Windows Analysis Report
vFjfAgq5PM.msi

Overview

General Information

Sample name: vFjfAgq5PM.msi
renamed because original name is a hash value
Original sample name: 1dd7892458eab123c341452aff6f4d817f290efc7f8c97b76bdb78e1e1fcf8d2.msi
Analysis ID: 1523557
MD5: 087d510f4d69f6faa479e4919f51a175
SHA1: 084c49d7c83b257aacf8c94b28b992c326a2ad09
SHA256: 1dd7892458eab123c341452aff6f4d817f290efc7f8c97b76bdb78e1e1fcf8d2
Tags: 45-202-35-101msiuser-JAMESWT_MHT
Infos:

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Amadeys stealer DLL
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Drops large PE files
Loading BitLocker PowerShell Module
Powershell drops PE file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious MsiExec Embedding Parent
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection
barindex
Found malware configuration
Source: 00000009.00000002.4135316816.0000000001000000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "45.202.35.101/pLQvfD4d/index.php", "Version": "4.42", "Install Folder": "9d94d7e7d6", "Install File": "Hkbsse.exe"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_97268b58-a
Source: C:\Users\Public\Documents\CapCut_installer.exe File created: C:\Users\user\AppData\Local\Temp\installer_downloader.log Jump to behavior
Source: Binary string: DropboxUpdate_unsigned.pdb source: dropbox.exe, dropbox.exe, 00000009.00000000.1746989060.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 00000009.00000002.4134037490.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 0000000C.00000002.1802477084.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 0000000C.00000000.1797360608.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 0000000E.00000000.1843845894.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 0000000E.00000002.2445065297.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb\ source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr
Source: Binary string: D:\code\VideoFusion-win\install\VideofusionInstaller\packet_3rd\3rdparty\build\vs-release\Release\7zip.pdb source: app_package_6f432258ca.exe.6.dr
Source: Binary string: shell_downloader.dll.pdb source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: nsis_plugin.dll.pdb` source: CapCut_installer.exe, 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr
Source: Binary string: D:\code\bytedance\installer\LVInstallerCC\VideofusionInstaller\build\CC_RELEASE\JYInstaller.pdb source: app_package_6f432258ca.exe.6.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: vFjfAgq5PM.msi
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: vFjfAgq5PM.msi
Source: Binary string: nsis_plugin.dll.pdb source: CapCut_installer.exe, 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmp
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: c: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 6_2_004059CC
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_004065FD FindFirstFileW,FindClose, 6_2_004065FD
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_00402868 FindFirstFileW, 6_2_00402868
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C50CB33 FindFirstFileExW, 6_2_6C50CB33
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C50CBE4 FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose, 6_2_6C50CBE4
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C465C30 PathIsDirectoryW,FindFirstFileW,PathFileExistsW,CreateFileW,CloseHandle,FindNextFileW,FindClose, 6_2_6C465C30
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C43D9E0 FindFirstFileW,FindNextFileW,FindClose, 6_2_6C43D9E0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C8E62F4 FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose, 6_2_6C8E62F4
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C8E6243 FindFirstFileExW, 6_2_6C8E6243
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA8D300 CloseHandle,memset,FindFirstFileW,FindClose, 9_2_6BA8D300
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 4x nop then movd mm0, dword ptr [edx] 6_2_6C714577

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 45.202.35.101
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 2.19.126.136 2.19.126.136
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ONL-HKOCEANNETWORKLIMITEDHK ONL-HKOCEANNETWORKLIMITEDHK
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02CEBE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile, 9_2_02CEBE30
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp, dropbox.exe, 00000009.00000002.4146470711.000000000365C000.00000004.00000020.00020000.00000000.sdmp, dropbox.exe, 00000009.00000002.4137162182.00000000010A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.php
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.php&
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.php4
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.php6
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.php7
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.php7-
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpI-CA
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpParameters
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpQ
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpV
Source: dropbox.exe, 00000009.00000002.4137162182.00000000010A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpb
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpf
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpft
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpg
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpi
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpindows
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpn
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phps
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpv
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpz
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: vFjfAgq5PM.msi, app_package_6f432258ca.exe.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: app_package_6f432258ca.exe.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: app_package_6f432258ca.exe.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: vFjfAgq5PM.msi, app_package_6f432258ca.exe.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: vFjfAgq5PM.msi, app_package_6f432258ca.exe.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 0000000A.00000002.1785489930.0000000003048000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: vFjfAgq5PM.msi, app_package_6f432258ca.exe.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: app_package_6f432258ca.exe.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: app_package_6f432258ca.exe.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: vFjfAgq5PM.msi, app_package_6f432258ca.exe.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: app_package_6f432258ca.exe.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: app_package_6f432258ca.exe.6.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CapCut_installer.exe, 00000006.00000000.1713102880.000000000040A000.00000008.00000001.01000000.00000006.sdmp, CapCut_installer.exe, 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000004.00000002.1738790420.0000020816BD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1738790420.0000020816D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1815771486.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: app_package_6f432258ca.exe.6.dr String found in binary or memory: http://ocsp.digicert.com0
Source: vFjfAgq5PM.msi, app_package_6f432258ca.exe.6.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr, app_package_6f432258ca.exe.6.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: app_package_6f432258ca.exe.6.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: vFjfAgq5PM.msi, app_package_6f432258ca.exe.6.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000004.00000002.1715470998.0000020806B61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1788661780.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr String found in binary or memory: http://t2.symcb.com0
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr String found in binary or memory: http://tl.symcd.com0&
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr, app_package_6f432258ca.exe.6.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000004.00000002.1715470998.0000020806B61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBkq
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000000A.00000002.1815771486.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.1815771486.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.1815771486.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://editor-api-sg.capcut.com
Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://editor-api-sg.capcut.com/service/2/app_alert_check/
Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://editor-api-sg.capcut.com/service/2/desktop/device_register/
Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://editor-api-sg.capcut.com/service/2/desktop/device_register/https://editor-api-sg.capcut.com/
Source: CapCut_installer.exe, 00000006.00000002.4149333185.0000000056C64000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://editor-api-sg.capcut.comhttps://editor-api-sg.capcut.comhttps://sgali-mcs.byteoversea.comhtt
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1715470998.0000020807792000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: app_package_6f432258ca.exe.6.dr String found in binary or memory: https://imagemagick.org
Source: CapCut_installer.exe, 00000006.00000002.4135355349.0000000000650000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lf16-capcut.faceulv.com/obj/capcutpc-packages-us/packages/CapCut_2_6_0_814_capcutpc_0_creato
Source: CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://lf16-capcut.faceulv.com/obj/capcutpc-packages-us/packages/CapCut_4_6_0_1754_capcutpc_0_creat
Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://maliva-mcs.byteoversea.com
Source: CapCut_installer.exe, 00000006.00000002.4149333185.0000000056C64000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://maliva-mcs.byteoversea.com/v1/json
Source: CapCut_installer.exe, 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmp, CapCut_installer.exe, 00000006.00000002.4135355349.0000000000666000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mcs.byteoversea.net/v1/json_test
Source: powershell.exe, 00000004.00000002.1738790420.0000020816BD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1738790420.0000020816D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1815771486.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: CapCut_installer.exe, 00000006.00000002.4138487516.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlau
Source: CapCut_installer.exe, 00000006.00000002.4138487516.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaud
Source: CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/automatic_
Source: CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/chroma_key
Source: CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/intelligen
Source: CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/keyframe/k
Source: CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/speech_syn
Source: CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/text_style
Source: CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/visual_eff
Source: CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/water_worl
Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://sgali-mcs.byteoversea.com
Source: CapCut_installer.exe, 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmp, CapCut_installer.exe, 00000006.00000002.4149333185.0000000056C64000.00000004.00001000.00020000.00000000.sdmp, CapCut_installer.exe, 00000006.00000002.4135355349.0000000000666000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sgali-mcs.byteoversea.com/v1/json
Source: CapCut_installer.exe, 00000006.00000002.4149333185.0000000056C64000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sgali-mcs.byteoversea.com/v1/jsonV
Source: CapCut_installer.exe, 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://sgali-mcs.byteoversea.com/v1/jsonhttps://mcs.byteoversea.net/v1/json_testInstallerDownloader
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr String found in binary or memory: https://www.advancedinstaller.com
Source: app_package_6f432258ca.exe.6.dr String found in binary or memory: https://www.capcut.net/clause/user-agreementhttps://www.capcut.net/clause/privacyusD
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr String found in binary or memory: https://www.thawte.com/repository0W
Contains functionality for read data from the clipboard
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_00405461 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 6_2_00405461
Potential key logger detected (key state polling based)
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4A0460 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 6_2_6C4A0460
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4A0050 ?PreMessageHandler@CPaintManagerUI@DuiLib@@QAE_NIIJAAJ@Z,?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ,??ACStdPtrArray@DuiLib@@QBEPAXH@Z,?IsWantTab@CRichEditUI@DuiLib@@QAE_NXZ,GetKeyState,?SetNextTabControl@CPaintManagerUI@DuiLib@@QAE_N_N@Z,?__FindControlFromShortcut@CPaintManagerUI@DuiLib@@CGPAVCControlUI@2@PAV32@PAX@Z,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetTickCount, 6_2_6C4A0050

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 9.2.dropbox.exe.11160cd.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 9.2.dropbox.exe.2aa12d5.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 9.2.dropbox.exe.11160cd.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 9.2.dropbox.exe.2aa12d5.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000009.00000002.4138493553.0000000002AA0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000009.00000002.4137162182.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Drops large PE files
Source: C:\Users\Public\Documents\CapCut_installer.exe File dump: app_package_6f432258ca.exe.6.dr 362012672 Jump to dropped file
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Program Files (x86)\Dropbox\Update\goopdate.dll (copy) Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Program Files (x86)\Dropbox\Update\dropbox.exe (copy) Jump to dropped file
Contains functionality to call native functions
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA8AF60 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 9_2_6BA8AF60
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA65CE0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError, 9_2_6BA65CE0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02B0EA9C NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect, 9_2_02B0EA9C
Contains functionality to communicate with device drivers
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4EA3F0: CreateFileW,DeviceIoControl,CloseHandle, 6_2_6C4EA3F0
Contains functionality to shutdown / reboot the system
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 6_2_0040338F
Creates files inside the system directory
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\45f79f.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFBC5.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFC43.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFC73.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFC93.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{082E188A-67FA-4D67-920E-C850215DB6EC} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFCD3.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFD80.tmp Jump to behavior
Deletes files inside the Windows folder
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIFBC5.tmp Jump to behavior
Detected potential crypto function
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_00406B15 6_2_00406B15
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_004072EC 6_2_004072EC
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_00404C9E 6_2_00404C9E
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4BAC60 6_2_6C4BAC60
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C49CC10 6_2_6C49CC10
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4AEA90 6_2_6C4AEA90
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4B0BB0 6_2_6C4B0BB0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4BC1D0 6_2_6C4BC1D0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4B0180 6_2_6C4B0180
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C48DC40 6_2_6C48DC40
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4ABF60 6_2_6C4ABF60
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C445980 6_2_6C445980
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4AFAA0 6_2_6C4AFAA0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4B5510 6_2_6C4B5510
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C490D60 6_2_6C490D60
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4ACDC0 6_2_6C4ACDC0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4F0E4F 6_2_6C4F0E4F
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C51683C 6_2_6C51683C
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4C28E0 6_2_6C4C28E0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4D89B0 6_2_6C4D89B0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4F6A2B 6_2_6C4F6A2B
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4B8A90 6_2_6C4B8A90
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C49AB30 6_2_6C49AB30
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C460BD0 6_2_6C460BD0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4B6480 6_2_6C4B6480
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4AA580 6_2_6C4AA580
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4F4654 6_2_6C4F4654
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4C2660 6_2_6C4C2660
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4F2745 6_2_6C4F2745
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C51272F 6_2_6C51272F
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4F60D0 6_2_6C4F60D0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4583F0 6_2_6C4583F0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4B9C20 6_2_6C4B9C20
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4F1C20 6_2_6C4F1C20
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C48FD90 6_2_6C48FD90
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C45BDB0 6_2_6C45BDB0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4F3EAB 6_2_6C4F3EAB
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C5098EB 6_2_6C5098EB
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C465930 6_2_6C465930
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4BBA30 6_2_6C4BBA30
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C45FB10 6_2_6C45FB10
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4C3440 6_2_6C4C3440
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C491410 6_2_6C491410
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4BF410 6_2_6C4BF410
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4AD590 6_2_6C4AD590
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C44B5B0 6_2_6C44B5B0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C465690 6_2_6C465690
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C443740 6_2_6C443740
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4EB730 6_2_6C4EB730
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C461040 6_2_6C461040
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4650E0 6_2_6C4650E0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C756DC0 6_2_6C756DC0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C78DDA0 6_2_6C78DDA0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C712E57 6_2_6C712E57
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C751F70 6_2_6C751F70
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C711F30 6_2_6C711F30
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C7168DD 6_2_6C7168DD
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C7118B0 6_2_6C7118B0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C750920 6_2_6C750920
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C7119E0 6_2_6C7119E0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C8C3970 6_2_6C8C3970
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C8EAA95 6_2_6C8EAA95
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C712AB0 6_2_6C712AB0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C714A80 6_2_6C714A80
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C715A80 6_2_6C715A80
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C711B90 6_2_6C711B90
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C7124C0 6_2_6C7124C0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C711540 6_2_6C711540
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C797530 6_2_6C797530
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C7515F0 6_2_6C7515F0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C71867D 6_2_6C71867D
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C715650 6_2_6C715650
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C74E650 6_2_6C74E650
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C7166D5 6_2_6C7166D5
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C7566C0 6_2_6C7566C0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C74B0D0 6_2_6C74B0D0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C71614D 6_2_6C71614D
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C753130 6_2_6C753130
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C71626D 6_2_6C71626D
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C749340 6_2_6C749340
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C716349 6_2_6C716349
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C74D3A0 6_2_6C74D3A0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CF39DE 9_2_00CF39DE
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CF3DEA 9_2_00CF3DEA
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CF798C 9_2_00CF798C
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CF3135 9_2_00CF3135
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CF360A 9_2_00CF360A
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CF420A 9_2_00CF420A
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA549C7 9_2_6BA549C7
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA53283 9_2_6BA53283
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA8E5D4 9_2_6BA8E5D4
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA68AA0 9_2_6BA68AA0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA62A80 9_2_6BA62A80
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA7FA90 9_2_6BA7FA90
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA79929 9_2_6BA79929
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA6F8B4 9_2_6BA6F8B4
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA758C4 9_2_6BA758C4
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA5A8C0 9_2_6BA5A8C0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA7C831 9_2_6BA7C831
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA94F80 9_2_6BA94F80
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BAA7EB0 9_2_6BAA7EB0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA51ECF 9_2_6BA51ECF
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA88E70 9_2_6BA88E70
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA65DB0 9_2_6BA65DB0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA52DDB 9_2_6BA52DDB
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA5BD37 9_2_6BA5BD37
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA78D50 9_2_6BA78D50
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA5CCA0 9_2_6BA5CCA0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA80CF0 9_2_6BA80CF0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA58C24 9_2_6BA58C24
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA58C30 9_2_6BA58C30
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA813F0 9_2_6BA813F0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BAAA3D4 9_2_6BAAA3D4
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA99310 9_2_6BA99310
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA6F354 9_2_6BA6F354
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA861C0 9_2_6BA861C0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA9E1C0 9_2_6BA9E1C0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BAA0100 9_2_6BAA0100
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BAA7158 9_2_6BAA7158
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA800F0 9_2_6BA800F0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA94030 9_2_6BA94030
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BAA7000 9_2_6BAA7000
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA856B0 9_2_6BA856B0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA866B0 9_2_6BA866B0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA6A69E 9_2_6BA6A69E
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA62590 9_2_6BA62590
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA83590 9_2_6BA83590
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA75550 9_2_6BA75550
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA5B4A0 9_2_6BA5B4A0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA874A0 9_2_6BA874A0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA8A48E 9_2_6BA8A48E
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA5F430 9_2_6BA5F430
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA7E430 9_2_6BA7E430
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA69447 9_2_6BA69447
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02B0EA9C 9_2_02B0EA9C
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02B0C2A4 9_2_02B0C2A4
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02AA5205 9_2_02AA5205
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02B0B3C0 9_2_02B0B3C0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02AE8090 9_2_02AE8090
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02AE9035 9_2_02AE9035
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02B0A108 9_2_02B0A108
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02B0B7F0 9_2_02B0B7F0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02AD870B 9_2_02AD870B
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02AA54B5 9_2_02AA54B5
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02AE34E5 9_2_02AE34E5
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02AC15E8 9_2_02AC15E8
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02AC45C6 9_2_02AC45C6
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02AE781E 9_2_02AE781E
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02AC6967 9_2_02AC6967
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02B0AFE4 9_2_02B0AFE4
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02AE7F70 9_2_02AE7F70
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02AC1DD7 9_2_02AC1DD7
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02D06292 9_2_02D06292
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02D18036 9_2_02D18036
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02D27149 9_2_02D27149
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02CEE610 9_2_02CEE610
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02D01702 9_2_02D01702
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02CE4B30 9_2_02CE4B30
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02D2789B 9_2_02D2789B
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02CEE610 9_2_02CEE610
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02D279BB 9_2_02D279BB
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02D28960 9_2_02D28960
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02D03EF1 9_2_02D03EF1
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02D22E10 9_2_02D22E10
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02D00F13 9_2_02D00F13
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02CE4DE0 9_2_02CE4DE0
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Dropbox\Update\dropbox.exe (copy) E7141AEB22EA3165A4F7FB8C4D210151575F1B95EF545E0978A2174598A08265
Source: Joe Sandbox View Dropped File: C:\Users\Public\Documents\CapCut_installer.exe 4A9D815F284ADDA187982E2B24DA2BEAAD860739BC4B4CB1CF26408E7C221DD6
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: String function: 02ABE117 appears 66 times
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: String function: 02CFDA42 appears 81 times
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: String function: 02CFD74E appears 53 times
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: String function: 00CF4EA0 appears 36 times
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: String function: 02CF7B00 appears 37 times
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: String function: 02ABE755 appears 38 times
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: String function: 02CF81C0 appears 131 times
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: String function: 02CFE080 appears 44 times
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: String function: 6BA58FA0 appears 83 times
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: String function: 02AB8895 appears 130 times
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: String function: 6C4BFBB0 appears 34 times
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: String function: 6C45EA50 appears 31 times
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: String function: 6C4EC890 appears 51 times
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: String function: 6C505345 appears 343 times
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: String function: 6C4ED420 appears 74 times
PE file contains executable resources (Code or Archives)
Source: deviceregister_shared.dll.6.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: app_package_6f432258ca.exe.6.dr Static PE information: Resource name: RELEASE_DLL type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Sample file is different than original file name gathered from version info
Source: vFjfAgq5PM.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs vFjfAgq5PM.msi
Source: vFjfAgq5PM.msi Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs vFjfAgq5PM.msi
Yara signature match
Source: 9.2.dropbox.exe.11160cd.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 9.2.dropbox.exe.2aa12d5.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 9.2.dropbox.exe.11160cd.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 9.2.dropbox.exe.2aa12d5.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000009.00000002.4138493553.0000000002AA0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000009.00000002.4137162182.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: BgWorker.dll.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winMSI@22/57@0/8
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA679C0 memset,GetModuleHandleW,FormatMessageW,GetLastError, 9_2_6BA679C0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 6_2_0040338F
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_00404722 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 6_2_00404722
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4463D0 IsRunningApp,CreateToolhelp32Snapshot,Process32FirstW,GetCurrentProcessId,Process32NextW,CloseHandle,GlobalAlloc,lstrcpynW, 6_2_6C4463D0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_00402104 CoCreateInstance, 6_2_00402104
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C49CB40 ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@VSTRINGorID@2@PB_WPAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z,?GetResourceDll@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ,FindResourceW,?GetResourceDll@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ,LoadResource,?GetResourceDll@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ,SizeofResource,LockResource,?LoadFromMem@CMarkup@DuiLib@@QAE_NPAEKH@Z,FreeResource,?Load@CMarkup@DuiLib@@QAE_NPB_W@Z,?LoadFromFile@CMarkup@DuiLib@@QAE_NPB_WH@Z,?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@PAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z,FreeResource, 6_2_6C49CB40
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Microsoft\Windows Service Association Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\Public\Documents\Dropbox.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Users\Public\Documents\CapCut_installer.exe Mutant created: \Sessions\1\BaseNamedObjects\ByteDance_Mutex_Installer_Downloader_CapCut
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Users\Public\Documents\CapCut_installer.exe Mutant created: \Sessions\1\BaseNamedObjects\CapCut_Mutex_Install
Source: C:\Users\Public\Documents\CapCut_installer.exe Mutant created: \Sessions\1\BaseNamedObjects\CapCut_Mutex_UnInstall
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Mutant created: \Sessions\1\BaseNamedObjects\vDbXW
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Mutant created: \Sessions\1\BaseNamedObjects\2f985c58743b38fb2171f673f820cbba
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF19852D83031204CA.TMP Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Command line argument: DllEntry 9_2_00CF15D8
Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: CapCut_installer.exe String found in binary or memory: resource/install.xml
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\vFjfAgq5PM.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9342AE7FC298454AC0E2B46CA904726C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 84080775417F402876A00B89D1C4E077 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue."
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\Documents\CapCut_installer.exe "C:\Users\Public\Documents\capcut_installer.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c "C:\Program Files (x86)\Dropbox\Update\dropbox.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Dropbox\Update\dropbox.exe "C:\Program Files (x86)\Dropbox\Update\dropbox.exe"
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Program Files (x86)\Dropbox\Update\Dropbox.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'GoogleUpdateTaskMachineUA'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\Dropbox\Update\dropbox.exe "C:\Program Files (x86)\Dropbox\Update\Dropbox.exe"
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Process created: C:\Program Files (x86)\Dropbox\Update\dropbox.exe "C:\Program Files (x86)\Dropbox\Update\Dropbox.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9342AE7FC298454AC0E2B46CA904726C Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 84080775417F402876A00B89D1C4E077 E Global\MSI0000 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c "C:\Program Files (x86)\Dropbox\Update\dropbox.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue." Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\Documents\CapCut_installer.exe "C:\Users\Public\Documents\capcut_installer.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Dropbox\Update\dropbox.exe "C:\Program Files (x86)\Dropbox\Update\dropbox.exe" Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Program Files (x86)\Dropbox\Update\Dropbox.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'GoogleUpdateTaskMachineUA'" Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Process created: C:\Program Files (x86)\Dropbox\Update\dropbox.exe "C:\Program Files (x86)\Dropbox\Update\Dropbox.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: mf.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: mfplat.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: mfcore.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: ksuser.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: mfperfhelper.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: rtworkq.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: vFjfAgq5PM.msi Static file information: File size 4157440 > 1048576
Source: Binary string: DropboxUpdate_unsigned.pdb source: dropbox.exe, dropbox.exe, 00000009.00000000.1746989060.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 00000009.00000002.4134037490.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 0000000C.00000002.1802477084.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 0000000C.00000000.1797360608.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 0000000E.00000000.1843845894.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 0000000E.00000002.2445065297.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb\ source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr
Source: Binary string: D:\code\VideoFusion-win\install\VideofusionInstaller\packet_3rd\3rdparty\build\vs-release\Release\7zip.pdb source: app_package_6f432258ca.exe.6.dr
Source: Binary string: shell_downloader.dll.pdb source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: nsis_plugin.dll.pdb` source: CapCut_installer.exe, 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr
Source: Binary string: D:\code\bytedance\installer\LVInstallerCC\VideofusionInstaller\build\CC_RELEASE\JYInstaller.pdb source: app_package_6f432258ca.exe.6.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: vFjfAgq5PM.msi
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: vFjfAgq5PM.msi
Source: Binary string: nsis_plugin.dll.pdb source: CapCut_installer.exe, 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmp

Data Obfuscation
barindex
Suspicious powershell command line found
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Program Files (x86)\Dropbox\Update\Dropbox.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'GoogleUpdateTaskMachineUA'"
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Program Files (x86)\Dropbox\Update\Dropbox.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'GoogleUpdateTaskMachineUA'" Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C43F6C0 DownloaderInit,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DownloaderSetDelegate,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree, 6_2_6C43F6C0
PE file contains sections with non-standard names
Source: Dropbox.exe.1.dr Static PE information: section name: .text/DE
Source: goopdate.dll.1.dr Static PE information: section name: .eh_fram
Source: shell_downloader.dll.6.dr Static PE information: section name: .00cfg
Source: shell_downloader.dll.6.dr Static PE information: section name: .voltbl
Source: downloader_nsis_plugin.dll.6.dr Static PE information: section name: .00cfg
Source: downloader_nsis_plugin.dll.6.dr Static PE information: section name: .voltbl
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4ECDEB push ecx; ret 6_2_6C4ECDFE
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C8C2A1B push ecx; ret 6_2_6C8C2A2E
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C717A90 push 89084589h; iretd 6_2_6C717A95
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CF5490 push esp; iretd 9_2_00CF5492
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CFB915 push ecx; ret 9_2_00CFB928
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00D03130 push ecx; iretd 9_2_00D03132
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CFBAEA push dword ptr [ecx-75h]; iretd 9_2_00CFBAF2
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CF4EE5 push ecx; ret 9_2_00CF4EF8
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CF564C push esi; iretd 9_2_00CF564E
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CF525C push edx; iretd 9_2_00CF5262
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CF5651 push esi; iretd 9_2_00CF5652
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CF53ED push esp; iretd 9_2_00CF53EE
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CF53E9 push ebx; iretd 9_2_00CF53EA
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CF53F0 push esp; iretd 9_2_00CF53F2
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00D033A1 pushfd ; iretd 9_2_00D033A2
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BAA2AD0 push eax; mov dword ptr [esp], esi 9_2_6BAA2B45
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BAACA50 push ss; ret 9_2_6BAACA76
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BAAC92D push es; ret 9_2_6BAAC985
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BAAC878 push es; retf 0005h 9_2_6BAAC87B
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BAAC733 push es; retf 9_2_6BAAC76C
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02AB13E0 push esp; retf 0000h 9_2_02AB13E1
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02ABE0F1 push ecx; ret 9_2_02ABE104
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02AA1405 push 0044C3E0h; ret 9_2_02AA16D7
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02AB1AD4 pushad ; ret 9_2_02AB1AD5
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02CFE0C6 push ecx; ret 9_2_02CFE0D9
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02CFDA1C push ecx; ret 9_2_02CFDA2F

Persistence and Installation Behavior
barindex
Contains functionality to infect the boot sector
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: CreateFileW,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 6_2_6C4EA3F0
Drops PE files
Source: C:\Users\Public\Documents\CapCut_installer.exe File created: C:\Users\user\AppData\Local\app_shell_cache_562354\app_package_6f432258ca.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFC43.tmp Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe File created: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\deviceregister_shared.dll Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe File created: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\BgWorker.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFC93.tmp Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe File created: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\downloader_nsis_plugin.dll Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Program Files (x86)\Dropbox\Update\goopdate.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFD80.tmp Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe File created: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\shell_downloader.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\Public\Documents\goopdate.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFBC5.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\Public\Documents\CapCut_installer.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Program Files (x86)\Dropbox\Update\dropbox.exe (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\Public\Documents\Dropbox.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFC73.tmp Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe File created: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\System.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFC43.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFC93.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFD80.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFBC5.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFC73.tmp Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe File created: C:\Users\user\AppData\Local\Temp\installer_downloader.log Jump to behavior

Boot Survival
barindex
Contains functionality to infect the boot sector
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: CreateFileW,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 6_2_6C4EA3F0

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4C1AB0 ?OnSize@WindowImplBase@DuiLib@@UAEJIIJAAH@Z,?GetRoundCorner@CPaintManagerUI@DuiLib@@QBE?AUtagSIZE@@XZ,?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ,IsIconic,??0CDuiRect@DuiLib@@QAE@XZ,?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ,GetWindowRect,?Offset@CDuiRect@DuiLib@@QAEXHH@Z,CreateRoundRectRgn,?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ,SetWindowRgn,DeleteObject, 6_2_6C4C1AB0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4C1680 ?OnNcActivate@WindowImplBase@DuiLib@@UAEJIIJAAH@Z,?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ,IsIconic, 6_2_6C4C1680
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA972F0 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,GetLastError,GetCurrentProcess,GetCurrentThread,memset,RtlCaptureContext,WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,memset,GetProcAddress,GetCurrentProcess,lstrlenW,memcpy,GetCurrentProcessId,CreateMutexA,CloseHandle,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,memset,memset,GetProcAddress,ReleaseMutex, 9_2_6BA972F0
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4463D0 IsRunningApp,CreateToolhelp32Snapshot,Process32FirstW,GetCurrentProcessId,Process32NextW,CloseHandle,GlobalAlloc,lstrcpynW, 6_2_6C4463D0
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4608 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3268 Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Window / User API: threadDelayed 1795 Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Window / User API: threadDelayed 8023 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6242 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3339 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\Public\Documents\CapCut_installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\app_shell_cache_562354\app_package_6f432258ca.exe Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\deviceregister_shared.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIFC43.tmp Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\BgWorker.dll Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\downloader_nsis_plugin.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIFC93.tmp Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Program Files (x86)\Dropbox\Update\goopdate.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIFD80.tmp Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\shell_downloader.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIFBC5.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\Public\Documents\goopdate.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIFC73.tmp Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\System.dll Jump to dropped file
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found large amount of non-executed APIs
Source: C:\Users\Public\Documents\CapCut_installer.exe API coverage: 6.3 %
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe API coverage: 6.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\msiexec.exe TID: 7356 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676 Thread sleep count: 4608 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7680 Thread sleep count: 3268 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7708 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe TID: 7944 Thread sleep count: 1795 > 30 Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe TID: 7944 Thread sleep time: -53850000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe TID: 3652 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe TID: 7944 Thread sleep count: 8023 > 30 Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe TID: 7944 Thread sleep time: -240690000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8032 Thread sleep count: 6242 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8020 Thread sleep count: 3339 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8096 Thread sleep time: -10145709240540247s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Users\Public\Documents\CapCut_installer.exe File opened: PhysicalDrive0 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Last function: Thread delayed
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe File Volume queried: C:\Windows\SysWOW64 FullSizeInformation Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 6_2_004059CC
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_004065FD FindFirstFileW,FindClose, 6_2_004065FD
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_00402868 FindFirstFileW, 6_2_00402868
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C50CB33 FindFirstFileExW, 6_2_6C50CB33
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C50CBE4 FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose, 6_2_6C50CBE4
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C465C30 PathIsDirectoryW,FindFirstFileW,PathFileExistsW,CreateFileW,CloseHandle,FindNextFileW,FindClose, 6_2_6C465C30
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C43D9E0 FindFirstFileW,FindNextFileW,FindClose, 6_2_6C43D9E0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C8E62F4 FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose, 6_2_6C8E62F4
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C8E6243 FindFirstFileExW, 6_2_6C8E6243
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA8D300 CloseHandle,memset,FindFirstFileW,FindClose, 9_2_6BA8D300
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02CE7D30 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 9_2_02CE7D30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: dropbox.exe, 00000009.00000002.4146470711.000000000365C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW|NPA
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003630000.00000004.00000020.00020000.00000000.sdmp, dropbox.exe, 00000009.00000002.4146470711.000000000365C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: CapCut_installer.exe, 00000006.00000003.1722339478.00000000038BD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: te\dXKKG:41)=G=02:=@5;B3+14J6+5>;682<908FC64>I5AP:F><8;D<5FGECA>=?B>BIIC@ABBEB=FXWFCNG?C>;IOGQEMU4
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: CapCut_installer.exe, 00000006.00000002.4147485736.0000000002F80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\Public\Documents\CapCut_installer.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4ECB73 IsDebuggerPresent,OutputDebugStringW, 6_2_6C4ECB73
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4463D0 IsRunningApp,CreateToolhelp32Snapshot,Process32FirstW,GetCurrentProcessId,Process32NextW,CloseHandle,GlobalAlloc,lstrcpynW, 6_2_6C4463D0
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C43F6C0 DownloaderInit,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DownloaderSetDelegate,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree, 6_2_6C43F6C0
Contains functionality to read the PEB
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4FAD7D mov ecx, dword ptr fs:[00000030h] 6_2_6C4FAD7D
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C50A3E0 mov eax, dword ptr fs:[00000030h] 6_2_6C50A3E0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C50A3AF mov eax, dword ptr fs:[00000030h] 6_2_6C50A3AF
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C8E39BF mov eax, dword ptr fs:[00000030h] 6_2_6C8E39BF
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C8E39F0 mov eax, dword ptr fs:[00000030h] 6_2_6C8E39F0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C8D02AD mov ecx, dword ptr fs:[00000030h] 6_2_6C8D02AD
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02ADAAD7 mov eax, dword ptr fs:[00000030h] 9_2_02ADAAD7
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02AD6D00 mov eax, dword ptr fs:[00000030h] 9_2_02AD6D00
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02D1662B mov eax, dword ptr fs:[00000030h] 9_2_02D1662B
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02D1A402 mov eax, dword ptr fs:[00000030h] 9_2_02D1A402
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4EAB30 __Init_thread_header,GetProcessHeap,__Init_thread_header, 6_2_6C4EAB30
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4ECAAA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6C4ECAAA
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4EC594 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6C4EC594
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4FE213 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6C4FE213
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C8C1DE7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6C8C1DE7
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C8C2834 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6C8C2834
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C8E2660 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6C8E2660
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CFA800 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__amsg_exit, 9_2_00CFA800
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CF656E SetUnhandledExceptionFilter, 9_2_00CF656E
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CF497A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00CF497A
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_00CF5ADA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00CF5ADA
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BAA1D40 TlsGetValue,CloseHandle,CloseHandle,CloseHandle,TlsSetValue,RtlRemoveVectoredExceptionHandler,RtlAddVectoredExceptionHandler,CloseHandle,CloseHandle,CloseHandle, 9_2_6BAA1D40
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BAA1E49 RtlAddVectoredExceptionHandler, 9_2_6BAA1E49
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02CFD2E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_02CFD2E7
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02D16BAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_02D16BAE
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02CFDE0A SetUnhandledExceptionFilter, 9_2_02CFDE0A
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02CFDCA5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_02CFDCA5

HIPS / PFW / Operating System Protection Evasion
barindex
Bypasses PowerShell execution policy
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue."
Contains functionality to inject code into remote processes
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02CE70A0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree, 9_2_02CE70A0
Contains functionality to launch a program with higher privileges
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02CE72B0 ShellExecuteA,CreateThread,Sleep, 9_2_02CE72B0
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c "C:\Program Files (x86)\Dropbox\Update\dropbox.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue." Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\Documents\CapCut_installer.exe "C:\Users\Public\Documents\capcut_installer.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Dropbox\Update\dropbox.exe "C:\Program Files (x86)\Dropbox\Update\dropbox.exe" Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Program Files (x86)\Dropbox\Update\Dropbox.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'GoogleUpdateTaskMachineUA'" Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Process created: C:\Program Files (x86)\Dropbox\Update\dropbox.exe "C:\Program Files (x86)\Dropbox\Update\Dropbox.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssfddb.ps1" -propfile "c:\users\user\appdata\local\temp\msifdc9.txt" -scriptfile "c:\users\user\appdata\local\temp\scrfdca.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scrfdcb.txt" -propsep " :<->: " -testprefix "_testvalue."
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -command "register-scheduledtask -action (new-scheduledtaskaction -execute \"c:\program files (x86)\dropbox\update\dropbox.exe\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'googleupdatetaskmachineua'"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssfddb.ps1" -propfile "c:\users\user\appdata\local\temp\msifdc9.txt" -scriptfile "c:\users\user\appdata\local\temp\scrfdca.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scrfdcb.txt" -propsep " :<->: " -testprefix "_testvalue." Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -command "register-scheduledtask -action (new-scheduledtaskaction -execute \"c:\program files (x86)\dropbox\update\dropbox.exe\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'googleupdatetaskmachineua'" Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C4EC6AF cpuid 6_2_6C4EC6AF
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: DownloaderInit,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DownloaderSetDelegate,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree, 6_2_6C43F6C0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: GetLocaleInfoW, 6_2_6C50C80D
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: EnumSystemLocalesW, 6_2_6C50C4D3
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: GetLocaleInfoW, 6_2_6C50C540
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: GetLocaleInfoW, 6_2_6C50C660
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: EnumSystemLocalesW, 6_2_6C50C615
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_6C50C707
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: EnumSystemLocalesW, 6_2_6C50815D
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: EnumSystemLocalesW, 6_2_6C50C1E3
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_6C50C280
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_6C50BF8D
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: GetLocaleInfoW, 6_2_6C507B6C
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: InitLangSettingBox,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,GetLocaleInfoEx,?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z,GetUserDefaultLocaleName,LocaleNameToLCID,?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ,??1CDuiString@DuiLib@@QAE@XZ,?SetListItemSelectListener@CListUI@DuiLib@@QAEXPAVIListItemSelectedListener@2@@Z,GetLangSetting,lstrcpyW,GlobalFree,?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z,?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ,GlobalAlloc,lstrcpynW,??1CDuiString@DuiLib@@QAE@XZ,GlobalAlloc,lstrcpynW,GetDefaultLangSetting,GlobalAlloc,lstrcpynW, 6_2_6C443740
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: GetLocaleInfoA, 9_2_00CFAA75
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Queries volume information: C:\Program Files (x86)\Dropbox\Update VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Queries volume information: C:\Program Files (x86)\Dropbox\Update\dropbox.exe VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_6BA94F80 GetCurrentProcessId,76E3B410,76E3B410,CreateNamedPipeW,GetLastError,CloseHandle,CloseHandle, 9_2_6BA94F80
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C469900 GetLocalTime,GetCurrentThreadId,GetCurrentProcessId,_strlen,WriteFile,_strlen, 6_2_6C469900
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02CF50C0 IsUserAnAdmin,GetUserNameA,GetComputerNameExW,GetModuleFileNameA, 9_2_02CF50C0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 6_2_0040338F

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 9.2.dropbox.exe.11160cd.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.dropbox.exe.2aa12d5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.dropbox.exe.11160cd.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.dropbox.exe.2aa12d5.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.4140266167.0000000002CE1000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4135316816.0000000001000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4138493553.0000000002AA0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4137162182.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C46E9A0 ?Download@CWebBrowserUI@DuiLib@@UAGJPAUIMoniker@@PAUIBindCtx@@KJPAU_tagBINDINFO@@PB_W3I@Z, 6_2_6C46E9A0
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C481830 ?SetListItemSelectListener@CListUI@DuiLib@@QAEXPAVIListItemSelectedListener@2@@Z, 6_2_6C481830
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C443740 InitLangSettingBox,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,GetLocaleInfoEx,?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z,GetUserDefaultLocaleName,LocaleNameToLCID,?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ,??1CDuiString@DuiLib@@QAE@XZ,?SetListItemSelectListener@CListUI@DuiLib@@QAEXPAVIListItemSelectedListener@2@@Z,GetLangSetting,lstrcpyW,GlobalFree,?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z,?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ,GlobalAlloc,lstrcpynW,??1CDuiString@DuiLib@@QAE@XZ,GlobalAlloc,lstrcpynW,GetDefaultLangSetting,GlobalAlloc,lstrcpynW, 6_2_6C443740
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C43B000 OnControlBindNSISScript,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,??0CDuiString@DuiLib@@QAE@PB_WH@Z,?SaveToControlCallbackMap@WindowImplBase@DuiLib@@QAEXVCDuiString@2@H@Z, 6_2_6C43B000
Source: C:\Users\Public\Documents\CapCut_installer.exe Code function: 6_2_6C43B130 ControlBindNSISScript,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,??0CDuiString@DuiLib@@QAE@PB_WH@Z,?SaveToControlCallbackMap@WindowImplBase@DuiLib@@QAEXVCDuiString@2@H@Z, 6_2_6C43B130
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02ACE726 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 9_2_02ACE726
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02ACF41D Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 9_2_02ACF41D
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02D0E051 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 9_2_02D0E051
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe Code function: 9_2_02D0ED48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 9_2_02D0ED48
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1523557 Sample: vFjfAgq5PM.msi Startdate: 01/10/2024 Architecture: WINDOWS Score: 100 88 Found malware configuration 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 Yara detected Amadeys stealer DLL 2->92 94 7 other signatures 2->94 10 msiexec.exe 14 35 2->10         started        13 msiexec.exe 4 2->13         started        16 dropbox.exe 2->16         started        process3 dnsIp4 56 C:\Users\Public\...\CapCut_installer.exe, PE32 10->56 dropped 58 C:\Windows\Installer\MSIFD80.tmp, PE32 10->58 dropped 60 C:\Windows\Installer\MSIFC93.tmp, PE32 10->60 dropped 62 5 other files (none is malicious) 10->62 dropped 18 msiexec.exe 8 10->18         started        21 msiexec.exe 1 1 10->21         started        72 87.248.202.1 LLNWUS United Kingdom 13->72 file5 process6 file7 48 C:\Users\user\AppData\Local\...\scrFDCA.ps1, Unicode 18->48 dropped 50 C:\Users\user\AppData\Local\...\pssFDDB.ps1, Unicode 18->50 dropped 24 powershell.exe 17 18->24         started        96 Bypasses PowerShell execution policy 21->96 28 cmd.exe 1 21->28         started        signatures8 process9 file10 52 C:\...\goopdate.dll (copy), PE32 24->52 dropped 54 C:\Program Files (x86)\...\dropbox.exe (copy), PE32 24->54 dropped 98 Powershell drops PE file 24->98 30 CapCut_installer.exe 37 24->30         started        35 conhost.exe 24->35         started        37 dropbox.exe 13 28->37         started        39 conhost.exe 28->39         started        signatures11 process12 dnsIp13 74 2.18.64.35 AdministracionNacionaldeTelecomunicacionesUY European Union 30->74 76 2.16.202.65 AKAMAI-ASUS European Union 30->76 80 4 other IPs or domains 30->80 64 C:\Users\user\...\app_package_6f432258ca.exe, PE32 30->64 dropped 66 C:\Users\user\...\shell_downloader.dll, PE32 30->66 dropped 68 C:\Users\user\...\downloader_nsis_plugin.dll, PE32 30->68 dropped 70 3 other files (none is malicious) 30->70 dropped 82 Contains functionality to infect the boot sector 30->82 84 Drops large PE files 30->84 78 45.202.35.101 ONL-HKOCEANNETWORKLIMITEDHK Seychelles 37->78 86 Suspicious powershell command line found 37->86 41 powershell.exe 2 37 37->41         started        44 dropbox.exe 37->44         started        file14 signatures15 process16 signatures17 100 Loading BitLocker PowerShell Module 41->100 46 conhost.exe 41->46         started        process18
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
2.16.202.65
 unknown European Union
16625 AKAMAI-ASUS false
2.16.202.97
 unknown European Union
16625 AKAMAI-ASUS false
45.202.35.101
 unknown Seychelles
139086 ONL-HKOCEANNETWORKLIMITEDHK true
2.18.64.35
 unknown European Union
6057 AdministracionNacionaldeTelecomunicacionesUY false
2.16.62.200
 unknown European Union
20940 AKAMAI-ASN1EU false
87.248.202.1
 unknown United Kingdom
22822 LLNWUS false
2.19.126.136
 unknown European Union
16625 AKAMAI-ASUS false

Private

IP
127.0.0.1