Windows Analysis Report
MouseSpeedSetup64.exe

Overview

General Information

Sample name: MouseSpeedSetup64.exe
Analysis ID: 1631238
MD5: 5a44282c781228d23c449b53e357dce6
SHA1: 8c855113247650fd207a87b74f3ecd5a0fea74e2
SHA256: 3a22ad3b3933661ec162a215ac00d7a500a20fe7a4dd650321fc20f4f8a6be35

Detection

Score: 42
Range: 0 - 100
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Hides threads from debuggers
PE file has nameless sections
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to debug other processes
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • MouseSpeedSetup64.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\MouseSpeedSetup64.exe" MD5: 5A44282C781228D23C449B53E357DCE6)
    • MouseSpeedSetup64.tmp (PID: 7304 cmdline: "C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp" /SL5="$10448,8599110,832512,C:\Users\user\Desktop\MouseSpeedSetup64.exe" MD5: 424E825128092BC7D46AEE44E00BCEF2)
      • MouseSpeed64.exe (PID: 7792 cmdline: "C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe" /r MD5: 541BFD03F56C93AE0A569247FEE3DFFD)
      • mssLicChk.exe (PID: 7876 cmdline: "C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe" MD5: 8E22EE7BB869FA2EF45CAF8695F3C97D)
        • conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MouseSpeed64.exe (PID: 7992 cmdline: "C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe" MD5: 541BFD03F56C93AE0A569247FEE3DFFD)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Registry Key set. Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split). Data: Details: C:\Program Files\MouseSpeedSwitcher\MouseSpeed.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp, ProcessId: 7304, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpsMouseSpeed
No Suricata rule has matched

AV Detection

Source: MouseSpeedSetup64.exe Virustotal: Detection: 29%
Source: MouseSpeedSetup64.exe ReversingLabs: Detection: 25%
Source: MouseSpeedSetup64.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\is-EPBMO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\is-P9EHV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\is-4CP3A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\is-6D38A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-CJ98I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-6OFE2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-1TUUN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-TG7S8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-JG537.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-M1I69.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-8Q2MQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-958FM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-KUDBE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-T9LIC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-Q9M2B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-45LKD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-L7CQ0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\is-1G7E4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\is-KTMC3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\is-R8Q04.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\unins000.msg
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7CFF650A-4E8E-4213-96CA-868259103331}_is1
Source: MouseSpeedSetup64.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 88.99.26.79:443 -> 192.168.2.4:63631 version: TLS 1.2
Source: MouseSpeedSetup64.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Sources\My Software\Main\MouseSpeed\Sources\Release\x64\MouseSpeed64.pdb source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003183750.00007FF755779000.00000002.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3534833699.00007FF755779000.00000002.00000001.01000000.00000008.sdmp
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_004797E0 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_02BB66B0 FindFirstFileA,FindNextFileA,FindClose
Source: global traffic TCP traffic: 192.168.2.4:63628 -> 1.1.1.1:53
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /files/mss_version.txt HTTP/1.1 User-Agent: MouseSSUpdateCheck Host: www.gphotoshow.com Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: www.gphotoshow.com
Source: unknown Network traffic detected: HTTP traffic on port 63631 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63631
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_0046EA10 GetTickCount,CreateThread,CloseHandle,GetTickCount,Sleep,GetCurrentThreadId,LoadCursorA,GetAsyncKeyState,GetSystemMetrics,GetSystemMetrics,ShowWindow,UpdateWindow,SetTimer,type_info::name,SetEnvironmentVariableA
Source: MouseSpeed64.exe Binary or memory string: GetRawInputData failed 2, error: %d

System Summary

Source: is-P9EHV.tmp.1.drStatic PE information: section name:
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeCode function: 9_2_0047C1A0: CreateFileW,DeviceIoControl,CloseHandle,9_2_0047C1A0
Source: MouseSpeedSetup64.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-EPBMO.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: MouseSpeedSetup64.exe, 00000000.00000003.2064966832.0000000002228000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs MouseSpeedSetup64.exe
Source: MouseSpeedSetup64.exe, 00000000.00000003.1686124573.000000007FE35000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs MouseSpeedSetup64.exe
Source: MouseSpeedSetup64.exe, 00000000.00000003.1685414145.00000000025F8000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs MouseSpeedSetup64.exe
Source: MouseSpeedSetup64.exe, 00000000.00000000.1683700639.00000000004C6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName vs MouseSpeedSetup64.exe
Source: MouseSpeedSetup64.exeBinary or memory string: OriginalFileName vs MouseSpeedSetup64.exe
Source: MouseSpeedSetup64.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: is-P9EHV.tmp.1.drStatic PE information: Section: ZLIB complexity 0.9984462671446384
Source: is-P9EHV.tmp.1.drStatic PE information: Section: ZLIB complexity 0.9972005208333333
Source: is-R8Q04.tmp.1.drStatic PE information: Section: .rypx ZLIB complexity 0.9994786342727804
Source: classification engineClassification label: mal42.evad.winEXE@10/54@1/1
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeCode function: 9_2_0047C7E0 GetDiskFreeSpaceExW,9_2_0047C7E0
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpFile created: C:\Program Files\MouseSpeedSwitcherJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpFile created: C:\Users\user\AppData\Local\ProgramsJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeMutant created: \Sessions\1\BaseNamedObjects\RAL9D27B8A8
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeMutant created: \Sessions\1\BaseNamedObjects\9D27B8A8::WK
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeMutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -656393972-36392253. Number: 0
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeMutant created: \Sessions\1\BaseNamedObjects\GPGSMouseSpeedMutex
Source: C:\Users\user\Desktop\MouseSpeedSetup64.exeFile created: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmpJump to behavior
Source: C:\Users\user\Desktop\MouseSpeedSetup64.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpFile read: C:\Program Files\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\MouseSpeedSetup64.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
Source: MouseSpeedSetup64.exeVirustotal: Detection: 29%
Source: MouseSpeedSetup64.exeReversingLabs: Detection: 25%
Source: MouseSpeedSetup64.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\MouseSpeedSetup64.exeFile read: C:\Users\user\Desktop\MouseSpeedSetup64.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\MouseSpeedSetup64.exe "C:\Users\user\Desktop\MouseSpeedSetup64.exe"
Source: C:\Users\user\Desktop\MouseSpeedSetup64.exeProcess created: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp "C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp" /SL5="$10448,8599110,832512,C:\Users\user\Desktop\MouseSpeedSetup64.exe"
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpProcess created: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe "C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe" /r
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpProcess created: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe "C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe"
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpProcess created: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe "C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe"
Source: C:\Users\user\Desktop\MouseSpeedSetup64.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\MouseSpeedSetup64.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\Desktop\MouseSpeedSetup64.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\MouseSpeedSetup64.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\MouseSpeedSetup64.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: msftedit.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: windows.globalization.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: bcp47mrm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: globinputhost.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: windows.ui.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: inputhost.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: cscapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: version.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: wininet.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: shfolder.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: wldp.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: mpr.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: sfc.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: wldp.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: wininet.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: amsi.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: userenv.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: version.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: inetmib1.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: snmpapi.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: version.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: wininet.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: shfolder.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: wldp.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: devobj.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: netutils.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: schannel.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
Source: Mouse Speed Switcher 64-bit.lnk.1.drLNK file: ..\..\..\..\..\..\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe
Source: Mouse Speed Switcher Help.lnk.1.drLNK file: ..\..\..\..\..\..\Program Files\MouseSpeedSwitcher\Help\index.htm
Source: Configure Mouse Speed Switcher 64-bit.lnk.1.drLNK file: ..\..\..\..\..\..\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe
Source: Uninstall Mouse Speed Switcher.lnk.1.drLNK file: ..\..\..\..\..\..\Program Files\MouseSpeedSwitcher\unins000.exe
Source: Mouse Speed Switcher 64-bit.lnk0.1.drLNK file: ..\..\..\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpWindow found: window name: TMainFormJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpAutomated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpAutomated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpAutomated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpAutomated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpAutomated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpAutomated click: I accept the agreement
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeAutomated click: OK
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeAutomated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpFile opened: C:\Windows\SysWOW64\MSFTEDIT.DLLJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exeWindow detected: Number of UI elements: 60
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpDirectory created: C:\Program Files\MouseSpeedSwitcherJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpDirectory created: C:\Program Files\MouseSpeedSwitcher\unins000.datJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpDirectory created: C:\Program Files\MouseSpeedSwitcher\is-EPBMO.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpDirectory created: C:\Program Files\MouseSpeedSwitcher\is-P9EHV.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpDirectory created: C:\Program Files\MouseSpeedSwitcher\is-4CP3A.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpDirectory created: C:\Program Files\MouseSpeedSwitcher\is-6D38A.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpDirectory created: C:\Program Files\MouseSpeedSwitcher\HelpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpDirectory created: C:\Program Files\MouseSpeedSwitcher\Help\ImagesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpDirectory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-CJ98I.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpDirectory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-6OFE2.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmpDirectory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-1TUUN.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-TG7S8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-JG537.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-M1I69.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-8Q2MQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-958FM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-KUDBE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-T9LIC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-Q9M2B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-45LKD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\Images\is-L7CQ0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\is-1G7E4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\Help\is-KTMC3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\is-R8Q04.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Directory created: C:\Program Files\MouseSpeedSwitcher\unins000.msg
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7CFF650A-4E8E-4213-96CA-868259103331}_is1
Source: MouseSpeedSetup64.exe Static PE information: certificate valid
Source: MouseSpeedSetup64.exe Static file information: File size 9459216 > 1048576
Source: MouseSpeedSetup64.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Sources\My Software\Main\MouseSpeed\Sources\Release\x64\MouseSpeed64.pdb source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003183750.00007FF755779000.00000002.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3534833699.00007FF755779000.00000002.00000001.01000000.00000008.sdmp

Data Obfuscation

Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe Unpacked PE file: 8.2.MouseSpeed64.exe.7ff755710000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:EW;Unknown_Section6:EW;.rsrc:R;Unknown_Section8:EW;Unknown_Section9:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:R;Unknown_Section6:R;.rsrc:R;Unknown_Section8:EW;Unknown_Section9:EW;
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe Unpacked PE file: 11.2.MouseSpeed64.exe.7ff755710000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:EW;Unknown_Section6:EW;.rsrc:R;Unknown_Section8:EW;Unknown_Section9:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:R;Unknown_Section6:R;.rsrc:R;Unknown_Section8:EW;Unknown_Section9:EW;
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_0042FD80 CreateThread,LoadStringA,LoadStringW,GetCurrentProcessId,swprintf,OpenMutexA,swprintf,CreateMutexA,GetLastError,WaitForSingleObject,swprintf,FindWindowA,Sleep,_strlen,SendMessageA,ReleaseMutex,GetEnvironmentVariableA,_memset,swprintf,SetEnvironmentVariableA,GetLastError,swprintf,WaitForInputIdle,GetCurrentProcessId,swprintf,OpenMutexA,GetCurrentThread,SetThreadPriority,LoadLibraryA,GetProcAddress,GetVersionExA,GetCurrentProcessId,swprintf,CreateMutexA,GetLastError,swprintf,SetEnvironmentVariableA, 9_2_0042FD80
Source: initial sample Static PE information: section where entry point is pointing to: .chdkvl
Source: MouseSpeedSetup64.exe Static PE information: section name: .didata
Source: MouseSpeedSetup64.tmp.0.dr Static PE information: section name: .didata
Source: is-EPBMO.tmp.1.dr Static PE information: section name: .didata
Source: is-P9EHV.tmp.1.dr Static PE information: section name: (empty; entry reported for 9 sections)
Source: is-R8Q04.tmp.1.dr Static PE information: section name: .vpagdj
Source: is-R8Q04.tmp.1.dr Static PE information: section name: .lpsqb
Source: is-R8Q04.tmp.1.dr Static PE information: section name: .bjwcg
Source: is-R8Q04.tmp.1.dr Static PE information: section name: .adwo
Source: is-R8Q04.tmp.1.dr Static PE information: section name: .chdkvl
Source: is-R8Q04.tmp.1.dr Static PE information: section name: .pdlzaj
Source: is-R8Q04.tmp.1.dr Static PE information: section name: .ociduz
Source: is-R8Q04.tmp.1.dr Static PE information: section name: .tonw
Source: is-R8Q04.tmp.1.dr Static PE information: section name: .rypx
Source: is-R8Q04.tmp.1.dr Static PE information: section name: .hqwvjo
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_004988C6 push esp; retn 004Eh 9_2_004988D5
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_00494AE7 push edi; ret 9_2_00494AF6
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_00494B72 push edi; ret 9_2_00494B74
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_00486FBB push ecx; ret 9_2_00486FCE
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_0048B0B5 push ecx; ret 9_2_0048B0C8
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_02BD2395 push ecx; ret 9_2_02BD23A8
Source: is-P9EHV.tmp.1.dr Static PE information: section name: entropy: 7.998355118345409
Source: is-P9EHV.tmp.1.dr Static PE information: section name: entropy: 7.993884408360095
Source: is-P9EHV.tmp.1.dr Static PE information: section name: entropy: 7.568177511419989
Source: is-P9EHV.tmp.1.dr Static PE information: section name: entropy: 7.635911718495945
Source: is-P9EHV.tmp.1.dr Static PE information: section name: entropy: 7.711771268663015
Source: is-R8Q04.tmp.1.dr Static PE information: section name: .pdlzaj entropy: 7.010514435506401
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp File created: C:\Program Files\MouseSpeedSwitcher\is-EPBMO.tmp
Source: C:\Users\user\Desktop\MouseSpeedSetup64.exe File created: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp File created: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp File created: C:\Users\user\AppData\Local\Temp\is-9JM65.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp File created: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp File created: C:\Program Files\MouseSpeedSwitcher\is-P9EHV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp File created: C:\Program Files\MouseSpeedSwitcher\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp File created: C:\Program Files\MouseSpeedSwitcher\is-R8Q04.tmp

Boot Survival

Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Window searched: window name: FileMonClass
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Window searched: window name: RegMonClass
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mouse Speed Switcher
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mouse Speed Switcher\Mouse Speed Switcher 64-bit.lnk
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mouse Speed Switcher\Mouse Speed Switcher Help.lnk
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mouse Speed Switcher\Configure Mouse Speed Switcher 64-bit.lnk
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mouse Speed Switcher\Uninstall Mouse Speed Switcher.lnk
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run gpsMouseSpeed
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run gpsMouseSpeed
Source: C:\Users\user\Desktop\MouseSpeedSetup64.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_9-73811
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Window / User API: threadDelayed 9296
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe Window / User API: threadDelayed 8395
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9JM65.tmp\_isetup\_setup64.tmp
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe TID: 7796 Thread sleep count: 37 > 30
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe TID: 8008 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe TID: 8020 Thread sleep time: -83950s >= -30000s
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe File opened: PHYSICALDRIVE0
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe Last function: Thread delayed
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_004797E0 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError, 9_2_004797E0
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_02BB66B0 FindFirstFileA,FindNextFileA,FindClose, 9_2_02BB66B0
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_02B21F80 GetSystemInfo, 9_2_02B21F80
Source: MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_val_t@K@virtualmachine@@
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AV?$sp_counted_impl_p@U?$variable_pointerval_t@_J@virtualmachine@@@detail@boost@@
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_ref_t@G@virtualmachine@@
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_pointerval_t@I@virtualmachine@@
Source: MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AV?$sp_counted_impl_p@U?$variable_pointerval_t@K@virtualmachine@@@detail@boost@@
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AV?$sp_counted_impl_p@U?$variable_val_t@I@virtualmachine@@@detail@boost@@
Source: MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AV?$sp_counted_impl_p@U?$variable_ref_t@C@virtualmachine@@@detail@boost@@
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_pointerval_t@PAE@virtualmachine@@
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AV?$sp_counted_impl_p@U?$variable_pointerval_t@PAI@virtualmachine@@@detail@boost@@
Source: MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: vmware
Source: MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_ref_t@PAI@virtualmachine@@
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AV?$sp_counted_impl_p@Ubase_allocation_t@base_variable_t@virtualmachine@@@detail@boost@@
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AV?$sp_counted_impl_p@Ulvalue_t@virtualmachine@@@detail@boost@@
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AV?$sp_counted_impl_p@U?$variable_ref_t@D@virtualmachine@@@detail@boost@@
Source: MouseSpeedSetup64.exeBinary or memory string: vmcI(
Source: MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_ref_t@C@virtualmachine@@
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AV?$sp_counted_impl_p@U?$variable_val_t@K@virtualmachine@@@detail@boost@@
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_val_t@G@virtualmachine@@
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_pointerval_t@D@virtualmachine@@
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AV?$sp_counted_impl_p@U?$variable_pointerval_t@PAG@virtualmachine@@@detail@boost@@
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 10 Microsoft Hyper-V Server
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_ref_t@F@virtualmachine@@
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_val_t@_K@virtualmachine@@
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_ref_t@PAE@virtualmachine@@
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: )Windows 8 Server Standard without Hyper-V
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_ref_t@PA_K@virtualmachine@@
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AV?$sp_counted_impl_p@U?$variable_pointerval_t@PA_K@virtualmachine@@@detail@boost@@
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AV?$sp_counted_impl_p@U?$variable_pointerval_t@PAH@virtualmachine@@@detail@boost@@
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_ref_t@_K@virtualmachine@@
Source: MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
Source: MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_ref_t@PAH@virtualmachine@@
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AV?$sp_counted_impl_p@U?$variable_pointerval_t@H@virtualmachine@@@detail@boost@@
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_pointerval_t@_K@virtualmachine@@
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AV?$sp_counted_impl_p@U?$variable_pointerval_t@PAF@virtualmachine@@@detail@boost@@
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_pointerval_t@H@virtualmachine@@
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_val_t@E@virtualmachine@@
Source: MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 2016 Server Standard without Hyper-V
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_pointerval_t@PAH@virtualmachine@@
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AV?$sp_counted_impl_p@U?$variable_pointerval_t@G@virtualmachine@@@detail@boost@@
Source: MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AV?$sp_counted_impl_p@U?$variable_ref_t@PAG@virtualmachine@@@detail@boost@@
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_val_t@_J@virtualmachine@@
Source: MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_ref_t@PAF@virtualmachine@@
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AUbase_variable_t@virtualmachine@@
Source: MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AV?$sp_counted_impl_p@U?$variable_ref_t@_K@virtualmachine@@@detail@boost@@
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_ref_t@PAC@virtualmachine@@
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_pointerval_t@E@virtualmachine@@
Source: MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_ref_t@_J@virtualmachine@@
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AV?$sp_counted_impl_p@U?$variable_ref_t@PAH@virtualmachine@@@detail@boost@@
Source: MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: *Windows 11 Server Standard without Hyper-V
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AU?$variable_ref_t@K@virtualmachine@@
Source: MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: mssLicChk.exe, 00000009.00000003.2007837772.00000000028A3000.00000004.00000020.00020000.00000000.sdmp, mssLicChk.exe, 00000009.00000002.3534317409.0000000002C4E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .?AV?$sp_counted_impl_p@U?$variable_ref_t@K@virtualmachine@@@detail@boost@@
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: MouseSpeed64.exe, MouseSpeed64.exe, 00000008.00000002.2003341990.00007FF755813000.00000040.00000001.01000000.00000008.sdmp, MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: mssLicChk.exe, 00000009.00000002.3533114166.00000000006BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MouseSpeed64.exe, 0000000B.00000002.3535027795.00007FF755813000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: VBoxService.exe
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe API call chain: ExitProcess graph end node graph_9-73669
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Process information queried: ProcessInformation

Anti Debugging

Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe Thread information set: HideFromDebugger
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Open window title or class name: regmonclass
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Open window title or class name: procmon_window_class
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Open window title or class name: filemonclass
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe File opened: SIWDEBUG
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe File opened: NTICE
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe File opened: SIce
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe File opened: SuperBpmDev0
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe File opened: SIWVID
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe Process queried: DebugPort
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_00456710 LdrInitializeThunk,9_2_00456710
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_004801BA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_004801BA
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_00416A50 WaitForDebugEvent,EnterCriticalSection,GetTickCount,_memset,GetThreadContext,ReadProcessMemory,type_info::name,type_info::name,type_info::name,type_info::name,MessageBoxA,ReadProcessMemory,_memset,GetThreadContext,SetThreadContext,ReadProcessMemory,OutputDebugStringW,OutputDebugStringA,type_info::name,type_info::name,CreateMutexA,GetLastError,ResumeThread,CloseHandle,CloseHandle,_memset,_memset,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,CloseHandle,ContinueDebugEvent,ContinueDebugEvent,LeaveCriticalSection,9_2_00416A50
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_0042FD80 CreateThread,LoadStringA,LoadStringW,GetCurrentProcessId,swprintf,OpenMutexA,swprintf,CreateMutexA,GetLastError,WaitForSingleObject,swprintf,FindWindowA,Sleep,_strlen,SendMessageA,ReleaseMutex,GetEnvironmentVariableA,_memset,swprintf,SetEnvironmentVariableA,GetLastError,swprintf,WaitForInputIdle,GetCurrentProcessId,swprintf,OpenMutexA,GetCurrentThread,SetThreadPriority,LoadLibraryA,GetProcAddress,GetVersionExA,GetCurrentProcessId,swprintf,CreateMutexA,GetLastError,swprintf,SetEnvironmentVariableA,9_2_0042FD80
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_0042FD80 mov eax, dword ptr fs:[00000030h] 9_2_0042FD80
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_0048C146 SetUnhandledExceptionFilter,9_2_0048C146
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_0048AE5D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_0048AE5D

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe NtProtectVirtualMemory: Indirect: 0x7FF7558A93F7
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe NtSetInformationThread: Indirect: 0x7FF755857B61
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,9_2_0049205C
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,9_2_004920B7
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,9_2_00492288
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: EnumSystemLocalesA,9_2_0049234A
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,9_2_00492374
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,9_2_004923DB
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,9_2_00492417
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,9_2_0049AEE1
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,9_2_0049AFBB
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: ____lc_handle_func,GetLocaleInfoW,9_2_004BF6B6
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: GetLocaleInfoA,9_2_00489C13
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,9_2_00491EC0
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,9_2_00491FB5
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: GetLocaleInfoA,9_2_02BAA550
Source: C:\Program Files\MouseSpeedSwitcher\MouseSpeed64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Users\user\AppData\Local\Temp\is-H9OEV.tmp\MouseSpeedSetup64.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_0048C9D7 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,9_2_0048C9D7
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_0048F8D8 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,9_2_0048F8D8
Source: C:\Program Files\MouseSpeedSwitcher\mssLicChk.exe Code function: 9_2_0042FD80 CreateThread,LoadStringA,LoadStringW,GetCurrentProcessId,swprintf,OpenMutexA,swprintf,CreateMutexA,GetLastError,WaitForSingleObject,swprintf,FindWindowA,Sleep,_strlen,SendMessageA,ReleaseMutex,GetEnvironmentVariableA,_memset,swprintf,SetEnvironmentVariableA,GetLastError,swprintf,WaitForInputIdle,GetCurrentProcessId,swprintf,OpenMutexA,GetCurrentThread,SetThreadPriority,LoadLibraryA,GetProcAddress,GetVersionExA,GetCurrentProcessId,swprintf,CreateMutexA,GetLastError,swprintf,SetEnvironmentVariableA,9_2_0042FD80
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Image File Execution Options Injection | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | 21 Input Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | 1 Windows Service | 1 Image File Execution Options Injection | 3 Obfuscated Files or Information | Security Account Manager | 45 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | 11 Registry Run Keys / Startup Folder | 1 Windows Service | 12 Software Packing | NTDS | 461 Security Software Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 Process Injection | 1 DLL Side-Loading | LSA Secrets | 25 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 11 Registry Run Keys / Startup Folder | 3 Masquerading | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 25 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Process Injection | Proc Filesystem | 2 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |

Behavior Graph ID: 1631238, Sample: MouseSpeedSetup64.exe, Startdate: 06/03/2025, Architecture: WINDOWS, Score: 42

Signatures: Multi AV Scanner detection for submitted file; Detected unpacking (changes PE section rights); Found evasive API chain (may stop execution after checking mutex); 2 other signatures
DNS/IP: www.gphotoshow.com; gphotoshow.com; 2 other IPs or domains

  • MouseSpeedSetup64.exe: started; dropped C:\Users\user\...\MouseSpeedSetup64.tmp, PE32; started MouseSpeedSetup64.tmp
  • MouseSpeedSetup64.tmp: dropped C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\Program Files\...\unins000.exe (copy), PE32; C:\Program Files\...\mssLicChk.exe (copy), PE32; 4 other files (2 malicious); started MouseSpeed64.exe, mssLicChk.exe, MouseSpeed64.exe
  • MouseSpeed64.exe: DNS/IP gphotoshow.com 88.99.26.79, 443, 63631 HETZNER-ASDE Germany; signatures: Hides threads from debuggers; Found direct / indirect Syscall (likely to bypass EDR)
  • mssLicChk.exe: signatures: Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.); started conhost.exe
