Windows Analysis Report
MagicUtilities-Setup-3.1.4.5-Win10.exe

Overview

General Information

Sample name: MagicUtilities-Setup-3.1.4.5-Win10.exe
Analysis ID: 1522465
MD5: b0a4144c3aeef5d61201706e2f786ff0
SHA1: 224e8360830c2b02e4daef69a2c0d55a98ff0ec4
SHA256: 4150d4963e9283e26e1bbe67f56c733feec94ae4cc42b2e5fc35b40efa92ea8f

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Changes security center settings (notifications, updates, antivirus, firewall)
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by executing a special instruction (VM detection)
Yara detected Generic Downloader
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Drops PE files
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses taskkill to terminate processes

Classification

Source: MagicUtilities-Setup-3.1.4.5-Win10.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: MagicUtilities-Setup-3.1.4.5-Win10.exe Static PE information: certificate valid
Source: MagicUtilities-Setup-3.1.4.5-Win10.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: Yara match File source: C:\Program Files (x86)\MagicUtilities\Service\is-5TT39.tmp, type: DROPPED
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{09dc9bae-bd3c-5743-b5d1-99df04016a9f}
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\FileRepository\magicmouse.inf_amd64_2697dabe43c1f96e
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\inf\oem4.inf
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\drvinst.exe File deleted: C:\Windows\System32\DriverStore\Temp\{09dc9bae-bd3c-5743-b5d1-99df04016a9f}\SETA38C.tmp
Source: C:\Windows\System32\svchost.exe Process token adjusted: Security
Source: classification engine Classification label: mal72.troj.evad.winEXE@28/17@0/18
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp File created: C:\Program Files (x86)\MagicUtilities
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5444:120:WilError_03
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -1862932489--1742674988. Number: 0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6056:120:WilError_03
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe File created: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="KBOSD.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWCC.SCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWCC.UCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWGameLibrary.SCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWGameLibrary.UCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AlienFXSubAgent.exe"
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AppleControlPanel.exe")
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe File read: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe
Source: unknown Process created: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe "C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe"
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe Process created: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp "C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp" /SL5="$80380,68291663,1056768,C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im AppleControlPanel.exe
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Process created: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\_isetup\_setup64.tmp helper 105 0x5A4
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\_isetup\_setup64.tmp Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Process created: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe "C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe" --install=MagicMouse.inf --force
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{8e7b30d9-a74e-2c41-9648-e2741c677ffb}\MagicMouse.inf" "9" "4ba711867" "0000000000000144" "WinSta0\Default" "0000000000000170" "208" "C:\Program Files (x86)\MagicUtilities\DriverMouse"
Source: unknown Process created: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe "C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe" --run
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Process created: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe "C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe" -CreateAutoStart
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{8e7b30d9-a74e-2c41-9648-e2741c677ffb}\MagicMouse.inf" "9" "4ba711867" "0000000000000144" "WinSta0\Default" "0000000000000170" "208" "C:\Program Files (x86)\MagicUtilities\DriverMouse"
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\_isetup\_setup64.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe Section loaded: newdev.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe Section loaded: devrtl.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe Section loaded: drvsetup.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe Section loaded: drvstore.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Section loaded: pcacli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpnpmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devrtl.dll
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe Section loaded: version.dll
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe Section loaded: newdev.dll
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe Section loaded: devobj.dll
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe Section loaded: devrtl.dll
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: version.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: powrprof.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: devobj.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: umpdc.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: shfolder.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: sxs.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp File written: C:\ProgramData\MagicUtilities\MagicUtilities.ini
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Window found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: MagicUtilities-Setup-3.1.4.5-Win10.exe Static PE information: certificate valid
Source: MagicUtilities-Setup-3.1.4.5-Win10.exe Static file information: File size 69423208 > 1048576
Source: MagicUtilities-Setup-3.1.4.5-Win10.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: MagicUtilities-Setup-3.1.4.5-Win10.exe Static PE information: section name: .didata
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp File created: C:\Program Files (x86)\MagicUtilities\Service\is-5TT39.tmp
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe File created: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp File created: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp File created: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp File created: C:\Program Files (x86)\MagicUtilities\Service\is-IEGHA.tmp
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\MagicUtilities_Service
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Magic Mouse Utilities.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe Memory written: PID: 2216 base: 7FFF4F430008 value: E9 EB D9 E9 FF
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe Memory written: PID: 2216 base: 7FFF4F2CD9F0 value: E9 20 26 16 00
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe Special instruction interceptor: First address: 1007C4E4A instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Window / User API: threadDelayed 577
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Window / User API: threadDelayed 5070
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Dropped PE file which has not been started: C:\Program Files (x86)\MagicUtilities\Service\is-5TT39.tmp
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\_isetup\_setup64.tmp
Source: C:\Windows\System32\svchost.exe TID: 6284 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe TID: 7164 Thread sleep count: 577 > 30
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe TID: 1508 Thread sleep count: 218 > 30
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe TID: 6016 Thread sleep count: 41 > 30
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe TID: 6016 Thread sleep time: -41000s >= -30000s
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe TID: 6016 Thread sleep count: 5070 > 30
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe TID: 6016 Thread sleep time: -5070000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Process information queried: ProcessInformation

Anti Debugging

Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Open window title or class name: ollydbg
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe File opened: SIWDEBUG
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe File opened: NTICE
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe File opened: SICE
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtQuerySystemInformation: Direct from: 0x10048B7AC
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtMapViewOfSection: Direct from: 0x1004876E5
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtProtectVirtualMemory: Indirect: 0x1003C5E63
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtProtectVirtualMemory: Direct from: 0x1004CCEBC
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtProtectVirtualMemory: Direct from: 0x10049E28E
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtQuerySystemInformation: Direct from: 0x1004CA095
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtProtectVirtualMemory: Direct from: 0x1004F3104
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtProtectVirtualMemory: Direct from: 0x1004B0B9F
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtProtectVirtualMemory: Direct from: 0x1004F54FA
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtProtectVirtualMemory: Direct from: 0x100514C6D
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtQuerySystemInformation: Direct from: 0x1004B0BD6
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtQuerySystemInformation: Direct from: 0x10050477F
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtUnmapViewOfSection: Direct from: 0x1004C79D6
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtProtectVirtualMemory: Direct from: 0x1007B70C3
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtClose: Direct from: 0x1004C17D6
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtQuerySystemInformation: Direct from: 0x1007B5A24
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtProtectVirtualMemory: Direct from: 0x1004E8801
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtProtectVirtualMemory: Direct from: 0x100480521
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Process created: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\_isetup\_setup64.tmp helper 105 0x5A4
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Process created: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe "C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe" -CreateAutoStart
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im AppleControlPanel.exe
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\drvinst.exe Queries volume information: C:\Windows\System32\DriverStore\Temp\{09dc9bae-bd3c-5743-b5d1-99df04016a9f}\MagicMouse.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\drvinst.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
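Two things in the rows above are easy to misread: the "Direct from: 0x1004…" syscall rows name MagicUtilities_Service.exe, while most of the "Lowering of HIPS / PFW" rows name svchost.exe and MpCmdRun.exe. The ROOT\SecurityCenter notification queries and the Security Center cval key are the Windows Security Center service (wscsvc, hosted in svchost.exe) and Defender reacting to the install, not actions of the sample, whereas taskkill.exe is an OS binary that the installer's .tmp launched. The script below is an added triage example (not Joe Sandbox code and not the vendor's) that reads rows in the report's own "Source: <path> <event>: <detail>" form, attributes each one to the sample's lineage or to an OS component using the Process created rows, and checks each syscall return address against an assumed image range for the service; that range, the SAMPLE_ROOTS/OS_ROOTS lists and the embedded subset of rows are assumptions and constructed input, not data from the report.

```python
"""Triage helper for Joe Sandbox-style signature rows.

Added example, not Joe Sandbox's or the vendor's code. Each row has the shape
"Source: <process path> <event kind>: <detail>". The script attributes every
row to the sample's own lineage (install dir, installer temp dirs, or a child
it spawned) or to an OS component, and checks whether each reported syscall
return address lies inside the service's image (an ASSUMED range; the report
does not list module bases) or somewhere else.
"""
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(r"^Source: (?P<path>.+?\.(?:exe|tmp)) (?P<kind>[^:]+): (?P<detail>.*)$")
SYSCALL_RE = re.compile(r"^(?P<mode>Direct from|Indirect): (?P<addr>0x[0-9A-Fa-f]+)$")
CHILD_RE = re.compile(r"^(?P<child>.+?\.(?:exe|tmp)) ")

# Paths under these roots belong to the sample's own lineage (assumed from the report paths).
SAMPLE_ROOTS = ("C:\\Program Files (x86)\\MagicUtilities\\",
                "C:\\Users\\user\\AppData\\Local\\Temp\\is-")
# Paths under these roots are OS components: wscsvc (Security Center) runs inside
# svchost.exe and MpCmdRun.exe is Windows Defender's command-line tool.
OS_ROOTS = ("C:\\Windows\\", "C:\\Program Files\\Windows Defender\\")

SERVICE = "C:\\Program Files (x86)\\MagicUtilities\\Service\\MagicUtilities_Service.exe"
# ASSUMPTION: mapped range of the service image. Not in the report; take it from
# the sandbox's module list or a memory dump in a real triage.
SAMPLE_IMAGE_RANGES = {SERVICE: (0x100000000, 0x100900000)}

# Constructed input: a subset of the report rows above, embedded so this runs offline.
SAMPLE_ROWS = [
    r"Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe Thread information set: HideFromDebugger",
    r"Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe File opened: SICE",
    r"Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtQuerySystemInformation: Direct from: 0x10048B7AC",
    r"Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtMapViewOfSection: Direct from: 0x1004876E5",
    r"Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtProtectVirtualMemory: Indirect: 0x1003C5E63",
    r"Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtProtectVirtualMemory: Direct from: 0x1004CCEBC",
    r"Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtProtectVirtualMemory: Direct from: 0x10049E28E",
    r"Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe NtClose: Direct from: 0x1004C17D6",
    r'Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im AppleControlPanel.exe',
    r"Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug",
    r"Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval",
    r"Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'",
    r"Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct",
]


def parse_row(line):
    """Split one report row into path / event kind / detail, or None if it is not a row."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def spawned_children(rows):
    """Image paths launched by a sample-lineage process, from 'Process created' rows (one level)."""
    spawned = set()
    for row in rows:
        if row["kind"] == "Process created" and row["path"].startswith(SAMPLE_ROOTS):
            m = CHILD_RE.match(row["detail"] + " ")
            if m:
                spawned.add(m.group("child"))
    return spawned


def attribute(path, spawned=frozenset()):
    """Sample lineage first, then OS components, so a spawned taskkill.exe is not lost."""
    if path.startswith(SAMPLE_ROOTS):
        return "sample"
    if path in spawned:
        return "sample-spawned"
    if path.startswith(OS_ROOTS):
        return "os-component"
    return "unknown"


def classify_syscall(row):
    """(Nt function, mode, origin) for syscall rows; origin tests the assumed image range."""
    if not row["kind"].startswith("Nt"):
        return None
    m = SYSCALL_RE.match(row["detail"])
    if not m:
        return None
    addr = int(m.group("addr"), 16)
    lo, hi = SAMPLE_IMAGE_RANGES.get(row["path"], (0, 0))
    origin = "own-image" if lo <= addr < hi else "unbacked-or-other-module"
    return row["kind"], m.group("mode"), origin


def triage(lines):
    rows = [r for r in map(parse_row, lines) if r]
    spawned = spawned_children(rows)
    summary = {"attribution": {}, "syscalls": defaultdict(Counter), "security_center_from_os": []}
    for row in rows:
        who = attribute(row["path"], spawned)
        summary["attribution"][row["path"]] = who
        sc = classify_syscall(row)
        if sc:
            summary["syscalls"][row["path"]][sc] += 1
        # Security Center hits raised by OS components are background noise, not the sample.
        if who == "os-component" and "securitycenter" in row["detail"].replace(" ", "").lower():
            summary["security_center_from_os"].append((row["path"], row["kind"]))
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for path, who in sorted(result["attribution"].items()):
        print(f"{who:15} {path}")
    for path, counts in result["syscalls"].items():
        for (func, mode, origin), n in sorted(counts.items()):
            print(f"{n:2}x {func} {mode} ({origin}) <- {path}")
    print("Security Center rows raised by OS components:", len(result["security_center_from_os"]))
```

Run against the full report, the syscall counter separates the many NtProtectVirtualMemory calls (page-permission changes, as a protector or unpacking stub makes) from the NtQuerySystemInformation and section-mapping calls, and the attribution map puts every svchost.exe and MpCmdRun.exe Security Center row on the OS side of the ledger while keeping taskkill.exe, and therefore its SeDebugPrivilege adjustment, with the installer that launched it. The "own-image" verdict is only as good as the assumed range; replace it with the real module list before drawing conclusions.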