Windows Analysis Report
65X4tr6fyX.exe

Overview

General Information

Sample name: 65X4tr6fyX.exe (renamed because the original name is a hash value)
Original sample name: 737fd3383357d283d2b9d6e9e594023b44f9d3c53548ad86f6739d896dce681a.exe
Analysis ID: 1560418
MD5: e74a1746e6c2d916a5b6c96913e9868b
SHA1: ebbc4fa51c44db6400ab49e42acebf103211efce
SHA256: 737fd3383357d283d2b9d6e9e594023b44f9d3c53548ad86f6739d896dce681a
Tags: exe, MenghuNetworkTechnologyBeijingCoLtd, user-JAMESWT_MHT

Detection

Score: 8
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Compliance

Score: 47
Range: 0 - 100

Signatures

Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Compliance

Source: 65X4tr6fyX.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 65X4tr6fyX.exe Static PE information: certificate valid
Source: 65X4tr6fyX.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2093412591.0000000005675000.00000004.00000020.00020000.00000000.sdmp, shi35CF.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdby source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3B20.tmp.2.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3B20.tmp.2.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: 65X4tr6fyX.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: 65X4tr6fyX.exe, 00000000.00000003.2093412591.0000000005675000.00000004.00000020.00020000.00000000.sdmp, shi35CF.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: 65X4tr6fyX.exe
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: 65X4tr6fyX.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr
Source: C:\Windows\SysWOW64\msiexec.exe File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BF2380 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_00BF2380
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AEAB80 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW, 0_2_00AEAB80
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BD4DA0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 0_2_00BD4DA0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BF3220 FindFirstFileW,FindClose, 0_2_00BF3220
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BD5370 FindFirstFileW,GetLastError,FindClose, 0_2_00BD5370
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BB8230 FindFirstFileW,FindNextFileW,FindClose, 0_2_00BB8230
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BFC530 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00BFC530
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C108D0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00C108D0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BFC930 FindFirstFileW,FindClose, 0_2_00BFC930
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BD4A10 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_wcsrchr, 0_2_00BD4A10
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BDCF00 FindFirstFileW,FindClose,FindClose, 0_2_00BDCF00
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BEF260 FindFirstFileW,FindClose, 0_2_00BEF260
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BFF8A0 FindFirstFileW,FindClose, 0_2_00BFF8A0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BFB500 _wcschr,_wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_00BFB500
Source: 65X4tr6fyX.exe String found in binary or memory: RShlwapi.dllShell32.dllmsiexec.exeSoftware\JavaSoft\Java Development Kit\binSoftware\JavaSoft\Java Runtime Environment\JavaHomeFlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmpGETattachment.partfilenamecharset= "POSTutf-8DLD123US-ASCIIAdvancedInstallerutf-16ISO-8859-1*/*HTTP/1.0Local Network ServerFTP ServerContent-Type: application/x-www-form-urlencoded; charset=utf-8 equals www.yahoo.com (Yahoo)
Source: 65X4tr6fyX.exe, 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp, 65X4tr6fyX.exe, 00000000.00000000.2045610116.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Shlwapi.dllShell32.dllmsiexec.exeSoftware\JavaSoft\Java Development Kit\binSoftware\JavaSoft\Java Runtime Environment\JavaHomeFlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmpGETattachment.partfilenamecharset= "POSTutf-8DLD123US-ASCIIAdvancedInstallerutf-16ISO-8859-1*/*HTTP/1.0Local Network ServerFTP ServerContent-Type: application/x-www-form-urlencoded; charset=utf-8 equals www.yahoo.com (Yahoo)
Source: shi35CF.tmp.0.dr String found in binary or memory: http://.css
Source: shi35CF.tmp.0.dr String found in binary or memory: http://.jpg
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shi35CF.tmp.0.dr String found in binary or memory: http://html4/loose.dtd
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr String found in binary or memory: http://t2.symcb.com0
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr String found in binary or memory: http://tl.symcd.com0&
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr String found in binary or memory: https://www.advancedinstaller.com
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C12390 NtdllDefWindowProc_W, 0_2_00C12390
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00B92620 GetSystemDirectoryW,_wcschr,LoadLibraryExW,NtdllDefWindowProc_W, 0_2_00B92620
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00B30110 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00B30110
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00B78100 NtdllDefWindowProc_W, 0_2_00B78100
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AE2330 NtdllDefWindowProc_W, 0_2_00AE2330
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AEC750 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection, 0_2_00AEC750
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AE8840 NtdllDefWindowProc_W, 0_2_00AE8840
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AE89B0 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00AE89B0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00ADEBF0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00ADEBF0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00B30C9E GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00B30C9E
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00B30C28 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00B30C28
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00B30D5D GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00B30D5D
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00B26FA0 NtdllDefWindowProc_W, 0_2_00B26FA0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00ADF1A0 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString, 0_2_00ADF1A0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00ADF7D0 NtdllDefWindowProc_W, 0_2_00ADF7D0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AFD760 NtdllDefWindowProc_W, 0_2_00AFD760
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AE1740 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow, 0_2_00AE1740
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AF18D0 NtdllDefWindowProc_W, 0_2_00AF18D0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AE1D70 NtdllDefWindowProc_W, 0_2_00AE1D70
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5a3979.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3AB1.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3B20.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3B6F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3B9F.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI3AB1.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_3_0120A272 0_3_0120A272
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_3_0120A298 0_3_0120A298
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C0C120 0_2_00C0C120
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BAC150 0_2_00BAC150
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AEAB80 0_2_00AEAB80
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BE8C40 0_2_00BE8C40
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C115C0 0_2_00C115C0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AF62B0 0_2_00AF62B0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AF44A0 0_2_00AF44A0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AEE540 0_2_00AEE540
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C767E0 0_2_00C767E0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C84801 0_2_00C84801
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AE8DF0 0_2_00AE8DF0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C7EF3A 0_2_00C7EF3A
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AD3010 0_2_00AD3010
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BB3460 0_2_00BB3460
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00B05680 0_2_00B05680
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C6F7DC 0_2_00C6F7DC
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AF3890 0_2_00AF3890
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C819A0 0_2_00C819A0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AF79D0 0_2_00AF79D0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00B2FAD0 0_2_00B2FAD0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C89D65 0_2_00C89D65
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AD3E25 0_2_00AD3E25
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: String function: 00B03BA0 appears 90 times
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: String function: 00AD87D0 appears 404 times
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: String function: 00AD70D0 appears 36 times
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: String function: 00AD7160 appears 52 times
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: String function: 00BCF720 appears 61 times
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: String function: 00AD9120 appears 38 times
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: String function: 00AD9990 appears 60 times
Source: 65X4tr6fyX.exe, 00000000.00000003.2093412591.0000000005675000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewininet.dllD vs 65X4tr6fyX.exe
Source: 65X4tr6fyX.exe, 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameInstaller.exe4 vs 65X4tr6fyX.exe
Source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelzmaextractor.dllF vs 65X4tr6fyX.exe
Source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs 65X4tr6fyX.exe
Source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs 65X4tr6fyX.exe
Source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrereq.dllF vs 65X4tr6fyX.exe
Source: 65X4tr6fyX.exe Binary or memory string: OriginalFileNameInstaller.exe4 vs 65X4tr6fyX.exe
Source: 65X4tr6fyX.exe Binary or memory string: OriginalFilenameDecoder.dllF vs 65X4tr6fyX.exe
Source: 65X4tr6fyX.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: shi35CF.tmp.0.dr Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engine Classification label: clean8.winEXE@8/13@0/0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BD3200 FormatMessageW,GetLastError, 0_2_00BD3200
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BFDAE0 GetDiskFreeSpaceExW, 0_2_00BFDAE0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C17B10 CoCreateInstance, 0_2_00C17B10
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00B6AD00 FindResourceW,LoadResource,LockResource,SizeofResource, 0_2_00B6AD00
Source: C:\Users\user\Desktop\65X4tr6fyX.exe File created: C:\Users\user\AppData\Roaming\FineViews Official Community
Source: C:\Users\user\Desktop\65X4tr6fyX.exe File created: C:\Users\user\AppData\Local\Temp\shi35CF.tmp
Source: 65X4tr6fyX.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\65X4tr6fyX.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\65X4tr6fyX.exe File read: C:\Users\user\Desktop\65X4tr6fyX.exe
Source: unknown Process created: C:\Users\user\Desktop\65X4tr6fyX.exe "C:\Users\user\Desktop\65X4tr6fyX.exe"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EBEF6F46475D66D6CF3B6B5FF30932BA C
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\FineViews Official Community\Installer 1.0.0\install\D67B221\CapCut Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\65X4tr6fyX.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1732213957 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2B5EC4E9F9B2BE78351790F405B34BD2
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: davhlpr.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: lpk.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: msihnd.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: tsappcmp.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 65X4tr6fyX.exe Static PE information: certificate valid
Source: 65X4tr6fyX.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 65X4tr6fyX.exe Static file information: File size 49006072 > 1048576
Source: 65X4tr6fyX.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x217a00
Source: 65X4tr6fyX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 65X4tr6fyX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 65X4tr6fyX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 65X4tr6fyX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 65X4tr6fyX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 65X4tr6fyX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 65X4tr6fyX.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2093412591.0000000005675000.00000004.00000020.00020000.00000000.sdmp, shi35CF.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdby source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3B20.tmp.2.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3B20.tmp.2.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: 65X4tr6fyX.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: 65X4tr6fyX.exe, 00000000.00000003.2093412591.0000000005675000.00000004.00000020.00020000.00000000.sdmp, shi35CF.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: 65X4tr6fyX.exe
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: 65X4tr6fyX.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr
Source: 65X4tr6fyX.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 65X4tr6fyX.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 65X4tr6fyX.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 65X4tr6fyX.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 65X4tr6fyX.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: shi35CF.tmp.0.dr Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C10560 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00C10560
Source: shi35CF.tmp.0.dr Static PE information: section name: .wpp_sf
Source: shi35CF.tmp.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_3_011FC1E2 push eax; ret 0_3_011FC299
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_3_01247903 push es; retf 0_3_01247A44
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_3_01246865 push es; retf 0_3_012468B6
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_3_01248167 push es; retf 0_3_012481A2
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_3_01247A41 push es; retf 0_3_01247A44
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_3_01246F94 push es; retf 0_3_01246FDA
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00B760EB push ecx; mov dword ptr [esp], 3F800000h 0_2_00B762BE
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C6771E push ecx; ret 0_2_00C67731
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AE5CB0 push ecx; mov dword ptr [esp], ecx 0_2_00AE5CB1
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BB3D60 push ecx; mov dword ptr [esp], 3F800000h 0_2_00BB3E96
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3AB1.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3B20.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe File created: C:\Users\user\AppData\Roaming\FineViews Official Community\Installer 1.0.0\install\decoder.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3B6F.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe File created: C:\Users\user\AppData\Local\Temp\shi35CF.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe File created: C:\Users\user\AppData\Local\Temp\MSI3766.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe File created: C:\Users\user\AppData\Local\Temp\MSI3842.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3B9F.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3AB1.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3B20.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\FineViews Official Community\Installer 1.0.0\install\decoder.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3B6F.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi35CF.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI3766.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI3842.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3B9F.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\65X4tr6fyX.exe File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\Desktop\65X4tr6fyX.exe File Volume queried: C:\Users\user\AppData\Roaming\FineViews Official Community\Installer 1.0.0\install FullSizeInformation
Source: C:\Users\user\Desktop\65X4tr6fyX.exe File Volume queried: C:\Users\user\AppData\Roaming\FineViews Official Community\Installer 1.0.0\install\D67B221 FullSizeInformation
Source: C:\Users\user\Desktop\65X4tr6fyX.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BF2380 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_00BF2380
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00AEAB80 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW, 0_2_00AEAB80
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BD4DA0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 0_2_00BD4DA0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BF3220 FindFirstFileW,FindClose, 0_2_00BF3220
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BD5370 FindFirstFileW,GetLastError,FindClose, 0_2_00BD5370
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BB8230 FindFirstFileW,FindNextFileW,FindClose, 0_2_00BB8230
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BFC530 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00BFC530
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C108D0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00C108D0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BFC930 FindFirstFileW,FindClose, 0_2_00BFC930
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BD4A10 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_wcsrchr, 0_2_00BD4A10
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BDCF00 FindFirstFileW,FindClose,FindClose, 0_2_00BDCF00
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BEF260 FindFirstFileW,FindClose, 0_2_00BEF260
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BFF8A0 FindFirstFileW,FindClose, 0_2_00BFF8A0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BFB500 _wcschr,_wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_00BFB500
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C6411D VirtualQuery,GetSystemInfo, 0_2_00C6411D
Source: MSI3B9F.tmp.2.dr Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C66437 IsDebuggerPresent,OutputDebugStringW, 0_2_00C66437
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C10560 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00C10560
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C6674C mov esi, dword ptr fs:[00000030h] 0_2_00C6674C
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C88A0E mov eax, dword ptr fs:[00000030h] 0_2_00C88A0E
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C7D840 mov ecx, dword ptr fs:[00000030h] 0_2_00C7D840
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C667B8 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_00C667B8
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00B02530 __set_se_translator,SetUnhandledExceptionFilter, 0_2_00B02530
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C671E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00C671E8
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C6BEA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00C6BEA3
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\fineviews official community\installer 1.0.0\install\d67b221\capcut installer.msi" ai_setupexepath=c:\users\user\desktop\65x4tr6fyx.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1732213957 " ai_euimsi=""
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00BFFD20 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle, 0_2_00BFFD20
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: GetLocaleInfoW,GetLocaleInfoW,MsgWaitForMultipleObjectsEx,MsgWaitForMultipleObjectsEx,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,TranslateMessage,DispatchMessageW,MsgWaitForMultipleObjectsEx, 0_2_00BF4F10
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: EnumSystemLocalesW, 0_2_00C80DD9
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00C84D50
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: EnumSystemLocalesW, 0_2_00C84FF2
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: GetLocaleInfoW, 0_2_00C84F4B
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: EnumSystemLocalesW, 0_2_00C850D8
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: EnumSystemLocalesW, 0_2_00C8503D
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00C85163
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: GetLocaleInfoW, 0_2_00C853B6
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: GetLocaleInfoW, 0_2_00C81356
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00C854DF
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: GetLocaleInfoW, 0_2_00C855E5
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00C856B4
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C0C8F0 CreateNamedPipeW,CreateFileW, 0_2_00C0C8F0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C663AD GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 0_2_00C663AD
Source: C:\Users\user\Desktop\65X4tr6fyX.exe Code function: 0_2_00C0B490 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW, 0_2_00C0B490
No contacted IP infos