
Windows Analysis Report
MagicUtilities-Setup-3.1.4.5-Win10.exe

Overview

General Information

Sample name:MagicUtilities-Setup-3.1.4.5-Win10.exe
Analysis ID:1522462
MD5:b0a4144c3aeef5d61201706e2f786ff0
SHA1:224e8360830c2b02e4daef69a2c0d55a98ff0ec4
SHA256:4150d4963e9283e26e1bbe67f56c733feec94ae4cc42b2e5fc35b40efa92ea8f

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Drops PE files
Found dropped PE file which has not been started or loaded
PE file contains sections with non-standard names
Uses 32bit PE files

Classification

  • System is w10x64_ra
  • MagicUtilities-Setup-3.1.4.5-Win10.exe (PID: 7096 cmdline: "C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe" MD5: B0A4144C3AEEF5D61201706E2F786FF0)
    • MagicUtilities-Setup-3.1.4.5-Win10.tmp (PID: 7156 cmdline: "C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp" /SL5="$40380,68291663,1056768,C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe" MD5: 9D13CC54CB881EF523EEA84C934A8AD1)
  • cleanup
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures.

Source: MagicUtilities-Setup-3.1.4.5-Win10.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: MagicUtilities-Setup-3.1.4.5-Win10.exe | Static PE information: certificate valid
Source: MagicUtilities-Setup-3.1.4.5-Win10.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: classification engine | Classification label: clean2.winEXE@3/2@0/0
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe | File created: C:\Users\user\AppData\Local\Temp\is-66B67.tmp
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe | File read: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe
Source: unknown | Process created: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe "C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe"
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe | Process created: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp "C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp" /SL5="$40380,68291663,1056768,C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe"
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Window found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: MagicUtilities-Setup-3.1.4.5-Win10.exe | Static file information: File size 69423208 > 1048576
Source: MagicUtilities-Setup-3.1.4.5-Win10.exe | Static PE information: section name: .didata
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | File created: C:\Users\user\AppData\Local\Temp\is-P3ELG.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe | File created: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-P3ELG.tmp\_isetup\_setup64.tmp
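The process chain recorded above (PID 7096 starting PID 7156 from AppData\Local\Temp\is-66B67.tmp with a /SL5 switch), the dropped but never executed _setup64.tmp helper and the "Drops PE files" signatures are the normal footprint of an Inno Setup installer: the signed outer executable is only the loader stub, which unpacks the real setup program under AppData\Local\Temp\is-XXXXX.tmp\<same base name>.tmp and hands it the path of the original file through /SL5. A triage rule that recognises this chain, and flags the cases where the pieces do not fit together, separates this benign noise from a second stage that merely imitates the naming. The Python below is an added example, not part of the Joe Sandbox report and not code from the Magic Utilities product; the events are constructed from the two processes listed in this report plus one invented mismatch, and reading the /SL5 fields as a window handle in Delphi "$" hex notation followed by two offsets into the original file is my reading of Inno Setup's loader source, not something the report states.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (what Sysmon event ID 1 or an EDR feed gives you)."""
    pid: int
    ppid: int
    image: str    # full path of the new process image
    cmdline: str  # full command line as logged


# Inno Setup's loader stub unpacks the real setup program to
# ...\Temp\is-XXXXX.tmp\<same base name as the loader>.tmp ...
_INNO_CHILD = re.compile(
    r"\\Temp\\is-[A-Z0-9]{5}\.tmp\\(?P<base>[^\\]+)\.tmp$", re.IGNORECASE)
# ... and starts it with /SL5="$<hex>,<int>,<int>,<path of the original setup exe>".
# Assumption (my reading of Inno Setup's SetupLdr source): the hex value is a window
# handle in Delphi '$' notation and the two integers are data offsets into the original file.
_SL5 = re.compile(r'/SL5="\$[0-9A-F]+,\d+,\d+,(?P<orig>[^"]+)"', re.IGNORECASE)


def classify_inno(child: ProcEvent, parent: Optional[ProcEvent]) -> str:
    """Return 'inno-setup-loader-chain', 'inno-like-mismatch' or 'other' for one process."""
    m_path = _INNO_CHILD.search(child.image)
    m_sl5 = _SL5.search(child.cmdline)
    if not (m_path or m_sl5):
        return "other"                      # nothing Inno-like about this process
    if parent is None or not (m_path and m_sl5):
        return "inno-like-mismatch"         # only half of the pattern is present: look closer
    # The unpacked .tmp must carry the loader's base name, and the path passed in /SL5
    # must be the loader that actually spawned it (ntpath handles Windows paths on any OS).
    parent_base = ntpath.splitext(ntpath.basename(parent.image))[0]
    same_name = m_path.group("base").lower() == parent_base.lower()
    same_origin = ntpath.normcase(m_sl5.group("orig")) == ntpath.normcase(parent.image)
    return "inno-setup-loader-chain" if same_name and same_origin else "inno-like-mismatch"


def classify_events(events: List[ProcEvent]) -> Dict[int, str]:
    """Classify every process in a batch of creation events, resolving parents by PID."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: classify_inno(e, by_pid.get(e.ppid)) for e in events}


# Constructed sample input: the two processes from this report's process tree.
EVENTS = [
    ProcEvent(7096, 0,
              r"C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe",
              r'"C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe"'),
    ProcEvent(7156, 7096,
              r"C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp",
              r'"C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp" '
              r'/SL5="$40380,68291663,1056768,C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe"'),
]

# Constructed counter-example (not from the report): same directory naming and a
# plausible /SL5, but the child's base name does not match the loader that started it.
MISMATCH = ProcEvent(
    7157, 7096,
    r"C:\Users\user\AppData\Local\Temp\is-ABCDE.tmp\update.tmp",
    r'"C:\Users\user\AppData\Local\Temp\is-ABCDE.tmp\update.tmp" '
    r'/SL5="$40380,68291663,1056768,C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe"')


if __name__ == "__main__":
    for pid, verdict in classify_events(EVENTS + [MISMATCH]).items():
        print(pid, verdict)
```

The rule deliberately keys on the relationship between parent and child rather than on the "is-XXXXX.tmp" string alone: the directory name is trivial to imitate, but a child whose base name or /SL5 origin does not match its parent is not something Inno Setup's own loader produces.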
MITRE ATT&CK matrix (techniques with at least one matching signature; the number is the count of matching signatures):
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1), Process Injection (1)
  • Defense Evasion: DLL Side-Loading (1), Process Injection (1), Masquerading (1)
  • Discovery: System Owner/User Discovery (2), System Information Discovery (1)
No techniques matched under Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration or Impact.

Antivirus and reputation lookups (Source | Detection | Scanner)
Sample:
  • MagicUtilities-Setup-3.1.4.5-Win10.exe | 0% | ReversingLabs
  • MagicUtilities-Setup-3.1.4.5-Win10.exe | 0% | Virustotal
Dropped files:
  • C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | 0% | ReversingLabs
  • C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp | 0% | Virustotal
  • C:\Users\user\AppData\Local\Temp\is-P3ELG.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
  • C:\Users\user\AppData\Local\Temp\is-P3ELG.tmp\_isetup\_setup64.tmp | 0% | Virustotal
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1522462
Start date and time:2024-09-30 07:05:54 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Sample name:MagicUtilities-Setup-3.1.4.5-Win10.exe
Detection:CLEAN
Classification:clean2.winEXE@3/2@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
Process:C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3403648
Entropy (8bit):6.300389626502679
Encrypted:false
SSDEEP:
MD5:9D13CC54CB881EF523EEA84C934A8AD1
SHA1:CC0128344E12D699BB2BE8FCB946ACE81CD8BA8E
SHA-256:AC45E7D2311D3138311F1B654E76B4685111079915DC55C1E487DF66E1900C36
SHA-512:1D8A1F5287A53374E1A7EC9DEAD64EB12F2686214AFD63030F6BB5CAACE612D34FDADCDF0A5B771252C94F4437FC79D77B46E15D609591E511CC7C070E66C97A
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
  • Antivirus: Virustotal, Detection: 0%, Browse
Reputation:unknown
Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................L,..v......hf,......p,...@...........................4.....h74...@......@....................-.......-..9....................3..)...........................................................-.......-......................text.... ,......",................. ..`.itext...(...@,..*...&,............. ..`.data...X....p,......P,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-......*-.............@..@.tls....L.....-..........................rdata..]............,-.............@..@.rsrc.................-.............@..@..............1.......0.............@..@........................................................
Process:C:\Users\user\AppData\Local\Temp\is-66B67.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.720366600008286
Encrypted:false
SSDEEP:
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
  • Antivirus: Virustotal, Detection: 0%, Browse
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.964732842884367
TrID:
  • Win32 Executable (generic) a (10002005/4) 98.45%
  • Inno Setup installer (109748/4) 1.08%
  • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
  • Win16/32 Executable Delphi generic (2074/23) 0.02%
  • Generic Win/DOS Executable (2004/3) 0.02%
File name:MagicUtilities-Setup-3.1.4.5-Win10.exe
File size:69'423'208 bytes
MD5:b0a4144c3aeef5d61201706e2f786ff0
SHA1:224e8360830c2b02e4daef69a2c0d55a98ff0ec4
SHA256:4150d4963e9283e26e1bbe67f56c733feec94ae4cc42b2e5fc35b40efa92ea8f
SHA512:aaa65d924e5ca74ec003e059c4bb4a5c6dc568271b95e993712f372c861ee0afa50a29bfcdb8d4233bfff08e68d127ad91f06d35737e1f218a6739265b45208d
SSDEEP:1572864:fL25J4bR71bbsBcvuGXSSAcH2I2UOoJceLUYU1+SIJ:fkWd5HocGonjJVUYUs
TLSH:F6E733A2BB34CC99E41B89F09937E93045B7BE74B899840E66E4372EC7B3351295F407
File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash:334d928faf966d17
Entrypoint:0x4b5eec
Entrypoint Section:.itext
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x63ECF218 [Wed Feb 15 14:54:16 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:e569e6f445d32ba23766ad67d1e3787f
Signature Valid:true
Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 14/06/2023 02:00:00 22/04/2026 01:59:59
Subject Chain
  • CN=Magic Utilities Pty Ltd, O=Magic Utilities Pty Ltd, L=Pottsville, S=New South Wales, C=AU, SERIALNUMBER=617 728 319, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=AU
Version:3
Thumbprint MD5:E138D0A5D91CBAAF9D219ADAFDB54C7E
Thumbprint SHA-1:A49FAF128DC394641240A2E50300802EC88FBE1F
Thumbprint SHA-256:8E20BF4138847097F48F0E110C6757B753D37E84E537FF25FBBB49DFBE767D0A
Serial:07F9B5BD82CA576EEFBB9D2C9D65DCAD
Entrypoint preview (disassembly):
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004B14B8h
call 00007FA188D5C635h
xor eax, eax
push ebp
push 004B65E2h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004B659Eh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004BE634h]
call 00007FA188DFF127h
call 00007FA188DFEC7Ah
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007FA188D720D4h
mov edx, dword ptr [ebp-14h]
mov eax, 004C1D84h
call 00007FA188D57227h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004C1D84h]
mov dl, 01h
mov eax, dword ptr [004238ECh]
call 00007FA188D73257h
mov dword ptr [004C1D88h], eax
xor edx, edx
push ebp
push 004B654Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FA188DFF1AFh
mov dword ptr [004C1D90h], eax
mov eax, dword ptr [004C1D90h]
cmp dword ptr [eax+0Ch], 01h
jne 00007FA188E053CAh
mov eax, dword ptr [004C1D90h]
mov edx, 00000028h
call 00007FA188D73B4Ch
mov edx, dword ptr [004C1D90h]
Data directories (Name | Virtual Address | Virtual Size | Is in Section)
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xfdc | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x47a10 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x42326e8 | 0x2980 | (raw file offset of the Authenticode signature, not an RVA, so it maps to no section)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc22f4 | 0x254 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
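The static information lists DYNAMIC_BASE and NX_COMPAT, but also RELOCS_STRIPPED, and the data-directory table shows an empty IMAGE_DIRECTORY_ENTRY_BASERELOC. The Windows loader can only randomise the base of an image it is able to relocate, so for this 32-bit image DEP applies but ASLR does not, whatever the DLL-characteristics flag claims; the image will always be mapped at its preferred base 0x400000. The Python below is an added example, not part of the Joe Sandbox report and not Magic Utilities code: it parses the file characteristics, the DLL characteristics and the base-relocation directory out of a PE header and derives that verdict. Rather than reading the real sample it builds a minimal constructed PE32 header carrying the flag values from this report, plus a second constructed header with relocations kept for contrast; the header offsets are the standard PE32/PE32+ layout from winnt.h.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h); only the common ones are named here.
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED", 0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND", 0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}


def flag_names(value, table):
    """Decode a flag word into the names of the bits that are set, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_mitigations(data: bytes) -> dict:
    """Read the two flag words and the base-relocation directory from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    fh = pe + 4                                            # IMAGE_FILE_HEADER, 20 bytes
    _machine, _nsec, _ts, _sym, _nsym, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    dir_base = opt + (96 if magic == 0x10B else 112)         # first IMAGE_DATA_DIRECTORY
    ndirs = struct.unpack_from("<I", data, dir_base - 4)[0]  # NumberOfRvaAndSizes
    reloc_rva = reloc_size = 0
    if ndirs > 5:                                            # index 5 = BASERELOC
        reloc_rva, reloc_size = struct.unpack_from("<II", data, dir_base + 5 * 8)
    relocs_stripped = bool(chars & 0x0001)
    dynamic_base = bool(dll_chars & 0x0040)
    return {
        "characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "nx_compat": bool(dll_chars & 0x0100),
        "dynamic_base": dynamic_base,
        "base_reloc_dir": (reloc_rva, reloc_size),
        # The loader can only randomise the base if it has relocations to apply.
        "aslr_effective": dynamic_base and not relocs_stripped and reloc_size > 0,
    }


def build_header(characteristics: int, dll_characteristics: int, reloc_dir=(0, 0), pe32plus=False) -> bytes:
    """Constructed minimal PE header (no sections, no code): sample input for the parser."""
    magic = 0x20B if pe32plus else 0x10B
    dir_off = 112 if pe32plus else 96
    opt = bytearray(dir_off + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, dir_off - 4, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dir_off + 5 * 8, *reloc_dir)  # BASERELOC entry
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt), characteristics)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew -> PE header at 0x40
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


# Flag values taken from the static information in this report (constructed header, not the sample).
SAMPLE_CHARS = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0080 | 0x0100 | 0x8000   # 0x818F
SAMPLE_DLLCHARS = 0x0040 | 0x0100 | 0x8000                                    # 0x8140
SAMPLE = build_header(SAMPLE_CHARS, SAMPLE_DLLCHARS, reloc_dir=(0, 0))
# Contrast case (constructed): relocations kept, so DYNAMIC_BASE can actually take effect.
RELOCATABLE = build_header(SAMPLE_CHARS & ~0x0001, SAMPLE_DLLCHARS, reloc_dir=(0xC8000, 0x1000))

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in parse_pe_mitigations(blob).items():
        print(f"{key}: {value}")
```

Run it with a path to any PE file to check a real binary; without arguments it evaluates the constructed header and reports aslr_effective False, which is the point to carry into a risk assessment of a Delphi-built installer stub like this one.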
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics)
.text | 0x1000 | 0xb39e4 | 0xb3a00 | 43af0a9476ca224d8e8461f1e22c94da | False | 0.34525867693110646 | data | 6.357635049994181 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xb5000 | 0x1688 | 0x1800 | 185e04b9a1f554e31f7f848515dc890c | False | 0.54443359375 | data | 5.971425428435973 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xb7000 | 0x37a4 | 0x3800 | cab2107c933b696aa5cf0cc6c3fd3980 | False | 0.36097935267857145 | data | 5.048648594372454 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xbb000 | 0x6de8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xc2000 | 0xfdc | 0x1000 | e7d1635e2624b124cfdce6c360ac21cd | False | 0.3798828125 | data | 5.029087481102678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xc3000 | 0x1a4 | 0x200 | 8ced971d8a7705c98b173e255d8c9aa7 | False | 0.345703125 | data | 2.7509822285969876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xc4000 | 0x9a | 0x200 | 8d4e1e508031afe235bf121c80fd7d5f | False | 0.2578125 | data | 1.877162954504408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xc5000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xc6000 | 0x5d | 0x200 | 8f2f090acd9622c88a6a852e72f94e96 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xc7000 | 0x47a10 | 0x47c00 | 5e29bdd19ebeb493bcb935cc58b4e613 | False | 0.22892394381533102 | data | 3.9448202111738997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity)
RT_ICON | 0xc7738 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.5726950354609929
RT_ICON | 0xc7ba0 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 0 | English | United States | 0.5569767441860465
RT_ICON | 0xc8258 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.46024590163934426
RT_ICON | 0xc8be0 | 0xcd8 | Device independent bitmap graphic, 28 x 56 x 32, image size 0 | English | United States | 0.40541362530413627
RT_ICON | 0xc98b8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.39704502814258913
RT_ICON | 0xca960 | 0x1588 | Device independent bitmap graphic, 36 x 72 x 32, image size 0 | English | United States | 0.32093613933236576
RT_ICON | 0xcbee8 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 0 | English | United States | 0.3239644970414201
RT_ICON | 0xcd950 | 0x1fc8 | Device independent bitmap graphic, 44 x 88 x 32, image size 0 | English | United States | 0.29818092428711895
RT_ICON | 0xcf918 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.28620331950207467
RT_ICON | 0xd1ec0 | 0x32e8 | Device independent bitmap graphic, 56 x 112 x 32, image size 0 | English | United States | 0.2422498465316145
RT_ICON | 0xd51a8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States | 0.21711147850732168
RT_ICON | 0xd93d0 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 0 | English | United States | 0.15337338262476893
RT_ICON | 0xde858 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 0 | English | United States | 0.1349248120300752
RT_ICON | 0xe5040 | 0x7d48 | Device independent bitmap graphic, 88 x 176 x 32, image size 0 | English | United States | 0.15555624844100774
RT_ICON | 0xecd88 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 0 | English | United States | 0.11209796089972672
RT_ICON | 0xf6230 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.10894061280018928
RT_ICON | 0x106a58 | 0x4f2f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9931922450791771
RT_STRING | 0x10b988 | 0x360 | data | | | 0.34375
RT_STRING | 0x10bce8 | 0x260 | data | | | 0.3256578947368421
RT_STRING | 0x10bf48 | 0x45c | data | | | 0.4068100358422939
RT_STRING | 0x10c3a4 | 0x40c | data | | | 0.3754826254826255
RT_STRING | 0x10c7b0 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0x10ca84 | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0x10cb3c | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0x10cbd8 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0x10cf4c | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0x10d2e4 | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0x10d64c | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0x10d8f0 | 0x10 | data | | | 1.5
RT_RCDATA | 0x10d900 | 0x2c4 | data | | | 0.6384180790960452
RT_RCDATA | 0x10dbc4 | 0x2c | data | | | 1.2045454545454546
RT_GROUP_ICON | 0x10dbf0 | 0xf4 | data | English | United States | 0.6721311475409836
RT_VERSION | 0x10dce4 | 0x584 | data | English | United States | 0.2811614730878187
RT_MANIFEST | 0x10e268 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
Imports (DLL | imported functions)
kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW
Exports (Name | Ordinal | Address)
TMethodImplementationIntercept | 3 | 0x4541a8
__dbk_fcall_wrapper | 2 | 0x40d0a0
dbkFCallWrapperAddr | 1 | 0x4be63c
Language of compilation system | Country where language is spoken
English | United States