Edit tour

Windows Analysis Report
MagicUtilities-Setup-3.1.4.5-Win10.exe

Overview

General Information

Sample name:	MagicUtilities-Setup-3.1.4.5-Win10.exe
Analysis ID:	1522465
MD5:	b0a4144c3aeef5d61201706e2f786ff0
SHA1:	224e8360830c2b02e4daef69a2c0d55a98ff0ec4
SHA256:	4150d4963e9283e26e1bbe67f56c733feec94ae4cc42b2e5fc35b40efa92ea8f
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Changes security center settings (notifications, updates, antivirus, firewall)

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction (VM detection)

Yara detected Generic Downloader

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Creates a process in suspended mode (likely to inject code)

Creates files inside the driver directory

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Drops PE files

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64_ra

svchost.exe (PID: 3508 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MagicUtilities-Setup-3.1.4.5-Win10.exe (PID: 6940 cmdline: "C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe" MD5: B0A4144C3AEEF5D61201706E2F786FF0)

MagicUtilities-Setup-3.1.4.5-Win10.tmp (PID: 7008 cmdline: "C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp" /SL5="$80380,68291663,1056768,C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe" MD5: 9D13CC54CB881EF523EEA84C934A8AD1)

taskkill.exe (PID: 6504 cmdline: "C:\Windows\system32\taskkill.exe" /f /im AppleControlPanel.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

_setup64.tmp (PID: 5860 cmdline: helper 105 0x5A4 MD5: E4211D6D009757C078A9FAC7FF4F03D4)

conhost.exe (PID: 5444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

DriverUnInstaller.exe (PID: 4532 cmdline: "C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe" --install=MagicMouse.inf --force MD5: 485E377D92A45B8BDE1C9930355D0722)

conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MagicMouseUtilities.exe (PID: 5552 cmdline: "C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe" -CreateAutoStart MD5: 4D6F565A8A5174231351A1EE978FC5E5)

MagicMouseUtilities.exe (PID: 7076 cmdline: "C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe" -CreateAutoStart MD5: 4D6F565A8A5174231351A1EE978FC5E5)

svchost.exe (PID: 6804 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 7156 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 6008 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 5948 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 3292 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 6056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 6564 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 5964 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

drvinst.exe (PID: 2920 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{8e7b30d9-a74e-2c41-9648-e2741c677ffb}\MagicMouse.inf" "9" "4ba711867" "0000000000000144" "WinSta0\Default" "0000000000000170" "208" "C:\Program Files (x86)\MagicUtilities\DriverMouse" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

MagicUtilities_Service.exe (PID: 2216 cmdline: "C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe" --run MD5: 607CED1B8039E03E85B8C0476E9F8988)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\MagicUtilities\Service\is-5TT39.tmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files (x86)\MagicUtilities\Service\is-5TT39.tmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files (x86)\MagicUtilities\Service\is-5TT39.tmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3508, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: MagicUtilities-Setup-3.1.4.5-Win10.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: MagicUtilities-Setup-3.1.4.5-Win10.exe

Static PE information: certificate valid

Source: MagicUtilities-Setup-3.1.4.5-Win10.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match

File source: C:\Program Files (x86)\MagicUtilities\Service\is-5TT39.tmp, type: DROPPED

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{09dc9bae-bd3c-5743-b5d1-99df04016a9f}

Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\magicmouse.inf_amd64_2697dabe43c1f96e
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\inf\oem4.inf
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Windows\System32\drvinst.exe

File deleted: C:\Windows\System32\DriverStore\Temp\{09dc9bae-bd3c-5743-b5d1-99df04016a9f}\SETA38C.tmp

Source: C:\Windows\System32\svchost.exe

Process token adjusted: Security

Source: MagicUtilities-Setup-3.1.4.5-Win10.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal72.troj.evad.winEXE@28/17@0/18

Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp

File created: C:\Program Files (x86)\MagicUtilities

Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp

File created: C:\Users\user\AppData\Local\Programs

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5444:120:WilError_03
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -1862932489--1742674988. Number: 0
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6056:120:WilError_03

Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe

File created: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp

Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="KBOSD.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWCC.SCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWCC.UCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWGameLibrary.SCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWGameLibrary.UCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AlienFXSubAgent.exe"
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AppleControlPanel.exe")
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="KBOSD.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWCC.SCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWCC.UCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWGameLibrary.SCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWGameLibrary.UCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AlienFXSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="KBOSD.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWCC.SCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWCC.UCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWGameLibrary.SCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWGameLibrary.UCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AlienFXSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="KBOSD.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWCC.SCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWCC.UCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWGameLibrary.SCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWGameLibrary.UCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AlienFXSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="KBOSD.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWCC.SCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWCC.UCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWGameLibrary.SCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWGameLibrary.UCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AlienFXSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="KBOSD.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWCC.SCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWCC.UCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWGameLibrary.SCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AWGameLibrary.UCSubAgent.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Process Where Name="AlienFXSubAgent.exe"

Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp

File read: C:\Program Files (x86)\desktop.ini

Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe

File read: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe

Source: unknown	Process created: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe "C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe"
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe	Process created: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp "C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp" /SL5="$80380,68291663,1056768,C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe"
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe	Process created: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp "C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp" /SL5="$80380,68291663,1056768,C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im AppleControlPanel.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\_isetup\_setup64.tmp helper 105 0x5A4
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\_isetup\_setup64.tmp	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe "C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe" --install=MagicMouse.inf --force
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im AppleControlPanel.exe
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{8e7b30d9-a74e-2c41-9648-e2741c677ffb}\MagicMouse.inf" "9" "4ba711867" "0000000000000144" "WinSta0\Default" "0000000000000170" "208" "C:\Program Files (x86)\MagicUtilities\DriverMouse"
Source: unknown	Process created: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe "C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe" --run
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\_isetup\_setup64.tmp helper 105 0x5A4
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe "C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe" --install=MagicMouse.inf --force
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process created: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe "C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe" -CreateAutoStart
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process created: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe "C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe" -CreateAutoStart
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process created: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe "C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe" -CreateAutoStart
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{8e7b30d9-a74e-2c41-9648-e2741c677ffb}\MagicMouse.inf" "9" "4ba711867" "0000000000000144" "WinSta0\Default" "0000000000000170" "208" "C:\Program Files (x86)\MagicUtilities\DriverMouse"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable

Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\_isetup\_setup64.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe	Section loaded: newdev.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe	Section loaded: devrtl.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe	Section loaded: drvsetup.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe	Section loaded: drvstore.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Section loaded: pcacli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpnpmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devrtl.dll
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	Section loaded: newdev.dll
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	Section loaded: devrtl.dll
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: shfolder.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: sxs.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll

Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp

File written: C:\ProgramData\MagicUtilities\MagicUtilities.ini

Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp

Window found: window name: TMainForm

Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Source: MagicUtilities-Setup-3.1.4.5-Win10.exe

Static PE information: certificate valid

Source: MagicUtilities-Setup-3.1.4.5-Win10.exe

Static file information: File size 69423208 > 1048576

Source: MagicUtilities-Setup-3.1.4.5-Win10.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: MagicUtilities-Setup-3.1.4.5-Win10.exe

Static PE information: section name: .didata

Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	File created: C:\Program Files (x86)\MagicUtilities\Service\is-5TT39.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe	File created: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	File created: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	File created: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	File created: C:\Program Files (x86)\MagicUtilities\Service\is-IEGHA.tmp	Jump to dropped file

Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\MagicUtilities_Service

Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Magic Mouse Utilities.lnk

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	Memory written: PID: 2216 base: 7FFF4F430008 value: E9 EB D9 E9 FF
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	Memory written: PID: 2216 base: 7FFF4F2CD9F0 value: E9 20 26 16 00

Source: C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	System information queried: FirmwareTableInformation

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe

Special instruction interceptor: First address: 1007C4E4A instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Window / User API: threadDelayed 577
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Window / User API: threadDelayed 5070

Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\MagicUtilities\Service\is-5TT39.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\_isetup\_setup64.tmp			Jump to dropped file

Source: C:\Windows\System32\svchost.exe TID: 6284	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe TID: 7164	Thread sleep count: 577 > 30
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe TID: 1508	Thread sleep count: 218 > 30
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe TID: 6016	Thread sleep count: 41 > 30
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe TID: 6016	Thread sleep time: -41000s >= -30000s
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe TID: 6016	Thread sleep count: 5070 > 30
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe TID: 6016	Thread sleep time: -5070000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp

Process information queried: ProcessInformation

Anti Debugging

Hides threads from debuggers

Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe

Open window title or class name: ollydbg

Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	File opened: SIWDEBUG
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	File opened: NTICE
Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe	File opened: SICE

Source: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe

Process queried: DebugPort

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	NtQuerySystemInformation: Direct from: 0x10048B7AC
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	NtMapViewOfSection: Direct from: 0x1004876E5
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	NtProtectVirtualMemory: Indirect: 0x1003C5E63
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	NtProtectVirtualMemory: Direct from: 0x1004CCEBC
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	NtProtectVirtualMemory: Direct from: 0x10049E28E
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	NtQuerySystemInformation: Direct from: 0x1004CA095
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	NtProtectVirtualMemory: Direct from: 0x1004F3104
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	NtProtectVirtualMemory: Direct from: 0x1004B0B9F
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	NtProtectVirtualMemory: Direct from: 0x1004F54FA
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	NtProtectVirtualMemory: Direct from: 0x100514C6D
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	NtQuerySystemInformation: Direct from: 0x1004B0BD6
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	NtQuerySystemInformation: Direct from: 0x10050477F
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	NtUnmapViewOfSection: Direct from: 0x1004C79D6
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	NtProtectVirtualMemory: Direct from: 0x1007B70C3
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	NtClose: Direct from: 0x1004C17D6
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	NtQuerySystemInformation: Direct from: 0x1007B5A24
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	NtProtectVirtualMemory: Direct from: 0x1004E8801
Source: C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe	NtProtectVirtualMemory: Direct from: 0x100480521

Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\_isetup\_setup64.tmp helper 105 0x5A4
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Process created: C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe "C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe" -CreateAutoStart

Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp

Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im AppleControlPanel.exe

Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{09dc9bae-bd3c-5743-b5d1-99df04016a9f}\MagicMouse.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation

Source: C:\Windows\System32\drvinst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 Windows Service	1 Windows Service	22 Masquerading	1 Credential API Hooking	46 Security Software Discovery	Remote Services	1 Credential API Hooking	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	11 Process Injection	11 Disable or Modify Tools	LSASS Memory	36 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	36 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSA Secrets	2 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	144 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Source	Detection	Scanner	Label	Link
MagicUtilities-Setup-3.1.4.5-Win10.exe	0%	Virustotal		Browse
MagicUtilities-Setup-3.1.4.5-Win10.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\_isetup\_setup64.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe	0%	Virustotal	Browse
C:\Program Files (x86)\MagicUtilities\Service\BluetoothPairing.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\MagicUtilities\Service\BluetoothPairing.exe (copy)	0%	Virustotal	Browse
C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe (copy)	0%	Virustotal	Browse

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
184.28.90.27	unknown	United States		16625	AKAMAI-ASUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522465
Start date and time:	2024-09-30 07:11:01 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	MagicUtilities-Setup-3.1.4.5-Win10.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@28/17@0/18
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Created / dropped Files

C:\Program Files (x86)\MagicUtilities\Service\BluetoothPairing.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	DA0BEE044D35EC9DACDAB0FA96CB2C00
SHA1:	A9364D2D59322B891191011BE4A17031DD2156A5
SHA-256:	74602190AB3F66D31B81AFC38AE8CB224B4B1E21D22A3BDA90482767C0209C12
SHA-512:	CA54B194672C68ED7ACFD4FC21F02B508B99FE0DB5C6270DC5DA123E145AFABE7C43791623225B76AF00389D99C031FCA6E52E97963523B2898570B2C07DA178
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....q..........."...0...-..N.......:-.. ........@.. ........................1.....a.1...`..................................:-.O....@-..J...........l1..)....1......9-.8............................................ ............... ..H............text.....-.. ....-................. ..`.rsrc....J...@-..L....-.............@..@.reloc........1......j1.............@..B.................:-.....H.......p.,.x{...........5....,..........................................(P.....(....:.(......}.......0..&........(.........r...p.o....(....(.............................(.....(.....o...+~....%-.&.......s....%.....(...+&n.o....s#...(....r...p($.....{...."..}....^r...p.(....(.....(......{......{......0..X........(.....rm..p(....o....-.r...p.r...p(....s....z..}......(....r...pr...po......(....}....*.0..S........(.....r...p.(....(...+.(...+~....%-.&~..........s....%.

C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	607CED1B8039E03E85B8C0476E9F8988
SHA1:	1733CFC6D8E3EA9E2590920C6EBA366649B6B9E0
SHA-256:	8635C575357D5BB67560654748CD4183B79D38A0A060A5AC3644A8C40EEF45D6
SHA-512:	60EDDCF7A0F23380EDD652904B75941E45470766590005E3C66458F004F05184439C8585837D2066842A250D512500A54BE6941F5205D2ECE48E0F0E979F1EC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./.....`...dh...^....J......................................P......RZ[.......................................................J..........=..0X.......Z..)...................................bG.(.....................<..............................text...`........................... ..`.data...dh..........................@....rdata..L1...p......................@..@.pdata..8...........................@..@.bss.....^...@...........................CRT................................@....idata..............................@....cSc0....=..........................@..@.cSc1.....)......................... ..`.cSc2.........<.....................@....cSc3....9V...<..:V.................`..h.rsrc....=.......P...FV.............@..@................................................................................................................................

C:\Program Files (x86)\MagicUtilities\Service\is-5TT39.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3249536
Entropy (8bit):	6.647903409585529
Encrypted:	false
SSDEEP:
MD5:	DA0BEE044D35EC9DACDAB0FA96CB2C00
SHA1:	A9364D2D59322B891191011BE4A17031DD2156A5
SHA-256:	74602190AB3F66D31B81AFC38AE8CB224B4B1E21D22A3BDA90482767C0209C12
SHA-512:	CA54B194672C68ED7ACFD4FC21F02B508B99FE0DB5C6270DC5DA123E145AFABE7C43791623225B76AF00389D99C031FCA6E52E97963523B2898570B2C07DA178
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\MagicUtilities\Service\is-5TT39.tmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\MagicUtilities\Service\is-5TT39.tmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\MagicUtilities\Service\is-5TT39.tmp, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....q..........."...0...-..N.......:-.. ........@.. ........................1.....a.1...`..................................:-.O....@-..J...........l1..)....1......9-.8............................................ ............... ..H............text.....-.. ....-................. ..`.rsrc....J...@-..L....-.............@..@.reloc........1......j1.............@..B.................:-.....H.......p.,.x{...........5....,..........................................(P.....(....:.(......}.......0..&........(.........r...p.o....(....(.............................(.....(.....o...+~....%-.&.......s....%.....(...+&n.o....s#...(....r...p($.....{...."..}....^r...p.(....(.....(......{......{......0..X........(.....rm..p(....o....-.r...p.r...p(....s....z..}......(....r...pr...po......(....}....*.0..S........(.....r...p.(....(...+.(...+~....%-.&~..........s....%.

C:\Program Files (x86)\MagicUtilities\Service\is-IEGHA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5947264
Entropy (8bit):	7.787272168854475
Encrypted:	false
SSDEEP:
MD5:	607CED1B8039E03E85B8C0476E9F8988
SHA1:	1733CFC6D8E3EA9E2590920C6EBA366649B6B9E0
SHA-256:	8635C575357D5BB67560654748CD4183B79D38A0A060A5AC3644A8C40EEF45D6
SHA-512:	60EDDCF7A0F23380EDD652904B75941E45470766590005E3C66458F004F05184439C8585837D2066842A250D512500A54BE6941F5205D2ECE48E0F0E979F1EC3
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./.....`...dh...^....J......................................P......RZ[.......................................................J..........=..0X.......Z..)...................................bG.(.....................<..............................text...`........................... ..`.data...dh..........................@....rdata..L1...p......................@..@.pdata..8...........................@..@.bss.....^...@...........................CRT................................@....idata..............................@....cSc0....=..........................@..@.cSc1.....)......................... ..`.cSc2.........<.....................@....cSc3....9V...<..:V.................`..h.rsrc....=.......P...FV.............@..@................................................................................................................................

C:\Program Files (x86)\MagicUtilities\Uninstall\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
File Type:	InnoSetup Log Magic Utilities {C457C829-197E-41EF-AEF2-FF998099E695}, version 0x418, 73928 bytes, 035347\37\user\376\, C:\Program Files (x86)\MagicUtilities\376\
Category:	dropped
Size (bytes):	73928
Entropy (8bit):	3.940579855232632
Encrypted:	false
SSDEEP:
MD5:	79B079FDF2831AD1C057988956F894DF
SHA1:	13266C3954537EF4AC160A7532EF839EEC9E21BA
SHA-256:	0319A9A0E9E6AF2F5B5D49B2D4CFE016ECDAE6E52F23E7AA35F880FA17C29BD2
SHA-512:	0753978E842047C4AB8C5B8D7844B4232AA9344BDFACF12F61B43C99AC831FD2826C7A83264AE07DEEF11C4833ED8C0368FDFD2BB707EED7FE3BF67474106F6E
Malicious:	false
Reputation:	unknown
Preview:	Inno Setup Uninstall Log (b)....................................{C457C829-197E-41EF-AEF2-FF998099E695}..........................................................................................Magic Utilities.......................................................................................................................... ..................................................................................................................h..............>...............0.3.5.3.4.7......c.a.l.i......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.a.g.i.c.U.t.i.l.i.t.i.e.s..................:.... ..........,...IFPS....B........................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM..........................................................

C:\Program Files (x86)\MagicUtilities\Uninstall\unins000.msg

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
File Type:	InnoSetup messages, version 6.0.0, 261 messages (UTF-16), Cancel installation
Category:	dropped
Size (bytes):	24593
Entropy (8bit):	3.280577818982728
Encrypted:	false
SSDEEP:
MD5:	199FCE2C81BC15A809DF15123EE24938
SHA1:	49EFB06F33B96DCA374E2E9E89B8262B9E1A6277
SHA-256:	6933ACCE29DAD8FB1B9AFE19CF1C220229DD2EE38951129A7993057D88FD9C7B
SHA-512:	9DD7843A01642C37D650BDDBDB697992741C265E554D92C6CA3BEF70C01B8C64049854E388ABD5F1538ED76B61A14FA5FBBE2162EE2895245FD5061F5310A8EB
Malicious:	false
Reputation:	unknown
Preview:	Inno Setup Messages (6.0.0) (u)......................................_..;......;C.a.n.c.e.l. .i.n.s.t.a.l.l.a.t.i.o.n...S.e.l.e.c.t. .a.c.t.i.o.n...&.I.g.n.o.r.e. .t.h.e. .e.r.r.o.r. .a.n.d. .c.o.n.t.i.n.u.e...&.T.r.y. .a.g.a.i.n...&.A.b.o.u.t. .S.e.t.u.p.........%.1. .v.e.r.s.i.o.n. .%.2.....%.3.........%.1. .h.o.m.e. .p.a.g.e.:.....%.4.....A.b.o.u.t. .S.e.t.u.p...Y.o.u. .m.u.s.t. .b.e. .l.o.g.g.e.d. .i.n. .a.s. .a.n. .a.d.m.i.n.i.s.t.r.a.t.o.r. .w.h.e.n. .i.n.s.t.a.l.l.i.n.g. .t.h.i.s. .p.r.o.g.r.a.m.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.c.o.m.m.e.n.d.e.d. .t.h.a.t. .y.o.u. .a.l.l.o.w. .S.e.t.u.p. .t.o. .a.u.t.o.m.a.t.i.c.a.l.l.y. .c.l.o.s.e. .t.h.e.s.e. .a.p.p.l.i.c.a.t.i.o.n.s.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.

C:\ProgramData\MagicUtilities\MagicUtilities.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.41910913192781
Encrypted:	false
SSDEEP:
MD5:	832C26D8BF7CBE83CD871026FBE2207B
SHA1:	D8678EE914ED1774F09314E3FF6F49840CB9A4C5
SHA-256:	EA9D56DB7DB78C1E72928561A8037B56255C8A5CB5DDE6AF2300654CD10C9922
SHA-512:	FECBC17C01B0BEC5A4B1EA8AAAD935912FBF5E8774D3EB2BDCD1DFBA37F1A27B7C3303819C915EBCC21FA598ABA9B5DB97CFC60F80E31F266BF6A33875B3B378
Malicious:	false
Reputation:	unknown
Preview:	[MagicUtilitiesService]..InstallAllDriversOnBoot=0..

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Magic Mouse Utilities.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Sep 30 04:11:59 2024, mtime=Mon Sep 30 04:11:59 2024, atime=Mon Mar 18 17:23:40 2024, length=16858496, window=hide
Category:	dropped
Size (bytes):	1189
Entropy (8bit):	4.621116197792826
Encrypted:	false
SSDEEP:
MD5:	C4A99DDF2673481D4A0B4CB33122E737
SHA1:	C6E8A3DD5FA78238399AC6550C21812ED1E14F42
SHA-256:	386796133C79BA45B684412F9B1A640B52F104FFEAC86A60BEB86F69E4D0C7F7
SHA-512:	9303BC5279898F9B6234E1413E8841087958433D68151965D285707A7BDDD30B7B9007A9E067FAA1BEBAB5BAB12B9AF070742917BBAAE081E38690B858CDE1E4
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ......F.......G.......fay...=...........................P.O. .:i.....+00.../C:\.....................1.....>Yp)..PROGRA~2.........O.I>Yp)....................V.....vp..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....f.1.....>Y.)..MAGICU~1..N......>Y.)>Y.).........................(...M.a.g.i.c.U.t.i.l.i.t.i.e.s.....\|.2..=..rX.. .MAGICM~1.EXE..`......>Y.)>Y.)..............................M.a.g.i.c.M.o.u.s.e.U.t.i.l.i.t.i.e.s...e.x.e.......l...............-.......k...........g.@r.....C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe..I.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.a.g.i.c.U.t.i.l.i.t.i.e.s.\.M.a.g.i.c.M.o.u.s.e.U.t.i.l.i.t.i.e.s...e.x.e.%.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.a.g.i.c.U.t.i.l.i.t.i.e.s.........*................@Z\|...K.J.........`.......X.......035347...........hT..CrF.f4... .A.............%..hT..CrF.f4... .A.............%.............1SPS.XF.L8C.

C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp

Download File

Process:	C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3403648
Entropy (8bit):	6.300389626502679
Encrypted:	false
SSDEEP:
MD5:	9D13CC54CB881EF523EEA84C934A8AD1
SHA1:	CC0128344E12D699BB2BE8FCB946ACE81CD8BA8E
SHA-256:	AC45E7D2311D3138311F1B654E76B4685111079915DC55C1E487DF66E1900C36
SHA-512:	1D8A1F5287A53374E1A7EC9DEAD64EB12F2686214AFD63030F6BB5CAACE612D34FDADCDF0A5B771252C94F4437FC79D77B46E15D609591E511CC7C070E66C97A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................L,..v......hf,......p,...@...........................4.....h74...@......@....................-.......-..9....................3..)...........................................................-.......-......................text.... ,......",................. ..`.itext...(...@,.....&,............. ..`.data...X....p,......P,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-......-.............@..@.tls....L.....-..........................rdata..]............,-.............@..@.rsrc.................-.............@..@..............1.......0.............@..@........................................................

C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1404824
Entropy (8bit):	6.096323082226629
Encrypted:	false
SSDEEP:
MD5:	485E377D92A45B8BDE1C9930355D0722
SHA1:	7C785CF12A7C34F5358A9FE58EA266FD488A8EB5
SHA-256:	0F93E6FF9A039FD9B352E3DFEEF9B60898B8CC4C8E61747D83E1B41C7E8DE024
SHA-512:	69CB3AEF95D09B5AB32F8DFC0E34415665710DB92A2645AD884CC93F233FDE9C3372F56E5B777E3DF73484069F6100EBD76A113F7D182AF136A864424D0646D8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........F......../..........J......0.........................................&.............................................................. .......@..P .......l...F...)..................................p ..(....................%...............................text............................... ..`.data....J... ...L..................@....rdata...=...p...>...^..............@..@.pdata...l.......l..................@..@.bss......... ...........................CRT................................@....idata....... ......................@....rsrc...P ...@..."..."..............@.../4...........p&......D..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\InfoBefore_Restart.rtf (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
File Type:	Rich Text Format data, version 1, ANSI, code page 1252
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	B544CDC71427D9C12F909CA3241E65AF
SHA1:	6E9F9983F1CDB2B5991811D09DB269934297ACD2
SHA-256:	4401E6F150F54BD652D81BF8E665F627FCC4CBED57C8E6882C29C7F1FA6E15C2
SHA-512:	AB9F1296CC6EB8D6D318AA3C89C285083AB5E6DF374A918A8679A1ECBAFB04844E316333D2ABA48C56B66FB5F25E0630CC035C1384A8F16923D34CD7E06BCDD3
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat{\fonttbl{\f0\fnil\fcharset0 Segoe UI;}}..{\colortbl ;\red0\green77\blue187;}..{\*\generator Riched20 10.0.17134}\viewkind4\uc1 ..\pard\sa200\sl276\slmult1\b\f0\fs20\lang9 A computer restart is pending.\par..\b0\fs18 Most likely due to a recent Windows update\line (which could still be downloading or installing).\par..\cf1 Installing or updating the Magic Utilities might fail. \line\b\fs20 It's best to restart your computer first\b0 .\fs18\par..\cf0\fs20 If your \b current work is critical\b0 do not continue \line and press the \b Cancel\b0 button below.\line\fs2\par..}...

C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\InfoBefore_Update.rtf (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
File Type:	Rich Text Format data, version 1, ANSI, code page 1252
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	5C0B2136816D559D89AE3CB373D0EED8
SHA1:	8D58101198D7A8332ED6D7AF13722366572568B0
SHA-256:	0C070B2D142903AC0E53060043C99ED3AE8304AB33C5AA33DD6E5643E8A0A313
SHA-512:	1D535D734BD1FF4D273B3EF61A03E644B76F508F954559C9F58A124C40F6863F75D4BF1669FC350A8F5ADFBDCA6360A37D4A5BA10E79B02D29DB86148AF06865
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat{\fonttbl{\f0\fnil\fcharset0 Segoe UI;}}..{\colortbl ;\red0\green77\blue187;}..{\*\generator Riched20 10.0.18362}\viewkind4\uc1 ..\pard\sa200\sl276\slmult1\f0\fs20\lang9 You are about to \b update\b0 the Magic Utilities. \fs18\par..Updates usually install fine. In some cases a computer\line\b restart\b0 is required, follow the instructions.\par..\cf1\fs20 If your \b current work is critical\b0 do not continue \line and press the \b Cancel\b0 button below.\line\fs2 \par..}...

C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\is-DFFA0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
File Type:	Rich Text Format data, version 1, ANSI, code page 1252
Category:	dropped
Size (bytes):	621
Entropy (8bit):	4.880715430326216
Encrypted:	false
SSDEEP:
MD5:	B544CDC71427D9C12F909CA3241E65AF
SHA1:	6E9F9983F1CDB2B5991811D09DB269934297ACD2
SHA-256:	4401E6F150F54BD652D81BF8E665F627FCC4CBED57C8E6882C29C7F1FA6E15C2
SHA-512:	AB9F1296CC6EB8D6D318AA3C89C285083AB5E6DF374A918A8679A1ECBAFB04844E316333D2ABA48C56B66FB5F25E0630CC035C1384A8F16923D34CD7E06BCDD3
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat{\fonttbl{\f0\fnil\fcharset0 Segoe UI;}}..{\colortbl ;\red0\green77\blue187;}..{\*\generator Riched20 10.0.17134}\viewkind4\uc1 ..\pard\sa200\sl276\slmult1\b\f0\fs20\lang9 A computer restart is pending.\par..\b0\fs18 Most likely due to a recent Windows update\line (which could still be downloading or installing).\par..\cf1 Installing or updating the Magic Utilities might fail. \line\b\fs20 It's best to restart your computer first\b0 .\fs18\par..\cf0\fs20 If your \b current work is critical\b0 do not continue \line and press the \b Cancel\b0 button below.\line\fs2\par..}...

C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\is-QEU9N.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
File Type:	Rich Text Format data, version 1, ANSI, code page 1252
Category:	dropped
Size (bytes):	524
Entropy (8bit):	4.86457165645488
Encrypted:	false
SSDEEP:
MD5:	5C0B2136816D559D89AE3CB373D0EED8
SHA1:	8D58101198D7A8332ED6D7AF13722366572568B0
SHA-256:	0C070B2D142903AC0E53060043C99ED3AE8304AB33C5AA33DD6E5643E8A0A313
SHA-512:	1D535D734BD1FF4D273B3EF61A03E644B76F508F954559C9F58A124C40F6863F75D4BF1669FC350A8F5ADFBDCA6360A37D4A5BA10E79B02D29DB86148AF06865
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat{\fonttbl{\f0\fnil\fcharset0 Segoe UI;}}..{\colortbl ;\red0\green77\blue187;}..{\*\generator Riched20 10.0.18362}\viewkind4\uc1 ..\pard\sa200\sl276\slmult1\f0\fs20\lang9 You are about to \b update\b0 the Magic Utilities. \fs18\par..Updates usually install fine. In some cases a computer\line\b restart\b0 is required, follow the instructions.\par..\cf1\fs20 If your \b current work is critical\b0 do not continue \line and press the \b Cancel\b0 button below.\line\fs2 \par..}...

C:\Users\user\Desktop\Magic Mouse Utilities.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Sep 30 04:11:59 2024, mtime=Mon Sep 30 04:12:00 2024, atime=Mon Mar 18 17:23:40 2024, length=16858496, window=hide
Category:	dropped
Size (bytes):	1177
Entropy (8bit):	4.640819794728573
Encrypted:	false
SSDEEP:
MD5:	10A9C65A3B966DAEF08C41E02B004DA3
SHA1:	56ED17ED05BAB5B6CA1029306647FF0980AEE29F
SHA-256:	4D7D7313AC41EF52ED6D521158A7BF09FD414CCA26452373A0DCD342F1CA3C42
SHA-512:	7A32508EC7E2AEA9552C8C75E206CD84AC856E567091024666BB3879CFEBD5DDE84A8B4C82F69CDEF770B1CB4557F9F411F170F827A3D56F1FCBB4F889A9F209
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ......F.......G.......fay...=...........................P.O. .:i.....+00.../C:\.....................1.....>Y.)..PROGRA~2.........O.I>Y.)....................V......=..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....f.1.....>Y.)..MAGICU~1..N......>Y.)>Y.).........................%...M.a.g.i.c.U.t.i.l.i.t.i.e.s.....\|.2..=..rX.. .MAGICM~1.EXE..`......>Y.)>Y.)..............................M.a.g.i.c.M.o.u.s.e.U.t.i.l.i.t.i.e.s...e.x.e.......l...............-.......k...........g.@r.....C:\Program Files (x86)\MagicUtilities\MagicMouseUtilities.exe..C.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.a.g.i.c.U.t.i.l.i.t.i.e.s.\.M.a.g.i.c.M.o.u.s.e.U.t.i.l.i.t.i.e.s...e.x.e.%.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.a.g.i.c.U.t.i.l.i.t.i.e.s.........*................@Z\|...K.J.........`.......X.......035347...........hT..CrF.f4... .A.............%..hT..CrF.f4... .A.............%.............1SPS.XF.L8C....&.m.q....

C:\Windows\INF\setupapi.dev.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe
File Type:	Generic INItialization configuration [BeginLog]
Category:	dropped
Size (bytes):	2495606
Entropy (8bit):	5.223598930678833
Encrypted:	false
SSDEEP:
MD5:	05F6C2A390F318B826B97BBCB9D7C785
SHA1:	3F9D510F102B1375B59BE10E4331507C13EEF366
SHA-256:	6AE8AF37C61EE4057E2F00D917D0C059E152337BAFFC55971E3D13CCFFF339A8
SHA-512:	08F2D8E1AA3E2BB9A05326534BCE02D9D4E09AB077FC04315F92B257441AF8900EFC520F1585224C52965EC0AF66A22586D5193C37253775E78C1EC0A13AD21E
Malicious:	false
Reputation:	unknown
Preview:	[Device Install Log].. OS Version = 10.0.19045.. Service Pack = 0.0.. Suite = 0x0100.. ProductType = 1.. Architecture = amd64....[BeginLog]....[Boot Session: 2023/10/03 09:57:02.288]....>>> [Setup Import Driver Package - C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf]..>>> Section start 2023/10/03 09:57:37.904.. cmd: C:\Windows\System32\spoolsv.exe.. inf: Provider: Microsoft.. inf: Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}.. inf: Driver Version: 06/21/2006,10.0.19041.1806.. inf: Catalog File: prnms009.cat.. ump: Import flags: 0x0000000D.. pol: {Driver package policy check} 09:57:37.920.. pol: {Driver package policy check - exit(0x00000000)} 09:57:37.920.. sto: {Stage Driver Package: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf: {Query Configurability: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf:

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4926
Entropy (8bit):	3.2436157012975593
Encrypted:	false
SSDEEP:
MD5:	6C73370A3EADBA7F6FE5A9DCEEF94EC5
SHA1:	491DB9EACDA66A46FBA1542163A6D345DD3C865E
SHA-256:	0E6B92D52C6897E22AEDD7F0F5FC7FAC161568F2E6CFD1E3B9E5500DA52AAD87
SHA-512:	06B2AB928D1EB1C2665E8F799355C8306586EDF54231F8250E2A305F81CEE17A4F9C4697CB6198509BF0DD3EFD8203879EF531B99E1693AB8BD8379A02E3A043
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. O.c.t. .. 0.6. .. 2.0.2.3. .1.1.:.3.5.:.2.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

C:\Windows\System32\catroot2\dberr.txt

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	74042
Entropy (8bit):	5.390359521990259
Encrypted:	false
SSDEEP:
MD5:	D926D13331BC3F433AF1EEC3C9C120BD
SHA1:	1AB0912C3DC0F19C20F008A622601F713F1A77B8
SHA-256:	F58444B41763D10E5B4C1230755234051C9E7C1C819D2BF7B54BFAB19906322C
SHA-512:	223E193E15F90C703C61979A2CC7D30752F455D2567D911D682177F9A50C43B049EED12A2F38B0ECBE7C799503334025CA602439893AF03F80004F32CA1D733F
Malicious:	false
Reputation:	unknown
Preview:	CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2083 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2459 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: SyncAllDBs Corruption or Schema Change..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #891 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #1307 encountered JET error -1601..CatalogDB: 08:57:12 03/10/2023: SyncDB:: Sync sta

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	129
Entropy (8bit):	4.681020691708262
Encrypted:	false
SSDEEP:
MD5:	45259BAAE12241F60BBF199D7E06C44B
SHA1:	6FC161723301DD4AB22C97D79850A5462D7759A8
SHA-256:	8B9F83D1CEFBF4CD1A4304C2A578F17CD66A3AD536B8E778B1A2A98957C99A43
SHA-512:	3A75B12D927CEB60F07070AB3DEC37365DD0ECD27EA25F188EB219E0138FE63006013D9E075BE2C4CE4440D6B4A5AD2757C931E575F8F667B8FDFA95215341F4
Malicious:	false
Reputation:	unknown
Preview:	..Magic Utilities - Driver (Un)Installer - Version 3.1.3.8....Success installing driver: MagicMouse.inf....Exit code is 0x0 / 0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.964732842884367
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	MagicUtilities-Setup-3.1.4.5-Win10.exe
File size:	69'423'208 bytes
MD5:	b0a4144c3aeef5d61201706e2f786ff0
SHA1:	224e8360830c2b02e4daef69a2c0d55a98ff0ec4
SHA256:	4150d4963e9283e26e1bbe67f56c733feec94ae4cc42b2e5fc35b40efa92ea8f
SHA512:	aaa65d924e5ca74ec003e059c4bb4a5c6dc568271b95e993712f372c861ee0afa50a29bfcdb8d4233bfff08e68d127ad91f06d35737e1f218a6739265b45208d
SSDEEP:	1572864:fL25J4bR71bbsBcvuGXSSAcH2I2UOoJceLUYU1+SIJ:fkWd5HocGonjJVUYUs
TLSH:	F6E733A2BB34CC99E41B89F09937E93045B7BE74B899840E66E4372EC7B3351295F407
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	334d928faf966d17

Static PE Info

General

Entrypoint:	0x4b5eec
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x63ECF218 [Wed Feb 15 14:54:16 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	e569e6f445d32ba23766ad67d1e3787f

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	14/06/2023 02:00:00 22/04/2026 01:59:59
Subject Chain	CN=Magic Utilities Pty Ltd, O=Magic Utilities Pty Ltd, L=Pottsville, S=New South Wales, C=AU, SERIALNUMBER=617 728 319, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=AU
Version:	3
Thumbprint MD5:	E138D0A5D91CBAAF9D219ADAFDB54C7E
Thumbprint SHA-1:	A49FAF128DC394641240A2E50300802EC88FBE1F
Thumbprint SHA-256:	8E20BF4138847097F48F0E110C6757B753D37E84E537FF25FBBB49DFBE767D0A
Serial:	07F9B5BD82CA576EEFBB9D2C9D65DCAD

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004B14B8h
call 00007F146126B805h
xor eax, eax
push ebp
push 004B65E2h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004B659Eh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004BE634h]
call 00007F146130E2F7h
call 00007F146130DE4Ah
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F14612812A4h
mov edx, dword ptr [ebp-14h]
mov eax, 004C1D84h
call 00007F14612663F7h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004C1D84h]
mov dl, 01h
mov eax, dword ptr [004238ECh]
call 00007F1461282427h
mov dword ptr [004C1D88h], eax
xor edx, edx
push ebp
push 004B654Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F146130E37Fh
mov dword ptr [004C1D90h], eax
mov eax, dword ptr [004C1D90h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F146131459Ah
mov eax, dword ptr [004C1D90h]
mov edx, 00000028h
call 00007F1461282D1Ch
mov edx, dword ptr [004C1D90h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc4000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2000	0xfdc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x47a10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x42326e8	0x2980
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc6000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc22f4	0x254	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc3000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb39e4	0xb3a00	43af0a9476ca224d8e8461f1e22c94da	False	0.34525867693110646	data	6.357635049994181	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xb5000	0x1688	0x1800	185e04b9a1f554e31f7f848515dc890c	False	0.54443359375	data	5.971425428435973	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xb7000	0x37a4	0x3800	cab2107c933b696aa5cf0cc6c3fd3980	False	0.36097935267857145	data	5.048648594372454	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xbb000	0x6de8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc2000	0xfdc	0x1000	e7d1635e2624b124cfdce6c360ac21cd	False	0.3798828125	data	5.029087481102678	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xc3000	0x1a4	0x200	8ced971d8a7705c98b173e255d8c9aa7	False	0.345703125	data	2.7509822285969876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xc4000	0x9a	0x200	8d4e1e508031afe235bf121c80fd7d5f	False	0.2578125	data	1.877162954504408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xc5000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xc6000	0x5d	0x200	8f2f090acd9622c88a6a852e72f94e96	False	0.189453125	data	1.3838943752217987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc7000	0x47a10	0x47c00	5e29bdd19ebeb493bcb935cc58b4e613	False	0.22892394381533102	data	3.9448202111738997	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7738	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.5726950354609929
RT_ICON	0xc7ba0	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 0	English	United States	0.5569767441860465
RT_ICON	0xc8258	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.46024590163934426
RT_ICON	0xc8be0	0xcd8	Device independent bitmap graphic, 28 x 56 x 32, image size 0	English	United States	0.40541362530413627
RT_ICON	0xc98b8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.39704502814258913
RT_ICON	0xca960	0x1588	Device independent bitmap graphic, 36 x 72 x 32, image size 0	English	United States	0.32093613933236576
RT_ICON	0xcbee8	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 0	English	United States	0.3239644970414201
RT_ICON	0xcd950	0x1fc8	Device independent bitmap graphic, 44 x 88 x 32, image size 0	English	United States	0.29818092428711895
RT_ICON	0xcf918	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.28620331950207467
RT_ICON	0xd1ec0	0x32e8	Device independent bitmap graphic, 56 x 112 x 32, image size 0	English	United States	0.2422498465316145
RT_ICON	0xd51a8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	English	United States	0.21711147850732168
RT_ICON	0xd93d0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 0	English	United States	0.15337338262476893
RT_ICON	0xde858	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 0	English	United States	0.1349248120300752
RT_ICON	0xe5040	0x7d48	Device independent bitmap graphic, 88 x 176 x 32, image size 0	English	United States	0.15555624844100774
RT_ICON	0xecd88	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 0	English	United States	0.11209796089972672
RT_ICON	0xf6230	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.10894061280018928
RT_ICON	0x106a58	0x4f2f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9931922450791771
RT_STRING	0x10b988	0x360	data			0.34375
RT_STRING	0x10bce8	0x260	data			0.3256578947368421
RT_STRING	0x10bf48	0x45c	data			0.4068100358422939
RT_STRING	0x10c3a4	0x40c	data			0.3754826254826255
RT_STRING	0x10c7b0	0x2d4	data			0.39226519337016574
RT_STRING	0x10ca84	0xb8	data			0.6467391304347826
RT_STRING	0x10cb3c	0x9c	data			0.6410256410256411
RT_STRING	0x10cbd8	0x374	data			0.4230769230769231
RT_STRING	0x10cf4c	0x398	data			0.3358695652173913
RT_STRING	0x10d2e4	0x368	data			0.3795871559633027
RT_STRING	0x10d64c	0x2a4	data			0.4275147928994083
RT_RCDATA	0x10d8f0	0x10	data			1.5
RT_RCDATA	0x10d900	0x2c4	data			0.6384180790960452
RT_RCDATA	0x10dbc4	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0x10dbf0	0xf4	data	English	United States	0.6721311475409836
RT_VERSION	0x10dce4	0x584	data	English	United States	0.2811614730878187
RT_MANIFEST	0x10e268	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4541a8
__dbk_fcall_wrapper	2	0x40d0a0
dbkFCallWrapperAddr	1	0x4be63c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MagicUtilities-Setup-3.1.4.5-Win10.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Dropped Files

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Program Files (x86)\MagicUtilities\Service\BluetoothPairing.exe (copy)

C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe (copy)

C:\Program Files (x86)\MagicUtilities\Service\is-5TT39.tmp

C:\Program Files (x86)\MagicUtilities\Service\is-IEGHA.tmp

C:\Program Files (x86)\MagicUtilities\Uninstall\unins000.dat

C:\Program Files (x86)\MagicUtilities\Uninstall\unins000.msg

C:\ProgramData\MagicUtilities\MagicUtilities.ini

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Magic Mouse Utilities.lnk

C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp

C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe

C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\InfoBefore_Restart.rtf (copy)

C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\InfoBefore_Update.rtf (copy)

C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\is-DFFA0.tmp

C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\is-QEU9N.tmp

C:\Users\user\Desktop\Magic Mouse Utilities.lnk

C:\Windows\INF\setupapi.dev.log

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

C:\Windows\System32\catroot2\dberr.txt

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
MagicUtilities-Setup-3.1.4.5-Win10.exe