ID: 68736
Sample Name: Mousotronsetup.exe
Cookbook: default.jbs
Time: 02:00:32
Date: 19/07/2018
Version: 23.0.0

Table of Contents

Table of Contents 2
Analysis Report 4
  Overview 4
    General Information 4
    Detection 4
    Confidence 4
    Classification 5
    Analysis Advice 5
  Signature Overview 6
    AV Detection 6
    Spreading 6
    Networking 6
    Key, Mouse, Clipboard, Microphone and Screen Capturing 6
    System Summary 6
    Data Obfuscation 7
    Persistence and Installation Behavior 7
    Boot Survival 7
    Hooking and other Techniques for Hiding and Protection 7
    Malware Analysis System Evasion 7
    Anti Debugging 8
    HIPS / PFW / Protection Evasion 8
    Language, Device and Operating System Detection 8
  Behavior Graph 8
  Simulations 9
    Behavior and APIs 9
  Antivirus Detection 9
    Initial Sample 9
    Dropped Files 9
    Unpacked PE Files 9
    Domains 9
    URLs 9
  Yara Overview 9
    Initial Sample 9
    PCAP (Network Traffic) 9
    Dropped Files 9
    Memory Dumps 9
    Unpacked PEs 9
  Joe Sandbox View / Context 10
    IPs 10
    Domains 10
    ASN 10
    Dropped Files 10
  Screenshots 11
  Startup 11
  Created / dropped Files 11
  Contacted Domains/Contacted IPs 14
    Contacted Domains 14
    Contacted IPs 14
  Static File Info 14
    General 14
    File Icon 15
    Static PE Info 15
      General 15
      Entrypoint Preview 15
Copyright Joe Security LLC 2018 Page 2 of 31
      Data Directories 16
      Sections 16
      Resources 17
      Imports 17
      Version Infos 17
      Possible Origin 17
  Network Behavior 18
  Code Manipulations 18
  Statistics 18
  Behavior 18
  System Behavior 18
    Analysis Process: Mousotronsetup.exe PID: 3448 Parent PID: 3040 18
      General 18
      File Activities 19
        File Created 19
        File Deleted 19
        File Written 19
        File Read 19
    Analysis Process: Mousotronsetup.tmp PID: 3472 Parent PID: 3448 20
      General 20
      File Activities 20
        File Created 20
        File Moved 21
        File Written 21
        File Read 23
      Registry Activities 23
        Key Created 23
        Key Value Created 24
    Analysis Process: Mousotron.exe PID: 3552 Parent PID: 3472 25
      General 25
      File Activities 25
      Registry Activities 25
        Key Value Created 25
        Key Value Modified 25
  Disassembly 31
    Code Analysis 31

Analysis Report

Overview

General Information

Joe Sandbox Version: 23.0.0
Analysis ID: 68736
Start time: 02:00:32
Joe Sandbox Product: CloudBasic
Start date: 19.07.2018
Overall analysis duration: 0h 7m 11s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Mousotronsetup.exe
Cookbook file name: default.jbs
Analysis system description: SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus26.spyw.winEXE@5/11@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 52.7% (good quality ratio 44.5%)
Quality average: 73.3%
Quality standard deviation: 35.9%
HCA Information: Successful, ratio: 57%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Correcting counters for adjusted boot time; Found application associated with file extension: .exe

Warnings:
  Exclude process from analysis (whitelisted): dllhost.exe
  Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 26
Range: 0 - 100
Reporting: Report FP / FN

Confidence

Strategy: Threshold
Score: 2
Range: 0 - 5
Further Analysis Required?: true

Classification

Classification chart (image not reproduced). Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: malicious, suspicious, clean.

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox

Sample has functionality to log and monitor keystrokes; analyze it with the 'Simulates keyboard and window changes' cookbook

Sample searches for specific files; try pointing organization-specific fake files at the analysis machine

Signature Overview

• AV Detection
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

AV Detection:

Antivirus detection for unpacked file

Spreading:

Enumerates the file system

Contains functionality to enumerate / list files inside a directory

Networking:

Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Contains functionality to read data from the clipboard

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Installs a global mouse hook

System Summary:

Dropped file seen in connection with other malware

Contains functionality to communicate with device drivers

Contains functionality to shutdown / reboot the system

Creates mutexes

Detected potential crypto function

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains strange resources

Sample file is different than original file name gathered from version info

Sample reads its own file content

Classification label

Contains functionality to adjust token privileges (e.g. debug / backup)

Contains functionality to check free disk space

Contains functionality to instantiate COM classes

Contains functionality to load and extract PE file embedded resources

Creates files inside the program directory

Creates files inside the user directory

Creates temporary files

Parts of this application use Borland libraries (probably coded in Delphi)

Reads ini files

Reads policies

Reads the Windows registered organization settings

Spawns processes

Uses an in-process (OLE) Automation server

Reads the Windows registered owner settings

Executable creates window controls seldom found in malware

Found GUI installer (many successful clicks)

Found graphical window changes (likely an installer)

Found installer window with terms and condition text

Creates a directory in C:\Program Files

Creates a software uninstall entry

Submission file is bigger than most known malware samples

Contains modern PE file flags such as dynamic base (ASLR) or NX

Data Obfuscation:

Contains functionality to dynamically determine API calls

PE file contains sections with non-standard names

Uses code obfuscation techniques (call, push, ret)

Persistence and Installation Behavior:

Drops PE files

Boot Survival:

Stores files to the Windows start menu directory

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Extensive use of GetProcAddress (often used to hide API calls)

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Enumerates the file system

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Queries keyboard layouts

Contains functionality to enumerate / list files inside a directory

Contains functionality to query system information

Program exit points

Queries a list of all running processes

Anti Debugging:

Checks for debuggers (devices)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to launch a program with higher privileges

Contains functionality to add an ACL to a security descriptor

Contains functionality to create a new security descriptor

May try to detect the Windows Explorer process (often used for injection)

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)

Queries the volume information (name, serial number etc) of a device

Contains functionality to create pipes for IPC

Contains functionality to query local / system time

Contains functionality to query the account / user name

Contains functionality to query time zone information

Contains functionality to query windows version

Behavior Graph

Behavior Graph (image not reproduced). ID: 68736, Sample: Mousotronsetup.exe, Startdate: 19/07/2018, Architecture: WINDOWS, Score: 26

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious

Signatures shown in the graph: Dropped file seen in connection with other malware; Antivirus detection for unpacked file; Installs a global keyboard hook

Process tree recovered from the graph:
  Mousotronsetup.exe
    dropped and started: C:\Users\HERBBL~1\...\Mousotronsetup.tmp (PE32)
  Mousotronsetup.tmp (node counters: 29, 24)
    dropped: C:\Program Files\Mousotron\is-MT9NN.tmp (PE32)
    dropped and started: C:\Program Files\Mousotron\is-VKG7F.tmp (PE32)
  Mousotron.exe (node counter: 12)

Simulations

Behavior and APIs

Time | Type | Description
02:01:03 | API Interceptor | 1x Sleep call for process: Mousotronsetup.tmp modified
02:01:11 | API Interceptor | 1x Sleep call for process: Mousotronsetup.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
Mousotronsetup.exe | 0% | virustotal |

Dropped Files

Source | Detection | Scanner | Label
C:\Program Files\Mousotron\is-MT9NN.tmp | 0% | virustotal |
C:\Program Files\Mousotron\is-MT9NN.tmp | 3% | metadefender |
C:\Users\HERBBL~1\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp | 0% | virustotal |
C:\Users\HERBBL~1\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp | 0% | metadefender |

Unpacked PE Files

Source | Detection | Scanner | Label
1.3.Mousotronsetup.exe.12d8000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
2.2.Mousotronsetup.tmp.400000.3.unpack | 100% | Avira | TR/Dropper.Gen
1.1.Mousotronsetup.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
1.1.Mousotronsetup.exe.1920000.1.unpack | 100% | Avira | TR/ATRAPS.Gen
1.2.Mousotronsetup.exe.400000.2.unpack | 100% | Avira | TR/Dropper.Gen
2.1.Mousotronsetup.tmp.400000.0.unpack | 100% | Avira | TR/Dropper.Gen

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

Match: C:\Users\HERBBL~1\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp

Associated Sample Name / URL | SHA 256 | Detection | Context
Your_understanding_and_cooperation_is_greatly_appreciated_synonyms.exe | 39d147add00560635284e02cceb58145680d72cd550eb4d6e54cfc06f4a593e3 | malicious |
WRMNLzRmzr.exe | 3bec35909514fb5d0901f7566784c25337e9a0f31db87dd7e04e0dea9480527e | malicious |
facture_431977465.doc | 3d79a1434f800716979d20d0a00921db84ee95c396f0ece71fb8b9c21b2feebe | malicious |
facture_ref_EM001192_09.07.2018.pdf.exe | 86924cee9a17e077b0a28e1a11d5d5cafe539d99421d01acb3c2ac405cf2721f | malicious |
keyword.exe | 7f78f25db85a5978ec86c752dcaff4204d872c8647834f753126a9c40b6056d5 | malicious |
http://mail.what-is-humankindness.info/dl/facture_431977465.doc | | malicious |
Cliente.exe | b8a042ffbe68bc3b7bf6fb84a61243dbe5d9600540970f7b8bd81a06817ff23c | malicious |
facture_ref_EM001192_09.07.2018.pdf.exe | 86924cee9a17e077b0a28e1a11d5d5cafe539d99421d01acb3c2ac405cf2721f | malicious |
https://clients.chime.aws/win/releases/Chime.4.13.8659.exe | | malicious |
facture_431977465.doc | 3d79a1434f800716979d20d0a00921db84ee95c396f0ece71fb8b9c21b2feebe | malicious |
AnalyticsEdgeBasicInstaller.exe | cc72c28b826cc388cdea083ad75787249bbcaeb9f1c6c11477b8e9eaf3178878 | malicious |
facture_ref_EM001192_09.07.2018.pdf.exe | 86924cee9a17e077b0a28e1a11d5d5cafe539d99421d01acb3c2ac405cf2721f | malicious |
Setup.exe | 1670d4948cd7354ce8b2b77bde241dc0cdb8920d4ff0a64209c0bfe943aad8da | malicious |
SD_Maid_4.7.6.apk.exe | 7f78f25db85a5978ec86c752dcaff4204d872c8647834f753126a9c40b6056d5 | malicious |
F9LAbxcXhQ.exe | ed1ea75dd62295487a3d34c75155ddd14a0e577bbb442b6cccc610d60031b409 | malicious |

Screenshots

Startup

System is w7
Mousotronsetup.exe (PID: 3448, cmdline: 'C:\Users\user\Desktop\Mousotronsetup.exe', MD5: 7C2BF8C76CE2D4966F8D63E4135F1431)
  Mousotronsetup.tmp (PID: 3472, cmdline: 'C:\Users\HERBBL~1\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp' /SL5='$9015C,887698,57856,C:\Users\user\Desktop\Mousotronsetup.exe', MD5: 832DAB307E54AA08F4B6CDD9B9720361)
    Mousotron.exe (PID: 3552, cmdline: C:\Program Files\Mousotron\Mousotron.exe, MD5: F408966415ED05DA3E419748249E2E27)
cleanup

Created / dropped Files

C:\Program Files\Mousotron\is-26VR9.tmp
Process: C:\Users\user\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp
File Type: MS Windows HtmlHelp Data
Size (bytes): 130728
Entropy (8bit): 7.839222293472913
Encrypted: false
MD5: B3F9D60826934D86C9060C6E7E12699B
SHA1: 1B5667D031C61360FBDB27C3B4A4192DDEF4805B
SHA-256: 7A8C727B636018252C0EFCAF9CB7AFCE33D780E6392FA9F37572139AB8D372E0
SHA-512: 3CB6375BCEAA2588FBB91BA36C76DFCE0FD68FC2CB93F938E3953D9C435EADAF1D3EC7379CCA9F0EB01CC36AACA8F848900862C58AD0DCA4227DF7EC60F6278D
Malicious: false
Reputation: low

C:\Program Files\Mousotron\is-MT9NN.tmp
Process: C:\Users\user\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes): 2316544
Entropy (8bit): 6.535859419731659
Encrypted: false
MD5: F408966415ED05DA3E419748249E2E27
SHA1: 47DE34078DBB4DBBB0E7081C3D08379ED9B8FA98
SHA-256: 23EA7D028F47C5B9CA2E167A3E88F4685F108FEF9F059753A49D0B2233AA7DC0
SHA-512: BE077CD254CA3234E94E7AE85C16CED0C7B7062C87E78EEBFF3D2CB193F9F63E3B85D3D98AC97956B9417BC84758CC03C9D4C3E85DBF4C657CFBE5C78D44FD81
Malicious: true
Antivirus: virustotal, Detection: 0%
Antivirus: metadefender, Detection: 3%
Reputation: low

C:\Program Files\Mousotron\is-NFGHH.tmp
Process: C:\Users\user\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp
File Type: HTML document, ASCII text, with CRLF line terminators
Size (bytes): 148
Entropy (8bit): 5.249764551507883
Encrypted: false
MD5: AF0270C93C1A82642FF2437C21BFD0D6
SHA1: B3053AEF7BAA2A1AAD8CDF8C32D50509A9A1E170
SHA-256: 90BEA63FF6FD2FCCEB9752A997C4B83DC403DC08898D380FE07847F95A41EDAB
SHA-512: C658981A14EED2F908D314860184C91876DF02F9A2A50821219B75EB7B0F9D73CE8F044EC4B7DAA0D4365C52FF50680D4BC9B3A748BD871076BE32FBEACF5E0E
Malicious: false
Reputation: low

C:\Program Files\Mousotron\is-VKG7F.tmp
Process: C:\Users\user\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes): 725161
Entropy (8bit): 6.524799610295483
Encrypted: false
MD5: 36199BF963EF3F01AA85221391F6FA3B
SHA1: 419225AC46C2B4035D8D23AA83CAC76540B62B6A
SHA-256: B2BDF38EC62B755002AC301929E924423774474521FA37622FD9005C7B2A6B00
SHA-512: 7045FBCD6A83AAC5FDB7C7FDF96D6226D99E6EF62F60CCBFA126D18961E70E844B6C0F6AA4BE2D047035EF615BC364239AE5FCD82CB9C89D9E4CCA9DC760126F
Malicious: false
Reputation: low

C:\Program Files\Mousotron\unins000.dat
Process: C:\Users\user\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp
File Type: data
Size (bytes): 2781
Entropy (8bit): 4.00999169959047
Encrypted: false
MD5: E3084BE7C3BE700E573B9803B98796F1
SHA1: 2CECF30653B408895E52F324F91D49F27B6DD16F
SHA-256: 60CE9B9591FC051FE2EECEB028B59D49347D66279D8D19894A5970994838A296
SHA-512: 6136FF91B1C4685FA45CD8017C2E7A7A6DE71BDCDE9C26105D15D86E55994A83DAE1BA0ECD9D22E27EDA24B8556128DE8745CCD3C87EBC893DB40DA14D56FD9A
Malicious: false
Reputation: low

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mousotron\Mousotron Help.lnk
Process: C:\Users\user\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Jul 19 00:01:03 2018, mtime=Thu Jul 19 00:01:03 2018, atime=Thu Feb 2 08:34:20 2017, length=130728, window=hide
Size (bytes): 995
Entropy (8bit): 4.438864109489038
Encrypted: false
MD5: 735BBFE7571DC256112A2D5461DD08AD
SHA1: 8BD3EB74A2E06FB497108C5746FBECF741EB7284
SHA-256: EF1B5FA3A2AFDF29AE978DDAA413047E2E4243C35AC2E2B2159259D7898DB075
SHA-512: 297DA9ADFFA51EF16E95C34904FB615DCF3DC77070A0DD746E30FC5AEE21C532698CC4CA626F9D191AFAF4DA64824900A6B20FD7A7A01DF81872E9D7CB06E775
Malicious: false
Reputation: low

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mousotron\Mousotron.lnk
Process: C:\Users\user\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Jul 19 00:01:03 2018, mtime=Thu Jul 19 00:01:03 2018, atime=Thu Feb 2 12:55:26 2017, length=2316544, window=hide
Size (bytes): 995
Entropy (8bit): 4.432328525766599
Encrypted: false
MD5: 48ECB57F16F5F3E2453065CB7D062178
SHA1: CD018C98082B6565005D9A76DA5ADF7F489511E5
SHA-256: 8BCF4F694EA65AA3661522DE5820F41C5807AAB40575A65C5B9F84AA44F2F624
SHA-512: 630F4F5316516D2B55206825FFAA63205499F767D3755809690268CB920173C7854295283AB9FA8EBC9AB755E6AB693BE4A112D18C41678228E02ABF360F3092
Malicious: false
Reputation: low

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mousotron\Uninstall Mousotron.lnk
Process: C:\Users\user\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Jul 19 00:01:03 2018, mtime=Thu Jul 19 00:01:03 2018, atime=Thu Jul 19 00:00:47 2018, length=725157, window=hide
Size (bytes): 990
Entropy (8bit): 4.413766292760118
Encrypted: false
MD5: 137F56C7D5200996B4B9E5CA9160A68F
SHA1: 4B81D2B12EE25BBEB63043F4E144859568E77332
SHA-256: BE126AEF0041382142ABB689535DB14C4D5A35B68F63DD8549EB1C37577B92B6
SHA-512: 04547106CEB9B5F9516B9E4B29A8C9F8C67F62D589D1FA0A3BEE58C695E42BC042899F7BA6C4938616A91E1E64D660F463E4097115EDA9B2EC9B7F66E7D28466
Malicious: false
Reputation: low

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mousotron\Visit BlackSun Website.lnk
Process: C:\Users\user\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Jul 19 00:01:03 2018, mtime=Thu Jul 19 00:01:03 2018, atime=Thu May 12 18:03:02 2005, length=148, window=hide
Size (bytes): 1040
Entropy (8bit): 4.4523065904566055
Encrypted: false
MD5: 2D5BB40D184940754E759C7DD0802B95
SHA1: 05BD25E388B5C3FA7C5B71DF8460BDD240752A65
SHA-256: AD0438AE150776438FE91AFC859C8CEC2FB872B64118D179B18591955F4B9155
SHA-512: 0A8CCC8BB8E96A8816599DF3FDC02C1FF4D91CAA5E62970521CF81CDC651A6CA7DF5B93638E5666786032C6A55262B3C7B4B3886642AFC1BCC8DF847543AB3CF
Malicious: false
Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp
Process: C:\Users\user\Desktop\Mousotronsetup.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes): 713728
Entropy (8bit): 6.516598351135674
Encrypted: false
MD5: 832DAB307E54AA08F4B6CDD9B9720361
SHA1: EBD007FB7482040ECF34339E4BF917209C1018DF
SHA-256: CC783A04CCBCA4EDD06564F8EC88FE5A15F1E3BB26CEC7DE5E090313520D98F3
SHA-512: 358D43522FD460EB1511708E4DF22EA454A95E5BC3C4841931027B5FA3FB1DDA05D496D8AD0A8B9279B99E6BE74220FE243DB8F08EF49845E9FB35C350EF4B49
Malicious: true
Antivirus: virustotal, Detection: 0%
Antivirus: metadefender, Detection: 0%
Joe Sandbox View:
  Filename: Your_understanding_and_cooperation_is_greatly_appreciated_synonyms.exe, Detection: malicious
  Filename: WRMNLzRmzr.exe, Detection: malicious
  Filename: facture_431977465.doc, Detection: malicious
  Filename: facture_ref_EM001192_09.07.2018.pdf.exe, Detection: malicious
  Filename: keyword.exe, Detection: malicious
  Filename: (empty), Detection: malicious
  Filename: Cliente.exe, Detection: malicious
  Filename: facture_ref_EM001192_09.07.2018.pdf.exe, Detection: malicious
  Filename: (empty), Detection: malicious
  Filename: facture_431977465.doc, Detection: malicious
  Filename: AnalyticsEdgeBasicInstaller.exe, Detection: malicious
  Filename: facture_ref_EM001192_09.07.2018.pdf.exe, Detection: malicious
  Filename: Setup.exe, Detection: malicious
  Filename: SD_Maid_4.7.6.apk.exe, Detection: malicious
  Filename: F9LAbxcXhQ.exe, Detection: malicious
Reputation: moderate, very likely benign file

C:\Users\user\Desktop\Mousotron.lnk
Process: C:\Users\user\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Thu Jul 19 00:01:03 2018, mtime=Thu Jul 19 00:01:03 2018, atime=Thu Feb 2 12:55:26 2017, length=2316544, window=hide
Size (bytes): 1055
Entropy (8bit): 4.410942835120012
Encrypted: false
MD5: 2AD920C8EB2DBDC7FDDD934C336B38B5
SHA1: 50D250C9C7C481045CA3EFB884112737119F1FA8
SHA-256: 1D77932F5734EDFA72F037B705E973091B5690F3290358767E81643FD8846E1C
SHA-512: 6B8456F8DDEF7DE66F16543B8A5EB22521236A124D813F8F8D9350FDF0C27874A6076204F64F2A1DFBBBF136E61DDB56550B7BAC0C33439B5D59C85A2227B18C
Malicious: false
Reputation: low

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.984536549547672
TrID:
  Win32 Executable (generic) a (10002005/4) 98.84%
  Inno Setup installer (109748/4) 1.08%
  Win16/32 Executable Delphi generic (2074/23) 0.02%
  Generic Win/DOS Executable (2004/3) 0.02%
  DOS Executable Generic (2002/1) 0.02%
File name: Mousotronsetup.exe
File size: 1165067
MD5: 7c2bf8c76ce2d4966f8d63e4135f1431
SHA1: 73e5cc4b5c6970b9c6fe4391067883bde79ab97a
SHA256: ccb492cd5d982a0a94db2835ef22c2c928e0e37979d28cd84b2ee25e47a4b1ff
SHA512: 2853e4aa42a49146ec7ab6d8abe2e12f9fcd37e001632f857e59d4117ffcedf4d677d9b2bae45bc5fda83b0f14771bca40a5d0ac5667b7ee1375e04c6411fd43
File Content Preview: MZP...... @...... !..L.!.. This program must be run under Win32..$7......

File Icon

Static PE Info

General

Entrypoint: 0x40aa98
Entrypoint Section: CODE
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 1
OS Version Minor: 0
File Version Major: 1
File Version Minor: 0
Subsystem Version Major: 1
Subsystem Version Minor: 0
Import Hash: 2fb819a19fe4dee5c03e8c6a79342f79

Entrypoint Preview

Instruction
  push ebp
  mov ebp, esp
  add esp, FFFFFFC4h
  push ebx
  push esi
  push edi
  xor eax, eax
  mov dword ptr [ebp-10h], eax
  mov dword ptr [ebp-24h], eax
  call 00007F42A9182EC3h
  call 00007F42A91840CAh
  call 00007F42A9184431h
  call 00007F42A918484Ch
  call 00007F42A91867EBh
  call 00007F42A9189182h
  call 00007F42A91892E9h
  xor eax, eax
  push ebp
  push 0040B169h
  push dword ptr fs:[eax]
  mov dword ptr fs:[eax], esp
  xor edx, edx
  push ebp
  push 0040B132h
  push dword ptr fs:[edx]
  mov dword ptr fs:[edx], esp
  mov eax, dword ptr [0040D014h]
  call 00007F42A9189DBBh
  call 00007F42A91899A6h
  cmp byte ptr [0040C234h], 00000000h
  je 00007F42A918A89Eh
  call 00007F42A9189EB8h
  xor eax, eax
  call 00007F42A9183BB9h
  lea edx, dword ptr [ebp-10h]
  xor eax, eax
  call 00007F42A9186DFBh
  mov edx, dword ptr [ebp-10h]
  mov eax, 0040DE30h
  call 00007F42A9182F5Ah
  push 00000002h
  push 00000000h
  push 00000001h
  mov ecx, dword ptr [0040DE30h]
  mov dl, 01h
  mov eax, 00407808h
  call 00007F42A91876B6h
  mov dword ptr [0040DE34h], eax
  xor edx, edx
  push ebp
  push 0040B0EAh
  push dword ptr fs:[edx]
  mov dword ptr fs:[edx], esp
  call 00007F42A9189E16h
  mov dword ptr [0040DE3Ch], eax

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe000 | 0x97c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x10000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0xa1d0 | 0xa200 | False | 0.602502893519 | data | 6.64374902859 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA | 0xc000 | 0x250 | 0x400 | False | 0.3037109375 | data | 2.74012451302 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS | 0xd000 | 0xe94 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0xe000 | 0x97c | 0xa00 | False | 0.41796875 | data | 4.48607624623 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls | 0xf000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata | 0x10000 | 0x18 | 0x200 | False | 0.05078125 | dBase IV DBT of \320\[email protected], blocks size 4255752, next free block index 4255744 | 0.190488766435 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x11000 | 0x91c | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x12000 | 0x2c00 | 0x2c00 | False | 0.333185369318 | data | 4.58160091191 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x12354 | 0x128 | GLS_BINARY_LSB_FIRST | Dutch | Netherlands
RT_ICON | 0x1247c | 0x568 | GLS_BINARY_LSB_FIRST | Dutch | Netherlands
RT_ICON | 0x129e4 | 0x2e8 | data | Dutch | Netherlands
RT_ICON | 0x12ccc | 0x8a8 | data | Dutch | Netherlands
RT_STRING | 0x13574 | 0x2f2 | data | |
RT_STRING | 0x13868 | 0x30c | data | |
RT_STRING | 0x13b74 | 0x2ce | data | |
RT_STRING | 0x13e44 | 0x68 | data | |
RT_STRING | 0x13eac | 0xb4 | data | |
RT_STRING | 0x13f60 | 0xae | data | |
RT_RCDATA | 0x14010 | 0x2c | data | |
RT_GROUP_ICON | 0x1403c | 0x3e | MS Windows icon resource - 4 icons, 16x16, 16-colors | English | United States
RT_VERSION | 0x1407c | 0x4f4 | data | English | United States
RT_MANIFEST | 0x14570 | 0x62c | XML document text | English | United States

Imports

DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetUserDefaultLangID, GetSystemInfo, GetSystemDirectoryA, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges

Version Infos

Description | Data
LegalCopyright |
FileVersion |
CompanyName | Blacksun Software
Comments | This installation was built with Inno Setup.
ProductName | Mousotron
ProductVersion | 12.1
FileDescription | Mousotron Setup
Translation | 0x0000 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
Dutch | Netherlands
English | United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• Mousotronsetup.exe
• Mousotronsetup.tmp
• Mousotron.exe

System Behavior

Analysis Process: Mousotronsetup.exe PID: 3448 Parent PID: 3040

General

Start time: 02:00:46
Start date: 19/07/2018
Path: C:\Users\user\Desktop\Mousotronsetup.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\Mousotronsetup.exe'
Imagebase: 0x400000
File size: 1165067 bytes
MD5 hash: 7C2BF8C76CE2D4966F8D63E4135F1431
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source File Path: C:\Users\HERBBL~1\AppData\Local\Temp\is-IRJT7.tmp
  Access: read data or list directory | synchronize
  Attributes: normal
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: success or wait
  Count: 1
  Address: 40981B
  Symbol: CreateDirectoryA

Source File Path: C:\Users\HERBBL~1\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp
  Access: read attributes | synchronize | generic write
  Attributes: normal
  Options: synchronous io non alert | non directory file
  Completion: success or wait
  Count: 1
  Address: 407A39
  Symbol: CreateFileA

File Deleted

Source File Path: C:\Users\HERBBL~1\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp
  Completion: success or wait
  Count: 1
  Address: 409474
  Symbol: DeleteFileA

File Written

Source File Path: C:\Users\HERBBL~1\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp
  Offset: unknown
  Length: 713728
  Value: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Ascii: MZP...... @..... ...... !..L.!..This program must be run under Win32..$7 ...... ...... ...... ...... ......
  Completion: success or wait
  Count: 1
  Address: 407B60
  Symbol: WriteFile

File Read

| File Path | Offset | Length | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|
| C:\Users\user\Desktop\Mousotronsetup.exe | unknown | 64 | success or wait | 1 | 407AC4 | ReadFile |
| C:\Users\user\Desktop\Mousotronsetup.exe | unknown | 4 | success or wait | 2 | 407AC4 | ReadFile |
| C:\Users\user\Desktop\Mousotronsetup.exe | unknown | 4 | success or wait | 4 | 407AC4 | ReadFile |
| C:\Users\user\Desktop\Mousotronsetup.exe | unknown | 4 | success or wait | 2 | 407AC4 | ReadFile |

Analysis Process: Mousotronsetup.tmp PID: 3472 Parent PID: 3448

General

Start time: 02:00:47
Start date: 19/07/2018
Path: C:\Users\user\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp
Wow64 process (32bit): false
Commandline: 'C:\Users\HERBBL~1\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp' /SL5='$9015C,887698,57856,C:\Users\user\Desktop\Mousotronsetup.exe'
Imagebase: 0x400000
File size: 713728 bytes
MD5 hash: 832DAB307E54AA08F4B6CDD9B9720361
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

File Created

| File Path | Access | Attributes | Options | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|---|
| C:\Users\HERBBL~1\AppData\Local\Temp\is-BNI3L.tmp | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | success or wait | 1 | 4541D7 | CreateDirectoryA |
| C:\Users\HERBBL~1\AppData\Local\Temp\is-BNI3L.tmp\_isetup | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | success or wait | 1 | 47DF38 | CreateDirectoryA |
| C:\Program Files\Mousotron | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | success or wait | 1 | 452EF2 | CreateDirectoryA |
| C:\ProgramData\Mousotron | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | success or wait | 1 | 452EF2 | CreateDirectoryA |
| C:\Program Files\Mousotron\unins000.dat | read attributes, synchronize, generic read, generic write | normal | synchronous io non alert, non directory file | success or wait | 1 | 47640E | CreateFileA |
| C:\Program Files\Mousotron\is-VKG7F.tmp | read attributes, synchronize, generic read, generic write | normal | synchronous io non alert, non directory file | success or wait | 1 | 450F4D | CreateFileA |
| C:\Program Files\Mousotron\is-MT9NN.tmp | read attributes, synchronize, generic read, generic write | normal | synchronous io non alert, non directory file | success or wait | 1 | 450F4D | CreateFileA |
| C:\Program Files\Mousotron\is-26VR9.tmp | read attributes, synchronize, generic read, generic write | normal | synchronous io non alert, non directory file | success or wait | 1 | 450F4D | CreateFileA |
| C:\Program Files\Mousotron\is-Q6789.tmp | read attributes, synchronize, generic read, generic write | normal | synchronous io non alert, non directory file | success or wait | 1 | 450F4D | CreateFileA |
| C:\Program Files\Mousotron\is-NFGHH.tmp | read attributes, synchronize, generic read, generic write | normal | synchronous io non alert, non directory file | success or wait | 1 | 450F4D | CreateFileA |
| C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mousotron | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | success or wait | 1 | 452EF2 | CreateDirectoryA |


File Moved

| Old File Path | New File Path | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|
| C:\Program Files\Mousotron\is-VKG7F.tmp | C:\Program Files\Mousotron\unins000.exe | success or wait | 1 | 45340B | MoveFileA |
| C:\Program Files\Mousotron\is-MT9NN.tmp | C:\Program Files\Mousotron\Mousotron.exe | success or wait | 1 | 45340B | MoveFileA |
| C:\Program Files\Mousotron\is-26VR9.tmp | C:\Program Files\Mousotron\Mousotron.chm | success or wait | 1 | 45340B | MoveFileA |
| C:\Program Files\Mousotron\is-Q6789.tmp | C:\Program Files\Mousotron\Mousotron.log | success or wait | 1 | 45340B | MoveFileA |
| C:\Program Files\Mousotron\is-NFGHH.tmp | C:\Program Files\Mousotron\Blacksun Software.html | success or wait | 1 | 45340B | MoveFileA |

File Written

| File Path | Offset | Length | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|
| C:\Program Files\Mousotron\is-VKG7F.tmp | unknown | 4 | success or wait | 1 | 4510A8 | WriteFile |
| C:\Program Files\Mousotron\is-VKG7F.tmp | unknown | 20 | success or wait | 2 | 4510A8 | WriteFile |
| C:\Program Files\Mousotron\is-VKG7F.tmp | unknown | 11356 | success or wait | 2 | 4510A8 | WriteFile |
| C:\Program Files\Mousotron\is-MT9NN.tmp | unknown | 65536 | success or wait | 36 | 4510A8 | WriteFile |
| C:\Program Files\Mousotron\is-26VR9.tmp | unknown | 65536 | success or wait | 2 | 4510A8 | WriteFile |
| C:\Program Files\Mousotron\is-NFGHH.tmp | unknown | 148 | success or wait | 1 | 4510A8 | WriteFile |
| C:\Program Files\Mousotron\unins000.dat | unknown | 448 | success or wait | 2 | 4510A8 | WriteFile |
| C:\Program Files\Mousotron\unins000.dat | unknown | 12 | success or wait | 2 | 4510A8 | WriteFile |

File Read

| File Path | Offset | Length | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|
| C:\Users\user\Desktop\Mousotronsetup.exe | unknown | 64 | success or wait | 1 | 450FD8 | ReadFile |
| C:\Users\user\Desktop\Mousotronsetup.exe | unknown | 4 | success or wait | 2 | 450FD8 | ReadFile |
| C:\Users\user\Desktop\Mousotronsetup.exe | unknown | 4 | success or wait | 4 | 450FD8 | ReadFile |
| C:\Users\user\Desktop\Mousotronsetup.exe | unknown | 4 | success or wait | 2 | 450FD8 | ReadFile |
| C:\Users\HERBBL~1\AppData\Local\Temp\is-IRJT7.tmp\Mousotronsetup.tmp | unknown | 16384 | success or wait | 1 | 450FD8 | ReadFile |
| C:\Users\user\Desktop\Mousotronsetup.exe | unknown | 4 | success or wait | 4 | 450FD8 | ReadFile |
| C:\Users\user\Desktop\Mousotronsetup.exe | unknown | 1 | success or wait | 17 | 450FD8 | ReadFile |

Registry Activities

Key Created

| Key Path | Completion | Count | Address | Symbol |
|---|---|---|---|---|
| HKEY_USERS\Software\Blacksun | success or wait | 1 | 42E265 | RegCreateKeyExA |
| HKEY_USERS\Software\Blacksun\Mousotron | success or wait | 1 | 42E265 | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | success or wait | 1 | 42E265 | RegCreateKeyExA |

Key Value Created

| Key Path | Name | Type | Data | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | Inno Setup: Setup Version |  | 5.5.9 (a) | success or wait | 1 | 46FC84 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | Inno Setup: App Path | unicode | C:\Program Files\Mousotron | success or wait | 1 | 46FC84 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | InstallLocation | unicode | C:\Program Files\Mousotron\ | success or wait | 1 | 46FC84 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | Inno Setup: Icon Group | unicode | Mousotron | success or wait | 1 | 46FC84 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | Inno Setup: User | unicode | Herb Blackburn | success or wait | 1 | 46FC84 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | Inno Setup: Selected Tasks | unicode | desktopicon | success or wait | 1 | 46FC84 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | Inno Setup: Deselected Tasks | unicode | quicklaunchicon | success or wait | 1 | 46FC84 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | Inno Setup: Language | unicode | default | success or wait | 1 | 46FC84 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | DisplayName | unicode | Mousotron 12.1 | success or wait | 1 | 46FC84 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | UninstallString | unicode | "C:\Program Files\Mousotron\unins000.exe" | success or wait | 1 | 46FC84 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | QuietUninstallString | unicode | "C:\Program Files\Mousotron\unins000.exe" /SILENT | success or wait | 1 | 46FC84 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | DisplayVersion | unicode | 12.1 | success or wait | 1 | 46FC84 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | Publisher | unicode | Blacksun Software | success or wait | 1 | 46FC84 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | URLInfoAbout | unicode | http://www.blacksunsoftware.com | success or wait | 1 | 46FC84 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | HelpLink | unicode | http://www.blacksunsoftware.com | success or wait | 1 | 46FC84 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | URLUpdateInfo | unicode | http://www.blacksunsoftware.com | success or wait | 1 | 46FC84 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | NoModify | dword | 1 | success or wait | 1 | 46FCE4 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | NoRepair | dword | 1 | success or wait | 1 | 46FCE4 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | InstallDate | unicode | 20180719 | success or wait | 1 | 46FC84 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | MajorVersion | dword | 12 | success or wait | 1 | 46FCE4 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | MinorVersion | dword | 1 | success or wait | 1 | 46FCE4 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | VersionMajor | dword | 12 | success or wait | 1 | 46FCE4 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | VersionMinor | dword | 1 | success or wait | 1 | 46FCE4 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mousotron_is1 | EstimatedSize | dword | 3087 | success or wait | 1 | 46FCE4 | RegSetValueExA |

Analysis Process: Mousotron.exe PID: 3552 Parent PID: 3472

General

Start time: 02:01:07
Start date: 19/07/2018
Path: C:\Program Files\Mousotron\Mousotron.exe
Wow64 process (32bit): false
Commandline: C:\Program Files\Mousotron\Mousotron.exe
Imagebase: 0x400000
File size: 2316544 bytes
MD5 hash: F408966415ED05DA3E419748249E2E27
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

File Activities


Registry Activities

Key Value Created

| Key Path | Name | Type | Data | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|---|
| HKEY_USERS\Software\Blacksun\Mousotron | Running | unicode | -1 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 12 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 1 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Idle | unicode | 0 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Keystrokes | unicode | 1 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Leftclicks | unicode | 1 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Rightclicks | unicode | 0 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Xclicks1 | unicode | 0 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Xclicks2 | unicode | 0 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Midclicks | unicode | 0 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Dblclicks | unicode | 0 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Mousewheel | unicode | 0 | success or wait | 1 | 468B43 | RegSetValueExW |

Key Value Modified

| Key Path | Name | Type | Old Data | New Data | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|---|---|
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 1 | 2 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 12 | 17 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 2 | 3 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 17 | 24 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 3 | 4 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 24 | 31 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 4 | 5 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 31 | 42 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 5 | 6 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 42 | 52 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 6 | 7 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 52 | 55 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 7 | 8 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 55 | 58 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 8 | 9 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 58 | 60 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 9 | 10 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 60 | 62 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 10 | 11 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 62 | 68 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 11 | 12 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 68 | 73 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 12 | 13 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 73 | 80 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 13 | 14 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 80 | 87 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 14 | 15 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 87 | 92 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 15 | 16 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 92 | 98 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 16 | 17 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 98 | 103 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 17 | 18 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 103 | 109 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 18 | 19 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 109 | 114 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 19 | 20 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 114 | 119 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 20 | 21 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 119 | 127 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Rightclicks | unicode | 0 | 1 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Keystrokes | unicode | 1 | 2 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Leftclicks | unicode | 1 | 2 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 21 | 22 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 127 | 140 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 22 | 23 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 140 | 148 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 23 | 24 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 148 | 157 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 24 | 25 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 157 | 166 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 25 | 26 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 166 | 171 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 26 | 27 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 171 | 176 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 27 | 28 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 176 | 187 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 28 | 29 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 187 | 199 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 29 | 30 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 199 | 203 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 30 | 31 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 203 | 208 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 31 | 32 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 208 | 214 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 32 | 33 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 214 | 219 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 33 | 34 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 219 | 225 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 34 | 35 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 225 | 231 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 35 | 36 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 231 | 233 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 36 | 37 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 233 | 236 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 37 | 38 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 236 | 244 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 38 | 39 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 244 | 252 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 39 | 40 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 252 | 256 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 40 | 41 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 256 | 259 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 41 | 42 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 259 | 266 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 42 | 43 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Rightclicks | unicode | 1 | 2 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Keystrokes | unicode | 2 | 3 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Leftclicks | unicode | 2 | 3 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 43 | 44 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 266 | 272 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 44 | 45 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 272 | 274 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 45 | 46 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 274 | 276 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 46 | 47 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 276 | 278 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 47 | 48 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 278 | 286 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 48 | 49 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 286 | 294 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 49 | 50 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 294 | 298 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 50 | 51 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 298 | 302 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 51 | 52 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 302 | 306 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 52 | 53 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 306 | 311 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 53 | 54 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 311 | 315 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 54 | 55 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 315 | 319 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 55 | 56 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 319 | 322 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 56 | 57 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 322 | 325 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 57 | 58 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 325 | 332 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 58 | 59 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 332 | 338 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 59 | 60 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 338 | 348 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 60 | 61 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 348 | 358 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 61 | 62 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 358 | 360 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 62 | 63 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 360 | 362 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 63 | 64 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 362 | 369 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Rightclicks | unicode | 2 | 3 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Keystrokes | unicode | 3 | 4 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Leftclicks | unicode | 3 | 4 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 64 | 65 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 369 | 380 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 65 | 66 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 380 | 388 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 66 | 67 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 388 | 396 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 67 | 68 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 396 | 404 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 68 | 69 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 404 | 412 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 69 | 70 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 412 | 420 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 70 | 71 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 420 | 426 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 71 | 72 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 426 | 433 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 72 | 73 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 433 | 434 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 73 | 74 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 434 | 436 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 74 | 75 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 436 | 440 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 75 | 76 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 440 | 444 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 76 | 77 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 77 | 78 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 444 | 452 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 78 | 79 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 452 | 460 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 79 | 80 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 460 | 467 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 80 | 81 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 467 | 474 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 81 | 82 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 474 | 480 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 82 | 83 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 480 | 487 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 83 | 84 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 487 | 490 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 490 | 494 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 84 | 85 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Time | unicode | 85 | 86 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Distance | unicode | 494 | 501 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Rightclicks | unicode | 3 | 4 | success or wait | 1 | 468B43 | RegSetValueExW |
| HKEY_USERS\Software\Blacksun\Mousotron | Keystrokes | unicode | 4 | 5 | success |  |  |  |
or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Leftclicks unicode 4 5 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Time unicode 86 87 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Distance unicode 501 516 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Time unicode 87 88 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Distance unicode 516 525 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Time unicode 88 89 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Distance unicode 525 528 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Time unicode 89 90 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Distance unicode 528 531 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Time unicode 90 91 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Distance unicode 531 536 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Time unicode 91 92 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Distance unicode 536 542 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Time unicode 92 93 success or wait 1 468B43 RegSetValueExW n\Mousotron Copyright Joe Security LLC 2018 Page 30 of 31 Source Key Path Name Type Old Data New Data Completion Count Address Symbol HKEY_USERS\Software\Blacksu Distance unicode 542 551 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Time unicode 93 94 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Distance unicode 551 561 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Time unicode 94 95 success or wait 1 468B43 RegSetValueExW n\Mousotron 
HKEY_USERS\Software\Blacksu Distance unicode 561 563 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Time unicode 95 96 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Distance unicode 563 565 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Time unicode 96 97 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Distance unicode 565 572 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Time unicode 97 98 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Distance unicode 572 579 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Time unicode 98 99 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Distance unicode 579 586 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Time unicode 99 100 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Distance unicode 586 592 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Time unicode 100 101 success or wait 1 468B43 RegSetValueExW n\Mousotron HKEY_USERS\Software\Blacksu Distance unicode 592 600 success or wait 1 468B43 RegSetValueExW n\Mousotron

Disassembly

Code Analysis
