File name:

Virus.Win32.MouseMX.exe

Full analysis: https://app.any.run/tasks/b817eb53-2279-4bb0-b83c-ad91759fe503
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: August 18, 2024, 03:09:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

0825404394AB2FF375C9B7F54C584DA0

SHA1:

3E28063F7A1C2695910384DC36F9C61F7EAC10EC

SHA256:

A7E91C5F61C76363722D1E31FA302174EA041CAB8470B40C8C65CC6524BBD6E0

SSDEEP:

768:K/rH83fikoTMIzKAmQfLJtFVm6JEaB6sSAm9u1PBqKZrWDdu:W8KzyPQfLJtnTJqsSAxTPlad

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • Virus.Win32.MouseMX.exe (PID: 6336)

    • Actions looks like stealing of personal data

      • Virus.Win32.MouseMX.exe (PID: 6336)

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • Virus.Win32.MouseMX.exe (PID: 6336)

    • Process drops legitimate windows executable

      • Virus.Win32.MouseMX.exe (PID: 6336)

    • Executable content was dropped or overwritten

      • Virus.Win32.MouseMX.exe (PID: 6336)

  • INFO

    • Checks supported languages

      • Virus.Win32.MouseMX.exe (PID: 6336)

    • Failed to create an executable file in Windows directory

      • Virus.Win32.MouseMX.exe (PID: 6336)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 3 (89.3)
.exe | Win32 Executable Delphi generic (4.8)
.dll | Win32 Dynamic Link Library (generic) (2.2)
.exe | Win32 Executable (generic) (1.5)
.exe | Win16/32 Executable Delphi generic (0.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 40960
InitializedDataSize: 18944
UninitializedDataSize: -
EntryPoint: 0xab1c
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start virus.win32.mousemx.exe

Process information

PID
CMD
Path
Indicators
Parent process
6336"C:\Users\admin\AppData\Local\Temp\Virus.Win32.MouseMX.exe" C:\Users\admin\AppData\Local\Temp\Virus.Win32.MouseMX.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\virus.win32.mousemx.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
44
Read events
36
Write events
8
Delete events
0

Modification events

(PID) Process:(6336) Virus.Win32.MouseMX.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mouse_MX2
Operation:writeName:Name
Value:
Mouse MX
(PID) Process:(6336) Virus.Win32.MouseMX.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mouse_MX2
Operation:writeName:Version
Value:
1.1
(PID) Process:(6336) Virus.Win32.MouseMX.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mouse_MX2
Operation:writeName:Type
Value:
virus
(PID) Process:(6336) Virus.Win32.MouseMX.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mouse_MX2
Operation:writeName:Country
Value:
Polska
(PID) Process:(6336) Virus.Win32.MouseMX.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mouse_MX2
Operation:writeName:City
Value:
Tarnów
(PID) Process:(6336) Virus.Win32.MouseMX.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mouse_MX2
Operation:writeName:Date
Value:
9.11.2004
(PID) Process:(6336) Virus.Win32.MouseMX.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mouse_MX2
Operation:writeName:Infection
Value:
8/18/2024
(PID) Process:(6336) Virus.Win32.MouseMX.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Rundll32
Value:
C:\WINDOWS\System\Rundll32~.exe /out
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6336Virus.Win32.MouseMX.exeC:\Mouse_MX\FileSyncConfig.exeexecutable
MD5:F3D599FCE8EDED3BDFD228836270813C
SHA256:24E76FE67435E9C7C1AA9EC22D736DE3873FBD2E880D8AE716DFFEC0E146FC53
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
29
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6584
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
2208
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6164
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
3268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
2680
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3260
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2208
svchost.exe
40.126.32.133:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
2208
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
6584
backgroundTaskHost.exe
20.103.156.88:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 172.217.18.14
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 40.126.32.133
  • 20.190.160.22
  • 20.190.160.20
  • 40.126.32.76
  • 40.126.32.138
  • 40.126.32.140
  • 40.126.32.134
  • 40.126.32.68
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
arc.msn.com
  • 20.103.156.88
whitelisted
slscr.update.microsoft.com
  • 40.68.123.157
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Virus.Win32.MouseMX.exe