory
- with-editor.tmp (PID: 3980)
Creates a software uninstall entry
- with-editor.tmp (PID: 3980)
Reads mouse settings
- ReMouse.exe (PID: 4036)
Drops the executable file immediately after the start
- chrome.exe (PID: 2312)
- chrome.exe (PID: 2072)
Executable content was dropped or overwritten
- chrome.exe (PID: 2072)
- chrome.exe (PID: 2312)
The process uses the downloaded file
- chrome.exe (PID: 3500)
- chrome.exe (PID: 2072)
Manual execution by a user
- chrome.exe (PID: 2072)
- wmpnscfg.exe (PID: 2268)
Application launched itself
- chrome.exe (PID: 2072)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (77.7) |
|---|---|---|
| .exe | | | Win32 Executable Delphi generic (10) |
| .dll | | | Win32 Dynamic Link Library (generic) (4.6) |
| .exe | | | Win32 Executable (generic) (3.1) |
| .exe | | | Win16/32 Executable Delphi generic (1.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 1992:06:19 22:22:17+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 41472 |
| InitializedDataSize: | 17920 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xaa98 |
| OSVersion: | 1 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 5.5.1.0 |
| ProductVersionNumber: | 5.5.1.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | AutomaticSolution Software |
| FileDescription: | ReMouse |
| FileVersion: | ReMouse Standard V5. |
| LegalCopyright: | AutomaticSolution Software |
| ProductName: | ReMouse Standard |
| ProductVersion: | Standard V5.5.1 |
Total processes
70
Monitored processes
35
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 312 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=1600 --field-trial-handle=1140,i,10752877855465193154,9972882738169576945,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 676 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=3756 --field-trial-handle=1140,i,10752877855465193154,9972882738169576945,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 928 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x6e6d8b38,0x6e6d8b48,0x6e6d8b54 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 1008 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=3464 --field-trial-handle=1140,i,10752877855465193154,9972882738169576945,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 1060 | "C:\Users\admin\Downloads\tinytask-1-77.exe" | C:\Users\admin\Downloads\tinytask-1-77.exe | — | chrome.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: www.tinytask.net Exit code: 0 Version: 1, 77, 0, 0 Modules
| |||||||||||||||
| 1072 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1528 --field-trial-handle=1140,i,10752877855465193154,9972882738169576945,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 1080 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2184 --field-trial-handle=1140,i,10752877855465193154,9972882738169576945,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 1312 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=4072 --field-trial-handle=1140,i,10752877855465193154,9972882738169576945,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 2012 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2132 --field-trial-handle=1140,i,10752877855465193154,9972882738169576945,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 2072 | "C:\Program Files\Google\Chrome\Application\chrome.exe" "--disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | ||||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
Total events
11 082
Read events
10 918
Write events
151
Delete events
13
Modification events
| (PID) Process: | (3980) with-editor.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Owner |
Value: 8C0F0000DC8C5963F6A7DA01 | |||
| (PID) Process: | (3980) with-editor.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | SessionHash |
Value: 6440D33ADFE8660BFFF25081FB8DED877A77B86E076577FB83560B4F669DC6B4 | |||
| (PID) Process: | (3980) with-editor.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (3980) with-editor.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFiles0000 |
Value: C:\Users\admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard\ReMouse.exe | |||
| (PID) Process: | (3980) with-editor.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFilesHash |
Value: 42375D6146A70365BC1743FE7053E2126BEB1BA8F9193225B22357FF875C0714 | |||
| (PID) Process: | (3980) with-editor.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ReMouse Standard_is1 |
| Operation: | write | Name: | Inno Setup: Setup Version |
Value: 5.5.9 (a) | |||
| (PID) Process: | (3980) with-editor.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ReMouse Standard_is1 |
| Operation: | write | Name: | Inno Setup: App Path |
Value: C:\Users\admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard | |||
| (PID) Process: | (3980) with-editor.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ReMouse Standard_is1 |
| Operation: | write | Name: | InstallLocation |
Value: C:\Users\admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard\ | |||
| (PID) Process: | (3980) with-editor.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ReMouse Standard_is1 |
| Operation: | write | Name: | Inno Setup: Icon Group |
Value: ReMouse Standard | |||
| (PID) Process: | (3980) with-editor.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ReMouse Standard_is1 |
| Operation: | write | Name: | Inno Setup: User |
Value: admin | |||
Executable files
23
Suspicious files
197
Text files
48
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3980 | with-editor.tmp | C:\Users\admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard\is-J7T63.tmp | executable | |
MD5:F3B864B4FC3E090E8AD3EAD18A2C20F3 | SHA256:B5DFB4E59F1764BAD01615D94ACE06B7C45D4D51D36BBC0F9CBAFC2762E47906 | |||
| 3964 | with-editor.exe | C:\Users\admin\AppData\Local\Temp\is-9N7GG.tmp\with-editor.tmp | executable | |
MD5:832DAB307E54AA08F4B6CDD9B9720361 | SHA256:CC783A04CCBCA4EDD06564F8EC88FE5A15F1E3BB26CEC7DE5E090313520D98F3 | |||
| 3980 | with-editor.tmp | C:\Users\admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard\is-8KD7C.tmp | executable | |
MD5:1FF440C02E3CB1DA2BDEEB8507FB5455 | SHA256:A5B2AA3D341689C17207383E320BB4661D6194E38323152B000F11D74C829995 | |||
| 3980 | with-editor.tmp | C:\Users\admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard\unins000.exe | executable | |
MD5:95EDCB135FD8AE184FF9B604BEB77F13 | SHA256:4C62259F8797612FD58E154FF9E5BA7FE114BCBF5FD310F2C9B2A013F2B84013 | |||
| 3980 | with-editor.tmp | C:\Users\admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard\is-885S3.tmp | executable | |
MD5:95EDCB135FD8AE184FF9B604BEB77F13 | SHA256:4C62259F8797612FD58E154FF9E5BA7FE114BCBF5FD310F2C9B2A013F2B84013 | |||
| 3980 | with-editor.tmp | C:\Users\admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard\ReMouse.exe | executable | |
MD5:F3B864B4FC3E090E8AD3EAD18A2C20F3 | SHA256:B5DFB4E59F1764BAD01615D94ACE06B7C45D4D51D36BBC0F9CBAFC2762E47906 | |||
| 3980 | with-editor.tmp | C:\Users\admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard\is-AFEQ2.tmp | executable | |
MD5:6FC61A2907F2E39A1E450D7801ECAE43 | SHA256:4E31D3155A3408805C91D1714BB45DE7847E77780BF3D91F3405FEB3EF9AC15B | |||
| 3980 | with-editor.tmp | C:\Users\admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard\conf\help.chm | binary | |
MD5:92EDBD5A48B9CDCEE8D6B9B0CC36030C | SHA256:AA43E6F744A00987FD779291D9318CF689C198972E46ABB779F4166D7C571BC9 | |||
| 3980 | with-editor.tmp | C:\Users\admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard\is-F0QC4.tmp | executable | |
MD5:043D82ED60C8B516FC59F76251272ED3 | SHA256:84D7624E1E4B7E3152609F5ADF1A3260DA18D43EF0C25BD0D0468D405AD73FB7 | |||
| 3980 | with-editor.tmp | C:\Users\admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard\ReMouse-Task.exe | executable | |
MD5:043D82ED60C8B516FC59F76251272ED3 | SHA256:84D7624E1E4B7E3152609F5ADF1A3260DA18D43EF0C25BD0D0468D405AD73FB7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
67
DNS requests
100
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2312 | chrome.exe | 142.250.185.67:443 | clientservices.googleapis.com | GOOGLE | US | whitelisted |
2072 | chrome.exe | 239.255.255.250:1900 | — | — | — | unknown |
2312 | chrome.exe | 74.125.143.84:443 | accounts.google.com | GOOGLE | US | unknown |
2312 | chrome.exe | 216.58.206.68:443 | www.google.com | GOOGLE | US | whitelisted |
2312 | chrome.exe | 142.250.184.227:443 | www.gstatic.com | GOOGLE | US | whitelisted |
2312 | chrome.exe | 142.250.185.206:443 | apis.google.com | GOOGLE | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
clientservices.googleapis.com |
| whitelisted |
accounts.google.com |
| shared |
www.google.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
apis.google.com |
| whitelisted |
play.google.com |
| whitelisted |
update.googleapis.com |
| unknown |
encrypted-tbn0.gstatic.com |
| whitelisted |
lh5.googleusercontent.com |
| whitelisted |
thetinytask.com |
| unknown |