Edit tour

Windows Analysis Report
vFjfAgq5PM.msi

Overview

General Information

Sample name:	vFjfAgq5PM.msi renamed because original name is a hash value
Original sample name:	1dd7892458eab123c341452aff6f4d817f290efc7f8c97b76bdb78e1e1fcf8d2.msi
Analysis ID:	1523557
MD5:	087d510f4d69f6faa479e4919f51a175
SHA1:	084c49d7c83b257aacf8c94b28b992c326a2ad09
SHA256:	1dd7892458eab123c341452aff6f4d817f290efc7f8c97b76bdb78e1e1fcf8d2
Tags:	45-202-35-101msiuser-JAMESWT_MHT
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected Amadeys stealer DLL

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Contains functionality to infect the boot sector

Contains functionality to inject code into remote processes

Drops large PE files

Loading BitLocker PowerShell Module

Powershell drops PE file

Sigma detected: Execution from Suspicious Folder

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Suspicious MsiExec Embedding Parent

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7320 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\vFjfAgq5PM.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7372 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7484 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 9342AE7FC298454AC0E2B46CA904726C MD5: 9D09DC1EDA745A5F87553048E57620CF)

cmd.exe (PID: 7884 cmdline: "C:\Windows\SysWOW64\cmd.exe" /c "C:\Program Files (x86)\Dropbox\Update\dropbox.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dropbox.exe (PID: 7940 cmdline: "C:\Program Files (x86)\Dropbox\Update\dropbox.exe" MD5: 3B607E9AE169797C5112736DD445DB25)

powershell.exe (PID: 7956 cmdline: "powershell.exe" -Command "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Program Files (x86)\Dropbox\Update\Dropbox.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'GoogleUpdateTaskMachineUA'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dropbox.exe (PID: 4324 cmdline: "C:\Program Files (x86)\Dropbox\Update\Dropbox.exe" MD5: 3B607E9AE169797C5112736DD445DB25)

msiexec.exe (PID: 7560 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 84080775417F402876A00B89D1C4E077 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

powershell.exe (PID: 7596 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue." MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

CapCut_installer.exe (PID: 7732 cmdline: "C:\Users\Public\Documents\capcut_installer.exe" MD5: C91E097550EA6CCEDF592D8B83414E0D)

dropbox.exe (PID: 8152 cmdline: "C:\Program Files (x86)\Dropbox\Update\Dropbox.exe" MD5: 3B607E9AE169797C5112736DD445DB25)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": "45.202.35.101/pLQvfD4d/index.php", "Version": "4.42", "Install Folder": "9d94d7e7d6", "Install File": "Hkbsse.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.4140266167.0000000002CE1000.00000020.10000000.00040000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000009.00000002.4135316816.0000000001000000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000009.00000002.4138493553.0000000002AA0000.00000040.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000009.00000002.4138493553.0000000002AA0000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x69d50:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x6d286:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000009.00000002.4137162182.00000000010A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000009.00000002.4137162182.00000000010A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xd6b48:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0xda07e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.dropbox.exe.11160cd.1.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
9.2.dropbox.exe.11160cd.1.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x655b1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
9.2.dropbox.exe.2aa12d5.2.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
9.2.dropbox.exe.2aa12d5.2.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x68a7b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x6bfb1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
9.2.dropbox.exe.11160cd.1.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
9.2.dropbox.exe.11160cd.1.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x68a7b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x6bfb1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
9.2.dropbox.exe.2aa12d5.2.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
9.2.dropbox.exe.2aa12d5.2.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x655b1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Documents\capcut_installer.exe", CommandLine: "C:\Users\Public\Documents\capcut_installer.exe", CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\CapCut_installer.exe, NewProcessName: C:\Users\Public\Documents\CapCut_installer.exe, OriginalFileName: C:\Users\Public\Documents\CapCut_installer.exe, ParentCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue.", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7596, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\Public\Documents\capcut_installer.exe", ProcessId: 7732, ProcessName: CapCut_installer.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 84080775417F402876A00B89D1C4E077 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7560, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue.", ProcessId: 7596, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 84080775417F402876A00B89D1C4E077 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7560, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue.", ProcessId: 7596, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 84080775417F402876A00B89D1C4E077 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7560, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue.", ProcessId: 7596, ProcessName: powershell.exe

Sigma detected: Suspicious MsiExec Embedding Parent

Source: Process started

Author: frack113: Data: Command: "C:\Windows\SysWOW64\cmd.exe" /c "C:\Program Files (x86)\Dropbox\Update\dropbox.exe", CommandLine: "C:\Windows\SysWOW64\cmd.exe" /c "C:\Program Files (x86)\Dropbox\Update\dropbox.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 9342AE7FC298454AC0E2B46CA904726C, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7484, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\SysWOW64\cmd.exe" /c "C:\Program Files (x86)\Dropbox\Update\dropbox.exe", ProcessId: 7884, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 84080775417F402876A00B89D1C4E077 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7560, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue.", ProcessId: 7596, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000009.00000002.4135316816.0000000001000000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Amadey {"C2 url": "45.202.35.101/pLQvfD4d/index.php", "Version": "4.42", "Install Folder": "9d94d7e7d6", "Install File": "Hkbsse.exe"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_97268b58-a

Source: C:\Users\Public\Documents\CapCut_installer.exe

File created: C:\Users\user\AppData\Local\Temp\installer_downloader.log

Jump to behavior

Source:	Binary string: DropboxUpdate_unsigned.pdb source: dropbox.exe, dropbox.exe, 00000009.00000000.1746989060.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 00000009.00000002.4134037490.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 0000000C.00000002.1802477084.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 0000000C.00000000.1797360608.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 0000000E.00000000.1843845894.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 0000000E.00000002.2445065297.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb\ source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr
Source:	Binary string: D:\code\VideoFusion-win\install\VideofusionInstaller\packet_3rd\3rdparty\build\vs-release\Release\7zip.pdb source: app_package_6f432258ca.exe.6.dr
Source:	Binary string: shell_downloader.dll.pdb source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: nsis_plugin.dll.pdb` source: CapCut_installer.exe, 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr
Source:	Binary string: D:\code\bytedance\installer\LVInstallerCC\VideofusionInstaller\build\CC_RELEASE\JYInstaller.pdb source: app_package_6f432258ca.exe.6.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: vFjfAgq5PM.msi
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: vFjfAgq5PM.msi
Source:	Binary string: nsis_plugin.dll.pdb source: CapCut_installer.exe, 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmp

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_004059CC
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_004065FD FindFirstFileW,FindClose,	6_2_004065FD
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_00402868 FindFirstFileW,	6_2_00402868
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C50CB33 FindFirstFileExW,	6_2_6C50CB33
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C50CBE4 FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose,	6_2_6C50CBE4
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C465C30 PathIsDirectoryW,FindFirstFileW,PathFileExistsW,CreateFileW,CloseHandle,FindNextFileW,FindClose,	6_2_6C465C30
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C43D9E0 FindFirstFileW,FindNextFileW,FindClose,	6_2_6C43D9E0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C8E62F4 FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose,	6_2_6C8E62F4
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C8E6243 FindFirstFileExW,	6_2_6C8E6243
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA8D300 CloseHandle,memset,FindFirstFileW,FindClose,	9_2_6BA8D300

Source: C:\Users\Public\Documents\CapCut_installer.exe

Code function: 4x nop then movd mm0, dword ptr [edx]

6_2_6C714577

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 45.202.35.101

Source: Joe Sandbox View

IP Address: 2.19.126.136 2.19.126.136

Source: Joe Sandbox View

ASN Name: ONL-HKOCEANNETWORKLIMITEDHK ONL-HKOCEANNETWORKLIMITEDHK

Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe

Code function: 9_2_02CEBE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,

9_2_02CEBE30

Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp, dropbox.exe, 00000009.00000002.4146470711.000000000365C000.00000004.00000020.00020000.00000000.sdmp, dropbox.exe, 00000009.00000002.4137162182.00000000010A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.php
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.php&
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.php4
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.php6
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.php7
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.php7-
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpI-CA
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpParameters
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpQ
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpV
Source: dropbox.exe, 00000009.00000002.4137162182.00000000010A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpb
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpf
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpft
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpg
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpi
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpindows
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpn
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phps
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpv
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.202.35.101/pLQvfD4d/index.phpz
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: vFjfAgq5PM.msi, app_package_6f432258ca.exe.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: app_package_6f432258ca.exe.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: app_package_6f432258ca.exe.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: vFjfAgq5PM.msi, app_package_6f432258ca.exe.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: vFjfAgq5PM.msi, app_package_6f432258ca.exe.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 0000000A.00000002.1785489930.0000000003048000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: vFjfAgq5PM.msi, app_package_6f432258ca.exe.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: app_package_6f432258ca.exe.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: app_package_6f432258ca.exe.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: vFjfAgq5PM.msi, app_package_6f432258ca.exe.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: app_package_6f432258ca.exe.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: app_package_6f432258ca.exe.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CapCut_installer.exe, 00000006.00000000.1713102880.000000000040A000.00000008.00000001.01000000.00000006.sdmp, CapCut_installer.exe, 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000004.00000002.1738790420.0000020816BD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1738790420.0000020816D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1815771486.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: app_package_6f432258ca.exe.6.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: vFjfAgq5PM.msi, app_package_6f432258ca.exe.6.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr, app_package_6f432258ca.exe.6.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: app_package_6f432258ca.exe.6.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: vFjfAgq5PM.msi, app_package_6f432258ca.exe.6.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000004.00000002.1715470998.0000020806B61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1788661780.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr	String found in binary or memory: http://t2.symcb.com0
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr	String found in binary or memory: http://tl.symcd.com0&
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr, app_package_6f432258ca.exe.6.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000004.00000002.1715470998.0000020806B61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBkq
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000000A.00000002.1815771486.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.1815771486.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.1815771486.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://editor-api-sg.capcut.com
Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://editor-api-sg.capcut.com/service/2/app_alert_check/
Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://editor-api-sg.capcut.com/service/2/desktop/device_register/
Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://editor-api-sg.capcut.com/service/2/desktop/device_register/https://editor-api-sg.capcut.com/
Source: CapCut_installer.exe, 00000006.00000002.4149333185.0000000056C64000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://editor-api-sg.capcut.comhttps://editor-api-sg.capcut.comhttps://sgali-mcs.byteoversea.comhtt
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1715470998.0000020807792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: app_package_6f432258ca.exe.6.dr	String found in binary or memory: https://imagemagick.org
Source: CapCut_installer.exe, 00000006.00000002.4135355349.0000000000650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lf16-capcut.faceulv.com/obj/capcutpc-packages-us/packages/CapCut_2_6_0_814_capcutpc_0_creato
Source: CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lf16-capcut.faceulv.com/obj/capcutpc-packages-us/packages/CapCut_4_6_0_1754_capcutpc_0_creat
Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://maliva-mcs.byteoversea.com
Source: CapCut_installer.exe, 00000006.00000002.4149333185.0000000056C64000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://maliva-mcs.byteoversea.com/v1/json
Source: CapCut_installer.exe, 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmp, CapCut_installer.exe, 00000006.00000002.4135355349.0000000000666000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mcs.byteoversea.net/v1/json_test
Source: powershell.exe, 00000004.00000002.1738790420.0000020816BD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1738790420.0000020816D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1815771486.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: CapCut_installer.exe, 00000006.00000002.4138487516.00000000006C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlau
Source: CapCut_installer.exe, 00000006.00000002.4138487516.00000000006C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaud
Source: CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/automatic_
Source: CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/chroma_key
Source: CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/intelligen
Source: CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/keyframe/k
Source: CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/speech_syn
Source: CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/text_style
Source: CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/visual_eff
Source: CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/water_worl
Source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://sgali-mcs.byteoversea.com
Source: CapCut_installer.exe, 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmp, CapCut_installer.exe, 00000006.00000002.4149333185.0000000056C64000.00000004.00001000.00020000.00000000.sdmp, CapCut_installer.exe, 00000006.00000002.4135355349.0000000000666000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sgali-mcs.byteoversea.com/v1/json
Source: CapCut_installer.exe, 00000006.00000002.4149333185.0000000056C64000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sgali-mcs.byteoversea.com/v1/jsonV
Source: CapCut_installer.exe, 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://sgali-mcs.byteoversea.com/v1/jsonhttps://mcs.byteoversea.net/v1/json_testInstallerDownloader
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: app_package_6f432258ca.exe.6.dr	String found in binary or memory: https://www.capcut.net/clause/user-agreementhttps://www.capcut.net/clause/privacyusD
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: C:\Users\Public\Documents\CapCut_installer.exe

Code function: 6_2_00405461 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

6_2_00405461

Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4A0460 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,		6_2_6C4A0460
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4A0050 ?PreMessageHandler@CPaintManagerUI@DuiLib@@QAE_NIIJAAJ@Z,?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ,??ACStdPtrArray@DuiLib@@QBEPAXH@Z,?IsWantTab@CRichEditUI@DuiLib@@QAE_NXZ,GetKeyState,?SetNextTabControl@CPaintManagerUI@DuiLib@@QAE_N_N@Z,?__FindControlFromShortcut@CPaintManagerUI@DuiLib@@CGPAVCControlUI@2@PAV32@PAX@Z,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetTickCount,		6_2_6C4A0050

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.dropbox.exe.11160cd.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 9.2.dropbox.exe.2aa12d5.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 9.2.dropbox.exe.11160cd.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 9.2.dropbox.exe.2aa12d5.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000009.00000002.4138493553.0000000002AA0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000009.00000002.4137162182.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Drops large PE files

Source: C:\Users\Public\Documents\CapCut_installer.exe

File dump: app_package_6f432258ca.exe.6.dr 362012672

Jump to dropped file

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Program Files (x86)\Dropbox\Update\goopdate.dll (copy)			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Program Files (x86)\Dropbox\Update\dropbox.exe (copy)			Jump to dropped file

Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA8AF60 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,	9_2_6BA8AF60
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA65CE0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,	9_2_6BA65CE0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02B0EA9C NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,	9_2_02B0EA9C

Source: C:\Users\Public\Documents\CapCut_installer.exe

Code function: 6_2_6C4EA3F0: CreateFileW,DeviceIoControl,CloseHandle,

6_2_6C4EA3F0

Source: C:\Users\Public\Documents\CapCut_installer.exe

Code function: 6_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

6_2_0040338F

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\45f79f.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFBC5.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC43.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC73.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC93.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{082E188A-67FA-4D67-920E-C850215DB6EC}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFCD3.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFD80.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIFBC5.tmp

Jump to behavior

Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_00406B15	6_2_00406B15
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_004072EC	6_2_004072EC
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_00404C9E	6_2_00404C9E
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4BAC60	6_2_6C4BAC60
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C49CC10	6_2_6C49CC10
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4AEA90	6_2_6C4AEA90
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4B0BB0	6_2_6C4B0BB0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4BC1D0	6_2_6C4BC1D0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4B0180	6_2_6C4B0180
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C48DC40	6_2_6C48DC40
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4ABF60	6_2_6C4ABF60
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C445980	6_2_6C445980
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4AFAA0	6_2_6C4AFAA0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4B5510	6_2_6C4B5510
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C490D60	6_2_6C490D60
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4ACDC0	6_2_6C4ACDC0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4F0E4F	6_2_6C4F0E4F
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C51683C	6_2_6C51683C
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4C28E0	6_2_6C4C28E0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4D89B0	6_2_6C4D89B0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4F6A2B	6_2_6C4F6A2B
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4B8A90	6_2_6C4B8A90
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C49AB30	6_2_6C49AB30
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C460BD0	6_2_6C460BD0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4B6480	6_2_6C4B6480
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4AA580	6_2_6C4AA580
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4F4654	6_2_6C4F4654
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4C2660	6_2_6C4C2660
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4F2745	6_2_6C4F2745
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C51272F	6_2_6C51272F
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4F60D0	6_2_6C4F60D0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4583F0	6_2_6C4583F0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4B9C20	6_2_6C4B9C20
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4F1C20	6_2_6C4F1C20
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C48FD90	6_2_6C48FD90
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C45BDB0	6_2_6C45BDB0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4F3EAB	6_2_6C4F3EAB
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C5098EB	6_2_6C5098EB
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C465930	6_2_6C465930
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4BBA30	6_2_6C4BBA30
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C45FB10	6_2_6C45FB10
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4C3440	6_2_6C4C3440
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C491410	6_2_6C491410
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4BF410	6_2_6C4BF410
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4AD590	6_2_6C4AD590
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C44B5B0	6_2_6C44B5B0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C465690	6_2_6C465690
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C443740	6_2_6C443740
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4EB730	6_2_6C4EB730
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C461040	6_2_6C461040
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4650E0	6_2_6C4650E0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C756DC0	6_2_6C756DC0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C78DDA0	6_2_6C78DDA0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C712E57	6_2_6C712E57
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C751F70	6_2_6C751F70
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C711F30	6_2_6C711F30
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C7168DD	6_2_6C7168DD
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C7118B0	6_2_6C7118B0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C750920	6_2_6C750920
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C7119E0	6_2_6C7119E0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C8C3970	6_2_6C8C3970
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C8EAA95	6_2_6C8EAA95
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C712AB0	6_2_6C712AB0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C714A80	6_2_6C714A80
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C715A80	6_2_6C715A80
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C711B90	6_2_6C711B90
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C7124C0	6_2_6C7124C0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C711540	6_2_6C711540
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C797530	6_2_6C797530
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C7515F0	6_2_6C7515F0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C71867D	6_2_6C71867D
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C715650	6_2_6C715650
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C74E650	6_2_6C74E650
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C7166D5	6_2_6C7166D5
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C7566C0	6_2_6C7566C0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C74B0D0	6_2_6C74B0D0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C71614D	6_2_6C71614D
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C753130	6_2_6C753130
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C71626D	6_2_6C71626D
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C749340	6_2_6C749340
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C716349	6_2_6C716349
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C74D3A0	6_2_6C74D3A0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CF39DE	9_2_00CF39DE
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CF3DEA	9_2_00CF3DEA
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CF798C	9_2_00CF798C
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CF3135	9_2_00CF3135
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CF360A	9_2_00CF360A
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CF420A	9_2_00CF420A
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA549C7	9_2_6BA549C7
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA53283	9_2_6BA53283
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA8E5D4	9_2_6BA8E5D4
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA68AA0	9_2_6BA68AA0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA62A80	9_2_6BA62A80
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA7FA90	9_2_6BA7FA90
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA79929	9_2_6BA79929
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA6F8B4	9_2_6BA6F8B4
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA758C4	9_2_6BA758C4
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA5A8C0	9_2_6BA5A8C0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA7C831	9_2_6BA7C831
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA94F80	9_2_6BA94F80
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BAA7EB0	9_2_6BAA7EB0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA51ECF	9_2_6BA51ECF
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA88E70	9_2_6BA88E70
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA65DB0	9_2_6BA65DB0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA52DDB	9_2_6BA52DDB
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA5BD37	9_2_6BA5BD37
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA78D50	9_2_6BA78D50
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA5CCA0	9_2_6BA5CCA0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA80CF0	9_2_6BA80CF0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA58C24	9_2_6BA58C24
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA58C30	9_2_6BA58C30
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA813F0	9_2_6BA813F0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BAAA3D4	9_2_6BAAA3D4
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA99310	9_2_6BA99310
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA6F354	9_2_6BA6F354
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA861C0	9_2_6BA861C0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA9E1C0	9_2_6BA9E1C0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BAA0100	9_2_6BAA0100
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BAA7158	9_2_6BAA7158
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA800F0	9_2_6BA800F0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA94030	9_2_6BA94030
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BAA7000	9_2_6BAA7000
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA856B0	9_2_6BA856B0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA866B0	9_2_6BA866B0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA6A69E	9_2_6BA6A69E
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA62590	9_2_6BA62590
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA83590	9_2_6BA83590
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA75550	9_2_6BA75550
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA5B4A0	9_2_6BA5B4A0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA874A0	9_2_6BA874A0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA8A48E	9_2_6BA8A48E
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA5F430	9_2_6BA5F430
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA7E430	9_2_6BA7E430
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA69447	9_2_6BA69447
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02B0EA9C	9_2_02B0EA9C
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02B0C2A4	9_2_02B0C2A4
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02AA5205	9_2_02AA5205
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02B0B3C0	9_2_02B0B3C0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02AE8090	9_2_02AE8090
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02AE9035	9_2_02AE9035
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02B0A108	9_2_02B0A108
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02B0B7F0	9_2_02B0B7F0
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02AD870B	9_2_02AD870B
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02AA54B5	9_2_02AA54B5
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02AE34E5	9_2_02AE34E5
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02AC15E8	9_2_02AC15E8
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02AC45C6	9_2_02AC45C6
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02AE781E	9_2_02AE781E
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02AC6967	9_2_02AC6967
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02B0AFE4	9_2_02B0AFE4
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02AE7F70	9_2_02AE7F70
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02AC1DD7	9_2_02AC1DD7
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02D06292	9_2_02D06292
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02D18036	9_2_02D18036
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02D27149	9_2_02D27149
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02CEE610	9_2_02CEE610
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02D01702	9_2_02D01702
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02CE4B30	9_2_02CE4B30
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02D2789B	9_2_02D2789B
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02CEE610	9_2_02CEE610
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02D279BB	9_2_02D279BB
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02D28960	9_2_02D28960
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02D03EF1	9_2_02D03EF1
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02D22E10	9_2_02D22E10
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02D00F13	9_2_02D00F13
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02CE4DE0	9_2_02CE4DE0

Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\Dropbox\Update\dropbox.exe (copy) E7141AEB22EA3165A4F7FB8C4D210151575F1B95EF545E0978A2174598A08265
Source: Joe Sandbox View	Dropped File: C:\Users\Public\Documents\CapCut_installer.exe 4A9D815F284ADDA187982E2B24DA2BEAAD860739BC4B4CB1CF26408E7C221DD6

Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: String function: 02ABE117 appears 66 times
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: String function: 02CFDA42 appears 81 times
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: String function: 02CFD74E appears 53 times
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: String function: 00CF4EA0 appears 36 times
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: String function: 02CF7B00 appears 37 times
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: String function: 02ABE755 appears 38 times
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: String function: 02CF81C0 appears 131 times
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: String function: 02CFE080 appears 44 times
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: String function: 6BA58FA0 appears 83 times
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: String function: 02AB8895 appears 130 times
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: String function: 6C4BFBB0 appears 34 times
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: String function: 6C45EA50 appears 31 times
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: String function: 6C4EC890 appears 51 times
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: String function: 6C505345 appears 343 times
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: String function: 6C4ED420 appears 74 times

Source: deviceregister_shared.dll.6.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: app_package_6f432258ca.exe.6.dr	Static PE information: Resource name: RELEASE_DLL type: PE32 executable (DLL) (console) Intel 80386, for MS Windows

Source: vFjfAgq5PM.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs vFjfAgq5PM.msi
Source: vFjfAgq5PM.msi	Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs vFjfAgq5PM.msi

Source: 9.2.dropbox.exe.11160cd.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 9.2.dropbox.exe.2aa12d5.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 9.2.dropbox.exe.11160cd.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 9.2.dropbox.exe.2aa12d5.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000009.00000002.4138493553.0000000002AA0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000009.00000002.4137162182.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: BgWorker.dll.6.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winMSI@22/57@0/8

Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe

Code function: 9_2_6BA679C0 memset,GetModuleHandleW,FormatMessageW,GetLastError,

9_2_6BA679C0

Source: C:\Users\Public\Documents\CapCut_installer.exe

6_2_0040338F

Source: C:\Users\Public\Documents\CapCut_installer.exe

Code function: 6_2_00404722 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

6_2_00404722

Source: C:\Users\Public\Documents\CapCut_installer.exe

Code function: 6_2_6C4463D0 IsRunningApp,CreateToolhelp32Snapshot,Process32FirstW,GetCurrentProcessId,Process32NextW,CloseHandle,GlobalAlloc,lstrcpynW,

6_2_6C4463D0

Source: C:\Users\Public\Documents\CapCut_installer.exe

Code function: 6_2_00402104 CoCreateInstance,

6_2_00402104

Source: C:\Users\Public\Documents\CapCut_installer.exe

Code function: 6_2_6C49CB40 ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@VSTRINGorID@2@PB_WPAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z,?GetResourceDll@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ,FindResourceW,?GetResourceDll@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ,LoadResource,?GetResourceDll@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ,SizeofResource,LockResource,?LoadFromMem@CMarkup@DuiLib@@QAE_NPAEKH@Z,FreeResource,?Load@CMarkup@DuiLib@@QAE_NPB_W@Z,?LoadFromFile@CMarkup@DuiLib@@QAE_NPB_WH@Z,?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@PAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z,FreeResource,

6_2_6C49CB40

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\Microsoft\Windows Service Association

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\Public\Documents\Dropbox.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Users\Public\Documents\CapCut_installer.exe	Mutant created: \Sessions\1\BaseNamedObjects\ByteDance_Mutex_Installer_Downloader_CapCut
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\Public\Documents\CapCut_installer.exe	Mutant created: \Sessions\1\BaseNamedObjects\CapCut_Mutex_Install
Source: C:\Users\Public\Documents\CapCut_installer.exe	Mutant created: \Sessions\1\BaseNamedObjects\CapCut_Mutex_UnInstall
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Mutant created: \Sessions\1\BaseNamedObjects\vDbXW
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Mutant created: \Sessions\1\BaseNamedObjects\2f985c58743b38fb2171f673f820cbba
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF19852D83031204CA.TMP

Jump to behavior

Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe

Command line argument: DllEntry

9_2_00CF15D8

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: CapCut_installer.exe

String found in binary or memory: resource/install.xml

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\vFjfAgq5PM.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9342AE7FC298454AC0E2B46CA904726C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 84080775417F402876A00B89D1C4E077 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue."
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\Public\Documents\CapCut_installer.exe "C:\Users\Public\Documents\capcut_installer.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c "C:\Program Files (x86)\Dropbox\Update\dropbox.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Dropbox\Update\dropbox.exe "C:\Program Files (x86)\Dropbox\Update\dropbox.exe"
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Program Files (x86)\Dropbox\Update\Dropbox.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'GoogleUpdateTaskMachineUA'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\Dropbox\Update\dropbox.exe "C:\Program Files (x86)\Dropbox\Update\Dropbox.exe"
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Process created: C:\Program Files (x86)\Dropbox\Update\dropbox.exe "C:\Program Files (x86)\Dropbox\Update\Dropbox.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9342AE7FC298454AC0E2B46CA904726C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 84080775417F402876A00B89D1C4E077 E Global\MSI0000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c "C:\Program Files (x86)\Dropbox\Update\dropbox.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue."	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\Public\Documents\CapCut_installer.exe "C:\Users\Public\Documents\capcut_installer.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Dropbox\Update\dropbox.exe "C:\Program Files (x86)\Dropbox\Update\dropbox.exe"	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Program Files (x86)\Dropbox\Update\Dropbox.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'GoogleUpdateTaskMachineUA'"	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Process created: C:\Program Files (x86)\Dropbox\Update\dropbox.exe "C:\Program Files (x86)\Dropbox\Update\Dropbox.exe"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: mf.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: mfcore.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Users\Public\Documents\CapCut_installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: vFjfAgq5PM.msi

Static file information: File size 4157440 > 1048576

Source:	Binary string: DropboxUpdate_unsigned.pdb source: dropbox.exe, dropbox.exe, 00000009.00000000.1746989060.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 00000009.00000002.4134037490.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 0000000C.00000002.1802477084.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 0000000C.00000000.1797360608.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 0000000E.00000000.1843845894.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp, dropbox.exe, 0000000E.00000002.2445065297.0000000000D01000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb\ source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr
Source:	Binary string: D:\code\VideoFusion-win\install\VideofusionInstaller\packet_3rd\3rdparty\build\vs-release\Release\7zip.pdb source: app_package_6f432258ca.exe.6.dr
Source:	Binary string: shell_downloader.dll.pdb source: CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: nsis_plugin.dll.pdb` source: CapCut_installer.exe, 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr
Source:	Binary string: D:\code\bytedance\installer\LVInstallerCC\VideofusionInstaller\build\CC_RELEASE\JYInstaller.pdb source: app_package_6f432258ca.exe.6.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: vFjfAgq5PM.msi
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: vFjfAgq5PM.msi
Source:	Binary string: nsis_plugin.dll.pdb source: CapCut_installer.exe, 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Program Files (x86)\Dropbox\Update\Dropbox.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'GoogleUpdateTaskMachineUA'"
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Program Files (x86)\Dropbox\Update\Dropbox.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'GoogleUpdateTaskMachineUA'"			Jump to behavior

Source: C:\Users\Public\Documents\CapCut_installer.exe

Code function: 6_2_6C43F6C0 DownloaderInit,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DownloaderSetDelegate,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,

6_2_6C43F6C0

Source: Dropbox.exe.1.dr	Static PE information: section name: .text/DE
Source: goopdate.dll.1.dr	Static PE information: section name: .eh_fram
Source: shell_downloader.dll.6.dr	Static PE information: section name: .00cfg
Source: shell_downloader.dll.6.dr	Static PE information: section name: .voltbl
Source: downloader_nsis_plugin.dll.6.dr	Static PE information: section name: .00cfg
Source: downloader_nsis_plugin.dll.6.dr	Static PE information: section name: .voltbl

Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4ECDEB push ecx; ret	6_2_6C4ECDFE
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C8C2A1B push ecx; ret	6_2_6C8C2A2E
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C717A90 push 89084589h; iretd	6_2_6C717A95
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CF5490 push esp; iretd	9_2_00CF5492
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CFB915 push ecx; ret	9_2_00CFB928
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00D03130 push ecx; iretd	9_2_00D03132
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CFBAEA push dword ptr [ecx-75h]; iretd	9_2_00CFBAF2
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CF4EE5 push ecx; ret	9_2_00CF4EF8
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CF564C push esi; iretd	9_2_00CF564E
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CF525C push edx; iretd	9_2_00CF5262
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CF5651 push esi; iretd	9_2_00CF5652
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CF53ED push esp; iretd	9_2_00CF53EE
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CF53E9 push ebx; iretd	9_2_00CF53EA
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CF53F0 push esp; iretd	9_2_00CF53F2
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00D033A1 pushfd ; iretd	9_2_00D033A2
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BAA2AD0 push eax; mov dword ptr [esp], esi	9_2_6BAA2B45
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BAACA50 push ss; ret	9_2_6BAACA76
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BAAC92D push es; ret	9_2_6BAAC985
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BAAC878 push es; retf 0005h	9_2_6BAAC87B
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BAAC733 push es; retf	9_2_6BAAC76C
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02AB13E0 push esp; retf 0000h	9_2_02AB13E1
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02ABE0F1 push ecx; ret	9_2_02ABE104
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02AA1405 push 0044C3E0h; ret	9_2_02AA16D7
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02AB1AD4 pushad ; ret	9_2_02AB1AD5
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02CFE0C6 push ecx; ret	9_2_02CFE0D9
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02CFDA1C push ecx; ret	9_2_02CFDA2F

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\Public\Documents\CapCut_installer.exe

Code function: CreateFileW,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d

6_2_6C4EA3F0

Source: C:\Users\Public\Documents\CapCut_installer.exe	File created: C:\Users\user\AppData\Local\app_shell_cache_562354\app_package_6f432258ca.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC43.tmp	Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe	File created: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\deviceregister_shared.dll	Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe	File created: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\BgWorker.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC93.tmp	Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe	File created: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\downloader_nsis_plugin.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Program Files (x86)\Dropbox\Update\goopdate.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFD80.tmp	Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe	File created: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\shell_downloader.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\Public\Documents\goopdate.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFBC5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\Public\Documents\CapCut_installer.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Program Files (x86)\Dropbox\Update\dropbox.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\Public\Documents\Dropbox.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC73.tmp	Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe	File created: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\System.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC43.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC93.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFD80.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFBC5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC73.tmp	Jump to dropped file

Source: C:\Users\Public\Documents\CapCut_installer.exe

File created: C:\Users\user\AppData\Local\Temp\installer_downloader.log

Jump to behavior

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\Public\Documents\CapCut_installer.exe

Code function: CreateFileW,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d

6_2_6C4EA3F0

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4C1AB0 ?OnSize@WindowImplBase@DuiLib@@UAEJIIJAAH@Z,?GetRoundCorner@CPaintManagerUI@DuiLib@@QBE?AUtagSIZE@@XZ,?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ,IsIconic,??0CDuiRect@DuiLib@@QAE@XZ,?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ,GetWindowRect,?Offset@CDuiRect@DuiLib@@QAEXHH@Z,CreateRoundRectRgn,?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ,SetWindowRgn,DeleteObject,		6_2_6C4C1AB0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4C1680 ?OnNcActivate@WindowImplBase@DuiLib@@UAEJIIJAAH@Z,?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ,IsIconic,		6_2_6C4C1680

Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe

Code function: 9_2_6BA972F0 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,GetLastError,GetCurrentProcess,GetCurrentThread,memset,RtlCaptureContext,WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,memset,GetProcAddress,GetCurrentProcess,lstrlenW,memcpy,GetCurrentProcessId,CreateMutexA,CloseHandle,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,memset,memset,GetProcAddress,ReleaseMutex,

9_2_6BA972F0

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\Public\Documents\CapCut_installer.exe

Code function: 6_2_6C4463D0 IsRunningApp,CreateToolhelp32Snapshot,Process32FirstW,GetCurrentProcessId,Process32NextW,CloseHandle,GlobalAlloc,lstrcpynW,

6_2_6C4463D0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4608	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3268	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Window / User API: threadDelayed 1795	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Window / User API: threadDelayed 8023	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6242	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3339	Jump to behavior

Source: C:\Users\Public\Documents\CapCut_installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\app_shell_cache_562354\app_package_6f432258ca.exe	Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\deviceregister_shared.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIFC43.tmp	Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\BgWorker.dll	Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\downloader_nsis_plugin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIFC93.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Dropbox\Update\goopdate.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIFD80.tmp	Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\shell_downloader.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIFBC5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\Public\Documents\goopdate.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIFC73.tmp	Jump to dropped file
Source: C:\Users\Public\Documents\CapCut_installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\System.dll	Jump to dropped file

Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Users\Public\Documents\CapCut_installer.exe	API coverage: 6.3 %
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	API coverage: 6.5 %

Source: C:\Windows\System32\msiexec.exe TID: 7356	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676	Thread sleep count: 4608 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7680	Thread sleep count: 3268 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7708	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe TID: 7944	Thread sleep count: 1795 > 30	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe TID: 7944	Thread sleep time: -53850000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe TID: 3652	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe TID: 7944	Thread sleep count: 8023 > 30	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe TID: 7944	Thread sleep time: -240690000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8032	Thread sleep count: 6242 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8020	Thread sleep count: 3339 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8096	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior

Source: C:\Users\Public\Documents\CapCut_installer.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\Public\Documents\CapCut_installer.exe	File Volume queried: C:\Windows\SysWOW64 FullSizeInformation	Jump to behavior

Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_004059CC
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_004065FD FindFirstFileW,FindClose,	6_2_004065FD
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_00402868 FindFirstFileW,	6_2_00402868
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C50CB33 FindFirstFileExW,	6_2_6C50CB33
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C50CBE4 FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose,	6_2_6C50CBE4
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C465C30 PathIsDirectoryW,FindFirstFileW,PathFileExistsW,CreateFileW,CloseHandle,FindNextFileW,FindClose,	6_2_6C465C30
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C43D9E0 FindFirstFileW,FindNextFileW,FindClose,	6_2_6C43D9E0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C8E62F4 FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose,	6_2_6C8E62F4
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C8E6243 FindFirstFileExW,	6_2_6C8E6243
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BA8D300 CloseHandle,memset,FindFirstFileW,FindClose,	9_2_6BA8D300

Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe

Code function: 9_2_02CE7D30 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

9_2_02CE7D30

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: dropbox.exe, 00000009.00000002.4146470711.000000000365C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\|NPA
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: dropbox.exe, 00000009.00000002.4146470711.0000000003630000.00000004.00000020.00020000.00000000.sdmp, dropbox.exe, 00000009.00000002.4146470711.000000000365C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: CapCut_installer.exe, 00000006.00000003.1722339478.00000000038BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: te\dXKKG:41)=G=02:=@5;B3+14J6+5>;682<908FC64>I5AP:F><8;D<5FGECA>=?B>BIIC@ABBEB=FXWFCNG?C>;IOGQEMU4
Source: powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: CapCut_installer.exe, 00000006.00000002.4147485736.0000000002F80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\Public\Documents\CapCut_installer.exe

API call chain: ExitProcess graph end node

graph_6-96905

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\Documents\CapCut_installer.exe

Code function: 6_2_6C4ECB73 IsDebuggerPresent,OutputDebugStringW,

6_2_6C4ECB73

Source: C:\Users\Public\Documents\CapCut_installer.exe

Code function: 6_2_6C4463D0 IsRunningApp,CreateToolhelp32Snapshot,Process32FirstW,GetCurrentProcessId,Process32NextW,CloseHandle,GlobalAlloc,lstrcpynW,

6_2_6C4463D0

Source: C:\Users\Public\Documents\CapCut_installer.exe

6_2_6C43F6C0

Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4FAD7D mov ecx, dword ptr fs:[00000030h]	6_2_6C4FAD7D
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C50A3E0 mov eax, dword ptr fs:[00000030h]	6_2_6C50A3E0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C50A3AF mov eax, dword ptr fs:[00000030h]	6_2_6C50A3AF
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C8E39BF mov eax, dword ptr fs:[00000030h]	6_2_6C8E39BF
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C8E39F0 mov eax, dword ptr fs:[00000030h]	6_2_6C8E39F0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C8D02AD mov ecx, dword ptr fs:[00000030h]	6_2_6C8D02AD
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02ADAAD7 mov eax, dword ptr fs:[00000030h]	9_2_02ADAAD7
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02AD6D00 mov eax, dword ptr fs:[00000030h]	9_2_02AD6D00
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02D1662B mov eax, dword ptr fs:[00000030h]	9_2_02D1662B
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02D1A402 mov eax, dword ptr fs:[00000030h]	9_2_02D1A402

Source: C:\Users\Public\Documents\CapCut_installer.exe

Code function: 6_2_6C4EAB30 __Init_thread_header,GetProcessHeap,__Init_thread_header,

6_2_6C4EAB30

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4ECAAA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_6C4ECAAA
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4EC594 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6C4EC594
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C4FE213 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6C4FE213
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C8C1DE7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6C8C1DE7
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C8C2834 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_6C8C2834
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C8E2660 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6C8E2660
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CFA800 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__amsg_exit,	9_2_00CFA800
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CF656E SetUnhandledExceptionFilter,	9_2_00CF656E
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CF497A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00CF497A
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_00CF5ADA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00CF5ADA
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BAA1D40 TlsGetValue,CloseHandle,CloseHandle,CloseHandle,TlsSetValue,RtlRemoveVectoredExceptionHandler,RtlAddVectoredExceptionHandler,CloseHandle,CloseHandle,CloseHandle,	9_2_6BAA1D40
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_6BAA1E49 RtlAddVectoredExceptionHandler,	9_2_6BAA1E49
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02CFD2E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_02CFD2E7
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02D16BAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_02D16BAE
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02CFDE0A SetUnhandledExceptionFilter,	9_2_02CFDE0A
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02CFDCA5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_02CFDCA5

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue."

Contains functionality to inject code into remote processes

Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe

Code function: 9_2_02CE70A0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,

9_2_02CE70A0

Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe

Code function: 9_2_02CE72B0 ShellExecuteA,CreateThread,Sleep,

9_2_02CE72B0

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c "C:\Program Files (x86)\Dropbox\Update\dropbox.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue."	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\Public\Documents\CapCut_installer.exe "C:\Users\Public\Documents\capcut_installer.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Dropbox\Update\dropbox.exe "C:\Program Files (x86)\Dropbox\Update\dropbox.exe"	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Program Files (x86)\Dropbox\Update\Dropbox.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'GoogleUpdateTaskMachineUA'"	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Process created: C:\Program Files (x86)\Dropbox\Update\dropbox.exe "C:\Program Files (x86)\Dropbox\Update\Dropbox.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssfddb.ps1" -propfile "c:\users\user\appdata\local\temp\msifdc9.txt" -scriptfile "c:\users\user\appdata\local\temp\scrfdca.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scrfdcb.txt" -propsep " :<->: " -testprefix "_testvalue."
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -command "register-scheduledtask -action (new-scheduledtaskaction -execute \"c:\program files (x86)\dropbox\update\dropbox.exe\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'googleupdatetaskmachineua'"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssfddb.ps1" -propfile "c:\users\user\appdata\local\temp\msifdc9.txt" -scriptfile "c:\users\user\appdata\local\temp\scrfdca.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scrfdcb.txt" -propsep " :<->: " -testprefix "_testvalue."	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -command "register-scheduledtask -action (new-scheduledtaskaction -execute \"c:\program files (x86)\dropbox\update\dropbox.exe\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'googleupdatetaskmachineua'"	Jump to behavior

Source: C:\Users\Public\Documents\CapCut_installer.exe

Code function: 6_2_6C4EC6AF cpuid

6_2_6C4EC6AF

Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: DownloaderInit,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DownloaderSetDelegate,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,	6_2_6C43F6C0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: GetLocaleInfoW,	6_2_6C50C80D
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: EnumSystemLocalesW,	6_2_6C50C4D3
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: GetLocaleInfoW,	6_2_6C50C540
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: GetLocaleInfoW,	6_2_6C50C660
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: EnumSystemLocalesW,	6_2_6C50C615
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_6C50C707
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: EnumSystemLocalesW,	6_2_6C50815D
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: EnumSystemLocalesW,	6_2_6C50C1E3
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_6C50C280
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_6C50BF8D
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: GetLocaleInfoW,	6_2_6C507B6C
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: InitLangSettingBox,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,GetLocaleInfoEx,?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z,GetUserDefaultLocaleName,LocaleNameToLCID,?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ,??1CDuiString@DuiLib@@QAE@XZ,?SetListItemSelectListener@CListUI@DuiLib@@QAEXPAVIListItemSelectedListener@2@@Z,GetLangSetting,lstrcpyW,GlobalFree,?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z,?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ,GlobalAlloc,lstrcpynW,??1CDuiString@DuiLib@@QAE@XZ,GlobalAlloc,lstrcpynW,GetDefaultLangSetting,GlobalAlloc,lstrcpynW,	6_2_6C443740
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: GetLocaleInfoA,	9_2_00CFAA75

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Queries volume information: C:\Program Files (x86)\Dropbox\Update VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Queries volume information: C:\Program Files (x86)\Dropbox\Update\dropbox.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe

Code function: 9_2_6BA94F80 GetCurrentProcessId,76E3B410,76E3B410,CreateNamedPipeW,GetLastError,CloseHandle,CloseHandle,

9_2_6BA94F80

Source: C:\Users\Public\Documents\CapCut_installer.exe

Code function: 6_2_6C469900 GetLocalTime,GetCurrentThreadId,GetCurrentProcessId,_strlen,WriteFile,_strlen,

6_2_6C469900

Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe

Code function: 9_2_02CF50C0 IsUserAnAdmin,GetUserNameA,GetComputerNameExW,GetModuleFileNameA,

9_2_02CF50C0

Source: C:\Users\Public\Documents\CapCut_installer.exe

6_2_0040338F

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 9.2.dropbox.exe.11160cd.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dropbox.exe.2aa12d5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dropbox.exe.11160cd.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dropbox.exe.2aa12d5.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4140266167.0000000002CE1000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4135316816.0000000001000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4138493553.0000000002AA0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4137162182.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C46E9A0 ?Download@CWebBrowserUI@DuiLib@@UAGJPAUIMoniker@@PAUIBindCtx@@KJPAU_tagBINDINFO@@PB_W3I@Z,	6_2_6C46E9A0
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C481830 ?SetListItemSelectListener@CListUI@DuiLib@@QAEXPAVIListItemSelectedListener@2@@Z,	6_2_6C481830
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C443740 InitLangSettingBox,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,GetLocaleInfoEx,?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z,GetUserDefaultLocaleName,LocaleNameToLCID,?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ,??1CDuiString@DuiLib@@QAE@XZ,?SetListItemSelectListener@CListUI@DuiLib@@QAEXPAVIListItemSelectedListener@2@@Z,GetLangSetting,lstrcpyW,GlobalFree,?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z,?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ,GlobalAlloc,lstrcpynW,??1CDuiString@DuiLib@@QAE@XZ,GlobalAlloc,lstrcpynW,GetDefaultLangSetting,GlobalAlloc,lstrcpynW,	6_2_6C443740
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C43B000 OnControlBindNSISScript,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,??0CDuiString@DuiLib@@QAE@PB_WH@Z,?SaveToControlCallbackMap@WindowImplBase@DuiLib@@QAEXVCDuiString@2@H@Z,	6_2_6C43B000
Source: C:\Users\Public\Documents\CapCut_installer.exe	Code function: 6_2_6C43B130 ControlBindNSISScript,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,lstrcpyW,GlobalFree,??0CDuiString@DuiLib@@QAE@PB_WH@Z,?SaveToControlCallbackMap@WindowImplBase@DuiLib@@QAEXVCDuiString@2@H@Z,	6_2_6C43B130
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02ACE726 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	9_2_02ACE726
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02ACF41D Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	9_2_02ACF41D
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02D0E051 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	9_2_02D0E051
Source: C:\Program Files (x86)\Dropbox\Update\dropbox.exe	Code function: 9_2_02D0ED48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	9_2_02D0ED48

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	1 Input Capture	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	13 Command and Scripting Interpreter	1 Bootkit	1 DLL Side-Loading	3 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	Logon Script (Windows)	1 Access Token Manipulation	1 Software Packing	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	1 Clipboard Data	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	112 Process Injection	1 DLL Side-Loading	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	46 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Masquerading	Cached Domain Credentials	41 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	112 Process Injection	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Bootkit	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
vFjfAgq5PM.msi	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\Dropbox\Update\dropbox.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Dropbox\Update\goopdate.dll (copy)	5%	ReversingLabs
C:\Users\Public\Documents\CapCut_installer.exe	0%	ReversingLabs
C:\Users\Public\Documents\Dropbox.exe	0%	ReversingLabs
C:\Users\Public\Documents\goopdate.dll	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsv77E.tmp\BgWorker.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsv77E.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsv77E.tmp\deviceregister_shared.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsv77E.tmp\downloader_nsis_plugin.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsv77E.tmp\shell_downloader.dll	0%	ReversingLabs
C:\Windows\Installer\MSIFBC5.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIFC43.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIFC73.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIFC93.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIFD80.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://aka.ms/winsvr-2022-pshelp	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://45.202.35.101/pLQvfD4d/index.phpv	dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://45.202.35.101/pLQvfD4d/index.phps	dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://45.202.35.101/pLQvfD4d/index.phpI-CA	dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://mcs.byteoversea.net/v1/json_test	CapCut_installer.exe, 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmp, CapCut_installer.exe, 00000006.00000002.4135355349.0000000000666000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://45.202.35.101/pLQvfD4d/index.phpz	dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 0000000A.00000002.1815771486.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sgali-mcs.byteoversea.com/v1/jsonV	CapCut_installer.exe, 00000006.00000002.4149333185.0000000056C64000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://imagemagick.org	app_package_6f432258ca.exe.6.dr	false		unknown
https://maliva-mcs.byteoversea.com	CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp	false		unknown
https://editor-api-sg.capcut.com/service/2/app_alert_check/	CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp	false		unknown
https://curl.se/docs/hsts.html	CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp	false		unknown
https://www.capcut.net/clause/user-agreementhttps://www.capcut.net/clause/privacyusD	app_package_6f432258ca.exe.6.dr	false		unknown
http://45.202.35.101/pLQvfD4d/index.phpParameters	dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://editor-api-sg.capcut.com	CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp	false		unknown
https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/water_worl	CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://45.202.35.101/pLQvfD4d/index.php	dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp, dropbox.exe, 00000009.00000002.4146470711.000000000365C000.00000004.00000020.00020000.00000000.sdmp, dropbox.exe, 00000009.00000002.4137162182.00000000010A8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://45.202.35.101/pLQvfD4d/index.phpft	dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 0000000A.00000002.1815771486.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.1738790420.0000020816BD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1738790420.0000020816D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1815771486.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/automatic_	CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://45.202.35.101/pLQvfD4d/index.php&	dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://maliva-mcs.byteoversea.com/v1/json	CapCut_installer.exe, 00000006.00000002.4149333185.0000000056C64000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.1715470998.0000020806B61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1788661780.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://45.202.35.101/pLQvfD4d/index.php4	dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://45.202.35.101/pLQvfD4d/index.php6	dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.1738790420.0000020816BD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1738790420.0000020816D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1815771486.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://45.202.35.101/pLQvfD4d/index.php7	dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sgali-mcs.byteoversea.com	CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://curl.se/docs/http-cookies.html	CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp	false		unknown
http://45.202.35.101/pLQvfD4d/index.phpindows	dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://go.micro	powershell.exe, 00000004.00000002.1715470998.0000020807792000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/visual_eff	CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 0000000A.00000002.1815771486.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sgali-mcs.byteoversea.com/v1/jsonhttps://mcs.byteoversea.net/v1/json_testInstallerDownloader	CapCut_installer.exe, 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmp	false		unknown
https://aka.ms/pscore6lBkq	powershell.exe, 0000000A.00000002.1788661780.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://45.202.35.101/pLQvfD4d/index.php7-	dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_ErrorError	CapCut_installer.exe, 00000006.00000000.1713102880.000000000040A000.00000008.00000001.01000000.00000006.sdmp, CapCut_installer.exe, 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmp	false	URL Reputation: safe	unknown
https://curl.se/docs/alt-svc.html	CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp	false		unknown
https://editor-api-sg.capcut.com/service/2/desktop/device_register/https://editor-api-sg.capcut.com/	CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp	false		unknown
https://lf16-capcut.faceulv.com/obj/capcutpc-packages-us/packages/CapCut_2_6_0_814_capcutpc_0_creato	CapCut_installer.exe, 00000006.00000002.4135355349.0000000000650000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://lf16-capcut.faceulv.com/obj/capcutpc-packages-us/packages/CapCut_4_6_0_1754_capcutpc_0_creat	CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/intelligen	CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://45.202.35.101/pLQvfD4d/index.phpV	dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlau	CapCut_installer.exe, 00000006.00000002.4138487516.00000000006C1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://45.202.35.101/pLQvfD4d/index.phpQ	dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.micro	powershell.exe, 0000000A.00000002.1785489930.0000000003048000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.thawte.com/cps0/	vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr	false		unknown
https://sgali-mcs.byteoversea.com/v1/json	CapCut_installer.exe, 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmp, CapCut_installer.exe, 00000006.00000002.4149333185.0000000056C64000.00000004.00001000.00020000.00000000.sdmp, CapCut_installer.exe, 00000006.00000002.4135355349.0000000000666000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.thawte.com/repository0W	vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000A.00000002.1788661780.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://editor-api-sg.capcut.comhttps://editor-api-sg.capcut.comhttps://sgali-mcs.byteoversea.comhtt	CapCut_installer.exe, 00000006.00000002.4149333185.0000000056C64000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/keyframe/k	CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/speech_syn	CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.advancedinstaller.com	vFjfAgq5PM.msi, MSIFD80.tmp.1.dr, MSIFCD3.tmp.1.dr	false		unknown
http://45.202.35.101/pLQvfD4d/index.phpf	dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://45.202.35.101/pLQvfD4d/index.phpg	dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore68	powershell.exe, 00000004.00000002.1715470998.0000020806B61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://45.202.35.101/pLQvfD4d/index.phpb	dropbox.exe, 00000009.00000002.4137162182.00000000010A8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://editor-api-sg.capcut.com/service/2/desktop/device_register/	CapCut_installer.exe, 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmp	false		unknown
https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/chroma_key	CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://45.202.35.101/pLQvfD4d/index.phpn	dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaud	CapCut_installer.exe, 00000006.00000002.4138487516.00000000006C1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/text_style	CapCut_installer.exe, 00000006.00000003.1735396689.0000000056CD9000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://45.202.35.101/pLQvfD4d/index.phpi	dropbox.exe, 00000009.00000002.4146470711.0000000003640000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
2.16.202.65	unknown	European Union	16625	AKAMAI-ASUS	false
2.16.202.97	unknown	European Union	16625	AKAMAI-ASUS	false
45.202.35.101	unknown	Seychelles	139086	ONL-HKOCEANNETWORKLIMITEDHK	true
2.18.64.35	unknown	European Union	6057	AdministracionNacionaldeTelecomunicacionesUY	false
2.16.62.200	unknown	European Union	20940	AKAMAI-ASN1EU	false
87.248.202.1	unknown	United Kingdom	22822	LLNWUS	false
2.19.126.136	unknown	European Union	16625	AKAMAI-ASUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523557
Start date and time:	2024-10-01 18:57:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	vFjfAgq5PM.msi renamed because original name is a hash value
Original Sample Name:	1dd7892458eab123c341452aff6f4d817f290efc7f8c97b76bdb78e1e1fcf8d2.msi
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winMSI@22/57@0/8
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 53% Number of executed functions: 149 Number of non-executed functions: 124
Cookbook Comments:	Found application associated with file extension: .msi Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target powershell.exe, PID 7596 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: vFjfAgq5PM.msi

Simulations

Behavior and APIs

Time	Type	Description
12:57:59	API Interceptor	2x Sleep call for process: msiexec.exe modified
12:58:02	API Interceptor	32x Sleep call for process: powershell.exe modified
12:58:09	API Interceptor	1x Sleep call for process: CapCut_installer.exe modified
12:58:17	API Interceptor	6924678x Sleep call for process: dropbox.exe modified
17:58:12	Task Scheduler	Run new task: GoogleUpdateTaskMachineUA path: C:\Program Files (x86)\Dropbox\Update\Dropbox.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
2.16.202.65	https://kusjp5q7xwyt.larksuite.com/wiki/XzhhwohBhigCbykSafAueRYKsXd?from=from_copylink	Get hash	malicious	EvilProxy, HTMLPhisher	Browse
	https://kusjp5q7xwyt.larksuite.com/wiki/XzhhwohBhigCbykSafAueRYKsXd?from=from_copylink	Get hash	malicious	EvilProxy, HTMLPhisher	Browse
	https://cypurge.sharepoint.com/:p:/s/Cypurge-External/Ec-xY8EC2wNNmI0dzW0lmggBrfL-y1m6uYvGy6KEE7cGJw?email=matt.pfaff%40miller-insurance.com&e=4%3aeD088p&at=9	Get hash	malicious	HTMLPhisher	Browse
	https://k3uw0me5e7c.larksuite.com/docx/TWSddUNv5o2K23xucJVucVvZsVc	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse
2.16.202.97	https://kregeurope-my.sharepoint.com/:o:/g/personal/miguel_camino_kreg-europe_com/EozPcA50-69FlIOJAmjO4UIBZmHxAaxb-zbUcCeOEDUK3w?e=fP78tK	Get hash	malicious	Unknown	Browse
2.16.202.97	https://cypurge.sharepoint.com/:p:/s/Cypurge-External/Ec-xY8EC2wNNmI0dzW0lmggBrfL-y1m6uYvGy6KEE7cGJw?email=matt.pfaff%40miller-insurance.com&e=4%3aeD088p&at=9	Get hash	malicious	HTMLPhisher	Browse
45.202.35.101	file.exe	Get hash	malicious	Amadey	Browse	45.202.35.101/pLQvfD4d/index.php
45.202.35.101	file.exe	Get hash	malicious	Amadey	Browse	45.202.35.101/pLQvfD4d/index.php
2.18.64.35	https://url5041.app.lucid.co/uni/ls/click?upn=u001.9CEiYqsCeDB7JcEaXQIz-2F9XjjPqk-2Fb4pFcLw69B6WqTy-2BbVFLiir3sSJZjbRo6mBAwRtKNr9Kf4WztrdCBts7iyzvcJ-2FIUH0XDrcbuiiKrlzy8ZwzSxYR1urVGEa2H8lG0Sg7ExDExUtTEJeACnxEcvsJ4CnFcY2OyyabtZjsqjBmQJR0iCaQNYCn9tJqfPt0sqRsrpUZbmtTsF5u4sk76aC5ja3Exi0TVSSBuxtzkkrePRrkTP-2FRoxSefUr1y9ifBkb_dUh7YYn0CWe7g0uIZp9zt65Hthp00ETbvJwQ2-2FPnaFo-2F6mxOihmrHPDDfCfshjvQGVU9-2Bd2-2B3vsLq0LwwbeORlRqCPnIR26Xq1m6ZVCtavwwAaoSjStADst1UVTP0l4d-2FzBe05CWQHZRJZnuruhZc2ae0Zf85sATPdd2ckxoL02afjX6IZ-2FOnZhoY7M8W-2FjfCWzd1oIyP3ANpDIJAgvTalmosz4y3Bzw-2FhLw29NweA30QmgJS04wuz2oXimlo6op-2FqJedWdU8-2FFbrJTBeUgeanW2Czs-2FFx2TH3awx6W-2F55Yb82yx-2F62ecOROxbh-2BxRxP0NuIJ3E3kOjP9A-2FBHPPistrMOyMfHL3jiBAgKbwxDOZEkcZdWn-2FbhWLonViLvhgsmNJILGX2sEzIPx5T9dHffneCLLKkuS58PqzDIY8zgACYh67a-2BB2UiAkAJ2RKKsfjEyBczdi7jS1NPJGO8JELOnONA-2BUkh-2FPUe3G9cdiSbxRW0MxW4MALRMk7Wout0aHFsrJ7Eh7hadnZE4mjg6TM4MQdJoJM9kphXs-2FrJ8by1dOwVfzD1MjU7M-2FUsC6hEi8gkYGjfbMvNzOqhWtGlGQX1TqXB4dLSi-2FpFlKLKKTOyb-2BEg-2Fk4dUHiOlXDdWkbx1GLw9K6ZKJtQNSWhWZuSXKhKo1a2RW3Ug4SPFD-2F-2Fq24DMjrCmm0g8oFpoDapmDPd4UzAivOlfdqqtkNSCkPToMecTrMkYlTeNujTr-2Bbw99hSJKirL4rAfH9oaNg32Alc4lwJoCppVycgre3BcqTLb2WoN7sUpmWarOPciYLuedGYc0-3D	Get hash	malicious	Unknown	Browse	lucid.co/
87.248.202.1	f380122b-c637-edef-70b2-6adee77f4bad.eml	Get hash	malicious	Unknown	Browse
87.248.202.1	[EXTERNAL] Complete with AdobeSignPDF_ Approve and Sign TRCOT.eml	Get hash	malicious	Unknown	Browse
2.19.126.136	https://trezr-us.github.io/	Get hash	malicious	Unknown	Browse
	PROPOSTA CONTRATTUALE.msg	Get hash	malicious	HTMLPhisher	Browse
	https://nexgenodisha.in/	Get hash	malicious	HTMLPhisher	Browse
	df24c9ca-d50b-c720-84ed-638e99f68d75.eml	Get hash	malicious	Snake Keylogger	Browse
	2c5ed578-e625-cf0d-c38d-9487a29d5b4b.eml	Get hash	malicious	Unknown	Browse
	https://campaign-statistics.com/b/c/S0VSEapY0V_SDNs2	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	moba-24.2-installer_M64ZB-1.exe	Get hash	malicious	PureLog Stealer	Browse	88.221.169.152
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	moba-24.2-installer_M64ZB-1.exe	Get hash	malicious	PureLog Stealer	Browse	184.28.90.27
	Sales_Contract_Main_417053608_09.2024.pdf	Get hash	malicious	Unknown	Browse	184.28.88.176
	ZJh3V10O2e.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ZJh3V10O2e.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Message_2477367.eml	Get hash	malicious	Unknown	Browse	184.28.90.27
	tomarket_app.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	tomarket_app.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
AKAMAI-ASUS	moba-24.2-installer_M64ZB-1.exe	Get hash	malicious	PureLog Stealer	Browse	88.221.169.152
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	moba-24.2-installer_M64ZB-1.exe	Get hash	malicious	PureLog Stealer	Browse	184.28.90.27
	Sales_Contract_Main_417053608_09.2024.pdf	Get hash	malicious	Unknown	Browse	184.28.88.176
	ZJh3V10O2e.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ZJh3V10O2e.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Message_2477367.eml	Get hash	malicious	Unknown	Browse	184.28.90.27
	tomarket_app.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	tomarket_app.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
AdministracionNacionaldeTelecomunicacionesUY	Audio_Msg..00299229202324Transcript.html	Get hash	malicious	Unknown	Browse	2.18.64.15
	https://netzero-109977.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	2.18.64.26
	http://mutaksmklogns.godaddysites.com/	Get hash	malicious	Unknown	Browse	2.18.64.8
	https://www.dropbox.com/scl/fi/4fnryjjmfp8le01uyciyl/IASSecurity.paper?rlkey=4ezd7413h2y3rkfjifz9e7enl&st=6sa33sex&dl=0	Get hash	malicious	HTMLPhisher	Browse	2.18.64.212
	ATT71817.docx	Get hash	malicious	HTMLPhisher	Browse	2.18.64.21
	https://netflix-clone-html-css.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	2.18.64.15
	http://maildttfl-att-home03293.weeblysite.com/	Get hash	malicious	Unknown	Browse	2.18.64.26
	http://ledgerlivewalle.com/	Get hash	malicious	Unknown	Browse	2.18.64.15
	http://matamesklinog.godaddysites.com/	Get hash	malicious	Unknown	Browse	2.18.64.8
	http://uphuld-logini.github.io/	Get hash	malicious	Unknown	Browse	2.18.64.15
AKAMAI-ASN1EU	https://wetransfer.com/downloads/fc718a7028ccd1e273879a61c0883fe420241001145250/8110e2eb5f5a56cc2015d1b3243d9b3120241001145309/33d289?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgrid	Get hash	malicious	HTMLPhisher	Browse	2.16.238.25
	m6Y6Kh9Bwy.dll	Get hash	malicious	Unknown	Browse	172.234.250.134
	i3VUv6lXnE.exe	Get hash	malicious	Unknown	Browse	172.234.250.134
	N37e46ORr5.exe	Get hash	malicious	Metasploit, Meterpreter	Browse	172.234.120.150
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse	2.22.61.59
	https://wtm.ventes-privees-du-jour.com/r/eNplj92OmzAQRp+GvQwYbGNfRBVNwgblh61I0jQ3kTEmOAXsgoFNnr6utFppVcnSSOd845mZXApCiJCbs5xhHwkaMq/EwEMCc1wCRjGl3MOeC0iAXArdEmJaepgUhBKOwoJCQIUgBJU+CwoB3NCFrnK/DfPKGN07QeT4sX3TNM0q1TRCd3IUM64aC2Xb805qI1XrBLENL33iewR4nu/4eDDNtVdDx4UVk6htjxh1cf9QjSjk0FjFdf2BOGs0k7f2v7xomKwt7VQuOuNAz4hatMLMcmEtH3pjs921lF1vWtb8Gxi1rfwia/bpfibb7WqXWVvr66gtcfzgmiyvtrwUfJ4+1qCs1GnU/YrCyR4TK60aFU3idQ8ntNjW9+hZoTo/m7dl4PjfT7UZq27RguCy3hwOoZ/CanOkZnFKm8Oe4SnLJU5uXnywf50j/fb0ft/+8Et0eC2nJEu3krdIqEyy22bEjzBN90n9rLTMyO7Ml8kK3n+dH7dwWhNYgGP6owiHUdD7eRVnLOlHu8Lx/ZJ2uwc/BY8jgXGUDvsXJueAIgDJX8NYskg=	Get hash	malicious	Unknown	Browse	95.101.148.20
	https://url.uk.m.mimecastprotect.com/s/879wCp9pjInpwnDHPf7CG_Zsy?domain=aerographicsut-my.sharepoint.com	Get hash	malicious	HTMLPhisher	Browse	2.16.238.149
	https://targetemissionservices.ezofficeinventory.com/users/sign_in	Get hash	malicious	Unknown	Browse	88.221.110.227
	INVOICE DUE..xlsx	Get hash	malicious	HTMLPhisher	Browse	23.43.61.160
	SecuriteInfo.com.Linux.Siggen.9999.10361.13333.elf	Get hash	malicious	Mirai	Browse	23.202.150.4
ONL-HKOCEANNETWORKLIMITEDHK	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	45.202.35.64
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	45.202.35.64
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	45.202.35.64
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse	45.202.35.64
	mips.nn.elf	Get hash	malicious	Okiru	Browse	45.202.35.64
	arm5.nn.elf	Get hash	malicious	Okiru	Browse	45.202.35.64
	arm.nn.elf	Get hash	malicious	Okiru	Browse	45.202.35.64
	SecuriteInfo.com.Linux.DownLoader.598.7400.23434.elf	Get hash	malicious	Gafgyt, Mirai	Browse	45.202.35.94
	SecuriteInfo.com.Linux.DownLoader.507.12484.14071.elf	Get hash	malicious	Gafgyt, Mirai	Browse	45.202.35.94
	SecuriteInfo.com.Linux.DownLoader.507.2370.14148.elf	Get hash	malicious	Mirai	Browse	45.202.35.94

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Documents\CapCut_installer.exe	ipNkjpa6m0.msi	Get hash	malicious	DanaBot	Browse
C:\Users\Public\Documents\CapCut_installer.exe	https://lf16-capcut.faceulv.com/obj/capcutpc-packages-us/installer/capcut_capcutpc_0_1.2.6_installer.exe	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\Dropbox\Update\dropbox.exe (copy)	DropboxInstaller.exe	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\Dropbox\Update\dropbox.exe (copy)	DropboxInstaller.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\45f7a1.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	1554
Entropy (8bit):	5.717324280600494
Encrypted:	false
SSDEEP:	48:Y7ZVshB/0zZxF0Z5ZzUZgZU/z9PQ8e4D8SLXzn:YXsfKvr9RlLjn
MD5:	A7AA55665E3844381390847D79455DB7
SHA1:	867E32EEA5202D7BE3A7A630BE8A3AA2A3F3044F
SHA-256:	F23AFFA267AA7D4F7EB80CC97822A6A9178226FBD175740A92902A0754460ADB
SHA-512:	F78064A217C24142C70D3DBDD6735969D95C798C06E162F249C57BA5300E9B823E83960C648C6D682284C37B1DB5ECEA917140F64B6BE5B91020C9C73E6C7DB6
Malicious:	false
Preview:	...@IXOS.@.....@AgAY.@.....@.....@.....@.....@.....@......&.{082E188A-67FA-4D67-920E-C850215DB6EC}..Windows Service Association..vFjfAgq5PM.msi.@.....@.....@.....@........&.{4203B04D-806D-4EBE-BCFF-E19C0C1E195F}.....@.....@.....@.....@.......@.....@.....@.......@......Windows Service Association......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{A7A802D2-974C-41F3-B652-6214479A05B0}&.{082E188A-67FA-4D67-920E-C850215DB6EC}.@......&.{53C308A6-0419-4345-9F01-D88EAA24B7F1}&.{082E188A-67FA-4D67-920E-C850215DB6EC}.@......&.{9E656843-6FA0-45EB-8445-68ED1ECB3B1A}&.{082E188A-67FA-4D67-920E-C850215DB6EC}.@......&.{5A4E398A-9958-427D-8D2D-BCE98AE52F08}&.{082E188A-67FA-4D67-920E-C850215DB6EC}.@......&.{D1007C7C-7797-48F8-A5E4-FC516E0CB82A}&.{082E188A-67FA-4D67-920E-C850215DB6EC}.@........CreateFolders..Creating folders..Folder: [1]#.=.C:\Program Files (x86)\Microsoft\Windows Service Association\.@......

C:\Program Files (x86)\Dropbox\Update\dropbox.exe (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	134016
Entropy (8bit):	6.002467697761699
Encrypted:	false
SSDEEP:	3072:BZOOxLE4GTnrcyG2QltfW/ggXi0+LStLnh5jAm7tJOX47cIA9:iOxLEbTtwLf
MD5:	3B607E9AE169797C5112736DD445DB25
SHA1:	076E59938996BAF436888E2ECB536353071E0ADF
SHA-256:	E7141AEB22EA3165A4F7FB8C4D210151575F1B95EF545E0978A2174598A08265
SHA-512:	1A80B6ED790D3325C365DE14D7BDD4D98473C2CFD8A4EB5D97F99D9383946E6C9E892820E54182B06359F495CC42F261E455E3097413C605F0F208D7B6E3C2CD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: DropboxInstaller.exe, Detection: malicious, Browse Filename: DropboxInstaller.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0..0..0..9.g.#..9.q.Y..9.v......v.3......7..0..J..9.x.2....f.1..0.e.'..9.c.1..Rich0..................PE..L...r.8f.....................,.......N............@..........................0............@.................................l9..P....P..(................)...........................................-..@...............d....7.......................text...m........................... ..`.data....-..........................@....text/DE\1.......2..................@..@.rsrc...(....P......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Dropbox\Update\goopdate.dll (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	811008
Entropy (8bit):	7.381427644576427
Encrypted:	false
SSDEEP:	12288:KjSHj6U5Bav40rTEN0xQk2EpIIQsj8bOIlgrN0V/W194AwonP8F/E6U5N35:nj6UGTwsQtMIIQs4bOIlI0MwonysN3
MD5:	F10F2B27218C7364F72FA50DA1AF5E2C
SHA1:	799E7562EC5D54F8E3FFF04A7F80DBEE53880DEF
SHA-256:	90D879656C90804E5E9329E8A796E51F1C70C10FFE2A451E261E2E1E592CC1E5
SHA-512:	3FC4F50FAB6DAB122268779167441A5BB23EFB0C9023B353423B93DD98A1B66FD4D7401A18C8E1F40C02D6391DC27AF8C702B376B1180B9B823ADE20B0F802DB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.f...........#...&.....\............................................................@... ......................`..g....p..8...............................\%...................................................................................text...L...........................`..`.data...............................@....rdata..............................@..@.eh_fram.............v..............@..@.bss.........P...........................edata..g....`....... ..............@..@.idata..8....p......."..............@....CRT....4............6..............@....tls.................8..............@....reloc..\%.......&...:..............@..B................................................................................................................................................................................................................................

C:\Users\Public\Documents\CapCut_installer.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	2313024
Entropy (8bit):	7.713606257309821
Encrypted:	false
SSDEEP:	49152:uGVKq6wrr98ArcTTuVMZCC8GYCNbFLg3dlXI5x8oaigMv3Dh:uGVLprJ8ArnVMZCUPFcNlXID8en1
MD5:	C91E097550EA6CCEDF592D8B83414E0D
SHA1:	021F3F26D86F98AF28DC987BAAD8714F64867207
SHA-256:	4A9D815F284ADDA187982E2B24DA2BEAAD860739BC4B4CB1CF26408E7C221DD6
SHA-512:	916898C9850DDFCD2C11DA7421EEFFC4D48406D9AD4787A4DC572EC17A81A39EDD30733AA8CCCDE8B31450FF8031E3DA68BE019A8A0EFF50C0A17ED4FA0AA3C9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: ipNkjpa6m0.msi, Detection: malicious, Browse Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L......\.................h...8...@...3............@.......................... .......H$...@.............................................P&............#..4...........................................................................................text...'f.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata...@...............................rsrc...P&.......(..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Documents\Dropbox.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	134016
Entropy (8bit):	6.002467697761699
Encrypted:	false
SSDEEP:	3072:BZOOxLE4GTnrcyG2QltfW/ggXi0+LStLnh5jAm7tJOX47cIA9:iOxLEbTtwLf
MD5:	3B607E9AE169797C5112736DD445DB25
SHA1:	076E59938996BAF436888E2ECB536353071E0ADF
SHA-256:	E7141AEB22EA3165A4F7FB8C4D210151575F1B95EF545E0978A2174598A08265
SHA-512:	1A80B6ED790D3325C365DE14D7BDD4D98473C2CFD8A4EB5D97F99D9383946E6C9E892820E54182B06359F495CC42F261E455E3097413C605F0F208D7B6E3C2CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0..0..0..9.g.#..9.q.Y..9.v......v.3......7..0..J..9.x.2....f.1..0.e.'..9.c.1..Rich0..................PE..L...r.8f.....................,.......N............@..........................0............@.................................l9..P....P..(................)...........................................-..@...............d....7.......................text...m........................... ..`.data....-..........................@....text/DE\1.......2..................@..@.rsrc...(....P......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Documents\goopdate.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	811008
Entropy (8bit):	7.381427644576427
Encrypted:	false
SSDEEP:	12288:KjSHj6U5Bav40rTEN0xQk2EpIIQsj8bOIlgrN0V/W194AwonP8F/E6U5N35:nj6UGTwsQtMIIQs4bOIlI0MwonysN3
MD5:	F10F2B27218C7364F72FA50DA1AF5E2C
SHA1:	799E7562EC5D54F8E3FFF04A7F80DBEE53880DEF
SHA-256:	90D879656C90804E5E9329E8A796E51F1C70C10FFE2A451E261E2E1E592CC1E5
SHA-512:	3FC4F50FAB6DAB122268779167441A5BB23EFB0C9023B353423B93DD98A1B66FD4D7401A18C8E1F40C02D6391DC27AF8C702B376B1180B9B823ADE20B0F802DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.f...........#...&.....\............................................................@... ......................`..g....p..8...............................\%...................................................................................text...L...........................`..`.data...............................@....rdata..............................@..@.eh_fram.............v..............@..@.bss.........P...........................edata..g....`....... ..............@..@.idata..8....p......."..............@....CRT....4............6..............@....tls.................8..............@....reloc..\%.......&...:..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	290
Entropy (8bit):	2.9844219596585932
Encrypted:	false
SSDEEP:	6:kKO99Usw9L+N+SkQlPlEGYRMY9z+4KlDA3RUe/:2kD9LNkPlE99SNxAhUe/
MD5:	6238DDD8B199FEFA7FAAE21D69F7E460
SHA1:	E6E65A6CFCDA04C5D8C571BE9F81EEAA013D9554
SHA-256:	D00E5331B1EB0FECC2A817EE50A1BD591751BE1A374116F56FD9A94022441725
SHA-512:	04F47D5A3562147AAF4CBBCC9937086958BAEB74AAD85E496800FD9F1E1525831E309D76CA33F74C8AEC1746D71EA4881C7C90CD3B58EB12E7CD094B269B83A1
Malicious:	false
Preview:	p...... ...........#...(....................................................... ........G..@.......................h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2252
Entropy (8bit):	5.368112811829453
Encrypted:	false
SSDEEP:	48:MWSU4y4RQmFoUeWmfgZ9tK8NPsQm7u1iMuge//ZL7UyW2hlheKG:MLHyIFKL3IZ2KUZOug4YgdG
MD5:	13D4DEB9A57FD17A9D205587D78B77B6
SHA1:	2EA81D0C4FE1E358AD66AE2156CC6EA763CBBAC4
SHA-256:	BEDF14EEC79CD282398427C505497A71863F4AFF7CE0419A58D7E4D8D2ACB7CD
SHA-512:	AC3EC41C0A7FB195C809BCCD7F522D717A6202E28F5F1EA5EB57635035E354C49137E92F09A38536044EC5F9BB4E1DBE50D1018103B988C37A9B83650C28AE02
Malicious:	false
Preview:	@...e...........................................................P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\ProFDDC.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	832
Entropy (8bit):	2.392236820294695
Encrypted:	false
SSDEEP:	6:GsyrmhAEkC4/0IBIF41CZ8QTs5BB3hAEkC4/0IBIF41CZV:GNmWkPIBIUCZrYBB3WkPIBIUCZV
MD5:	867F2213D55AA81B6C9059E2F12AA020
SHA1:	DA7091ACC3AC8CCA6A27D8FCA4B1DF82DF6FDEDD
SHA-256:	358CBC38AC9699EF8B31A7A11BF97F2A760A9338B5E9C05B3A982BAE2A1D04AA
SHA-512:	F708AC587F49343FD2982029FEE0ED3DB2DA725DF6545AD3C61C267263DD2D51C3791AE6A07B1C2200774C3D26A43737A4106D4A0041D6C217E0EEBC3DEEF607
Malicious:	false
Preview:	.... Directory: C:\Program Files (x86)......Mode LastWriteTime Length Name ..---- ------------- ------ ---- ..d----- 10/1/2024 12:58 PM Dropbox ...... Directory: C:\Program Files (x86)\Dropbox......Mode LastWriteTime Length Name ..---- ------------- ------ ---- ..d----- 10/1/2024 12:58 PM Update ......

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bsbsdnpr.qrd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ir210rvi.3gp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oy0gebsq.42r.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_row5q4et.xmt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t24wbe40.abe.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wbsc002t.u1q.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\automatic_scaling_en.png

Download File

Process:	C:\Users\Public\Documents\CapCut_installer.exe
File Type:	PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	611814
Entropy (8bit):	7.99428892637589
Encrypted:	true
SSDEEP:	12288:qktcnKLDeGILIySG9cx6HrE56oNb0LE8nfXj2xgtYCPoJlr:AWeGI0DWuUwtb38nL2xdCwJlr
MD5:	F55D2B8FDFD4F476C0D4829FB663C69B
SHA1:	AC3CA7EA4100FFC6E24BC25D536C4FF4846CC1EF
SHA-256:	6EB8B5F62E6763598C2FA9D3182F2D091E6247D88D51475EE4694B76722205EB
SHA-512:	D42963599AB7F264A3211ACE1E16413DEAC91E318CE2E7633553BCF7595E36B400956989C0A09E4C926BEA6AD91A3AAAC9FBE150165D10FFC359ACD1DEF97607
Malicious:	false
Preview:	.PNG........IHDR..............}.V....pHYs...%...%.IR$.....sRGB.........gAMA......a...U{IDATx..mw.Hv...@D.Y....?y.+.........ni5..tU...H.#.....]....X.eY.eY.eY.eY.[..o....~....M.m.C...y.x.....6.....x},...m\|..........\S/..=\...........^.;...c?.....3......ui.`)....C.~n.]C\|[u.q.........q.X..._8v...../.....8O..v\|..=.5..,-.[.G...X.eY.eY.eY.eY.[.o~..Z.....w....p..5&..V}...q9...i..-![..:IY.....a[...k.......X.x..q...9j.....q}.....)..5.........8~...;..P3......!e?.....=.m.h.....".w.....z....^.;.c.hY.eY.eY.eY.e.;......W....S/ ...@...`....}....t.i.{.."G`.g....e}..D....\9.r....7.-.Y...k........0.=....v..9].c..(......!HIsc...=.L..Z9A&.g..a....].P...k.L.C..u.}..7.@.,.,.,.,.....~........t...'.+_>W.w.Xz....U.........N.]8..Y...*..\D.#B[....L.w^{.}.o......v;..X..XO.~.]K..<.<.R.....z....<.%.../.. PN.p..5.8V.."..W..@0@...........eY.eY.eY.eY......7.._..........t.e<7g..=.r_.....rc..3..9.J.3....D.t.1.....3b[...\|.8N.i..v\|.k..M84.h._?g...0f..:..}8..k.....M .c,

C:\Users\user\AppData\Local\Temp\chroma_keying_en.png

Download File

Process:	C:\Users\Public\Documents\CapCut_installer.exe
File Type:	PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	490493
Entropy (8bit):	7.9929488965939335
Encrypted:	true
SSDEEP:	12288:jktcUTudsdMWXcaYfpZJJoS+OHVVWX1Y9wR0Z/xd:/EudYMucrfpZJGS/qX1+/xd
MD5:	42FEAD072026913A69E7C96BAC8456B0
SHA1:	F563A8680AFD0F912C932D5D9D0EAE7F079A4C88
SHA-256:	FC330E6CFE8B356B214CC5FFD3A7B8E88618373BE46A763DA205AD6228788A38
SHA-512:	35DFF2F402D6AE9E623B2D55DD0C06287B4E31B910EF7A887384504152610601EE0EAC2DECF5E4163F02C621F87BAF3B41A4DE43A5933442BB3F0D641992F2AE
Malicious:	false
Preview:	.PNG........IHDR..............}.V....pHYs...%...%.IR$.....sRGB.........gAMA......a...{.IDATx..mw.Hv...@D.Y....?y.+.........ni5..tU...H.#.....]....X.eY.eY.eY.eY.[..o....~....M.m.C...y.x.....6.....x},...m\|..........\S/..=\...........^.;...c?.....3......ui.`)....C.~n.]C\|[u.q.........q.X..._8v...../.....8O..v\|..=.5..,-.[.G...X.eY.eY.eY.eY.[.o~..Z.....w....p..5&..V}...q9...i..-![..:IY.....a[...k.......X.x..q...9j.....q}.....)..5.........8~...;..P3......!e?.....=.m.h.....".w.....z....^.;.c.hY.eY.eY.eY.e.;......W....S/ ...@...`....}....t.i.{.."G`.g....e}..D....\9.r....7.-.Y...k........0.=....v..9].c..(......!HIsc...=.L..Z9A&.g..a....].P...k.L.C..u.}..7.@.,.,.,.,.....~........t...'.+_>W.w.Xz....U.........N.]8..Y...*..\D.#B[....L.w^{.}.o......v;..X..XO.~.]K..<.<.R.....z....<.%.../.. PN.p..5.8V.."..W..@0@...........eY.eY.eY.eY......7.._..........t.e<7g..=.r_.....rc..3..9.J.3....D.t.1.....3b[...\|.8N.i..v\|.k..M84.h._?g...0f..:..}8..k.....M .c,

C:\Users\user\AppData\Local\Temp\installer_downloader.log

Download File

Process:	C:\Users\Public\Documents\CapCut_installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	348
Entropy (8bit):	4.750970909733726
Encrypted:	false
SSDEEP:	6:mcCgJl81bFUFcCgJl8hRW0BUFg8n8XFg8hLLFTFTqlVOSi4SpUFf50rlqGSN:mFgJl81FSFgJl820E98V9h1JWlV241fz
MD5:	68BDA4A398650EDD80A666898BFDE9BE
SHA1:	7D43D3446327FD60B68E88D33BBBE724936E0793
SHA-256:	3D918AF6EC933BA4D952E1593BA999BD8BF723E14F846B8C28ECF52A72FD3CE3
SHA-512:	FF051FCA20E6E67CB7E87AA2F67967E0883660EF19640C43186E8D1E2086651FBCFFA462766A66222B42B733BBF37BC9413D8D13F8A1EC39C41E10F59726191D
Malicious:	false
Preview:	20241001-12:58:04:433 [7732:7736] - succeed to initialize dpi helper..20241001-12:58:04:433 [7732:7736] - succeed to set dpi aware..20241001-12:58:04:652 [7732:7764] - capcutpc_0..20241001-12:58:04:652 [7732:7764] - en_CH..20241001-12:58:04:792 [7732:7764] - app shell 4266339975..20241001-12:58:06:339 [7732:7780] - OnDRSdkResult: did=4266339975..

C:\Users\user\AppData\Local\Temp\intelligent_subtitles_en.png

Download File

Process:	C:\Users\Public\Documents\CapCut_installer.exe
File Type:	PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	516137
Entropy (8bit):	7.994067658585876
Encrypted:	true
SSDEEP:	12288:YKgRqu5jtIrirXzTFqWKkNWlwBDB11W/Sux0nh:YKgv9yoDTcmBfnI0h
MD5:	C51D1976F87828C0DCA46EF4D0243614
SHA1:	5DB8DDCC5E358D1DA6FB4F79E36C1547DDA6069F
SHA-256:	463A0C124A0925FBB341855685B2B58525B100108D271679F2F95398D5F6C618
SHA-512:	698DFF1DE5D050B51FF7400C8C769E1380571347534A773772531252FE2C2D4502DD27C5AFD5D6C8A0CDC90A7DA49A6EB28557B6A9E31A80767D1C1ECFFC44CC
Malicious:	false
Preview:	.PNG........IHDR..............}.V....pHYs...%...%.IR$.....sRGB.........gAMA......a....IDATx....m......s...u...}]...m.y.A.... .Q"....oH.^..< .).._@$$"!.......8...`E.@...(.8.\.....Zs..{....c.}..eW.:?Z...Zk.9..........bY.eY.eY.eY.eY?..'.V}[..\|-..W....j]...8.z?.-.m........XJ]...\.{.........^F.{......\|.....w.%4.~.g...g...5....k.R.............Z..+......aK.....y-s.p......._../.?p.X.....{.k..VZ..r.bmk.,.,.,.,...X.G~..Z.....j=?....kL.G......8.{......l...$e}~OH..my8.^..............g5.Q..U\|~......wyMq\.!.....u....\|.q...q....X.)...v..7.In.@c....0..q........0...:...@.,.,.,.,.'.'.>.....J:...-.~......A......zO.....-r.v~..\.o.W.Et,...s-.......2K8y\|..~..U.......\....q.{...1...9.)inL...'....Z+'.$.,.>.}.c.+..cm..}.x.....f.hY.eY.eY.eY.e.$......W.#..`-.\|..............eU.\|..x..Lm....r.c.w..N`."...-......;.=.}.o......v;..X..XO.~.]K..<.<.R.....z......%.../.. PN.p..5.8V.."..W...`..k.7b..7...Z.eY.eY.eY.eY..~..7.._..........t.e<7g..=.ro.....ra..3.

C:\Users\user\AppData\Local\Temp\keyframe_en.png

Download File

Process:	C:\Users\Public\Documents\CapCut_installer.exe
File Type:	PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	608036
Entropy (8bit):	7.994908398550246
Encrypted:	true
SSDEEP:	12288:lktcxc00M15LJVcd5otHYuotSoFhGHK7hY1x7mI4zqTdBMjOux0nY:9W0ZNmd5ouFSEuKxzq5Bcz0Y
MD5:	950E97619B630F384CB2EC5C8DD271C2
SHA1:	BB8251280369A583E0F8BFE27A3A370F3F93A876
SHA-256:	620CFFEECF59C90DB73B0CD81F8F4378AEAD22AF98791111EEE877A07344DC55
SHA-512:	F03E7A2D33D5765F6F885F03D6454FAECAA0A5C5788B406958C07C75EB6788722EC114C4F28028E219899603F451C843FA4E65DFBF2DD0FDB2DE2BE871B188C8
Malicious:	false
Preview:	.PNG........IHDR..............}.V....pHYs...%...%.IR$.....sRGB.........gAMA......a...F.IDATx..mw.Hv...@D.Y....?y.+.........ni5..tU...H.#.....]....X.eY.eY.eY.eY.[..o....~....M.m.C...y.x.....6.....x},...m\|..........\S/..=\...........^.;...c?.....3......ui.`)....C.~n.]C\|[u.q.........q.X..._8v...../.....8O..v\|..=.5..,-.[.G...X.eY.eY.eY.eY.[.o~..Z.....w....p..5&..V}...q9...i..-![..:IY.....a[...k.......X.x..q...9j.....q}.....)..5.........8~...;..P3......!e?.....=.m.h.....".w.....z....^.;.c.hY.eY.eY.eY.e.;......W....S/ ...@...`....}....t.i.{.."G`.g....e}..D....\9.r....7.-.Y...k........0.=....v..9].c..(......!HIsc...=.L..Z9A&.g..a....].P...k.L.C..u.}..7.@.,.,.,.,.....~........t...'.+_>W.w.Xz....U.........N.]8..Y...*..\D.#B[....L.w^{.}.o......v;..X..XO.~.]K..<.<.R.....z....<.%.../.. PN.p..5.8V.."..W..@0@...........eY.eY.eY.eY......7.._..........t.e<7g..=.r_.....rc..3..9.J.3....D.t.1.....3b[...\|.8N.i..v\|.k..M84.h._?g...0f..:..}8..k.....M .c,

C:\Users\user\AppData\Local\Temp\nVr5.zip

Download File

Process:	C:\Program Files (x86)\Dropbox\Update\dropbox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	341066
Entropy (8bit):	7.940414171536709
Encrypted:	false
SSDEEP:	6144:SXOIl4FrjZ0V/W1Co4AbdDGxon4s8kp11aLDmOw6VeSMeENrxz0b8/gLXJ9I56T:WOIlgrN0V/W194AwonP8F/E6U5N35e
MD5:	EB53B5C475C58791B0F721ADD9BEA258
SHA1:	2B6467DE3B46C21854B8B82336955630C4097834
SHA-256:	45BEA99C5039EA02EF9A2C55C334D694E4E3A0D5F22F824E3239A9773D19E874
SHA-512:	07170B16AC60F509E7112E688BA836F7D31AF64EF0360305D838DB5636B6722298225281798DFC0757E350818A5EBB4F23516D0F99BF25CF9FFF798D1BF2D57A
Malicious:	false
Preview:	PK.........4:Y..@.3..........loader_xored.bin.i8....1D.e...1e.(.B.IMB.&eI..I..Y..-.l-....J..K...Y...}...7......s_.{_..s..{..v.L..2..^J.#.JDr..6E....q.?...JE5..r..........r.?.....,M:..8.....A....?..)....vyc...t.{..).2.(.../...}.....^f.S.hp..l..WdC..9....W.9.n..........3>.g...g.....b....&.%cOo..d:G..f9..H.....+_vZ..y.X....mJc=w.R.K.I;...e.x..X'...y....G9a....>sw..m.aG.........k.TL.t%....N......S..~..\..^..,A.j..>...<.M...m..?.{j.-.ex..[.v..K.....>...(F__....s...>.@s.@M].....8..s..kI......v...+m.T.p.F....Q.......AM....=.T.y8 ..H..S.F_....b...Q...N9\|..z.2P..tk.y.~}.K.J...X.M........o.nZ..f.\....e..s.-'Ux..L.9v_.....m..W.....j...M.r...\|C.Qw.N..Z....s#..cq.\|A..8.Jq...z..;4..........K..i......!f~=...\|......7s...7.........x...............E..O..?.?.?.?....<J.qZz...@..o....y.?..;......v.M.+l..T.E..g..M.=ll.d.;..\|....N..Y.....?.O..b/X._.l(g.v.3..;cb+.N.?..R=-p.d.&....:..`.....G....{i\.[.p...Ki.w.."..d..M.._[....3..."...........$k.F.+...~

C:\Users\user\AppData\Local\Temp\nsv77E.tmp\BgWorker.dll

Download File

Process:	C:\Users\Public\Documents\CapCut_installer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	3.5703691140729785
Encrypted:	false
SSDEEP:	24:eFGS1pryjInCLWEhvaM9NUH+/ghluzarTEmpxhpYk3YkDS3O:i1pry06W+d9N42sluzarfpYw4
MD5:	33EC04738007E665059CF40BC0F0C22B
SHA1:	4196759A922E333D9B17BDA5369F14C33CD5E3BC
SHA-256:	50F735AB8F3473423E6873D628150BBC0777BE7B4F6405247CDDF22BB00FB6BE
SHA-512:	2318B01F0C2F2F021A618CA3E6E5C24A94DF5D00154766B77160203B8B0A177C8581C7B688FFE69BE93A69BC7FD06B8A589844D42447F5060FB4BCF94D8A9AEF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c.4.'.Z.'.Z.'.Z.'.[.+.Z.....".Z.s.k.&.Z...^.&.Z.Rich'.Z.................PE..L......J...........!......................... ...............................0..........................................K...4...<............................ ..(.......................................................4............................text............................... ..`.reloc..B.... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv77E.tmp\System.dll

Download File

Process:	C:\Users\Public\Documents\CapCut_installer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.719859767584478
Encrypted:	false
SSDEEP:	192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
MD5:	0D7AD4F45DC6F5AA87F606D0331C6901
SHA1:	48DF0911F0484CBE2A8CDD5362140B63C41EE457
SHA-256:	3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
SHA-512:	C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....~.\...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv77E.tmp\deviceregister_shared.dll

Download File

Process:	C:\Users\Public\Documents\CapCut_installer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	231936
Entropy (8bit):	6.777476749807315
Encrypted:	false
SSDEEP:	6144:5Nj2oPjbpV4hliZ7xsFARHtw+WY0L1TBWoBvF:6KV4hliZ7KFAb+L1TIo
MD5:	8BAAAEACB97679FB495E1C4F902F0A68
SHA1:	29185B00E4C56FF8CC22DE64C1407809D60348F1
SHA-256:	7C2A74C4BE8D524A121E78E763C05C7B5CB58B524119AC8897C493E717A1D42A
SHA-512:	49F864332165C0229F0588FA1FD56FDC04BB005BE1B61A9367FAC5F45C32783E2E633C8ACB64C3A921D41D9B79CEB3315813AA409A8F725CC7193958BF4BB8E0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........F..TF..TF..TR..UL..TR..U...TR..UR..T...U[..T...UI..T...UR..TR..UO..TF..T"..T...U[..T...UG..T..;TG..T...UG..TRichF..T........PE..L......b...........!.....D...B...............`.......................................r....@..........................k.......l..d...................................@a..T............................a..@............`..d............................text....C.......D.................. ..`.rdata.......`.......H..............@..@.data................^..............@....rsrc................l..............@..@.reloc...............r..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv77E.tmp\downloader_nsis_plugin.dll

Download File

Process:	C:\Users\Public\Documents\CapCut_installer.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1285632
Entropy (8bit):	6.652266778604912
Encrypted:	false
SSDEEP:	24576:UtF94NRXKCK8gEM4Vn8rHmAumkpF6sBE:Ut/uXTianGmAumkpFe
MD5:	F181413906A465FD0DD68CC4A3D98803
SHA1:	5AA28BE48047DD0B672AB98D5E7CBD8260486B4B
SHA-256:	E28FF7B8FC4B1EB2D1F394CE15DE2FC031CDA58DB645038C8C07581C31E79DDA
SHA-512:	8D0116BCBC3938B2EBDDDF77DEC87E4B6C872382D20B555571B0BC3E4A35F88D16BC450004F875A8271165B71BDBAE5D4D474A5BFDA4C7787DA63F4325009C25
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....h.c.........."!.....d...4............................................... ............@A............................q...u...,....0.......................@......lO.......................N..........................(............................text....c.......d.................. ..`.rdata...............h..............@..@.data....k.......N...t..............@....00cfg..............................@..@.tls................................@....voltbl...... ...........................rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv77E.tmp\res.zip

Download File

Process:	C:\Users\Public\Documents\CapCut_installer.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	166245
Entropy (8bit):	7.969354347339473
Encrypted:	false
SSDEEP:	3072:xqbNMh58abnJ6taLk0gLP5mAugd+YMfYTY3CtKqnyL3d:zz/d6t+aLP5mAr7MfP3KKbLd
MD5:	23E2490706D024BD70CCB906EBF0B62D
SHA1:	94C346AC69FF8867204F1A2346491342203980BE
SHA-256:	FBB054F0880B81DE92BE6A9500C6757F4E1A3E8E335E31821D76B49DE8375C8C
SHA-512:	FDD948396D184CC7E663678CE179721DC5D9DDEDCEB46110A86ACFE4AC69613E36ED4030ECE15EF95B575C0027D0E83F0C99F9C1C7FE55B967C86FE4CEF86BD0
Malicious:	false
Preview:	PK........qD)X................app_warning_icon.png..(..PNG........IHDR..............>a.....pHYs...%...%.IR$.....sRGB.........gAMA......a...'.IDATx..}......o......dQ...E$..-.\|.1..]....b\|Tl...`.O.b,..b.MT....,.^# ....{...sw......pv..s..y.............................@.....@'..D....B ...I..3..Et.<Sbi.BY....p..&a[&....,.....N>...z..94??..UL$.+.Y....x..k...Q.J..l.....5../..T...........dc..m.:W[[.0.6.m...K9..(..e..v.v.W..=.L%..SI.J.B[..tB........+..".z...1e.]....j.....f.4...c~S[..B..d=D...-..nlj.F!:...w......"..,s....x-.....wSS...... .....1c..X__.~R!S..........#E.D..G...".....{N.I..`.A..k.......6e.l.7...n...X....z...Ye.7#.......1..U...l..).E.......VTT..h....w....?...g...^.z.&"!....WI..........&d'.o.;..H<.z.\|........j ....u...t..a.......Q...=...........ht...O[9.%.@P}.8sS..#F.q..w'..m..&.mA...^..8...`..6.7h\|U..........&..".z?TD..7e.Y...{..O../.r~...]..G.(...K..{....X..hy..:X}......j{..a8....A.c..)Pd..@..e.677?...oP.6R..........+].\|.M.z.:E#^..

C:\Users\user\AppData\Local\Temp\nsv77E.tmp\shell_downloader.dll

Download File

Process:	C:\Users\Public\Documents\CapCut_installer.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2360320
Entropy (8bit):	6.761538609397524
Encrypted:	false
SSDEEP:	49152:ed86lJRUahxtsyZj1+z9DApoEV+i4u2VFZhDy+:ed86WsCA1+BDwdV94u2VFi
MD5:	C052C0A2ED833D924B7799625413AC1C
SHA1:	BDD08A29F4DE283BA0EB3CDA4ABC26F6E85D4D5E
SHA-256:	098972CF9DDC9D574130E025A252A99B278DE9CC0AE700ACFB8C935C24EB1172
SHA-512:	89E67C29D5D8A401A70A5B572844F24BFDE82D5D4259ECC5E6F12BE0DDB434995A2E985914FC421973998E3FDC48B133E269E8BB1DA513EC66199F01060162F1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....h.c.........."!.................-.......................................`%...........@A.........................^"......b"..............................0$..-..l;"......................:".....8...............Xh".D............................text...2........................... ..`.rdata..............................@..@.data...\|?...."..6....".............@....00cfg........$.......".............@..@.tls..........$.......".............@....voltbl...... $......."..................reloc...-...0$.......".............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pssFDDB.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	5784
Entropy (8bit):	3.4920621874565785
Encrypted:	false
SSDEEP:	96:5wb5jTmmywV2BVrIovmkiGjxcj6BngOcvjb:5wbdTif/njVyvb
MD5:	FC1BB6C87FD1F08B534E52546561C53C
SHA1:	DB402C5C1025CF8D3E79DF7B868FD186243AA9D1
SHA-256:	A04750ED5F05B82B90F6B8EA3748BA246AF969757A5A4B74A0E25B186ADD520B
SHA-512:	5495F4AC3C8F42394A82540449526BB8DDD91ADF0A1A852A9E1F2D32A63858B966648B4099D9947D8AC68EE43824DACDA24C337C5B97733905E36C4921280E86
Malicious:	true
Preview:	..p.a.r.a.m.(..... . .[.a.l.i.a.s.(.".p.r.o.p.F.i.l.e.".).]. . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.O.u.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".p.r.o.p.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.K.V.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.F.i.l.e.".).]. . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.A.r.g.s.F.i.l.e.".).].[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.f.a.l.s.e.).].[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.A.r.g.s.F.i.l.e.P.a.t.h..... .,.[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. . . . . . . . . . . . . . . . . . . . . . . . . . .[.s.t.r.i.n.g.]. .$.t.e.s.t.P.r.e.f.i.x..... .,.[.s.w.i.t.c.h.]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\scrFDCA.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1734
Entropy (8bit):	3.4790270823780713
Encrypted:	false
SSDEEP:	48:ZRqdCcrBO2B5qddVZxFxVRK0xFxV9K0xFxVAHUA:ZRMY2Pa7xFxVRK0xFxV9K0xFxVAHUA
MD5:	7C92E2B5E5B9D676A12482200179BF8D
SHA1:	DC76ABBB745345D5F6A416BA923858A51A98B356
SHA-256:	FEE5D6DAA8C32B50E3075D32B4BD1CA14C5DA1CABDDC1442CC50399E4FAEB16F
SHA-512:	B08B25BBF541286EDA446CFE34169942C57363372F8B924A229AB95420CDFC16473726784BB7197D7BB8EB5C56B5CE4CBAF5509EF04B8D9795D8B3146848253A
Malicious:	true
Preview:	..$.s.o.u.r.c.e.F.o.l.d.e.r. .=. .".C.:.\.U.s.e.r.s.\.P.u.b.l.i.c.\.D.o.c.u.m.e.n.t.s.".....$.d.e.s.t.i.n.a.t.i.o.n.F.o.l.d.e.r. .=. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.D.r.o.p.b.o.x.\.U.p.d.a.t.e.".....$.e.x.e.F.i.l.e. .=. .".d.r.o.p.b.o.x...e.x.e.".....$.d.l.l.F.i.l.e. .=. .".g.o.o.p.d.a.t.e...d.l.l.".....$.c.a.p.c.u.t.F.i.l.e. .=. .".c.a.p.c.u.t._.i.n.s.t.a.l.l.e.r...e.x.e.".........i.f. .(.-.N.o.t. .(.T.e.s.t.-.P.a.t.h. .-.P.a.t.h. .$.d.e.s.t.i.n.a.t.i.o.n.F.o.l.d.e.r.).). .{..... . . . .N.e.w.-.I.t.e.m. .-.P.a.t.h. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.D.r.o.p.b.o.x.". .-.I.t.e.m.T.y.p.e. .D.i.r.e.c.t.o.r.y. .-.F.o.r.c.e..... . . . .N.e.w.-.I.t.e.m. .-.P.a.t.h. .$.d.e.s.t.i.n.a.t.i.o.n.F.o.l.d.e.r. .-.I.t.e.m.T.y.p.e. .D.i.r.e.c.t.o.r.y. .-.F.o.r.c.e.....}.........i.f. .(.T.e.s.t.-.P.a.t.h. .-.P.a.t.h. .".$.s.o.u.r.c.e.F.o.l.d.e.r.\.$.e.x.e.F.i.l.e.".). .{..... . . . .M.o.v.e.-.I.t.e.m. .-.P.a.t.h. .".$.s.o.u.r.c.e.F.o.l.d.e.r.\.$.e.x.e.F.i.l.e.". .-.D.e.s.

C:\Users\user\AppData\Local\Temp\speech_synthesis_en.png

Download File

Process:	C:\Users\Public\Documents\CapCut_installer.exe
File Type:	PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	467974
Entropy (8bit):	7.9915742893464845
Encrypted:	true
SSDEEP:	12288:IdmctU0S3Ouzz05jOfgOjzWdQBBrKgeIgGSG0GlbVLMHiZyE8Y2kvKtz:KZ60S3LIKfggWdQBdKWVnVVv2KKN
MD5:	7E0FCA9AFBA9A7FBC15D378B8E550BAA
SHA1:	163AED4FD049F3981E88ECAA22966949F233A567
SHA-256:	49D5FA943BCEC39D1244E6C69801F20B5F9D01FC89D6F260236A3C1255B5FC98
SHA-512:	A449FC91D53C5C214B2E0D4C678FD1BB95CCA17463C8F43C095B3C860375413580E5DC45497F7042D2A8DE508C616AF380FF1CB147823C215FCF6B82744BA99C
Malicious:	false
Preview:	.PNG........IHDR..............}.V....pHYs...%...%.IR$.....sRGB.........gAMA......a...#.IDATx...{.vkZ....3.....o.:SUT.g..9..9....l...#.5...vi....#.dt:ctwF;...4. .Qd..`.A...'!(.HAQVAQ..a..[k.s>O.}]...w}..(.....j.......g...?..J9<.[.J.R.T.J.R.T.n.<.m.....{....:.T........o.o.8..~...}.2.....c.....-...f.x.......w...m-....V...g{A_..nm..,e;_..v.....{.o...=..~?m;.Ok.s.Zz..........p....:............U?o....fK.R.T.J.R.T.J..m.w...k...S........W.....}...<.....k@......6.'$t.6.]V..Bv.A..\.x...o..5J....w[..n;..{..b......}.$.....q..j.i.b".l.:.v.V.'....MPp...V.......7..n..\|.z...R.T.J.R.T.J..M=......3.g..s.6...P..'..U..o...uL.&..............z....8.}....wXc[.6Gf.'....6.6.g.B?w...a...p!.~2Q:.c...]....p..z..n.U.A&....................>.j.k..T.J.R.T.J.R...w.....<.{.............t.........S.3...;w...1.Y.;.9..{.....9Lsw^..qu.o...;...v;.7X7.X....MK=.<.<.T.....z....n.%[..... PNBw..=.?W...$..wR....ks7b.g..$.L.R.T.J.R.T.J.jz..o.m._..........p.E<7f...@.;.C.

C:\Users\user\AppData\Local\Temp\text_style_en.png

Download File

Process:	C:\Users\Public\Documents\CapCut_installer.exe
File Type:	PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	546564
Entropy (8bit):	7.991585702395486
Encrypted:	true
SSDEEP:	12288:gktcDRBZR73/q/a1T0s6rtveEIZJI+OiNLmTKDZatJ44VwaI60uCk:iDRTB3yYP0tmEIZ2+O4qTK8JNVs/m
MD5:	03680B27E2CD41C23DDA448C1EE7B1BB
SHA1:	2EBA3FFB31D116D35B22AA0132F51DB732F5432E
SHA-256:	06599F52F75C8E9F3B0A1476CAA97AB7BB0D61DF6A6FEBFB8CCE14706AF64E6B
SHA-512:	4E47D29A67CF8775BF361E118DCC6268E7367D3738DC14462E9C44DE148EC791C413E576E91FE908F909D01245FCC640FE6D1CEC8718F2C41EB3724E35E61B90
Malicious:	false
Preview:	.PNG........IHDR..............}.V....pHYs...%...%.IR$.....sRGB.........gAMA......a...V.IDATx..mw.Hv...@D.Y....?y.+.........ni5..tU...H.#.....]....X.eY.eY.eY.eY.[..o....~....M.m.C...y.x.....6.....x},...m\|..........\S/..=\...........^.;...c?.....3......ui.`)....C.~n.]C\|[u.q.........q.X..._8v...../.....8O..v\|..=.5..,-.[.G...X.eY.eY.eY.eY.[.o~..Z.....w....p..5&..V}...q9...i..-![..:IY.....a[...k.......X.x..q...9j.....q}.....)..5.........8~...;..P3......!e?.....=.m.h.....".w.....z....^.;.c.hY.eY.eY.eY.e.;......W....S/ ...@...`....}....t.i.{.."G`.g....e}..D....\9.r....7.-.Y...k........0.=....v..9].c..(......!HIsc...=.L..Z9A&.g..a....].P...k.L.C..u.}..7.@.,.,.,.,.....~........t...'.+_>W.w.Xz....U.........N.]8..Y...*..\D.#B[....L.w^{.}.o......v;..X..XO.~.]K..<.<.R.....z....<.%.../.. PN.p..5.8V.."..W..@0@...........eY.eY.eY.eY......7.._..........t.e<7g..=.r_.....rc..3..9.J.3....D.t.1.....3b[...\|.8N.i..v\|.k..M84.h._?g...0f..:..}8..k.....M .c,

C:\Users\user\AppData\Local\Temp\visual_effects_en.png

Download File

Process:	C:\Users\Public\Documents\CapCut_installer.exe
File Type:	PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	506034
Entropy (8bit):	7.990713925210717
Encrypted:	true
SSDEEP:	12288:IIfavKykQwMaSOfW37JqMocRwfg0LFpNtELrtcGI:Ayy9wMaLfWrJqMoc+IobwJI
MD5:	8EA92C4B9D936D485757D19391F45043
SHA1:	17DDA2A287A49BF23DA9DA09D20062E2DD7A4601
SHA-256:	3A5E1EF48BD852386D5B155306F6B4098B53242C282B9BC54A2C2203301D90BA
SHA-512:	AB041D520B268C0CA6FCF91B87079BED151F97DB3375C5A93E51683605E43021E3111280504F0F58706F1564B515761DB161D7081FD5727783E4A34F48240723
Malicious:	false
Preview:	.PNG........IHDR..............}.V....pHYs...%...%.IR$.....sRGB.........gAMA......a....GIDATx..mw.Hv...@D.Y....?y.+.........ni5..tU...I.#.....]....X.eY.eY.eY.eY.[..o....~....M.m.C...y.x.....6.....x},...m\|..........\S/..=\...........^.;...c?.g...g...5....k.R.............Z..+......aK.....y-s.p......._../.?p.X.....{.k..YZ..r.bmk.,.,.,.,.......\.Z/...j=?....kL.G.....r......[B...u..>.'$..\N...!G9Ae.......8.Y.s..x...e..F9.]^S..k.u....;a.q..=.w.+.f....!.B.~.....{.......w.LmE.......z....^.;.c.hY.eY.eY.eY.e.;......W....S/ ...@...`....}....t.i.{.."G`.g....e}..D....\9.r....7.-.Y...k........0.=....v..9].c..(......!HIsc...=.L..Z9A&.g..a....].P...k.L.C..u.}..7.@.,.,.,.,.....~........t...'.+_>W.w.Xz....U.........N.]8..Y...*..\D.#B[....L.w^{.}.o......v;..X..XO.~.]K..<.<.R.....z....<.%.../.. PN.p..5.8V.."..W..@0@...........eY.eY.eY.eY......7.._..........t.e<7g..=.r_.....rc..3..9.J.3....D.t.1.....3b[...\|.8N.i..v\|.k..M84.h._?g...0f..:..}8..k.....M .c,

C:\Users\user\AppData\Local\Temp\water_world_en.png

Download File

Process:	C:\Users\Public\Documents\CapCut_installer.exe
File Type:	PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	473975
Entropy (8bit):	7.991906849103518
Encrypted:	true
SSDEEP:	6144:OM8XoBFVaNn0uTzwY9VWVr4BqBLOsQ8y9aVnybaJJyHbk42Tmlh4HFV9A:qXoBFE0uTzwoKrGWyqnDWbGmlCf9A
MD5:	601BBE214313CA48CA8F333161AC62AF
SHA1:	6799BE82B01711A0821DF1321FCF5D14DE0ADD6C
SHA-256:	56A9920B94732C54604A6AB3CE0072D30E0EB1A2F4F835661FECBC0C448D8965
SHA-512:	1ED3A3A5FD57F275280A63F227C30DC83B56F133BF7E60D1510A60085C228CEB99D9EAC39E8F7B751242AD6BC0FC691BF0D66B2720496BA9F71FB4FF1BE59DF6
Malicious:	false
Preview:	.PNG........IHDR..............}.V....pHYs...%...%.IR$.....sRGB.........gAMA......a...;.IDATx...O.-....9.........^.."".2...R$.D.....t.PhD4.@...=..,$z.D..R$Z.... B .R.... c)..s.^.j..w..U..{....{..1.;....kU.U.R>..;j...(.eY.eY.eY.eY..k.~.m.......x..m~....1.............a.....%...U.w=~......k.e....9>..........k}.ZBc...v.\|\|.xA_.....,.8...q....k.o..5...q=.x....;..k...2.......q.e..b......G..1...q+.(...,.,.,.,...U....zyO=.W....g.\c.8j............0...u......=!a...rZ.v...tB.A.8.xV..5.^..G..QNp......r].....NXw.?~..........q......h.qz..6.4vA.].S[..;..Z\|~=..~\|....1..,.,.,.,.~M}........+......!P..'...B{..0..=]GZ..\|.......pq\|X_m7.$..>W...5.....2K8y\|..y..U.........?..q.'.2t......47..O.....x...d.\|.p..>.1.....6..>t<^g.w.q3..,.,.,.,.~..b..........j...........;.,.G_I..u...x.......Y...*..\D.#B..:....8W......6nz}..Wi.cL..u...........-..?....!.9.P....b=...u..?.q..1.E.1...@0@...........eY.eY.eY.eY.?H....q...zMp.A..[...-.9K......0,x...#.....Y..h.r.t"

C:\Users\user\AppData\Local\app_shell_cache_562354\app_package_6f432258ca.exe

Download File

Process:	C:\Users\Public\Documents\CapCut_installer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	362012672
Entropy (8bit):	7.989808146049877
Encrypted:	false
SSDEEP:	6291456:tXz3bDc48WThsZxjvVqW9Ti5cXJPhTVDVZ8OsTrKWPmlCNT+jWFfnAtBk6bPH91F:tXz3vcJgWhfBDLxsT5mc0Wdnak8PdtZv
MD5:	D628A359CA6C550611ECBCC7C32BBF56
SHA1:	4B91DE70926B25BCEE15A8960869E08F319ECF03
SHA-256:	895FDC4C7992A96DF14FD8F723D93BF1684E6898F9FF6C84A7E6E67EC71041F2
SHA-512:	2F6627E6507EE5FDABAB08D51928C13085759A2F9CEA528A4F56AE5D3999CF2D5C492B40592B49DDB712F5055DA7804A8D8389F72C3A577F243622FFA42AD900
Malicious:	false
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........XH..9&..9&..9&.f...9&..k...9&..k..8&..k..9&.%...9&.%....9&..h..9&....L9&.%...9&..9'..;&.....9&.....9&......9&..k...9&..9...9&......9&.Rich.9&.........................PE..L....h............................................@.................................Ai.#..@.........................``.......a...........X...........{.#.4...`..`k..P.......................X...........@...................@_..`....................text.............................. ..`.rdata..............................@..@.data....n.......0...p..............@....tls................................@....rsrc....X.......Z..................@..@.reloc..`k...`...l..................@..B................................................................................................................................................................................................................

C:\Windows\Installer\45f79f.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {4203B04D-806D-4EBE-BCFF-E19C0C1E195F}, Number of Words: 2, Subject: Windows Service Association, Author: Microsoft, Name of Creating Application: Windows Service Association, Template: ;1033, Comments: This installer database contains the logic and data required to install Windows Service Association., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	4157440
Entropy (8bit):	7.739022758516707
Encrypted:	false
SSDEEP:	98304:zYlRGJAeTgvVgl4GVRtc6gMwt9HQTFdoVXI0+S:k28gjzngPtFGe9W
MD5:	087D510F4D69F6FAA479E4919F51A175
SHA1:	084C49D7C83B257AACF8C94B28B992C326A2AD09
SHA-256:	1DD7892458EAB123C341452AFF6F4D817F290EFC7F8C97B76BDB78E1E1FCF8D2
SHA-512:	0621648C405F3670C11DC08349BB69DFD83C3CEBB719B2DD5B0ADFB5878205805B308608B79728FED53AC33D67C726D7951C71DCCE4FCD0C3BEF04FB1340140C
Malicious:	false
Preview:	......................>...................@...................................D.......`.........../...0...1...2...3...4...................................................................................................................................................................................................................................................................................................................................................................................................................;..............."...2........................................................................................... ...!...+...#...$...%...&...'...(...)...*...0...,...-......./...3...1...:...>...4...5...6...7...8...9...4...<.......=.......?...@...A...B...C...5.......F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSIFBC5.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.4046361691542355
Encrypted:	false
SSDEEP:	6144:nLqkVr003gT0stWobv9lQK0T4JGufLIe3HP3LAOu3HjKkMeaZeOJp:LqS0Yg3v9lQK5zRL83PM/ZX
MD5:	5788EFA607D26332D6D7F5E6A1F6BD6F
SHA1:	E7749843CC3E89BC81649087DE4AD44C93D48BC6
SHA-256:	9FC2608C9E5EF5A88DD91C82660FA297144BA6BBF4602140D638DE7233A4625D
SHA-512:	CE472CA4F956DA4160CFD9B9051455974E24DD8B23A0B7B197AFD1F7552E37980809E523BEDC0D4C2F4C9CB6EF300B221E6404E6E6A1B789B67756550DDD2104
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0...c...c...c$..b...c$..bP..c...b...c...b...c...b...c$..b...c$..b...c$..b...c...c...cM..b...cM..b...cM.3c...c..[c...cM..b...cRich...c................PE..L....v.a.........."!.....t...P......v...............................................}L....@.........................PK......$S..........0........................L......p...............................@...............4............................text...6s.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIFC43.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.4046361691542355
Encrypted:	false
SSDEEP:	6144:nLqkVr003gT0stWobv9lQK0T4JGufLIe3HP3LAOu3HjKkMeaZeOJp:LqS0Yg3v9lQK5zRL83PM/ZX
MD5:	5788EFA607D26332D6D7F5E6A1F6BD6F
SHA1:	E7749843CC3E89BC81649087DE4AD44C93D48BC6
SHA-256:	9FC2608C9E5EF5A88DD91C82660FA297144BA6BBF4602140D638DE7233A4625D
SHA-512:	CE472CA4F956DA4160CFD9B9051455974E24DD8B23A0B7B197AFD1F7552E37980809E523BEDC0D4C2F4C9CB6EF300B221E6404E6E6A1B789B67756550DDD2104
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0...c...c...c$..b...c$..bP..c...b...c...b...c...b...c$..b...c$..b...c$..b...c...c...cM..b...cM..b...cM.3c...c..[c...cM..b...cRich...c................PE..L....v.a.........."!.....t...P......v...............................................}L....@.........................PK......$S..........0........................L......p...............................@...............4............................text...6s.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIFC73.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.4046361691542355
Encrypted:	false
SSDEEP:	6144:nLqkVr003gT0stWobv9lQK0T4JGufLIe3HP3LAOu3HjKkMeaZeOJp:LqS0Yg3v9lQK5zRL83PM/ZX
MD5:	5788EFA607D26332D6D7F5E6A1F6BD6F
SHA1:	E7749843CC3E89BC81649087DE4AD44C93D48BC6
SHA-256:	9FC2608C9E5EF5A88DD91C82660FA297144BA6BBF4602140D638DE7233A4625D
SHA-512:	CE472CA4F956DA4160CFD9B9051455974E24DD8B23A0B7B197AFD1F7552E37980809E523BEDC0D4C2F4C9CB6EF300B221E6404E6E6A1B789B67756550DDD2104
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0...c...c...c$..b...c$..bP..c...b...c...b...c...b...c$..b...c$..b...c$..b...c...c...cM..b...cM..b...cM.3c...c..[c...cM..b...cRich...c................PE..L....v.a.........."!.....t...P......v...............................................}L....@.........................PK......$S..........0........................L......p...............................@...............4............................text...6s.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIFC93.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.4046361691542355
Encrypted:	false
SSDEEP:	6144:nLqkVr003gT0stWobv9lQK0T4JGufLIe3HP3LAOu3HjKkMeaZeOJp:LqS0Yg3v9lQK5zRL83PM/ZX
MD5:	5788EFA607D26332D6D7F5E6A1F6BD6F
SHA1:	E7749843CC3E89BC81649087DE4AD44C93D48BC6
SHA-256:	9FC2608C9E5EF5A88DD91C82660FA297144BA6BBF4602140D638DE7233A4625D
SHA-512:	CE472CA4F956DA4160CFD9B9051455974E24DD8B23A0B7B197AFD1F7552E37980809E523BEDC0D4C2F4C9CB6EF300B221E6404E6E6A1B789B67756550DDD2104
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0...c...c...c$..b...c$..bP..c...b...c...b...c...b...c$..b...c$..b...c$..b...c...c...cM..b...cM..b...cM.3c...c..[c...cM..b...cRich...c................PE..L....v.a.........."!.....t...P......v...............................................}L....@.........................PK......$S..........0........................L......p...............................@...............4............................text...6s.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIFCD3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	595004
Entropy (8bit):	6.580235892858197
Encrypted:	false
SSDEEP:	12288:hBX/lKyuDvn4SsWPbV5BPsahK7RcekeUuyZD6WGvzQ5VEPLSTa3DY:L12h2SekeUuyZD6lvs0zIa3U
MD5:	C5BA45FBBA2614D47CF12C6EF95C68A3
SHA1:	17725F87732DA7BEFC0DB13BE5DA79B45F77E483
SHA-256:	E1BBD8A598947357CF6985EEA5A4285679DAF1DD0B4AFD56B144CE08CDE7DB8D
SHA-512:	25D93AACE568C9689B6D979A5F6A5462706F155A41D45F5599C570249B48C50B480083BDE374EAEDE0CF7F569377EC04421FF628A556E1557815EA5147BA9BBE
Malicious:	false
Preview:	...@IXOS.@.....@AgAY.@.....@.....@.....@.....@.....@......&.{082E188A-67FA-4D67-920E-C850215DB6EC}..Windows Service Association..vFjfAgq5PM.msi.@.....@.....@.....@........&.{4203B04D-806D-4EBE-BCFF-E19C0C1E195F}.....@.....@.....@.....@.......@.....@.....@.......@......Windows Service Association......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{A7A802D2-974C-41F3-B652-6214479A05B0}=.C:\Program Files (x86)\Microsoft\Windows Service Association\.@.......@.....@.....@......&.{53C308A6-0419-4345-9F01-D88EAA24B7F1}:.02:\Software\Microsoft\Windows Service Association\Version.@.......@.....@.....@......&.{9E656843-6FA0-45EB-8445-68ED1ECB3B1A}%.C:\Users\Public\Documents\Dropbox.exe.@.......@.....@.....@......&.{5A4E398A-9958-427D-8D2D-BCE98AE52F08}..C:\Users\Public\Documents\CapCut_installer.exe.@.......@.....@.....@......&.{D1007C7C-7797-48F8-A5E4-FC516E0CB82A}&

C:\Windows\Installer\MSIFD80.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	588768
Entropy (8bit):	6.567152416272546
Encrypted:	false
SSDEEP:	12288:8BX/lKyuDvn4SsWPbV5BPsahK7RcekeUuyZD6WGvzQ5VEPLSTa3D:m12h2SekeUuyZD6lvs0zIa3
MD5:	637C0F8F44F26EF0C736B8BBD0222334
SHA1:	81AEA6F99D67CA19AE1E2A61E9E967ADA53CD4C0
SHA-256:	57DEA716197079FAD873B65AC02A6E002A43FE01202987541AB5295C0F69D28A
SHA-512:	24A2A827221B920E7133DA56A79A8576E8205C884FDA87B67F2821C00CCC99D194F90905DAB49BB55B5595FF44D39F7CD38EF975DE140BFC6299BAD61DA6C4D7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............J...J...J`..K...J`..K...J`..K...J..K...J..K...J..!J...J..K...J`..K...J...J...J...K...J...K...J..#J...J..KJ...J...K...JRich...J........PE..L...Xw.a.........."!.........Z............................................... ......G.....@......................... o.......o...................................T......p...................@.......h...@...............L............................text...h........................... ..`.rdata..L...........................@..@.data................j..............@....rsrc...............................@..@.reloc...T.......V..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{082E188A-67FA-4D67-920E-C850215DB6EC}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1640293223094886
Encrypted:	false
SSDEEP:	12:JSbX72FjzJaAGiLIlHVRpZh/7777777777777777777777777vDHFGCeyBTqit/z:JpQQI5tdviF
MD5:	B08A3AE87B65E16668560C6532335BBF
SHA1:	3897629C4ECA0FF962EDA7DEF406E40D4EAFA67E
SHA-256:	55BEB0299C5B4D542CB208DDAF39ADE59819127468E9887574B33350A3C51F87
SHA-512:	4CD09E83F006EC382611DC6240B018799E686A49E775A637DAA8945859299A8DE08929F62B72940F1D40A71F5214856F5E5D9C9A30F81340979153902E3625AB
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5580740466590761
Encrypted:	false
SSDEEP:	48:h8Ph8uRc06WXJ0nT5+OB5Vds9SkdsjAEkrCyvgo4ds9Skds/TSL0:8h813nT509u0RCq59umo
MD5:	A3EE42D1843F9A192EB80C97D83FF1DA
SHA1:	EFEFF0D68FF2E1A249C73F24B98AA9660420BAD8
SHA-256:	2C8BCA3BD82B19B51BAEFBBB45031BDB113A0409FD123079C00230594B05F64B
SHA-512:	19BB69673D20790B84CD1045A7A1158C6B879D8327AAA8853A377EB72C2F3F9B4581DDCB5F028680F9EEE32EFBEBEEC5C8C8FBDA98FC5B5A9B5FE8C09D4A0AD5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.37516000195081
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauE:zTtbmkExhMJCIpErx
MD5:	BAD75447D8BB034CC12C0DB554098C8D
SHA1:	C6E310E08CB2F30CA464C862DA64617D2B753630
SHA-256:	C825DEB237BA016DFCE17BCF77BD3750343B44F5E230651F39B3D4F0251E3CE2
SHA-512:	8F8967329B152E73BEB1D009E4B6C57A972E730F5C4C863BE004CD6959135125FB6629F300AC5CE6A38AC9AD9423643241B41E037D31E55A05073DD265230F3D
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF16D12FB74D8F415D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2490102988588037
Encrypted:	false
SSDEEP:	48:QR0ukUM+CFXJLT52OB5Vds9SkdsjAEkrCyvgo4ds9Skds/TSL0:o0zzTh09u0RCq59umo
MD5:	E65F2BB3250E19C14178F6BDBD87D18E
SHA1:	2C303AAAA5288B99B209EB7AC416627985F391FA
SHA-256:	E7671EEB521A8E6FC638344FD01CD5D18C444C085996D023650485C7D8325363
SHA-512:	8E578B6AA99CEEF57803C476D3647F2822099455B1CFB77CFBDB62D92C3FF1ED959030375AA051EEF949A809D66F50AB8267D675133A74533A3D99FDF00C1653
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF17033EB26EE1F739.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF19852D83031204CA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.13532454393180288
Encrypted:	false
SSDEEP:	48:I0tLT4ds9SkdsSds9SkdsjAEkrCyvgowVbO:LtB9ur9u0RCqo
MD5:	6C12DD5ABD0CB4A20FF6BA3D1A25CBFF
SHA1:	C01732D852DB26323C57C4F5C79748F3DEAF68B1
SHA-256:	7C7B5441D512DD74979B217D01773958987BAA33A6889A4439D7470F78548575
SHA-512:	20462FEAB9C422F5B1B6840B56505245FEB41026958B25A516ABB1B8CA3826545D5F71FAF59FE96168560B7FC05FE8F590934BB90AE61AD04B7A5F5DA59C972B
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1AD5B1073908CCBD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5580740466590761
Encrypted:	false
SSDEEP:	48:h8Ph8uRc06WXJ0nT5+OB5Vds9SkdsjAEkrCyvgo4ds9Skds/TSL0:8h813nT509u0RCq59umo
MD5:	A3EE42D1843F9A192EB80C97D83FF1DA
SHA1:	EFEFF0D68FF2E1A249C73F24B98AA9660420BAD8
SHA-256:	2C8BCA3BD82B19B51BAEFBBB45031BDB113A0409FD123079C00230594B05F64B
SHA-512:	19BB69673D20790B84CD1045A7A1158C6B879D8327AAA8853A377EB72C2F3F9B4581DDCB5F028680F9EEE32EFBEBEEC5C8C8FBDA98FC5B5A9B5FE8C09D4A0AD5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1FCAAD1E1A835F32.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2721960501F9B14D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2C44DEC0CAFD61B5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2490102988588037
Encrypted:	false
SSDEEP:	48:QR0ukUM+CFXJLT52OB5Vds9SkdsjAEkrCyvgo4ds9Skds/TSL0:o0zzTh09u0RCq59umo
MD5:	E65F2BB3250E19C14178F6BDBD87D18E
SHA1:	2C303AAAA5288B99B209EB7AC416627985F391FA
SHA-256:	E7671EEB521A8E6FC638344FD01CD5D18C444C085996D023650485C7D8325363
SHA-512:	8E578B6AA99CEEF57803C476D3647F2822099455B1CFB77CFBDB62D92C3FF1ED959030375AA051EEF949A809D66F50AB8267D675133A74533A3D99FDF00C1653
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF827849708F15B534.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8995C8B5E81826BF.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5580740466590761
Encrypted:	false
SSDEEP:	48:h8Ph8uRc06WXJ0nT5+OB5Vds9SkdsjAEkrCyvgo4ds9Skds/TSL0:8h813nT509u0RCq59umo
MD5:	A3EE42D1843F9A192EB80C97D83FF1DA
SHA1:	EFEFF0D68FF2E1A249C73F24B98AA9660420BAD8
SHA-256:	2C8BCA3BD82B19B51BAEFBBB45031BDB113A0409FD123079C00230594B05F64B
SHA-512:	19BB69673D20790B84CD1045A7A1158C6B879D8327AAA8853A377EB72C2F3F9B4581DDCB5F028680F9EEE32EFBEBEEC5C8C8FBDA98FC5B5A9B5FE8C09D4A0AD5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA44C032BD4F2FEA3.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFEAF9207C6207C7AD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2490102988588037
Encrypted:	false
SSDEEP:	48:QR0ukUM+CFXJLT52OB5Vds9SkdsjAEkrCyvgo4ds9Skds/TSL0:o0zzTh09u0RCq59umo
MD5:	E65F2BB3250E19C14178F6BDBD87D18E
SHA1:	2C303AAAA5288B99B209EB7AC416627985F391FA
SHA-256:	E7671EEB521A8E6FC638344FD01CD5D18C444C085996D023650485C7D8325363
SHA-512:	8E578B6AA99CEEF57803C476D3647F2822099455B1CFB77CFBDB62D92C3FF1ED959030375AA051EEF949A809D66F50AB8267D675133A74533A3D99FDF00C1653
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFFAD2D32415C8B744.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07126381248242429
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOGCrMnyBXDBgVky6lit/:2F0i8n0itFzDHFGCeyBT9it/
MD5:	7A0CD66D9525589577D08B5017F0467B
SHA1:	9F28CC558F970B5B701E57F7844D358330AE6A2B
SHA-256:	4E90B636C7F484D2415A4CF6F90BAD9FB821641985D25BF2EB1BBB4C55BFE492
SHA-512:	E969473A9739A80AA14EC66FE7BDBD571C9118497C7763BCE826D34DBDEA79702D4DF08BC91DF50A434E73F6AD873C679C670E9CDFDC4E093BD13A18AE7C3F64
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {4203B04D-806D-4EBE-BCFF-E19C0C1E195F}, Number of Words: 2, Subject: Windows Service Association, Author: Microsoft, Name of Creating Application: Windows Service Association, Template: ;1033, Comments: This installer database contains the logic and data required to install Windows Service Association., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):	7.739022758516707
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	vFjfAgq5PM.msi
File size:	4'157'440 bytes
MD5:	087d510f4d69f6faa479e4919f51a175
SHA1:	084c49d7c83b257aacf8c94b28b992c326a2ad09
SHA256:	1dd7892458eab123c341452aff6f4d817f290efc7f8c97b76bdb78e1e1fcf8d2
SHA512:	0621648c405f3670c11dc08349bb69dfd83c3cebb719b2dd5b0adfb5878205805b308608b79728fed53ac33d67c726d7951c71dcce4fcd0c3bef04fb1340140c
SSDEEP:	98304:zYlRGJAeTgvVgl4GVRtc6gMwt9HQTFdoVXI0+S:k28gjzngPtFGe9W
TLSH:	84160122338AC23BD9AE0270252D966F156DFDA20B7140D7A3C8293EAEF44D16735F57
File Content Preview:	........................>...................@...................................D.......`.........../...0...1...2...3...4......................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Target ID:	0
Start time:	12:57:58
Start date:	01/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\vFjfAgq5PM.msi"
Imagebase:	0x7ff79b5b0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:57:59
Start date:	01/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff79b5b0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	12:58:01
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 9342AE7FC298454AC0E2B46CA904726C
Imagebase:	0xb50000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:58:01
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 84080775417F402876A00B89D1C4E077 E Global\MSI0000
Imagebase:	0xb50000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:58:01
Start date:	01/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssFDDB.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiFDC9.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrFDCA.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrFDCB.txt" -propSep " :<->: " -testPrefix "_testValue."
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:58:01
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:58:04
Start date:	01/10/2024
Path:	C:\Users\Public\Documents\CapCut_installer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Documents\capcut_installer.exe"
Imagebase:	0x400000
File size:	2'313'024 bytes
MD5 hash:	C91E097550EA6CCEDF592D8B83414E0D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	12:58:07
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cmd.exe" /c "C:\Program Files (x86)\Dropbox\Update\dropbox.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	12:58:07
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x870000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	12:58:07
Start date:	01/10/2024
Path:	C:\Program Files (x86)\Dropbox\Update\dropbox.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Dropbox\Update\dropbox.exe"
Imagebase:	0xcf0000
File size:	134'016 bytes
MD5 hash:	3B607E9AE169797C5112736DD445DB25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000009.00000002.4140266167.0000000002CE1000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000009.00000002.4135316816.0000000001000000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000009.00000002.4138493553.0000000002AA0000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000009.00000002.4138493553.0000000002AA0000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000009.00000002.4137162182.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000009.00000002.4137162182.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	12:58:07
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -Command "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Program Files (x86)\Dropbox\Update\Dropbox.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'GoogleUpdateTaskMachineUA'"
Imagebase:	0x540000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:58:07
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:58:12
Start date:	01/10/2024
Path:	C:\Program Files (x86)\Dropbox\Update\dropbox.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Dropbox\Update\Dropbox.exe"
Imagebase:	0xcf0000
File size:	134'016 bytes
MD5 hash:	3B607E9AE169797C5112736DD445DB25
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:58:17
Start date:	01/10/2024
Path:	C:\Program Files (x86)\Dropbox\Update\dropbox.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Dropbox\Update\Dropbox.exe"
Imagebase:	0xcf0000
File size:	134'016 bytes
MD5 hash:	3B607E9AE169797C5112736DD445DB25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FFD9B402B82 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1743083068.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b92b2bdf5181c4ff3d69d785ab0fdc525abc4fd41df09f36d2e092ff2bd24b2f
Instruction ID: a708aa58d34e5419ce26117af8e66114886c1479ad4b7a2cf97e533182ffe41e
Opcode Fuzzy Hash: b92b2bdf5181c4ff3d69d785ab0fdc525abc4fd41df09f36d2e092ff2bd24b2f
Instruction Fuzzy Hash: C9C1B130A09A4D8FDF98DF9CC451AA9BBF1FF68304F1501AAD449D7296CA34E881CB80

Function 00007FFD9B4047E5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1743083068.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d2926b7313eb4f4d0fffdcddef21ac1b47e6c0991d42b779595a8d4c8dfead8
Instruction ID: f8921968ee6d0c3131ddedf5baf6fe2e29f792979c4e719becf4933e6bd71ff0
Opcode Fuzzy Hash: 2d2926b7313eb4f4d0fffdcddef21ac1b47e6c0991d42b779595a8d4c8dfead8
Instruction Fuzzy Hash: 8001677121CB0C8FD748EF4CE451AB6B7E0FB95364F10056DE58AC36A5D636E882CB45

Analysis Process: CapCut_installer.exePID: 7732, Parent PID: 7596COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	127

Executed Functions

Function 6C49CC10 Relevance: 128.5, APIs: 45, Strings: 28, Instructions: 748
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?GetRoot@CMarkup@DuiLib@@QAE?AVCMarkupNode@2@XZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49CC5A
?IsValid@CMarkupNode@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49CC61
?GetChild@CMarkupNode@DuiLib@@QAE?AV12@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C49CCA7
?GetSibling@CMarkupNode@DuiLib@@QAE?AV12@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?), ref: 6C49CCBE
?IsValid@CMarkupNode@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C49CCD4
?GetName@CMarkupNode@DuiLib@@QBEPB_WXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C49CCE3
?GetAttributeCount@CMarkupNode@DuiLib@@QAEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49CD31
?GetAttributeName@CMarkupNode@DuiLib@@QAEPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49CD90
?GetAttributeValueInternal@CMarkupNode@DuiLib@@QAEPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C49CD9A
?GetAttributeCount@CMarkupNode@DuiLib@@QAEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?), ref: 6C49CDC2
?GetAttributeName@CMarkupNode@DuiLib@@QAEPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49CE09
?GetAttributeValueInternal@CMarkupNode@DuiLib@@QAEPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C49CE13
CharNextW.USER32(00000000,?,?,?,?,00000001,00000001,?,?,?,?,?,?,?), ref: 6C49CE57
?GetAttributeCount@CMarkupNode@DuiLib@@QAEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49CE97
?GetAttributeName@CMarkupNode@DuiLib@@QAEPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49CF21
?GetAttributeValueInternal@CMarkupNode@DuiLib@@QAEPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C49CF2B
?GetName@CMarkupNode@DuiLib@@QBEPB_WXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C49D11E
?_Parse@CDialogBuilder@DuiLib@@AAEPAVCControlUI@2@PAVCMarkupNode@2@PAV32@PAVCPaintManagerUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,00000000,?), ref: 6C49D148
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?), ref: 6C49D16C
?GetAttributeCount@CMarkupNode@DuiLib@@QAEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?), ref: 6C49D17C
?GetAttributeName@CMarkupNode@DuiLib@@QAEPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?), ref: 6C49D1E9
?GetAttributeValueInternal@CMarkupNode@DuiLib@@QAEPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,?,?,?,?,?), ref: 6C49D1F3

Strings

sizebox, xrefs: 6C49D20C
underline, xrefs: 6C49CF70
showdirty, xrefs: 6C49D27A
weight, xrefs: 6C49CFB2
linkfontcolor, xrefs: 6C49D2E8
bktrans, xrefs: 6C49D2A6
roundcorner, xrefs: 6C49D238
name, xrefs: 6C49CDA1, 6C49CE1A, 6C49CF32
default, xrefs: 6C49CF9C
Font, xrefs: 6C49CD02
maxinfo, xrefs: 6C49D264
restype, xrefs: 6C49CE2C
defaultfontcolor, xrefs: 6C49D2D2
italic, xrefs: 6C49CF86
size, xrefs: 6C49CF48, 6C49D1FA
Window, xrefs: 6C49D123
true, xrefs: 6C49CFFE, 6C49D01A, 6C49D036, 6C49D052, 6C49D565, 6C49D59F
mininfo, xrefs: 6C49D24E
bold, xrefs: 6C49CF5A
value, xrefs: 6C49CD60
Default, xrefs: 6C49CD18
disabledfontcolor, xrefs: 6C49D2BC
mask, xrefs: 6C49CE3E
Image, xrefs: 6C49CCEC
caption, xrefs: 6C49D222
selectedcolor, xrefs: 6C49D314
alpha, xrefs: 6C49D290
linkhoverfontcolor, xrefs: 6C49D2FE

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Markup$Node@$Attribute$Name@$Count@Internal@Value$Paint$ManagerNode@2@V12@Valid@$Builder@CharChild@ControlD__@@DialogI@2@I@2@@Markup@NextParse@Root@Sibling@V32@Window@
String ID: Default$Font$Image$Window$alpha$bktrans$bold$caption$default$defaultfontcolor$disabledfontcolor$italic$linkfontcolor$linkhoverfontcolor$mask$maxinfo$mininfo$name$restype$roundcorner$selectedcolor$showdirty$size$sizebox$true$underline$value$weight
API String ID: 1713311723-3208060547
Opcode ID: be81e55e3d1e71deb88bdeb6f87d618bf4cda6d23a7b92beda0de2da158850d3
Instruction ID: bd33f2ba36b3535496756add4391e4c75543a440e68999352973e803481e0381
Opcode Fuzzy Hash: be81e55e3d1e71deb88bdeb6f87d618bf4cda6d23a7b92beda0de2da158850d3
Instruction Fuzzy Hash: 3E3294B1A05350ABD721DF608C41FDF7BE8AF94749F40082DF949D6B80EB74A909C7A6

Function 6C43F6C0 Relevance: 88.7, APIs: 37, Strings: 13, Instructions: 1202stringlibraryloaderCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?), ref: 6C43F731
GlobalFree.KERNEL32(?), ref: 6C43F742
lstrcpyW.KERNEL32(?,?), ref: 6C43F84B
GlobalFree.KERNEL32(?), ref: 6C43F85C
lstrcpyW.KERNEL32(?,00000004), ref: 6C43F953
GlobalFree.KERNEL32(00000000), ref: 6C43F964
lstrcpyW.KERNEL32(?,00000004,?,?,?), ref: 6C43F9A7
GlobalFree.KERNEL32(00000000), ref: 6C43F9B8
lstrcpyW.KERNEL32(?,00000004,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C43FAB3
GlobalFree.KERNELBASE(00000000), ref: 6C43FAC4
lstrcpyW.KERNEL32(?,00000004), ref: 6C43FBBB
GlobalFree.KERNEL32(00000000), ref: 6C43FBCC
lstrcpyW.KERNEL32(?,00000004), ref: 6C43FCC3
GlobalFree.KERNEL32(00000000), ref: 6C43FCD4
lstrcpyW.KERNEL32(?,00000004), ref: 6C43FDCB
GlobalFree.KERNEL32(00000000), ref: 6C43FDDC
GetLocaleInfoEx.KERNEL32(00000000,00000059,?,00000009), ref: 6C43FEFE
GetLocaleInfoEx.KERNEL32(00000000,0000005A,?,00000009), ref: 6C43FF0E
LoadLibraryA.KERNEL32(shell_downloader.dll,?,00000000,?,?,6C52665C), ref: 6C440196
GetProcAddress.KERNEL32(00000000,CreateShellDownloader), ref: 6C4401AE
GetProcAddress.KERNEL32(00000000,CreateShellEventReporter), ref: 6C4401E0
lstrcpyW.KERNEL32(?,?), ref: 6C4406B2
GlobalFree.KERNEL32(?), ref: 6C4406C3
lstrcpyW.KERNEL32(?,?), ref: 6C4406F9
GlobalFree.KERNEL32(?), ref: 6C44070A
lstrcpyW.KERNEL32(?,?), ref: 6C440740
GlobalFree.KERNEL32(?), ref: 6C440751
lstrcpyW.KERNEL32(?,?), ref: 6C440787
GlobalFree.KERNEL32(?), ref: 6C440798
lstrcpyW.KERNEL32(?,?), ref: 6C4407CE
GlobalFree.KERNELBASE(?), ref: 6C4407DF
lstrcpyW.KERNEL32(?,?), ref: 6C440815
GlobalFree.KERNEL32(?), ref: 6C440826
lstrcpyW.KERNEL32(?,?), ref: 6C44085C
GlobalFree.KERNEL32(?), ref: 6C44086D
lstrcpyW.KERNEL32(?,?), ref: 6C4408A3
GlobalFree.KERNEL32(?), ref: 6C4408B4

Strings

shell_downloader.dll, xrefs: 6C440191
4266339975, xrefs: 6C440320, 6C44032C
HfRl, xrefs: 6C44021E
capcutpc_0, xrefs: 6C43FEA9, 6C43FEB5
DestoryShellDownloader, xrefs: 6C4401B4
RUl, xrefs: 6C4403DE
DestoryShellEventReporter, xrefs: 6C4401E6
DUl, xrefs: 6C43FE97
CreateShellDownloader, xrefs: 6C4401A8
en_CH, xrefs: 6C440002
CreateShellEventReporter, xrefs: 6C4401D4
app shell %s, xrefs: 6C44032D
0A, xrefs: 6C43F705, 6C43F739, 6C43F837, 6C43F853, 6C43F93F, 6C43F95B, 6C43F993, 6C43F9AF, 6C43FA9F, 6C43FABB, 6C43FBA7, 6C43FBC3, 6C43FCAF, 6C43FCCB, 6C43FDB7, 6C43FDD3, 6C440674, 6C4406BA, 6C4406E5, 6C440701, 6C44072C, 6C440748, 6C440773, 6C44078F, 6C4407BA, 6C4407D6, 6C440801, 6C44081D, 6C440848, 6C440864, 6C44088F, 6C4408AB

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: FreeGloballstrcpy$AddressInfoLocaleProc$LibraryLoad
String ID: en_CH$0A$4266339975$CreateShellDownloader$CreateShellEventReporter$DestoryShellDownloader$DestoryShellEventReporter$DUl$HfRl$RUl$app shell %s$capcutpc_0$shell_downloader.dll
API String ID: 103878430-2432307991
Opcode ID: 4489b216f6618caadf03066b5e3169226a3e5c7c66d97fc52e32f13261791744
Instruction ID: f0b7044320d4d105abd43e6181dd6ef15819af83215fd70e4a373db94f03dd08
Opcode Fuzzy Hash: 4489b216f6618caadf03066b5e3169226a3e5c7c66d97fc52e32f13261791744
Instruction Fuzzy Hash: 88A2D4B16057809BE720CF24CC80F9B7BF4EF86318F114A2DE99897791E774A509CB96

Function 0040338F Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32 ref: 004033B2
GetVersion.KERNEL32 ref: 004033B8
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033EB
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403428
OleInitialize.OLE32(00000000), ref: 0040342F
SHGetFileInfoW.SHELL32(00440208,00000000,?,000002B4,00000000), ref: 0040344B
GetCommandLineW.KERNEL32(00472EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 00403460
CharNextW.USER32(00000000,004CB000,00000020,004CB000,00000000,?,00000006,00000008,0000000A), ref: 00403498

Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1

GetTempPathW.KERNEL32(00002000,004DF000,?,00000006,00000008,0000000A), ref: 004035D2
GetWindowsDirectoryW.KERNEL32(004DF000,00001FFB,?,00000006,00000008,0000000A), ref: 004035E3
lstrcatW.KERNEL32(004DF000,\Temp,?,00000006,00000008,0000000A), ref: 004035EF
GetTempPathW.KERNEL32(00001FFC,004DF000,004DF000,\Temp,?,00000006,00000008,0000000A), ref: 00403603
lstrcatW.KERNEL32(004DF000,Low,?,00000006,00000008,0000000A), ref: 0040360B
SetEnvironmentVariableW.KERNEL32(TEMP,004DF000,004DF000,Low,?,00000006,00000008,0000000A), ref: 0040361C
SetEnvironmentVariableW.KERNEL32(TMP,004DF000,?,00000006,00000008,0000000A), ref: 00403624
DeleteFileW.KERNEL32(004DB000,?,00000006,00000008,0000000A), ref: 00403638

Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00002000,00403460,00472EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403703
ExitProcess.KERNEL32 ref: 00403724
lstrcatW.KERNEL32(004DF000,~nsu,004CB000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403737
lstrcatW.KERNEL32(004DF000,0040A26C,004DF000,~nsu,004CB000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403746
lstrcatW.KERNEL32(004DF000,.tmp,004DF000,~nsu,004CB000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403751
lstrcmpiW.KERNEL32(004DF000,004D7000,004DF000,.tmp,004DF000,~nsu,004CB000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040375D
SetCurrentDirectoryW.KERNEL32(004DF000,004DF000,?,00000006,00000008,0000000A), ref: 00403779
DeleteFileW.KERNEL32(0043C208,0043C208,?,0047B000,00000008,?,00000006,00000008,0000000A), ref: 004037D3
CopyFileW.KERNEL32(004E7000,0043C208,00000001,?,00000006,00000008,0000000A), ref: 004037E7
CloseHandle.KERNEL32(00000000,0043C208,0043C208,?,0043C208,00000000,?,00000006,00000008,0000000A), ref: 00403814
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403843
OpenProcessToken.ADVAPI32(00000000), ref: 0040384A
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040385F
AdjustTokenPrivileges.ADVAPI32 ref: 00403882
ExitWindowsEx.USER32(00000002,80040002), ref: 004038A7
ExitProcess.KERNEL32 ref: 004038CA

Strings

~nsu, xrefs: 0040372F
.tmp, xrefs: 0040374B
SeShutdownPrivilege, xrefs: 00403859
Error launching installer, xrefs: 004036BA
TMP, xrefs: 0040361F
TEMP, xrefs: 00403617
Low, xrefs: 00403605
UXTHEME, xrefs: 004033DF, 004033E4, 004033EA
NSIS Error, xrefs: 00403451
\Temp, xrefs: 004035E9

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: .tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-3195845224
Opcode ID: 63044480bdf60fa59607b726092bbe11153853a5ccbfe3ab443963185e6f75f7
Instruction ID: 33fbdd78d52bfd04f2c73b4da217482bb076a8c6d1615cdfa2cd3638f3c4bec2
Opcode Fuzzy Hash: 63044480bdf60fa59607b726092bbe11153853a5ccbfe3ab443963185e6f75f7
Instruction Fuzzy Hash: 45D1F471100310AAE720BF769D45B2B3AADEB4070AF10447FF885B62E1DBBD8D55876E

Function 6C48DC40 Relevance: 49.9, APIs: 33, Instructions: 421
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?GetResourceDll@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48DC95
FindResourceW.KERNEL32(00000000,00000000,00000000), ref: 6C48DC9F
?GetResourceDll@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48DCAF
LoadResource.KERNEL32(00000000,00000000), ref: 6C48DCB6
?GetResourceDll@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48DCC6
SizeofResource.KERNEL32(00000000,00000000), ref: 6C48DCCD
LockResource.KERNEL32(00000000), ref: 6C48DCED
FreeResource.KERNEL32(00000000), ref: 6C48DD06
?GetResourcePath@CPaintManagerUI@DuiLib@@SAABVCDuiString@2@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48DD55
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C48DD5E
?GetResourceZip@CPaintManagerUI@DuiLib@@SAABVCDuiString@2@XZ.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C48DD6D
?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C48DD74
??YCDuiString@DuiLib@@QAEABV01@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C48DD87
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C48DD8F
CreateFileW.KERNEL32 ref: 6C48DDB8
GetFileSize.KERNEL32(00000000,00000000), ref: 6C48DDCC
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 6C48DE08
CloseHandle.KERNEL32(?), ref: 6C48DE0F
FreeResource.KERNEL32(00000000), ref: 6C48DE48
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48DF22
CreateFileW.KERNEL32 ref: 6C48DF56
GetFileSize.KERNEL32(00000000,00000000), ref: 6C48DF6C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 6C48DFA8
CloseHandle.KERNEL32(00000000), ref: 6C48DFAF
CreateDIBSection.GDI32(00000000,00000028,00000000,00000000,00000000,00000000), ref: 6C48E088

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Resource$Lib@@$Paint$FileManager$String@$CreateDll@E__@@$CloseFreeHandleReadSizeString@2@$D__@@Empty@FindLoadLockPath@SectionSizeofV01@V01@@Window@Zip@
String ID:
API String ID: 3845562559-0
Opcode ID: 341f5b5b31e2e88b3bb30368fe2778b69af498a011f522d17f5d41bb3229152e
Instruction ID: 25db8d2e8825062caa9977f223815c430f62e26049fb5e5a58a5b4e36a9fb7e9
Opcode Fuzzy Hash: 341f5b5b31e2e88b3bb30368fe2778b69af498a011f522d17f5d41bb3229152e
Instruction Fuzzy Hash: AF02B2B1505B419BD720CF25C884F67BBF5AF89314F148A1DE4EA87B91DB30E449CBA1

Function 6C445980 Relevance: 26.8, APIs: 3, Strings: 12, Instructions: 551memorystringCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6C445A08

Part of subcall function 6C4E6480: _strlen.LIBCMT ref: 6C4E64B2

GlobalAlloc.KERNEL32(00000040,00001FF8), ref: 6C44604F
lstrcpynW.KERNEL32(-00000004,?), ref: 6C446062

Strings

562354, xrefs: 6C445B30
OnDRSdkResult: did=%s, xrefs: 6C445B09
4266339975, xrefs: 6C445AF7, 6C445AFC, 6C445B08
capcutpc_0, xrefs: 6C445B5C
0A, xrefs: 6C44603B, 6C446068
bann, xrefs: 6C445CEA
er_r, xrefs: 6C445CF1
downloader_config, xrefs: 6C445DA3, 6C445DC8
banner_res, xrefs: 6C445C63, 6C445C88
1.0.0, xrefs: 6C445BBA
show_multi_lang_box, xrefs: 6C445ED3, 6C445EF8, 6C445F44, 6C445F59
%ld, xrefs: 6C44602D

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: _strlen$AllocGloballstrcpyn
String ID: %ld$0A$1.0.0$4266339975$562354$OnDRSdkResult: did=%s$bann$banner_res$capcutpc_0$downloader_config$er_r$show_multi_lang_box
API String ID: 3161073517-3928525903
Opcode ID: 0aa918236290bf55fcfa3fcdad401715b9cd7e84c3f8863b6fde1480280b8992
Instruction ID: 76cda5089a80dd072761de83a86c6cb2b4564eb595084003a28a0889ad862d43
Opcode Fuzzy Hash: 0aa918236290bf55fcfa3fcdad401715b9cd7e84c3f8863b6fde1480280b8992
Instruction Fuzzy Hash: 4512D3B0605B408BEB20CF25C880F56B7F1EF89318F658A1DD99687B91E774F449CB85

Function 6C49CB40 Relevance: 19.6, APIs: 13, Instructions: 75COMMON

Download Yara Rule

APIs

?GetResourceDll@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49CB57
FindResourceW.KERNEL32(00000000,?,?), ref: 6C49CB61
?GetResourceDll@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49CB71
LoadResource.KERNEL32(00000000,00000000), ref: 6C49CB78
?GetResourceDll@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49CB8D
SizeofResource.KERNEL32(00000000,00000000), ref: 6C49CB94
LockResource.KERNEL32(00000000), ref: 6C49CBA1
?LoadFromMem@CMarkup@DuiLib@@QAE_NPAEKH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,00000000), ref: 6C49CBAF

Part of subcall function 6C4A5950: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,6C4A5ECF,?,?,?), ref: 6C4A59AB
Part of subcall function 6C4A5950: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 6C4A5A08
Part of subcall function 6C4A5950: ?_Parse@CMarkup@DuiLib@@AAE_NAAPA_WK@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000), ref: 6C4A5A78

FreeResource.KERNEL32(00000000,00000000,?,00000000), ref: 6C49CBB9
?Load@CMarkup@DuiLib@@QAE_NPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49CBD3
?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@PAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,00000000), ref: 6C49CBF1
FreeResource.KERNEL32(00000000), ref: 6C49CBF9

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Resource$Lib@@$ManagerPaint$Dll@E__@@Markup@$ByteCharDialogFreeI@2@LoadMultiWide$BuilderBuilder@Callback@2@ControlCreate@FindFromLoad@LockMem@Parse@SizeofV32@@
String ID:
API String ID: 1299937730-0
Opcode ID: 45d6046ac66fd4f60043e29fc97331f4230655ea48c8692dd54fc11f1bd1e35f
Instruction ID: 4df1e6ef56257e8b37878c7d16961c6c1555f1f0e74bebf06137ca6c83d0a313
Opcode Fuzzy Hash: 45d6046ac66fd4f60043e29fc97331f4230655ea48c8692dd54fc11f1bd1e35f
Instruction Fuzzy Hash: 60216D75B00215ABCF11EFA59C48EAF3FB9EB8A7A4F400419F91997B40DB35D841C7A4

Function 6C4B0BB0 Relevance: 19.4, Strings: 10, Instructions: 6862COMMON

Download Yara Rule

Strings

SPB8, xrefs: 6C4B2996
bad SOS, xrefs: 6C4B329A
bad SOS len, xrefs: 6C4B2115
outofmem, xrefs: 6C4B32A4, 6C4B37A3
bad SOS component count, xrefs: 6C4B0E29, 6C4B2246
{`, xrefs: 6C4B2A10
bad AC huff, xrefs: 6C4B1BF9
too large, xrefs: 6C4B7388
VUUU, xrefs: 6C4B36CA
bad DC huff, xrefs: 6C4B1BEF

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID:
String ID: SPB8$VUUU$bad AC huff$bad DC huff$bad SOS$bad SOS component count$bad SOS len$outofmem$too large${`
API String ID: 0-846989409
Opcode ID: ceeecd21e125141e6188956748ca69137a926ed81dbe98487cb6404d509518af
Instruction ID: f7c4cd0d002c197fef3d45d2c3183b633dcffaf2b083a9ce8c4a5277c7dc9fcc
Opcode Fuzzy Hash: ceeecd21e125141e6188956748ca69137a926ed81dbe98487cb6404d509518af
Instruction Fuzzy Hash: 12E335756083428FD715CF18C884F5ABBF1BF8A314F19496DE889AB760D734E845CBA2

Function 6C4463D0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 97processmemorystringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C446400
Process32FirstW.KERNEL32(00000000,0000022C), ref: 6C44641E
GetCurrentProcessId.KERNEL32(00000002,00000000), ref: 6C446427
Process32NextW.KERNEL32(00000000,0000022C), ref: 6C446456
CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 6C446491
GlobalAlloc.KERNEL32(00000040,00001FF8,?,?,?,?,00000002,00000000), ref: 6C4464D0
lstrcpynW.KERNEL32(-00000004,?,?,?,?,?,00000002,00000000), ref: 6C4464E3

Strings

hVd, xrefs: 6C44647C
^Ul, xrefs: 6C446475
0A, xrefs: 6C4464BC, 6C4464E9
%ld, xrefs: 6C4464AE

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Process32$AllocCloseCreateCurrentFirstGlobalHandleNextProcessSnapshotToolhelp32lstrcpyn
String ID: %ld$0A$^Ul$hVd
API String ID: 3406200772-1837626475
Opcode ID: 4c7b278fe79fc4268ad2d49367000ad55018fc28b851ecebfbb21e61f0459101
Instruction ID: 5dbe96289ccbb09a28d3c7f53f98d0eb866175de177715218c4398807b681b30
Opcode Fuzzy Hash: 4c7b278fe79fc4268ad2d49367000ad55018fc28b851ecebfbb21e61f0459101
Instruction Fuzzy Hash: 34315AF1A416049BFF10CB64CC45FDA37B8DB4631CF614125FA14E6781E7B4994987A8

Function 6C4B0180 Relevance: 18.0, APIs: 7, Strings: 3, Instructions: 476COMMON

Download Yara Rule

Strings

..\, xrefs: 6C4B06DE
../, xrefs: 6C4B06CC
:, xrefs: 6C4B06C1

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID:
String ID: ../$..\$:
API String ID: 0-2303759622
Opcode ID: bbaca1de80846d31ce6613d35be0a35852011403731b61cb12ab4771096aab0d
Instruction ID: 20e5a56dd7031d4dbe95efd68bc11a6880685399833d19340edfc05f0781c86a
Opcode Fuzzy Hash: bbaca1de80846d31ce6613d35be0a35852011403731b61cb12ab4771096aab0d
Instruction Fuzzy Hash: 8702E4F19016429BD710CF65D980F9AB7B0BF9431AF10462DE929A7B80E730F995CBE1

Function 6C4BAC60 Relevance: 14.4, Strings: 11, Instructions: 622COMMON

Download Yara Rule

Strings

only 8-bit, xrefs: 6C4BADBB, 6C4BADF1
0 width, xrefs: 6C4BB05B
outofmem, xrefs: 6C4BB489
bad component ID, xrefs: 6C4BB454
too large, xrefs: 6C4BB302
bad H, xrefs: 6C4BB470
bad TQ, xrefs: 6C4BB462
bad SOF len, xrefs: 6C4BAD6C, 6C4BB0EA
no header height, xrefs: 6C4BAF4E
bad component count, xrefs: 6C4BB065, 6C4BB0A0
bad V, xrefs: 6C4BB45B

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID:
String ID: 0 width$bad H$bad SOF len$bad TQ$bad V$bad component ID$bad component count$no header height$only 8-bit$outofmem$too large
API String ID: 0-1458373056
Opcode ID: 942de8791052d10754b4864039c17f39dff11cd53b6da0ef50e3f7c6235b74b2
Instruction ID: 7d7d9998022fca5995695f8337c67eb75302b1ca71c801dd61cd67cddaa3d12e
Opcode Fuzzy Hash: 942de8791052d10754b4864039c17f39dff11cd53b6da0ef50e3f7c6235b74b2
Instruction Fuzzy Hash: 05523771B00A16EFDB08CF64C884F9AF7B1FF09305F14422AD869A7B50E734A955CBA1

Function 004059CC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004DF000,74DF3420,00000000), ref: 004059F5
lstrcatW.KERNEL32(00460250,\*.*,00460250,?,?,004DF000,74DF3420,00000000), ref: 00405A3D
lstrcatW.KERNEL32(?,0040A014,?,00460250,?,?,004DF000,74DF3420,00000000), ref: 00405A60
lstrlenW.KERNEL32(?,?,0040A014,?,00460250,?,?,004DF000,74DF3420,00000000), ref: 00405A66
FindFirstFileW.KERNEL32(00460250,?,?,?,0040A014,?,00460250,?,?,004DF000,74DF3420,00000000), ref: 00405A76
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405B16
FindClose.KERNEL32(00000000), ref: 00405B25

Strings

\*.*, xrefs: 00405A37

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: e10abc69e4b1c2b8094a1b2b520f663248eb98d9a150b6aedb5183a323ea6903
Instruction ID: 3baa02bdf70247edfb0f680676f8bffda79515ede8bd61e7e13478a9eee65f3b
Opcode Fuzzy Hash: e10abc69e4b1c2b8094a1b2b520f663248eb98d9a150b6aedb5183a323ea6903
Instruction Fuzzy Hash: E141D430900914AACB21AB618C89ABF7778EF45369F10427FF801711D1D77CAD81DE6E

Function 6C4BC1D0 Relevance: 12.5, Strings: 9, Instructions: 1283COMMON

Download Yara Rule

Strings

TADI, xrefs: 6C4BC47B
ETLP, xrefs: 6C4BC3E7
outofmem, xrefs: 6C4BD5AA
SNRt, xrefs: 6C4BC3F2
DNEI, xrefs: 6C4BC90A
QDHI, xrefs: 6C4BC3D1
too large, xrefs: 6C4BCF49
RDHI, xrefs: 6C4BC3DC
IBgC, xrefs: 6C4BC470

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID:
String ID: DNEI$ETLP$IBgC$QDHI$RDHI$SNRt$TADI$outofmem$too large
API String ID: 0-4187103729
Opcode ID: f5cedc3f03cd087c1a2376ef7198b6b3c6264c5098ac092f200ac7e3d792e232
Instruction ID: 9d7570ee4cea5357339ac63cd6dee84cdc6a32443aaa0e8ffc4b9adb3fe1122f
Opcode Fuzzy Hash: f5cedc3f03cd087c1a2376ef7198b6b3c6264c5098ac092f200ac7e3d792e232
Instruction Fuzzy Hash: DEC26774A042258FCB25CF29C884FD9B7B1BF49305F1841E9E949A7760D734AE86CFA0

Function 6C469900 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 165filetimethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 6C469962
GetCurrentThreadId.KERNEL32 ref: 6C46997B
GetCurrentProcessId.KERNEL32 ref: 6C469984
_strlen.LIBCMT ref: 6C4699F0
WriteFile.KERNEL32(?,?,00000000,00000000,00000000), ref: 6C469A01
_strlen.LIBCMT ref: 6C469A17

Strings

%04d%02d%02d-%02d:%02d:%02d:%03d [%04d:%04d] - %s, xrefs: 6C4699CB

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Current_strlen$FileLocalProcessThreadTimeWrite
String ID: %04d%02d%02d-%02d:%02d:%02d:%03d [%04d:%04d] - %s
API String ID: 3595871743-2349067216
Opcode ID: d5880de4d1423503134e9026f94a4bc7ce41e8bd0ed06d947648f2f475d24af5
Instruction ID: 7b45dda9b06d71a3db4e1bb56e2487338b82193bb49d53dffb91fae8da922fef
Opcode Fuzzy Hash: d5880de4d1423503134e9026f94a4bc7ce41e8bd0ed06d947648f2f475d24af5
Instruction Fuzzy Hash: 7C516BB1500B409BD720DF65D880FA3BBF8BB18718F044A2DE89782F90E776B549CB91

Function 6C4B5510 Relevance: 12.4, Strings: 9, Instructions: 1158COMMON

Download Yara Rule

Strings

bad zlib header, xrefs: 6C4B558D
outofmem, xrefs: 6C4B642A
no preset dict, xrefs: 6C4B559E
bad compression, xrefs: 6C4B55B1
bad huffman code, xrefs: 6C4B641C
read past buffer, xrefs: 6C4B6468
bad dist, xrefs: 6C4B6431
zlib corrupt, xrefs: 6C4B6455
output buffer limit, xrefs: 6C4B6423

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID:
String ID: bad compression$bad dist$bad huffman code$bad zlib header$no preset dict$outofmem$output buffer limit$read past buffer$zlib corrupt
API String ID: 0-4009756662
Opcode ID: 454d12fea58cda826f9390dcaf2446b710163a31df2d3fd531ec905d7b64c9f7
Instruction ID: e5f4d71eed971f2b138538bdb87aa95c190159a74c24ec06ad5921034a17cd41
Opcode Fuzzy Hash: 454d12fea58cda826f9390dcaf2446b710163a31df2d3fd531ec905d7b64c9f7
Instruction Fuzzy Hash: B0A2C0716087128FD319CF18C490D6AF7E2FFC9314F198A6DE895A7B90D730A846CBA1

Function 6C4AEA90 Relevance: 9.5, APIs: 6, Instructions: 457fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 6C4AEB01
ReadFile.KERNEL32(?,?,?,FFFFFFFF,00000000), ref: 6C4AED23
SetFilePointer.KERNEL32(000000FF,?,00000000,00000001), ref: 6C4AEDC3
ReadFile.KERNEL32(000000FF,00000000,00000000,FFFFFFFF,00000000), ref: 6C4AEE22
SetFilePointer.KERNEL32(000000FF,?,00000000,00000001), ref: 6C4AEEED
ReadFile.KERNEL32(000000FF,?,?,FFFFFFFF,00000000), ref: 6C4AEF38

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: cce69313b4103ce0b4d12d32420763ab3a78491b2cda5fec22ec54026368b06b
Instruction ID: 24b838080dd30b6e9153ee33bd7d0bb19e12501b790eb6d25edb05375f5c5a42
Opcode Fuzzy Hash: cce69313b4103ce0b4d12d32420763ab3a78491b2cda5fec22ec54026368b06b
Instruction Fuzzy Hash: C302BE71A04301AFD704CF68C880E9ABBE1AF98318F154A2DF9A5877A5E771DC56CBC1

Function 6C4EA3F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 6C4EA46C
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000800,?,00000000), ref: 6C4EA4CB
CloseHandle.KERNEL32(00000000), ref: 6C4EA521

Part of subcall function 6C4E6660: _strlen.LIBCMT ref: 6C4E666B

Strings

\\.\PhysicalDrive%d, xrefs: 6C4EA438

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_strlen
String ID: \\.\PhysicalDrive%d
API String ID: 3267502560-2935326385
Opcode ID: 288d4bf784955aa70a8db0239a1084d2a78ae43cf81c676810e1b00c7ca15c1d
Instruction ID: 3eed2c9c204bdfc67080f348b8e478832ba13bd6dd1f46d2f0116543e704702f
Opcode Fuzzy Hash: 288d4bf784955aa70a8db0239a1084d2a78ae43cf81c676810e1b00c7ca15c1d
Instruction Fuzzy Hash: EF31C072604304ABE700CF24DC41FABBBF8AF89319F12492CF59497680E7749948CBE6

Function 6C4ABF60 Relevance: 3.6, Strings: 2, Instructions: 1068COMMON

Download Yara Rule

Strings

incomplete dynamic bit lengths tree, xrefs: 6C4AC49C
oversubscribed dynamic bit lengths tree, xrefs: 6C4AC48A

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID:
String ID: incomplete dynamic bit lengths tree$oversubscribed dynamic bit lengths tree
API String ID: 0-1860574964
Opcode ID: 5913097f9cabce113fd1a3d25dfc3d38287e19eab6ec16c37954e1f4b79a55e9
Instruction ID: 08ab355db30e6a5262fc644fc4dfc9b884bd04ea90de025489a944991b6fdd60
Opcode Fuzzy Hash: 5913097f9cabce113fd1a3d25dfc3d38287e19eab6ec16c37954e1f4b79a55e9
Instruction Fuzzy Hash: 73A23675A012189FCB44CF99C580A9DBBF1FF8D320F24826AE859AB755D731AD42CF90

Function 6C4AFAA0 Relevance: 3.4, APIs: 2, Instructions: 357timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,FFFFFFFF), ref: 6C4AFE31

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Time$DateFile
String ID:
API String ID: 1286729926-0
Opcode ID: a037ebd33ac799fffb6bd8c2475b5344fa7c0c57164eba62a41447d5cba692fc
Instruction ID: 73f7ba6ec8c63d13b0fdf573371a797559d0d440aeb45c20137c6a9520ae45a2
Opcode Fuzzy Hash: a037ebd33ac799fffb6bd8c2475b5344fa7c0c57164eba62a41447d5cba692fc
Instruction Fuzzy Hash: EBE1D5B15053019BE704CF68C8C0F9ABBE1FF99318F14862DE8998B799E771D546CB81

Function 004065FD Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(004DF000,00468298,00464250,00405CE0,00464250,00464250,00000000,00464250,00464250,004DF000,?,74DF3420,004059EC,?,004DF000,74DF3420), ref: 00406608
FindClose.KERNEL32(00000000), ref: 00406614

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f7cd178be2e6469beafc72b660366141f3ce998a63a06fca00c04ee689428cf9
Instruction ID: 086872f0bf6ffc0fec3bf9e050170664210a11ef237051a194e92f35cf11c1a2
Opcode Fuzzy Hash: f7cd178be2e6469beafc72b660366141f3ce998a63a06fca00c04ee689428cf9
Instruction Fuzzy Hash: 52D012315455205BC7001B386E0C85B7B599F553317158F37F46AF51E0DB758C62869D

Function 6C490220 Relevance: 91.6, APIs: 40, Strings: 12, Instructions: 636
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??0CDuiString@DuiLib@@QAE@PB_WH@Z.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C4902D8

Part of subcall function 6C4C02A0: ?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(?,6C43B105,00000000,?,6C43B105,?), ref: 6C4C02BB

??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C49033B
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C4903B8
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C490412
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,mask,corner,source,dest,restype,res,file,?,000000FF), ref: 6C4904A3
?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C4904EE
?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C4904F6
CharNextW.USER32(?,?,000000FF), ref: 6C490511
??YCDuiString@DuiLib@@QAEABV01@_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49057F
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C490B4C
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C490B57
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C490B62
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C490B6D

Strings

corner, xrefs: 6C490923
mask, xrefs: 6C490998
res, xrefs: 6C4906A4
fade, xrefs: 6C4909D3
true, xrefs: 6C490A22, 6C490A5C, 6C490A9D
ytiled, xrefs: 6C490A7D
file, xrefs: 6C490690, 6C49073C
hole, xrefs: 6C490A09
source, xrefs: 6C4908AE
dest, xrefs: 6C4907FD
xtiled, xrefs: 6C490A43
restype, xrefs: 6C49075A

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$Empty@Paint$Assign@CharD__@@ManagerNextV01@_Window@
String ID: corner$dest$fade$file$hole$mask$res$restype$source$true$xtiled$ytiled
API String ID: 3219588778-1809293843
Opcode ID: 5e307505eba7305a39dc03c11e749b6c8f8c2ee54bdff575a51ee852e7cfc295
Instruction ID: 678fa8fcbbe24efe7baaa49e085bed24dba986b28e1464b812b67de78b3c18d0
Opcode Fuzzy Hash: 5e307505eba7305a39dc03c11e749b6c8f8c2ee54bdff575a51ee852e7cfc295
Instruction Fuzzy Hash: C3428B71910B919FD720CF60C885FA7BBE4FF99318F404A1DE5DA86A90E7B1B548CB90

Function 6C4C1C00 Relevance: 89.6, APIs: 46, Strings: 5, Instructions: 329
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4C1C23
GetWindowLongW.USER32(00000000,000000F0), ref: 6C4C1C2B
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4C1C41
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 6C4C1C4A
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4C1C5B
GetClientRect.USER32(00000000,?), ref: 6C4C1C65
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4C1C84
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000020), ref: 6C4C1C99
?Init@CPaintManagerUI@DuiLib@@QAEXPAUHWND__@@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C4C1CA7

Part of subcall function 6C49F550: GetDC.USER32(?), ref: 6C49F55C
Part of subcall function 6C49F550: ?Add@CStdPtrArray@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN ref: 6C49F56B

?AddPreMessageFilter@CPaintManagerUI@DuiLib@@QAE_NPAVIMessageFilterUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(00000048), ref: 6C4C1CB5
??0CDialogBuilder@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,00000048), ref: 6C4C1CD5

Part of subcall function 6C49CB10: ??0CMarkup@DuiLib@@QAE@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49CB18

?GetResourcePath@CPaintManagerUI@DuiLib@@SAABVCDuiString@2@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,00000048), ref: 6C4C1CDA
?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,00000048), ref: 6C4C1CE1
?GetInstancePath@CPaintManagerUI@DuiLib@@SA?AVCDuiString@2@XZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C4C1D43

Part of subcall function 6C49F590: GetModuleFileNameW.KERNEL32(6C430000,?,00000104), ref: 6C49F608
Part of subcall function 6C49F590: ??0CDuiString@DuiLib@@QAE@PB_WH@Z.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C49F64A
Part of subcall function 6C49F590: ?ReverseFind@CDuiString@DuiLib@@QBEH_W@Z.DOWNLOADER_NSIS_PLUGIN(0000005C), ref: 6C49F65D
Part of subcall function 6C49F590: ?Left@CDuiString@DuiLib@@QBE?AV12@H@Z.DOWNLOADER_NSIS_PLUGIN(?,00000001,0000005C), ref: 6C49F671
Part of subcall function 6C49F590: ??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,00000001,0000005C), ref: 6C49F689
Part of subcall function 6C49F590: ??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,00000001,0000005C), ref: 6C49F694
Part of subcall function 6C49F590: ??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,0000005C), ref: 6C49F6A9
Part of subcall function 6C49F590: ??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,0000005C), ref: 6C49F6B0

?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,00000048), ref: 6C4C1D69
??YCDuiString@DuiLib@@QAEABV01@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,00000048), ref: 6C4C1D77

Part of subcall function 6C4C0720: ?Append@CDuiString@DuiLib@@QAEXPB_W@Z.DOWNLOADER_NSIS_PLUGIN(6C4943D8,?,?,6C4943D8,6C52E630), ref: 6C4C0730

??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,00000048), ref: 6C4C1D7E
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,00000048), ref: 6C4C1D85
?SetResourcePath@CPaintManagerUI@DuiLib@@SAXPB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,?,?,?,00000048), ref: 6C4C1D8B

Part of subcall function 6C49F820: ??4CDuiString@DuiLib@@QAEABV01@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49F82B
Part of subcall function 6C49F820: ?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49F835
Part of subcall function 6C49F820: ?GetLength@CDuiString@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49F843
Part of subcall function 6C49F820: ?GetAt@CDuiString@DuiLib@@QBE_WH@Z.DOWNLOADER_NSIS_PLUGIN(-00000001,?), ref: 6C49F84F

??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,00000048), ref: 6C4C1D95
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,00000048), ref: 6C4C1DDB
?SetResourceZip@CPaintManagerUI@DuiLib@@SAXPB_W_N@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000001,?,?,00000048), ref: 6C4C1DE3
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,00000048), ref: 6C4C1DED
?SetI18nHelper@CPaintManagerUI@DuiLib@@SAXPAVI18nHelper@@@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4C1E47
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4C1E89
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4C1EA2
?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@VSTRINGorID@2@PB_WPAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.DOWNLOADER_NSIS_PLUGIN(?,xml,?,?,00000000), ref: 6C4C1EBC
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4C1EEA
?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@VSTRINGorID@2@PB_WPAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,?,?,00000000), ref: 6C4C1F00

Part of subcall function 6C49CB40: ?GetResourceDll@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49CB57
Part of subcall function 6C49CB40: FindResourceW.KERNEL32(00000000,?,?), ref: 6C49CB61
Part of subcall function 6C49CB40: ?GetResourceDll@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49CB71
Part of subcall function 6C49CB40: LoadResource.KERNEL32(00000000,00000000), ref: 6C49CB78
Part of subcall function 6C49CB40: ?GetResourceDll@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49CB8D
Part of subcall function 6C49CB40: SizeofResource.KERNEL32(00000000,00000000), ref: 6C49CB94
Part of subcall function 6C49CB40: LockResource.KERNEL32(00000000), ref: 6C49CBA1
Part of subcall function 6C49CB40: ?LoadFromMem@CMarkup@DuiLib@@QAE_NPAEKH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,00000000), ref: 6C49CBAF
Part of subcall function 6C49CB40: FreeResource.KERNEL32(00000000,00000000,?,00000000), ref: 6C49CBB9
Part of subcall function 6C49CB40: ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@PAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,00000000), ref: 6C49CBF1

??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4C1F09
?AttachDialog@CPaintManagerUI@DuiLib@@QAE_NPAVCControlUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4C1F1C
?AddNotifier@CPaintManagerUI@DuiLib@@QAE_NPAVINotifyUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C4C1F2C
?SetBackgroundTransparent@CPaintManagerUI@DuiLib@@QAEX_N@Z.DOWNLOADER_NSIS_PLUGIN(00000001,?), ref: 6C4C1F35
?Release@CMarkup@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,?,00000048), ref: 6C4C1F53

Strings

DYRl, xrefs: 6C4C1E2B
xml, xrefs: 6C4C1EB6
ZIPRES, xrefs: 6C4C1F8C
tYRl, xrefs: 6C4C1E1E
Duilib, xrefs: 6C4C2019, 6C4C2027

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Paint$Manager$String@$Resource$Dialog$I@2@$D__@@Transparent@Window@$Builder@Control$BuilderCallback@2@Create@Dll@E__@@I@2@@Markup@Path@V01@V32@@Window$D@2@Empty@I18nLoadLongMessageString@2@V01@@$Add@Append@Array@AttachBackgroundClientD__@@@Dialog@FileFilterFilter@FindFind@FreeFromHelper@Helper@@@Init@InstanceLeft@Length@LockMem@ModuleNameNotifier@NotifyRectRelease@ReverseSizeofV12@Zip@
String ID: DYRl$Duilib$ZIPRES$tYRl$xml
API String ID: 1824748664-2491895551
Opcode ID: 76c336fb89966735b978ace901dc48a766bae0727b174f9a59b01be76f6d4da5
Instruction ID: b2f7fdd5c0a61c8f268d31d80e7430ebf14020545bf87853b0cf19985f2dbcf8
Opcode Fuzzy Hash: 76c336fb89966735b978ace901dc48a766bae0727b174f9a59b01be76f6d4da5
Instruction Fuzzy Hash: 54C1BF757007409BDB10DF74CC94FAABBAAAF88314F00092DE59B87B91EF74E8058B95

Function 6C49D6B0 Relevance: 72.3, APIs: 31, Strings: 10, Instructions: 526
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?GetChild@CMarkupNode@DuiLib@@QAE?AV12@XZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49D702
?GetSibling@CMarkupNode@DuiLib@@QAE?AV12@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C49D743
?IsValid@CMarkupNode@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49D759
?GetName@CMarkupNode@DuiLib@@QBEPB_WXZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49D768

Strings

TreeNode, xrefs: 6C49D7BB, 6C49D9C9, 6C49E3BF
TreeView, xrefs: 6C49DB52
count, xrefs: 6C49D88C
IContainer, xrefs: 6C49E408
Image, xrefs: 6C49D76F
source, xrefs: 6C49D8BB
Font, xrefs: 6C49D781
Include, xrefs: 6C49D7A5
TreeNodeUI, xrefs: 6C49DB12
Default, xrefs: 6C49D793

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@MarkupNode@$V12@$Child@Name@Sibling@Valid@
String ID: Default$Font$IContainer$Image$Include$TreeNode$TreeNodeUI$TreeView$count$source
API String ID: 2095534209-1056048478
Opcode ID: 76a489949c64ec6235ddb59acea67c7919ab4474d26ab28d37ca716146d8a0dd
Instruction ID: 0cb179087fc0ba070bee1e8bee25f5fa0a63b3841d8391519fb761f600afc665
Opcode Fuzzy Hash: 76a489949c64ec6235ddb59acea67c7919ab4474d26ab28d37ca716146d8a0dd
Instruction Fuzzy Hash: 4B127B31A002289BDF11DF64CC44FEE7BB6BF89754F150058E91AAB790DB34A906CBE4

Function 6C4A08C8 Relevance: 70.4, APIs: 39, Strings: 1, Instructions: 381
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUpdateRect.USER32 ref: 6C4A08D9
GetClientRect.USER32(?,?), ref: 6C4A0916
IsRectEmpty.USER32(?), ref: 6C4A091D
?IsUpdateNeeded@CControlUI@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C4A0932
DeleteDC.GDI32(?), ref: 6C4A0968
DeleteDC.GDI32(?), ref: 6C4A0978
DeleteObject.GDI32(?), ref: 6C4A0988
DeleteObject.GDI32(?), ref: 6C4A099B
BeginPaint.USER32(?,?), ref: 6C4A155C
EndPaint.USER32(?,?,?,?), ref: 6C4A1565
?SendNotify@CPaintManagerUI@DuiLib@@QAEXPAVCControlUI@2@PB_WIJ_N@Z.DOWNLOADER_NSIS_PLUGIN(00000000,windowinit,00000000,00000000,00000000,?,?), ref: 6C4A1850
?SetNextTabControl@CPaintManagerUI@DuiLib@@QAE_N_N@Z.DOWNLOADER_NSIS_PLUGIN(00000001), ref: 6C4A1864
GetClientRect.USER32(?,?), ref: 6C4A1886
CreateCompatibleDC.GDI32(?), ref: 6C4A1891
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C4A18AF
BeginPaint.USER32(?,?), ref: 6C4A18D5
SelectObject.GDI32(?,?), ref: 6C4A18EC
SaveDC.GDI32(?), ref: 6C4A18FD
SelectObject.GDI32(?,?), ref: 6C4A1923
SaveDC.GDI32(?), ref: 6C4A1931
RestoreDC.GDI32(?,?), ref: 6C4A1966
GetClientRect.USER32(?,?), ref: 6C4A1986
CreateCompatibleDC.GDI32(?), ref: 6C4A198F
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C4A19B5
SelectObject.GDI32(?,00000000), ref: 6C4A19C2
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 6C4A19E9
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 6C4A1A10
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C4A1A49
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?), ref: 6C4A1A55
RestoreDC.GDI32(?,?), ref: 6C4A1A96
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 6C4A1ABD
SelectObject.GDI32(?,?), ref: 6C4A1ACC
SelectObject.GDI32(?), ref: 6C4A1AE7
GetStockObject.GDI32(00000005), ref: 6C4A1AED
SelectObject.GDI32(?,00000000), ref: 6C4A1AF7
Rectangle.GDI32 ref: 6C4A1B0D
SelectObject.GDI32(?,00000000), ref: 6C4A1B17
EndPaint.USER32(?,?,?,?), ref: 6C4A1B21
InvalidateRect.USER32(00000000,00000000,00000000,?,?), ref: 6C4A1B3E

Strings

windowinit, xrefs: 6C4A1848

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Object$PaintSelect$Rect$Lib@@$CompatibleCreateDelete$ClientManager$BeginBitmapControlRestoreSaveUpdate$Array@Control@EmptyI@2@InvalidateNeeded@NextNotify@RectangleSendStockTransparent@
String ID: windowinit
API String ID: 3756034615-3894911279
Opcode ID: 9397284b9e46f2b055636660dde26a8e04209daf59ddb2517f53c247b937daed
Instruction ID: 5f8c30044202bbe2435de332af5f9089adad2c3c98b07f081b2a572573be2aa7
Opcode Fuzzy Hash: 9397284b9e46f2b055636660dde26a8e04209daf59ddb2517f53c247b937daed
Instruction Fuzzy Hash: D2F13475600740DFDB21CF68C888E66BBF6FF99300F154A6CE89A87A65DB31E841CB54

Function 6C442680 Relevance: 56.7, APIs: 12, Strings: 20, Instructions: 667
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 6C4426AF

Part of subcall function 6C45EA50: _strlen.LIBCMT ref: 6C45EA7B

lstrcpyW.KERNEL32(?,?), ref: 6C44270B
GlobalFree.KERNEL32 ref: 6C44271C
lstrcpyW.KERNEL32(?,?), ref: 6C442751
GlobalFree.KERNEL32 ref: 6C442762
lstrcpyW.KERNEL32(?,?), ref: 6C4427A0
GlobalFree.KERNEL32 ref: 6C4427B1
GetTickCount.KERNEL32 ref: 6C442D8F
lstrcpyW.KERNEL32(?,00000004), ref: 6C442DEB
GlobalFree.KERNEL32(00000000), ref: 6C442DFC
lstrcpyW.KERNEL32(?,?), ref: 6C442E31
GlobalFree.KERNEL32(?), ref: 6C442E42

Part of subcall function 6C4E6660: _strlen.LIBCMT ref: 6C4E666B

Strings

finish_download, xrefs: 6C442E9F
start_download, xrefs: 6C442E7C
action, xrefs: 6C442EE4
time, xrefs: 6C4428D5, 6C442F7C
progress_rate, xrefs: 6C442FF2
continue_download, xrefs: 6C442E8A
status, xrefs: 6C442831
success, xrefs: 6C4427EF
cancel, xrefs: 6C4427E8, 6C4427FC, 6C442E83
cancel_download, xrefs: 6C442E91
show, xrefs: 6C442E70
fail, xrefs: 6C4427E1
switch_banner, xrefs: 6C442EA6, 6C442EAF
installer_popup_action, xrefs: 6C443170
installer_install_status, xrefs: 6C442CF8
error_code, xrefs: 6C44295A
close, xrefs: 6C442E98
shell event reporter is null!, xrefs: 6C4426C1, 6C442DA1
fail_reason, xrefs: 6C442A1B
0A, xrefs: 6C4426F7, 6C442713, 6C44273D, 6C442759, 6C442785, 6C4427A8, 6C442DD7, 6C442DF3, 6C442E1D, 6C442E39

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: FreeGloballstrcpy$CountTick_strlen
String ID: 0A$action$cancel$cancel_download$close$continue_download$error_code$fail$fail_reason$finish_download$installer_install_status$installer_popup_action$progress_rate$shell event reporter is null!$show$start_download$status$success$switch_banner$time
API String ID: 3718385277-1462346901
Opcode ID: 250333942dda4311f4ac1cef1c7cab2716fa4f36d6038ab0586892e4d7724288
Instruction ID: 4bfa49524b931b84e9ed42eeebce36d50c1115c7a0390aa4c7e0d6754a2a63ee
Opcode Fuzzy Hash: 250333942dda4311f4ac1cef1c7cab2716fa4f36d6038ab0586892e4d7724288
Instruction Fuzzy Hash: E5528CB15083809AE760CF60C898FDBBBE4BF85308F54891CE5C897791DB799549CBE2

Function 6C49DDE0 Relevance: 56.3, APIs: 20, Strings: 12, Instructions: 300
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??0CProgressUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E0DD
??0CRichEditUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E1D2
??0COptionUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E23B
??0CComboBoxUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E2A3
??0CDateTimeUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E2C3
??0CTreeViewUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E2E3

Part of subcall function 6C48A120: ??0CUIAnimation@DuiLib@@QAE@PAVCControlUI@1@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C48A17C
Part of subcall function 6C48A120: ??0CContainerUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48A18A

?GetPlugins@CPaintManagerUI@DuiLib@@SAPAVCStdPtrArray@2@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E30C
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E323
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E32F
?HasChildren@CMarkupNode@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E38E
?_Parse@CDialogBuilder@DuiLib@@AAEPAVCControlUI@2@PAVCMarkupNode@2@PAV32@PAVCPaintManagerUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,FFFFFFFF), ref: 6C49E3A0
?GetDefaultAttributeList@CPaintManagerUI@DuiLib@@QBEPB_WPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E46D
?ApplyAttributeList@CControlUI@DuiLib@@QAEPAV12@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E47A
?HasAttributes@CMarkupNode@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E481
?GetAttributeCount@CMarkupNode@DuiLib@@QAEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E48C

Strings

TreeNode, xrefs: 6C49D7BB, 6C49E3BF
TreeView, xrefs: 6C49DE51
DateTime, xrefs: 6C49DE3B
RichEdit, xrefs: 6C49DDF9
CheckBox, xrefs: 6C49DE0F
ComboBox, xrefs: 6C49DE25
Progress, xrefs: 6C49DDE0
Image, xrefs: 6C49D76F
Font, xrefs: 6C49D781
TTBanner, xrefs: 6C49DE67
Include, xrefs: 6C49D7A5
Default, xrefs: 6C49D793

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$ManagerMarkupPaint$AttributeControlNode@$List@$Animation@ApplyArray@Array@2@Attributes@Builder@Children@ComboContainerCount@DateDefaultDialogEditI@1@@I@2@I@2@@Node@2@OptionParse@Plugins@ProgressRichTimeTransparent@TreeV12@V32@View
String ID: CheckBox$ComboBox$DateTime$Default$Font$Image$Include$Progress$RichEdit$TTBanner$TreeNode$TreeView
API String ID: 851718095-3985758060
Opcode ID: b44476ec5de405b90452a4dab2df4e7b906f0e0b03b8b8686c012c36b1d7afb1
Instruction ID: b7154737c271a12c6eb138c7616843c5c72aba0189a4f8afa00958fa065deb3d
Opcode Fuzzy Hash: b44476ec5de405b90452a4dab2df4e7b906f0e0b03b8b8686c012c36b1d7afb1
Instruction Fuzzy Hash: F8A18F71E012289BDF01DBA48C44FEE7BB1BF88309F140568D915B7B81EB74A905CBE6

Function 6C4A5B50 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 278
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?GetResourcePath@CPaintManagerUI@DuiLib@@SAABVCDuiString@2@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A5C07
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A5C10
?GetResourceZip@CPaintManagerUI@DuiLib@@SAABVCDuiString@2@XZ.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A5C1F
?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A5C26
??YCDuiString@DuiLib@@QAEABV01@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000), ref: 6C4A5C39
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(?,00000000), ref: 6C4A5C41
?DUI__Trace@DuiLib@@YAXPB_WZZ.DOWNLOADER_NSIS_PLUGIN(00000000,?,00000000), ref: 6C4A5C47
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A5C52
CreateFileW.KERNEL32 ref: 6C4A5C7B
GetFileSize.KERNEL32(00000000,00000000), ref: 6C4A5C8F
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 6C4A5CD9
CloseHandle.KERNEL32(?), ref: 6C4A5CE0
?LoadFromMem@CMarkup@DuiLib@@QAE_NPAEKH@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C4A5CFD
?GetResourceZip@CPaintManagerUI@DuiLib@@SAABVCDuiString@2@XZ.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A5D13
??YCDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A5D1C

Part of subcall function 6C4C0700: ?Append@CDuiString@DuiLib@@QAEXPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,6C48DE37,00000000,00000000), ref: 6C4C070B

?IsCachedResourceZip@CPaintManagerUI@DuiLib@@SA_NXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A5D21
?GetResourceZipHandle@CPaintManagerUI@DuiLib@@SAPAXXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A5D2A
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A5D34
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A5E56
?IsCachedResourceZip@CPaintManagerUI@DuiLib@@SA_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A5EA5
?LoadFromMem@CMarkup@DuiLib@@QAE_NPAEKH@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C4A5ECA
?IsCachedResourceZip@CPaintManagerUI@DuiLib@@SA_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A5EF4
?_Failed@CMarkup@DuiLib@@AAE_NPB_W0@Z.DOWNLOADER_NSIS_PLUGIN(Could not unzip file,00000000), ref: 6C4A5F13

Strings

File is empty, xrefs: 6C4A5DE2
Could not find ziped file, xrefs: 6C4A5D8E
Could not unzip file, xrefs: 6C4A5F0E
Error opening zip file, xrefs: 6C4A5DB2
File too large, xrefs: 6C4A5DD6
Error opening file, xrefs: 6C4A5DA0
Could not read file, xrefs: 6C4A5E2D

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Paint$Manager$Resource$String@$Zip@$CachedD__@@FileMarkup@String@2@Window@$FromLoadMem@V01@V01@@$Append@CloseCreateEmpty@Failed@HandleHandle@Path@ReadSizeTrace@
String ID: Could not find ziped file$Could not read file$Could not unzip file$Error opening file$Error opening zip file$File is empty$File too large
API String ID: 1050601425-2950584456
Opcode ID: 6163d19a02e4a20144fd9a40fd4c3bae692b81442b53bcdfb59edc5daf11f394
Instruction ID: 544fa8f92f6cf35b38aa4c001f1ce2b09c9cdb8f88756abf010623f2b1b4c8b0
Opcode Fuzzy Hash: 6163d19a02e4a20144fd9a40fd4c3bae692b81442b53bcdfb59edc5daf11f394
Instruction Fuzzy Hash: 91A180B1A00B019BE720CFA4D944F97B7A4BF54718F104A2DE5A696F80EB74F509CBD1

Function 6C49DC1B Relevance: 49.3, APIs: 18, Strings: 10, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??0CContainerUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E051
??0CTabLayoutUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E1AF
??0CScrollBarUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E218
??0CImageShowUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E270

Part of subcall function 6C48B1C0: ??0CControlUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,6C48A78E), ref: 6C48B1C6

?GetPlugins@CPaintManagerUI@DuiLib@@SAPAVCStdPtrArray@2@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E30C
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E323
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E32F
?HasChildren@CMarkupNode@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E38E
?_Parse@CDialogBuilder@DuiLib@@AAEPAVCControlUI@2@PAVCMarkupNode@2@PAV32@PAVCPaintManagerUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,FFFFFFFF), ref: 6C49E3A0
?GetDefaultAttributeList@CPaintManagerUI@DuiLib@@QBEPB_WPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E46D
?ApplyAttributeList@CControlUI@DuiLib@@QAEPAV12@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E47A
?HasAttributes@CMarkupNode@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E481
?GetAttributeCount@CMarkupNode@DuiLib@@QAEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E48C

Strings

TreeNode, xrefs: 6C49D7BB, 6C49E3BF
Container, xrefs: 6C49DC1B
Indicator, xrefs: 6C49DC76
Image, xrefs: 6C49D76F
TabLayout, xrefs: 6C49DC34
ScrollBar, xrefs: 6C49DC4A
Font, xrefs: 6C49D781
Include, xrefs: 6C49D7A5
ImageShow, xrefs: 6C49DC60
Default, xrefs: 6C49D793

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$ManagerMarkupPaint$AttributeControlNode@$List@$ApplyArray@Array@2@Attributes@Builder@Children@ContainerCount@DefaultDialogI@2@I@2@@ImageLayoutNode@2@Parse@Plugins@ScrollShowTransparent@V12@V32@
String ID: Container$Default$Font$Image$ImageShow$Include$Indicator$ScrollBar$TabLayout$TreeNode
API String ID: 4134825127-3827695368
Opcode ID: 87eeed1a525b5f7da8d3e562f7eb6aee091deec76b033fa8e14c54e5c41a0e6d
Instruction ID: ca799458ec261070575a88348153842f0e72a57fd2e4e0541a37b257846ffbde
Opcode Fuzzy Hash: 87eeed1a525b5f7da8d3e562f7eb6aee091deec76b033fa8e14c54e5c41a0e6d
Instruction Fuzzy Hash: D0918D71E012289BDF11DFA48C84FEE7BB1BF88359F140568D915B7B80EB34A905CAE5

Function 00403D58 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D94
ShowWindow.USER32(?), ref: 00403DB1
DestroyWindow.USER32 ref: 00403DC5
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DE1
GetDlgItem.USER32(?,?), ref: 00403E02
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E16
IsWindowEnabled.USER32(00000000), ref: 00403E1D
GetDlgItem.USER32(?,00000001), ref: 00403ECB
GetDlgItem.USER32(?,00000002), ref: 00403ED5
SetClassLongW.USER32(?,000000F2,?), ref: 00403EEF
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F40
GetDlgItem.USER32(?,00000003), ref: 00403FE6
ShowWindow.USER32(00000000,?), ref: 00404007
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404019
EnableWindow.USER32(?,?), ref: 00404034
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040404A
EnableMenuItem.USER32(00000000), ref: 00404051
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404069
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040407C
lstrlenW.KERNEL32(00450248,?,00450248,00000000), ref: 004040A6
SetWindowTextW.USER32(?,00450248), ref: 004040BA
ShowWindow.USER32(?,0000000A), ref: 004041EE

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: afd4c106bacae43a95d471af004fac34445ddb18e8f9fdea67f27b9010e33e6b
Instruction ID: ebd8885eb79f40fe398f9982bcc50e4b60f6275a3dc5f5776bcae5bce4ead0d0
Opcode Fuzzy Hash: afd4c106bacae43a95d471af004fac34445ddb18e8f9fdea67f27b9010e33e6b
Instruction Fuzzy Hash: AFC1D5B1500304ABDB206F61EE88E2B3A78FB95346F00053EF645B51F1CB799891DB6E

Function 6C49DEA0 Relevance: 44.0, APIs: 17, Strings: 8, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??0CWebBrowserUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49DEFE

Part of subcall function 6C46DCD0: ??0CActiveXUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46DD01
Part of subcall function 6C46DCD0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46DD65
Part of subcall function 6C46DCD0: ?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46DD96

??0CListHeaderUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E100
??0CTileLayoutUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E1F5
?GetPlugins@CPaintManagerUI@DuiLib@@SAPAVCStdPtrArray@2@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E30C
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E323
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E32F
?HasChildren@CMarkupNode@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E38E
?_Parse@CDialogBuilder@DuiLib@@AAEPAVCControlUI@2@PAVCMarkupNode@2@PAV32@PAVCPaintManagerUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,FFFFFFFF), ref: 6C49E3A0
?GetDefaultAttributeList@CPaintManagerUI@DuiLib@@QBEPB_WPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E46D
?ApplyAttributeList@CControlUI@DuiLib@@QAEPAV12@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E47A
?HasAttributes@CMarkupNode@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E481
?GetAttributeCount@CMarkupNode@DuiLib@@QAEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E48C

Strings

TreeNode, xrefs: 6C49D7BB, 6C49E3BF
Image, xrefs: 6C49D76F
ListHeader, xrefs: 6C49DEA0
TileLayout, xrefs: 6C49DEB9
WebBrowser, xrefs: 6C49DECF
Font, xrefs: 6C49D781
Include, xrefs: 6C49D7A5
Default, xrefs: 6C49D793

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$ManagerMarkupPaint$AttributeNode@$ControlList@String@$ActiveApplyArray@Array@2@Attributes@BrowserBuilder@Children@Count@DefaultDialogEmpty@HeaderI@2@I@2@@LayoutListNode@2@Parse@Plugins@TileTransparent@V12@V32@
String ID: Default$Font$Image$Include$ListHeader$TileLayout$TreeNode$WebBrowser
API String ID: 3316862072-1371069878
Opcode ID: 2e23d41841e47715553d21f18faf386fc1228aa240597ce54efec9d7eaf16578
Instruction ID: a35e0c0e1a2c562c4a9a4c2737a7f729516b6c346d030afbc1bb3cfce0de0c88
Opcode Fuzzy Hash: 2e23d41841e47715553d21f18faf386fc1228aa240597ce54efec9d7eaf16578
Instruction Fuzzy Hash: 32819F71A012289BDF01DFA58C44FEE7BB5BF88319F140468E915B7B90EB34A905CBE5

Function 6C49DBB3 Relevance: 44.0, APIs: 17, Strings: 8, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??0CSliderUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49DC11

Part of subcall function 6C4896C0: ??0CProgressUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4896F1
Part of subcall function 6C4896C0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C489723
Part of subcall function 6C4896C0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48973B
Part of subcall function 6C4896C0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C489753
Part of subcall function 6C4896C0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C489768

??0CButtonUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E02E
??0COptionUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E18C
?GetPlugins@CPaintManagerUI@DuiLib@@SAPAVCStdPtrArray@2@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E30C
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E323
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E32F
?HasChildren@CMarkupNode@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E38E
?_Parse@CDialogBuilder@DuiLib@@AAEPAVCControlUI@2@PAVCMarkupNode@2@PAV32@PAVCPaintManagerUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,FFFFFFFF), ref: 6C49E3A0
?GetDefaultAttributeList@CPaintManagerUI@DuiLib@@QBEPB_WPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E46D
?ApplyAttributeList@CControlUI@DuiLib@@QAEPAV12@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E47A
?HasAttributes@CMarkupNode@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E481
?GetAttributeCount@CMarkupNode@DuiLib@@QAEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E48C

Strings

TreeNode, xrefs: 6C49D7BB, 6C49E3BF
Button, xrefs: 6C49DBB3
Image, xrefs: 6C49D76F
Slider, xrefs: 6C49DBE2
Option, xrefs: 6C49DBCC
Font, xrefs: 6C49D781
Include, xrefs: 6C49D7A5
Default, xrefs: 6C49D793

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$ManagerMarkupPaintString@$AttributeNode@$ControlList@$ApplyArray@Array@2@Attributes@Builder@ButtonChildren@Count@DefaultDialogI@2@I@2@@Node@2@OptionParse@Plugins@ProgressSliderTransparent@V12@V32@
String ID: Button$Default$Font$Image$Include$Option$Slider$TreeNode
API String ID: 3736025159-957397793
Opcode ID: ed50a7234e2a5be6e1b3489337dae4876b4bb8262449fc08be13ce921f0aea5c
Instruction ID: 12043323803aab82be77c634e31198909f842015e5e75b2ea1edc6858dfc34f6
Opcode Fuzzy Hash: ed50a7234e2a5be6e1b3489337dae4876b4bb8262449fc08be13ce921f0aea5c
Instruction Fuzzy Hash: 66819D71A012289BDF01DFA58C44FEE7BB1BF88259F140458E915B7B90EB34A905CBE5

Function 6C49D7F3 Relevance: 44.0, APIs: 17, Strings: 8, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??0CTextUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49D851

Part of subcall function 6C46A300: ??0CLabelUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46A331
Part of subcall function 6C46A300: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46A35C
Part of subcall function 6C46A300: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46A36D
Part of subcall function 6C46A300: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46A37E
Part of subcall function 6C46A300: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46A38F
Part of subcall function 6C46A300: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46A3A0
Part of subcall function 6C46A300: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46A3B1
Part of subcall function 6C46A300: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46A3C2
Part of subcall function 6C46A300: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46A3D3

??0CEditUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E00B
??0CListUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E169
?GetPlugins@CPaintManagerUI@DuiLib@@SAPAVCStdPtrArray@2@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E30C
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E323
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E32F
?HasChildren@CMarkupNode@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E38E
?_Parse@CDialogBuilder@DuiLib@@AAEPAVCControlUI@2@PAVCMarkupNode@2@PAV32@PAVCPaintManagerUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,FFFFFFFF), ref: 6C49E3A0
?GetDefaultAttributeList@CPaintManagerUI@DuiLib@@QBEPB_WPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E46D
?ApplyAttributeList@CControlUI@DuiLib@@QAEPAV12@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E47A
?HasAttributes@CMarkupNode@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E481
?GetAttributeCount@CMarkupNode@DuiLib@@QAEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E48C

Strings

TreeNode, xrefs: 6C49D7BB, 6C49E3BF
Edit, xrefs: 6C49D7F3
Image, xrefs: 6C49D76F
List, xrefs: 6C49D80C
Font, xrefs: 6C49D781
Include, xrefs: 6C49D7A5
Default, xrefs: 6C49D793
Text, xrefs: 6C49D822

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$ManagerMarkupPaint$AttributeNode@$ControlList@$ApplyArray@Array@2@Attributes@Builder@Children@Count@DefaultDialogEditI@2@I@2@@LabelListNode@2@Parse@Plugins@TextTransparent@V12@V32@
String ID: Default$Edit$Font$Image$Include$List$Text$TreeNode
API String ID: 396727720-2569519243
Opcode ID: 027e08036a023708e378e7c77347a25623cba6a4410249c36a12c320eb24d9d1
Instruction ID: 2b882f1fdd73d97b41002fd569209396a88841b65fdaa02275c6c4edeae3d38d
Opcode Fuzzy Hash: 027e08036a023708e378e7c77347a25623cba6a4410249c36a12c320eb24d9d1
Instruction Fuzzy Hash: B1819D71E012289BDF01DFA58C84FEE7BB5BF88319F140458E915B7B90EB34A905CAE5

Function 6C49ED30 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 199libraryCOMMON

Download Yara Rule

APIs

??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49EDD6
??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C49EDF2
??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C49EE0E
??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000), ref: 6C49EE2A
??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000,00000000), ref: 6C49EE46
??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C49EE62
??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C49EE7E
??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C49EE9A
??0CStdStringPtrMap@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000053,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C49EEB6
??0CStdStringPtrMap@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000053,00000053,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C49EED2
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(00000053,00000053,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C49EEF6
??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000053,00000053,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C49EF12
??0CStdStringPtrMap@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000053,00000000,00000053,00000053,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C49EF2E
??0CStdStringPtrMap@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000053,00000053,00000000,00000053,00000053,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C49EF4A
??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000053,00000053,00000000,00000053,00000053,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C49EF66
GetStockObject.GDI32(00000011), ref: 6C49EFA8
GetObjectW.GDI32(00000000,0000005C,?), ref: 6C49EFB5
?GetLength@CDuiString@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49EFCE
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49EFDC
CreateFontIndirectW.GDI32(?), ref: 6C49EFF4
??4CDuiString@DuiLib@@QAEABV01@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49F009
CreatePen.GDI32(00000000,00000001,000000DC), ref: 6C49F070
#17.COMCTL32 ref: 6C49F07B
LoadLibraryW.KERNEL32(msimg32.dll), ref: 6C49F086

Strings

msimg32.dll, xrefs: 6C49F081

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Array@$Map@String$String@$CreateObjectPaint$D__@@FontIndirectLength@LibraryLoadManagerStockV01@Window@
String ID: msimg32.dll
API String ID: 225290254-3287713914
Opcode ID: 50e59c8ff16957b869412dc7c2b7612d2065339f861db896110d97377e44d012
Instruction ID: ac0aea742204fc0caa70e7a70154fc16540f37eb7e14846973899301b568320b
Opcode Fuzzy Hash: 50e59c8ff16957b869412dc7c2b7612d2065339f861db896110d97377e44d012
Instruction Fuzzy Hash: E6A14A74904B419FE364CF24C499BE2BBF0FF14308F108A1DD99A5B691EBB57189CB91

Function 6C49DCAF Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 220COMMON

Download Yara Rule

APIs

??0CListLabelElementUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49DCF7

Part of subcall function 6C47FFF0: ??0CControlUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47FFF6

??0CHorizontalLayoutUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E074
?GetPlugins@CPaintManagerUI@DuiLib@@SAPAVCStdPtrArray@2@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E30C
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E323
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E32F
?HasChildren@CMarkupNode@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E38E
?_Parse@CDialogBuilder@DuiLib@@AAEPAVCControlUI@2@PAVCMarkupNode@2@PAV32@PAVCPaintManagerUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,FFFFFFFF), ref: 6C49E3A0
?GetDefaultAttributeList@CPaintManagerUI@DuiLib@@QBEPB_WPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E46D
?ApplyAttributeList@CControlUI@DuiLib@@QAEPAV12@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E47A
?HasAttributes@CMarkupNode@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E481
?GetAttributeCount@CMarkupNode@DuiLib@@QAEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E48C

Strings

TreeNode, xrefs: 6C49D7BB, 6C49E3BF
HorizontalLayout, xrefs: 6C49DCAF
Image, xrefs: 6C49D76F
, xrefs: 6C49E068
Font, xrefs: 6C49D781
Include, xrefs: 6C49D7A5
Default, xrefs: 6C49D793
ListLabelElement, xrefs: 6C49DCC8

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$ManagerMarkupPaint$AttributeControlNode@$List@$ApplyArray@Array@2@Attributes@Builder@Children@Count@DefaultDialogElementHorizontalI@2@I@2@@LabelLayoutListNode@2@Parse@Plugins@Transparent@V12@V32@
String ID: $Default$Font$HorizontalLayout$Image$Include$ListLabelElement$TreeNode
API String ID: 3696820255-2307597140
Opcode ID: 0f94f3b96e283769419ad5ddab65249d77720bc367bc5efd44ef74fcf74d04d1
Instruction ID: 93ce99175f022a3c15862555111962cc8c91198d09fa24e58beb1b9c99f43608
Opcode Fuzzy Hash: 0f94f3b96e283769419ad5ddab65249d77720bc367bc5efd44ef74fcf74d04d1
Instruction Fuzzy Hash: FB719E71A012289BDF01DFA58C84FEE7BB1BF88319F150458D915B7790EB34A906CBE5

Function 6C49DD3C Relevance: 40.5, APIs: 16, Strings: 7, Instructions: 220COMMON

Download Yara Rule

APIs

??0CLabelUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49DD84

Part of subcall function 6C479AE0: ??0CControlUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C479B11
Part of subcall function 6C479AE0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C479BA3
Part of subcall function 6C479AE0: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 6C479BE0

??0CComboUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E097
?GetPlugins@CPaintManagerUI@DuiLib@@SAPAVCStdPtrArray@2@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E30C
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E323
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E32F
?HasChildren@CMarkupNode@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E38E
?_Parse@CDialogBuilder@DuiLib@@AAEPAVCControlUI@2@PAVCMarkupNode@2@PAV32@PAVCPaintManagerUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,FFFFFFFF), ref: 6C49E3A0
?GetDefaultAttributeList@CPaintManagerUI@DuiLib@@QBEPB_WPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E46D
?ApplyAttributeList@CControlUI@DuiLib@@QAEPAV12@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E47A
?HasAttributes@CMarkupNode@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E481
?GetAttributeCount@CMarkupNode@DuiLib@@QAEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E48C

Strings

TreeNode, xrefs: 6C49D7BB, 6C49E3BF
Image, xrefs: 6C49D76F
Combo, xrefs: 6C49DD3C
Font, xrefs: 6C49D781
Label, xrefs: 6C49DD55
Include, xrefs: 6C49D7A5
Default, xrefs: 6C49D793

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$ManagerMarkupPaint$AttributeControlNode@$List@$ApplyArray@Array@2@Attributes@Builder@Children@ComboCount@DefaultDialogGdiplusI@2@I@2@@LabelNode@2@Parse@Plugins@StartupString@Transparent@V12@V32@
String ID: Combo$Default$Font$Image$Include$Label$TreeNode
API String ID: 3372772780-3423422957
Opcode ID: 08d5a4bba9daa2dae7376c84f8c4df4d23981e47ecf72536369df729700814f9
Instruction ID: b7a702d4a017c455469dcec53f96ae6f9ebea7bd8eb5772414728cec5015d6ff
Opcode Fuzzy Hash: 08d5a4bba9daa2dae7376c84f8c4df4d23981e47ecf72536369df729700814f9
Instruction Fuzzy Hash: DE71BE71A002289BDF11DFA48C84FEE7BB1BF88259F140458D915B7B90EB34A906CBE5

Function 6C49DD8E Relevance: 40.5, APIs: 16, Strings: 7, Instructions: 220COMMON

Download Yara Rule

APIs

??0CActiveXUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49DDD6

Part of subcall function 6C471660: ??0CControlUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C471691
Part of subcall function 6C471660: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4716B6
Part of subcall function 6C471660: CoInitialize.OLE32(00000000), ref: 6C4716E7

??0CControlUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E0BA
?GetPlugins@CPaintManagerUI@DuiLib@@SAPAVCStdPtrArray@2@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E30C
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E323
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E32F
?HasChildren@CMarkupNode@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E38E
?_Parse@CDialogBuilder@DuiLib@@AAEPAVCControlUI@2@PAVCMarkupNode@2@PAV32@PAVCPaintManagerUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,FFFFFFFF), ref: 6C49E3A0
?GetDefaultAttributeList@CPaintManagerUI@DuiLib@@QBEPB_WPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E46D
?ApplyAttributeList@CControlUI@DuiLib@@QAEPAV12@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E47A
?HasAttributes@CMarkupNode@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E481
?GetAttributeCount@CMarkupNode@DuiLib@@QAEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E48C

Strings

TreeNode, xrefs: 6C49D7BB, 6C49E3BF
Control, xrefs: 6C49DD8E
Image, xrefs: 6C49D76F
ActiveX, xrefs: 6C49DDA7
Font, xrefs: 6C49D781
Include, xrefs: 6C49D7A5
Default, xrefs: 6C49D793

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$ControlManagerMarkupPaint$AttributeNode@$List@$ActiveApplyArray@Array@2@Attributes@Builder@Children@Count@DefaultDialogI@2@I@2@@InitializeNode@2@Parse@Plugins@String@Transparent@V12@V32@
String ID: ActiveX$Control$Default$Font$Image$Include$TreeNode
API String ID: 3641923509-3578377750
Opcode ID: 38432413fc9cddb8e765fd62a3f11072b6fdfca1763d6dce620efb8932149b83
Instruction ID: 16d4ea1c4fe8989282c64e6237329f2430046952a3adbb430b81d77263c38163
Opcode Fuzzy Hash: 38432413fc9cddb8e765fd62a3f11072b6fdfca1763d6dce620efb8932149b83
Instruction Fuzzy Hash: E071AF71A002289BDF01DFA48C84FEE7BB5BF88359F150458E915B7790EB34A906CBE5

Function 6C49DF5A Relevance: 40.5, APIs: 16, Strings: 7, Instructions: 220COMMON

Download Yara Rule

APIs

??0CListHeaderItemUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49DFA2

Part of subcall function 6C47EA90: ??0CControlUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47EAC1
Part of subcall function 6C47EA90: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47EB05
Part of subcall function 6C47EA90: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47EB1D
Part of subcall function 6C47EA90: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47EB35
Part of subcall function 6C47EA90: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47EB4D
Part of subcall function 6C47EA90: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47EB65
Part of subcall function 6C47EA90: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47EB7D
Part of subcall function 6C47EA90: ??0CDuiRect@DuiLib@@QAE@HHHH@Z.DOWNLOADER_NSIS_PLUGIN ref: 6C47EB97
Part of subcall function 6C47EA90: ?Invalidate@CControlUI@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47EBAD

??0CVerticalLayoutUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E146
?GetPlugins@CPaintManagerUI@DuiLib@@SAPAVCStdPtrArray@2@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E30C
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E323
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E32F
?HasChildren@CMarkupNode@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E38E
?_Parse@CDialogBuilder@DuiLib@@AAEPAVCControlUI@2@PAVCMarkupNode@2@PAV32@PAVCPaintManagerUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,FFFFFFFF), ref: 6C49E3A0
?GetDefaultAttributeList@CPaintManagerUI@DuiLib@@QBEPB_WPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E46D
?ApplyAttributeList@CControlUI@DuiLib@@QAEPAV12@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E47A
?HasAttributes@CMarkupNode@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E481
?GetAttributeCount@CMarkupNode@DuiLib@@QAEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E48C

Strings

TreeNode, xrefs: 6C49D7BB, 6C49E3BF
ListHeaderItem, xrefs: 6C49DF73
VerticalLayout, xrefs: 6C49DF5A
Image, xrefs: 6C49D76F
Font, xrefs: 6C49D781
Include, xrefs: 6C49D7A5
Default, xrefs: 6C49D793

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$ControlManagerMarkupPaint$AttributeNode@$List@$ApplyArray@Array@2@Attributes@Builder@Children@Count@DefaultDialogHeaderI@2@I@2@@Invalidate@ItemLayoutListNode@2@Parse@Plugins@Rect@Transparent@V12@V32@Vertical
String ID: Default$Font$Image$Include$ListHeaderItem$TreeNode$VerticalLayout
API String ID: 4023968430-3814321878
Opcode ID: ae3726a606102ae0dbd8dbd756f9c9cb64678ce4f4943f970c6a5b978517e4fd
Instruction ID: e52f050ecff30248fa84988a8c38904b23c323be95ed96858158fc62a0119f76
Opcode Fuzzy Hash: ae3726a606102ae0dbd8dbd756f9c9cb64678ce4f4943f970c6a5b978517e4fd
Instruction Fuzzy Hash: 2F71AE71A002289BDF11DFA48C84FEE7BB1BF88259F140458D915B7B90EB34A906CAE5

Function 004039AA Relevance: 40.5, APIs: 14, Strings: 9, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1

GetUserDefaultUILanguage.KERNEL32(00000002,004DF000,74DF3420,004CB000,00000000), ref: 004039C4

Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E

lstrcatW.KERNEL32(004DB000,00450248,80000001,Control Panel\Desktop\ResourceLocale,00000000,00450248,00000000,00000002,004DF000,74DF3420,004CB000,00000000), ref: 00403A2B
lstrlenW.KERNEL32(SetLabelText,?,?,?,SetLabelText,00000000,004CF000,004DB000,00450248,80000001,Control Panel\Desktop\ResourceLocale,00000000,00450248,00000000,00000002,004DF000), ref: 00403AAB
lstrcmpiW.KERNEL32(?,.exe,SetLabelText,?,?,?,SetLabelText,00000000,004CF000,004DB000,00450248,80000001,Control Panel\Desktop\ResourceLocale,00000000,00450248,00000000), ref: 00403ABE
GetFileAttributesW.KERNEL32(SetLabelText), ref: 00403AC9
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004CF000), ref: 00403B12
RegisterClassW.USER32(00472E80), ref: 00403B4F
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B67
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B9C
ShowWindow.USER32(00000005,00000000), ref: 00403BD2
GetClassInfoW.USER32(00000000,RichEdit20W,00472E80), ref: 00403BFE
GetClassInfoW.USER32(00000000,RichEdit,00472E80), ref: 00403C0B
RegisterClassW.USER32(00472E80), ref: 00403C14
DialogBoxParamW.USER32(?,00000000,00403D58,00000000), ref: 00403C33

Strings

.exe, xrefs: 00403AB8
RichEdit, xrefs: 00403C05
Control Panel\Desktop\ResourceLocale, xrefs: 004039DE
SetLabelText, xrefs: 00403A72, 00403A7B, 00403A89, 00403AD8, 00403ADE
RichEd20, xrefs: 00403BD8
RichEdit20W, xrefs: 00403BF6, 00403BFC
_Nb, xrefs: 00403B2E, 00403B96
RichEd32, xrefs: 00403BE6
.DEFAULT\Control Panel\International, xrefs: 00403A16

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$SetLabelText$_Nb
API String ID: 606308-176322153
Opcode ID: 05e6a470d583deb61dfa28461213b8f9cfea2f8eeef7c7e4ea0015548a542d3d
Instruction ID: e946f9b6b947081a315c1f95bc525aa973ad4f651662e5f5477bf26fdb3bf1de
Opcode Fuzzy Hash: 05e6a470d583deb61dfa28461213b8f9cfea2f8eeef7c7e4ea0015548a542d3d
Instruction Fuzzy Hash: B361C8302407007ED720AF669E45E2B3A6CEB8474AF40417FF985B51E2DBBD5951CB2E

Function 6C49DF08 Relevance: 38.7, APIs: 15, Strings: 7, Instructions: 220COMMON

Download Yara Rule

APIs

??0CChildLayoutUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49E123
?GetPlugins@CPaintManagerUI@DuiLib@@SAPAVCStdPtrArray@2@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E30C
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E323
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E32F
?HasChildren@CMarkupNode@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E38E
?_Parse@CDialogBuilder@DuiLib@@AAEPAVCControlUI@2@PAVCMarkupNode@2@PAV32@PAVCPaintManagerUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,FFFFFFFF), ref: 6C49E3A0
?GetDefaultAttributeList@CPaintManagerUI@DuiLib@@QBEPB_WPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E46D
?ApplyAttributeList@CControlUI@DuiLib@@QAEPAV12@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E47A
?HasAttributes@CMarkupNode@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E481
?GetAttributeCount@CMarkupNode@DuiLib@@QAEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E48C

Part of subcall function 6C48BC40: ??0CControlUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,6C48A53D), ref: 6C48BC46

Strings

TreeNode, xrefs: 6C49D7BB, 6C49E3BF
Image, xrefs: 6C49D76F
VideoPlayer, xrefs: 6C49DF21
ChildLayout, xrefs: 6C49DF08
Font, xrefs: 6C49D781
Include, xrefs: 6C49D7A5
Default, xrefs: 6C49D793

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$ManagerMarkupPaint$AttributeControlNode@$List@$ApplyArray@Array@2@Attributes@Builder@ChildChildren@Count@DefaultDialogI@2@I@2@@LayoutNode@2@Parse@Plugins@Transparent@V12@V32@
String ID: ChildLayout$Default$Font$Image$Include$TreeNode$VideoPlayer
API String ID: 1178506243-3490518815
Opcode ID: 60669d21b046b18accc99f7c7fd271cc27b4e32ef90333f5b8d1ca0b65bd961b
Instruction ID: 8a76c8653f6cb3fb6c690592a894f1d5eb2f51114c8487256b4a8fe5a200ee43
Opcode Fuzzy Hash: 60669d21b046b18accc99f7c7fd271cc27b4e32ef90333f5b8d1ca0b65bd961b
Instruction Fuzzy Hash: DD719E71A012289BDF01DFA48C84FEE7B75BF88319F150458D916B7790EB34A906CBE5

Function 6C49DD01 Relevance: 38.7, APIs: 15, Strings: 7, Instructions: 205COMMON

Download Yara Rule

APIs

?GetSibling@CMarkupNode@DuiLib@@QAE?AV12@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C49D743
?IsValid@CMarkupNode@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49D759
?GetName@CMarkupNode@DuiLib@@QBEPB_WXZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49D768
??0CListContainerElementUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49DD32

Part of subcall function 6C4811A0: ??0CContainerUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,6C46AB96), ref: 6C4811A6

?GetPlugins@CPaintManagerUI@DuiLib@@SAPAVCStdPtrArray@2@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E30C
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E323
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E32F
?HasChildren@CMarkupNode@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E38E
?_Parse@CDialogBuilder@DuiLib@@AAEPAVCControlUI@2@PAVCMarkupNode@2@PAV32@PAVCPaintManagerUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,FFFFFFFF), ref: 6C49E3A0
?GetDefaultAttributeList@CPaintManagerUI@DuiLib@@QBEPB_WPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E46D
?ApplyAttributeList@CControlUI@DuiLib@@QAEPAV12@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E47A
?HasAttributes@CMarkupNode@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E481
?GetAttributeCount@CMarkupNode@DuiLib@@QAEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E48C
?GetAttributeValueInternal@CMarkupNode@DuiLib@@QAEPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E4A3
?GetAttributeName@CMarkupNode@DuiLib@@QAEPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E4AE

Strings

TreeNode, xrefs: 6C49D7BB, 6C49E3BF
ListContainerElement, xrefs: 6C49DD01
", xrefs: 6C49DD26
Image, xrefs: 6C49D76F
Font, xrefs: 6C49D781
Include, xrefs: 6C49D7A5
Default, xrefs: 6C49D793

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Markup$Node@$Attribute$ManagerPaint$ContainerControlList@Name@V12@$ApplyArray@Array@2@Attributes@Builder@Children@Count@DefaultDialogElementI@2@I@2@@Internal@ListNode@2@Parse@Plugins@Sibling@Transparent@V32@Valid@Value
String ID: "$Default$Font$Image$Include$ListContainerElement$TreeNode
API String ID: 132488542-544236666
Opcode ID: 42ccb365c67bb54dbb8d5b3cfceabbdeb9a316c7a625fcb15238b452029a3bd9
Instruction ID: 1b91943da22ad8f09b2b5f1d4bc62e02fe3ed25b5eaeeb2e910d8a1345f0cbda
Opcode Fuzzy Hash: 42ccb365c67bb54dbb8d5b3cfceabbdeb9a316c7a625fcb15238b452029a3bd9
Instruction Fuzzy Hash: 1161BD71A002289BDF11DFA58C84FEE7B71BF88359F140058E916B7790EB34A906CBE5

Function 6C49DFAC Relevance: 37.0, APIs: 15, Strings: 6, Instructions: 205COMMON

Download Yara Rule

APIs

?GetSibling@CMarkupNode@DuiLib@@QAE?AV12@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C49D743
?IsValid@CMarkupNode@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49D759
?GetName@CMarkupNode@DuiLib@@QBEPB_WXZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49D768
??0CListTextElementUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49DFDD

Part of subcall function 6C480540: ??0CControlUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C480571
Part of subcall function 6C480540: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4805CB
Part of subcall function 6C480540: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4805DF
Part of subcall function 6C480540: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4805F3
Part of subcall function 6C480540: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C480607
Part of subcall function 6C480540: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48061B
Part of subcall function 6C480540: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48062F
Part of subcall function 6C480540: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C480643
Part of subcall function 6C480540: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C480657
Part of subcall function 6C480540: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C480682

?GetPlugins@CPaintManagerUI@DuiLib@@SAPAVCStdPtrArray@2@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E30C
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E323
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E32F
?HasChildren@CMarkupNode@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E38E
?_Parse@CDialogBuilder@DuiLib@@AAEPAVCControlUI@2@PAVCMarkupNode@2@PAV32@PAVCPaintManagerUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,FFFFFFFF), ref: 6C49E3A0
?GetDefaultAttributeList@CPaintManagerUI@DuiLib@@QBEPB_WPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E46D
?ApplyAttributeList@CControlUI@DuiLib@@QAEPAV12@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E47A
?HasAttributes@CMarkupNode@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E481
?GetAttributeCount@CMarkupNode@DuiLib@@QAEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E48C
?GetAttributeValueInternal@CMarkupNode@DuiLib@@QAEPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E4A3
?GetAttributeName@CMarkupNode@DuiLib@@QAEPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C49E4AE

Strings

TreeNode, xrefs: 6C49D7BB, 6C49E3BF
ListTextElement, xrefs: 6C49DFAC
Image, xrefs: 6C49D76F
Font, xrefs: 6C49D781
Include, xrefs: 6C49D7A5
Default, xrefs: 6C49D793

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Markup$Node@String@$Attribute$ManagerPaint$Control$Array@List@Name@V12@$ApplyArray@2@Attributes@Builder@Children@Count@DefaultDialogElementI@2@I@2@@Internal@ListNode@2@Parse@Plugins@Sibling@TextTransparent@V32@Valid@Value
String ID: Default$Font$Image$Include$ListTextElement$TreeNode
API String ID: 3487554208-3416847562
Opcode ID: 224880a836baeb14b1fd207a8a7c58c09217836470cf4713434f53438753a969
Instruction ID: 66507a7e02963b23e9358445204a1cf9ab4652227c358cc463e84c231831cbcf
Opcode Fuzzy Hash: 224880a836baeb14b1fd207a8a7c58c09217836470cf4713434f53438753a969
Instruction Fuzzy Hash: F061AE71A012289BDF01DF658C84FEE7B71BF88319F140458E916B7B90EB34A906CBE5

Function 6C473EC0 Relevance: 36.2, APIs: 24, Instructions: 153COMMON

Download Yara Rule

APIs

?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C473F4A
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C473F55
?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C473F60
?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C473F6F
?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C473F7E
?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C473F93
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C473F9E
?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C473FA9
?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C473FB8
?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C473FC3
?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C473FDD
?GetAdjustColor@CControlUI@DuiLib@@QAEKK@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C473FF3
?DrawColor@CRenderEngine@DuiLib@@SAXPAUHDC__@@ABUtagRECT@@K@Z.DOWNLOADER_NSIS_PLUGIN(?,?,00000000,?), ref: 6C474001
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474010
?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C47401B
?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C474026
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474035
?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C474040
?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C47404B
?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C474058
?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474069
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474074
?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C47407F
?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C47408A

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Empty@String@$Paint$C__@@ControlDraw$D__@@Image@ManagerWindow@$Color@$AdjustEngine@RenderUtag
String ID:
API String ID: 3270577755-0
Opcode ID: fd94330dd3ea83a7736c405eaa3a1c8e2c38b9449445212e1f3344ffc02ad32f
Instruction ID: 6280a469f9bb16417b44a21402cee35278a40598986e0554ea7dceae0fafb5db
Opcode Fuzzy Hash: fd94330dd3ea83a7736c405eaa3a1c8e2c38b9449445212e1f3344ffc02ad32f
Instruction Fuzzy Hash: 6341C6743007505BD928DA204854FFF67AB9FC139DF04090CD99B6BBD1CF6A680B9AE6

Function 6C497880 Relevance: 31.9, APIs: 21, Instructions: 425COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,?), ref: 6C4978E7
?GenerateClip@CRenderClip@DuiLib@@SAXPAUHDC__@@UtagRECT@@AAV12@@Z.DOWNLOADER_NSIS_PLUGIN ref: 6C497928

Part of subcall function 6C48D5C0: GetClipBox.GDI32(?), ref: 6C48D5F0
Part of subcall function 6C48D5C0: CreateRectRgnIndirect.GDI32 ref: 6C48D5FD
Part of subcall function 6C48D5C0: CreateRectRgnIndirect.GDI32(?), ref: 6C48D607
Part of subcall function 6C48D5C0: ExtSelectClipRgn.GDI32(?,00000000,00000001), ref: 6C48D612

?DoPaint@CControlUI@DuiLib@@UAEXPAUHDC__@@ABUtagRECT@@@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C497939

Part of subcall function 6C49C020: IntersectRect.USER32(?,~dHl,?), ref: 6C49C06A

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C49794A
IntersectRect.USER32(?,?,?), ref: 6C497A66
?GenerateClip@CRenderClip@DuiLib@@SAXPAUHDC__@@UtagRECT@@AAV12@@Z.DOWNLOADER_NSIS_PLUGIN ref: 6C497AA7
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C497AC6
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C497ADC
IntersectRect.USER32(?,?,00000000), ref: 6C497B45
IntersectRect.USER32(?,?,00000000), ref: 6C497CFD
IntersectRect.USER32(?,?,00000000), ref: 6C497DB1
??1CRenderClip@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C497DF5
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C497E26
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C497E3C

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Rect$Intersect$Clip@$C__@@ManagerPaintRenderTransparent@Utag$Array@ClipCreateGenerateIndirectV12@@$ControlPaint@SelectT@@@
String ID:
API String ID: 1967232068-0
Opcode ID: b8bd5073e714f23ae28fb09e1f4845260b42b9d2ef2a81b8bdb13ad49f633dac
Instruction ID: 41118de7c152520ff4a9ff57dc698e72fc02c31c5e9847ad2a80a061a55daf23
Opcode Fuzzy Hash: b8bd5073e714f23ae28fb09e1f4845260b42b9d2ef2a81b8bdb13ad49f633dac
Instruction Fuzzy Hash: 90121C74200B008FDB60DF34C894FAABBB5BF89324F154A1DE9AA47791DB35E849CB50

Function 6C442D60 Relevance: 31.8, APIs: 5, Strings: 13, Instructions: 254stringCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6C442D8F

Part of subcall function 6C4E6660: _strlen.LIBCMT ref: 6C4E666B

Part of subcall function 6C45EA50: _strlen.LIBCMT ref: 6C45EA7B

lstrcpyW.KERNEL32(?,00000004), ref: 6C442DEB
GlobalFree.KERNEL32(00000000), ref: 6C442DFC
lstrcpyW.KERNEL32(?,?), ref: 6C442E31
GlobalFree.KERNEL32(?), ref: 6C442E42

Strings

finish_download, xrefs: 6C442E9F
start_download, xrefs: 6C442E7C
action, xrefs: 6C442EE4
time, xrefs: 6C4428D5, 6C442F7C
progress_rate, xrefs: 6C442FF2
continue_download, xrefs: 6C442E8A
status, xrefs: 6C442831
success, xrefs: 6C4427EF
cancel, xrefs: 6C4427E8, 6C4427FC, 6C442E83
cancel_download, xrefs: 6C442E91
show, xrefs: 6C442E70
fail, xrefs: 6C4427E1
switch_banner, xrefs: 6C442EA6, 6C442EAF
installer_popup_action, xrefs: 6C443170
installer_install_status, xrefs: 6C442CF8
error_code, xrefs: 6C44295A
close, xrefs: 6C442E98
shell event reporter is null!, xrefs: 6C4426C1, 6C442DA1
fail_reason, xrefs: 6C442A1B
0A, xrefs: 6C4426F7, 6C442713, 6C44273D, 6C442759, 6C442785, 6C4427A8, 6C442DD7, 6C442DF3, 6C442E1D, 6C442E39

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: FreeGlobal_strlenlstrcpy$CountTick
String ID: 0A$action$cancel$cancel_download$close$continue_download$error_code$fail$fail_reason$finish_download$installer_install_status$installer_popup_action$progress_rate$shell event reporter is null!$show$start_download$status$success$switch_banner$time
API String ID: 976536840-1462346901
Opcode ID: 95dc5eb3309fb6ae63f3f12c6c4c8c0fa0dbb8c9745499bebadef076c04d0dc3
Instruction ID: 6959eef7d0029dadffa335bc416d89293afdb14d6ea46a5d4f1c383736491dfa
Opcode Fuzzy Hash: 95dc5eb3309fb6ae63f3f12c6c4c8c0fa0dbb8c9745499bebadef076c04d0dc3
Instruction Fuzzy Hash: FFB19FB15083809AE760CF60C884FDBBBE4BF85308F64891CF5D997681DB799549CBE2

Function 6C43B3A0 Relevance: 31.7, APIs: 10, Strings: 8, Instructions: 166stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?), ref: 6C43B408
GlobalFree.KERNEL32(?), ref: 6C43B419
lstrcpyW.KERNEL32(?,?), ref: 6C43B44E
GlobalFree.KERNEL32 ref: 6C43B45F
?SetInstance@CPaintManagerUI@DuiLib@@SAXPAUHINSTANCE__@@@Z.DOWNLOADER_NSIS_PLUGIN ref: 6C43B4B9
GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 6C43B4DF
?Initialize@CWndShadow@@SA_NPAUHINSTANCE__@@@Z.DOWNLOADER_NSIS_PLUGIN ref: 6C43B530
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C43B54F
GlobalAlloc.KERNEL32(00000040,00001FF8), ref: 6C43B58F
lstrcpynW.KERNEL32(-00000004,?), ref: 6C43B5A2

Strings

succeed to initialize dpi helper, xrefs: 6C43B46F
fail to set dpi aware, xrefs: 6C43B49B, 6C43B4A5
fail to initialize dpi helper, xrefs: 6C43B474, 6C43B47E
%sskin, xrefs: 6C43B51C
\, xrefs: 6C43B500
succeed to set dpi aware, xrefs: 6C43B496
0A, xrefs: 6C43B3DD, 6C43B410, 6C43B43A, 6C43B456, 6C43B57B, 6C43B5A8
%ld, xrefs: 6C43B56D

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Global$E__@@@FreeLib@@ManagerPaintlstrcpy$AllocFileInitialize@Instance@ModuleNameShadow@@Transparent@lstrcpyn
String ID: %ld$%sskin$0A$\$fail to initialize dpi helper$fail to set dpi aware$succeed to initialize dpi helper$succeed to set dpi aware
API String ID: 3903624331-3975196561
Opcode ID: 6c46a61677adfdf38b2fb0061dae4fca45ad399e2c396b97d42633348c578bab
Instruction ID: 64023d6426beea590e86626b8f3cc791107f09a8c798866fef4b6ccaec39310a
Opcode Fuzzy Hash: 6c46a61677adfdf38b2fb0061dae4fca45ad399e2c396b97d42633348c578bab
Instruction Fuzzy Hash: E951D8B5A01614ABEB00DF20DC41FAA3BF8EB8A71DF510029F905A7740EB759905CBE9

Function 6C489FA0 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

?PaintStatusImage@CProgressUI@DuiLib@@UAEXPAUHDC__@@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C489FBC

Part of subcall function 6C4826A0: ?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C482758
Part of subcall function 6C4826A0: ?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48276C
Part of subcall function 6C4826A0: ?SmallFormat@CDuiString@DuiLib@@QAAHPB_WZZ.DOWNLOADER_NSIS_PLUGIN(?,dest='%d,%d,%d,%d',00000000,00000000,?,?), ref: 6C482789
Part of subcall function 6C4826A0: ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4827B3
Part of subcall function 6C4826A0: ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4827BF
Part of subcall function 6C4826A0: ?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C4827CB
Part of subcall function 6C4826A0: ?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C4827D6

?GetThumbRect@CSliderUI@DuiLib@@QBE?AUtagRECT@@XZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C489FD2

Part of subcall function 6C4898D0: ??0CDuiRect@DuiLib@@QAE@HHHH@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C4899C1

?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48A034
?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48A045
?SmallFormat@CDuiString@DuiLib@@QAAHPB_WZZ.DOWNLOADER_NSIS_PLUGIN(?,dest='%d,%d,%d,%d',?,?,?), ref: 6C48A05F
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48A069
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48A072
?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C48A07E
?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C48A089
?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48A096
?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48A0A7
?SmallFormat@CDuiString@DuiLib@@QAAHPB_WZZ.DOWNLOADER_NSIS_PLUGIN(?,dest='%d,%d,%d,%d',?,?,?), ref: 6C48A0C1
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48A0CB
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48A0D4
?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C48A0E0
?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C48A0EB

Strings

dest='%d,%d,%d,%d', xrefs: 6C48A059, 6C48A0BB

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Paint$String@$Empty@$D__@@ManagerWindow@$Image@$C__@@ControlDrawFormat@Small$Rect@$C__@@@ProgressSliderStatusThumbUtag
String ID: dest='%d,%d,%d,%d'
API String ID: 1852725656-1318252795
Opcode ID: 65ed5c20e4db07e993d92164712da9437f18b6bbf917fda627334b2c75164286
Instruction ID: 81ad450571fa9e456bf05df2b8ccc21efe998ae6daf79856d089ef72cf74b9fc
Opcode Fuzzy Hash: 65ed5c20e4db07e993d92164712da9437f18b6bbf917fda627334b2c75164286
Instruction Fuzzy Hash: 594162757093409FCB04DF24C840DAFBBE6AFC9248F40891CF89A53761DB75984A9BD6

Function 6C440640 Relevance: 25.7, APIs: 16, Strings: 1, Instructions: 232stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?), ref: 6C4406B2
GlobalFree.KERNEL32(?), ref: 6C4406C3
lstrcpyW.KERNEL32(?,?), ref: 6C4406F9
GlobalFree.KERNEL32(?), ref: 6C44070A
lstrcpyW.KERNEL32(?,?), ref: 6C440740
GlobalFree.KERNEL32(?), ref: 6C440751
lstrcpyW.KERNEL32(?,?), ref: 6C440787
GlobalFree.KERNEL32(?), ref: 6C440798
lstrcpyW.KERNEL32(?,?), ref: 6C4407CE
GlobalFree.KERNELBASE(?), ref: 6C4407DF
lstrcpyW.KERNEL32(?,?), ref: 6C440815
GlobalFree.KERNEL32(?), ref: 6C440826
lstrcpyW.KERNEL32(?,?), ref: 6C44085C
GlobalFree.KERNEL32(?), ref: 6C44086D
lstrcpyW.KERNEL32(?,?), ref: 6C4408A3
GlobalFree.KERNEL32(?), ref: 6C4408B4

Strings

shell_downloader.dll, xrefs: 6C440191
4266339975, xrefs: 6C440320, 6C44032C
HfRl, xrefs: 6C44021E
capcutpc_0, xrefs: 6C43FEA9, 6C43FEB5
DestoryShellDownloader, xrefs: 6C4401B4
RUl, xrefs: 6C4403DE
DestoryShellEventReporter, xrefs: 6C4401E6
DUl, xrefs: 6C43FE97
CreateShellDownloader, xrefs: 6C4401A8
en_CH, xrefs: 6C440002
CreateShellEventReporter, xrefs: 6C4401D4
app shell %s, xrefs: 6C44032D
0A, xrefs: 6C43F705, 6C43F739, 6C43F837, 6C43F853, 6C43F93F, 6C43F95B, 6C43F993, 6C43F9AF, 6C43FA9F, 6C43FABB, 6C43FBA7, 6C43FBC3, 6C43FCAF, 6C43FCCB, 6C43FDB7, 6C43FDD3, 6C440674, 6C4406BA, 6C4406E5, 6C440701, 6C44072C, 6C440748, 6C440773, 6C44078F, 6C4407BA, 6C4407D6, 6C440801, 6C44081D, 6C440848, 6C440864, 6C44088F, 6C4408AB

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: FreeGloballstrcpy
String ID: en_CH$0A$4266339975$CreateShellDownloader$CreateShellEventReporter$DestoryShellDownloader$DestoryShellEventReporter$DUl$HfRl$RUl$app shell %s$capcutpc_0$shell_downloader.dll
API String ID: 1709915452-2432307991
Opcode ID: 44d09785771d1d9a7b01abeec87eead90db3087d653970d1cbfbce244291c95c
Instruction ID: 91351666d9a714e9a97b9b7ae6744350e67ba3a128f6df36bde7b7d45926ab7c
Opcode Fuzzy Hash: 44d09785771d1d9a7b01abeec87eead90db3087d653970d1cbfbce244291c95c
Instruction Fuzzy Hash: E28124B5B026049FFB00DF60DCC4F7A3BB8EB5A605B514029FA059B741EB74E815CBA9

Function 6C4AA2A0 Relevance: 22.7, APIs: 15, Instructions: 184COMMON

Download Yara Rule

APIs

?GetSize@CStdValArray@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4AA2C5
??ACStdValArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4AA2D4
DestroyWindow.USER32(?), ref: 6C4AA2FB
?GetSize@CStdValArray@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4AA325
??ACStdValArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4AA338
GetWindowRect.USER32(?), ref: 6C4AA35F
?Update@CWndShadow@@IAEXPAUHWND__@@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C4AA41B
?Remove@CStdValArray@DuiLib@@QAE_NH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4AA42B
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000015), ref: 6C4AA485
ShowWindow.USER32(?,00000000), ref: 6C4AA492

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Array@Lib@@$Window$Size@$D__@@@DestroyRectRemove@Shadow@@ShowUpdate@
String ID:
API String ID: 1380781167-0
Opcode ID: 6362dd1d64fe6bed5e44558072b79a67a49f297a15f27cb8af35c6c37547dd49
Instruction ID: 975be90fa264f2f4ddb06066b4d4c085fff337038abefe71f39f2d19a7699998
Opcode Fuzzy Hash: 6362dd1d64fe6bed5e44558072b79a67a49f297a15f27cb8af35c6c37547dd49
Instruction Fuzzy Hash: DF5126702047409FD721CE64CC49F6B7BE1AFA2315F448A1DF49A46E99C774E846CFA1

Function 00402EDD Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 182COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402EEE
GetModuleFileNameW.KERNEL32(00000000,004E7000,00002000,?,00000006,00000008,0000000A), ref: 00402F0A

Part of subcall function 00405DB0: GetFileAttributesW.KERNEL32(004E7000,00402F1D,004E7000,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
Part of subcall function 00405DB0: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6

GetFileSize.KERNEL32(00000000,00000000,004EB000,00000000,004D7000,004D7000,004E7000,004E7000,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56

Strings

Null, xrefs: 00402FD4
Inst, xrefs: 00402FC2
Error launching installer, xrefs: 00402F2D
@K#, xrefs: 00402F5E
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5
soft, xrefs: 00402FCB

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: @K#$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-2215315552
Opcode ID: 6fdf7a3c576b274adc95fc68e3ac1b8cc101307f87f608dfe476064d1f7918cb
Instruction ID: d807cc789e5c0b6659aec278a7977cb1897ccc82e3fedab9e592eb30a9b28e48
Opcode Fuzzy Hash: 6fdf7a3c576b274adc95fc68e3ac1b8cc101307f87f608dfe476064d1f7918cb
Instruction Fuzzy Hash: 23511671901205ABDB20AF61DD85B9F7FACEB0431AF20403BF914B62D5C7789E818B9D

Function 004062DC Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(SetLabelText,00002000), ref: 0040641D
GetWindowsDirectoryW.KERNEL32(SetLabelText,00002000,00000000,00448228,?,00405359,00448228,00000000), ref: 00406430
SHGetSpecialFolderLocation.SHELL32(00405359,0042CC00,00000000,00448228,?,00405359,00448228,00000000), ref: 0040646C
SHGetPathFromIDListW.SHELL32(0042CC00,SetLabelText), ref: 0040647A
CoTaskMemFree.OLE32(0042CC00), ref: 00406485
lstrcatW.KERNEL32(SetLabelText,\Microsoft\Internet Explorer\Quick Launch), ref: 004064AB
lstrlenW.KERNEL32(SetLabelText,00000000,00448228,?,00405359,00448228,00000000), ref: 00406503

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004063ED
SetLabelText, xrefs: 00406306, 004063E1, 004063E8, 004063EC, 00406406, 00406407, 0040641C, 0040642F, 0040644B, 00406476, 004064AA, 004064B0, 004064CC, 004064DF, 004064FC, 00406502, 0040650E, 00406541
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004064A5

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: SetLabelText$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-4249702658
Opcode ID: 9e3e50e9f75562b351fb2eb57ce77b0171fba213623dd7f5b12e74fcce54a4f1
Instruction ID: deb4280fb9253f119c0dee44fead77f8699473dbe43bed35a1e393a154a8df3c
Opcode Fuzzy Hash: 9e3e50e9f75562b351fb2eb57ce77b0171fba213623dd7f5b12e74fcce54a4f1
Instruction Fuzzy Hash: 87612371A00115AADF209F64DC44BAE37A5EF45318F22803FE907B62D0D77D9AA1C75E

Function 6C4826A0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C482758
?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48276C
?SmallFormat@CDuiString@DuiLib@@QAAHPB_WZZ.DOWNLOADER_NSIS_PLUGIN(?,dest='%d,%d,%d,%d',00000000,00000000,?,?), ref: 6C482789
?SmallFormat@CDuiString@DuiLib@@QAAHPB_WZZ.DOWNLOADER_NSIS_PLUGIN(?,dest='%d,%d,%d,%d' source='%d,%d,%d,%d',00000000,00000000,?,?,00000000,00000000,?,?), ref: 6C4827A9
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4827B3
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4827BF
?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C4827CB
?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C4827D6

Strings

dest='%d,%d,%d,%d', xrefs: 6C482783
dest='%d,%d,%d,%d' source='%d,%d,%d,%d', xrefs: 6C4827A3

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$Paint$Empty@$D__@@Format@ManagerSmallWindow@$C__@@ControlDrawImage@
String ID: dest='%d,%d,%d,%d'$dest='%d,%d,%d,%d' source='%d,%d,%d,%d'
API String ID: 1471891817-1766977312
Opcode ID: 3180bb87b03109bea9f6179b52132169d8000b2cf39fdf21c8bf5801c49b7ba2
Instruction ID: 57d2d67b4aa06fe60eb610e0b4d7efd5e95f8454163232edbaf33717a6b8f42c
Opcode Fuzzy Hash: 3180bb87b03109bea9f6179b52132169d8000b2cf39fdf21c8bf5801c49b7ba2
Instruction Fuzzy Hash: 2531D571B01B049FCB24CE798D88FEBBBA6AFC4309F14092DE45A97751DB7078448B91

Function 6C748E40 Relevance: 16.5, APIs: 13, Instructions: 241COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,6C748BDE,?,?,?,6C7215D6,?,?,?,?,?,?,?), ref: 6C748E4D

Memory Dump Source

Source File: 00000006.00000002.4155419249.000000006C711000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C710000, based on PE: true

Associated: 00000006.00000002.4155355851.000000006C710000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156102127.000000006C93C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156596890.000000006C953000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c710000_CapCut_installer.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: bb7b2290c52769740bc8ed5813b79206a534c04ec02c6ef7cb7ca9aa89a8ae97
Instruction ID: 7690f7eef07ee2b1742b296af9fbb59a5572b03516d85595adc26fd65d21ba98
Opcode Fuzzy Hash: bb7b2290c52769740bc8ed5813b79206a534c04ec02c6ef7cb7ca9aa89a8ae97
Instruction Fuzzy Hash: 9851E731748119ABEF144E69DE48B9B376DEB82795F10C035FA08DBA90DB35CC01C794

Function 6C7B6100 Relevance: 15.1, APIs: 10, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6C7B6139
GetCurrentThread.KERNEL32 ref: 6C7B613D
GetCurrentProcess.KERNEL32 ref: 6C7B6145
DuplicateHandle.KERNELBASE(00000000,00000000,00000000,FFFFFFFF,00000000,00000000,00000002), ref: 6C7B6154
GetLastError.KERNEL32 ref: 6C7B6168
SetLastError.KERNEL32(00000000), ref: 6C7B6194
GetCurrentThreadId.KERNEL32 ref: 6C7B61A1
GetCurrentThreadId.KERNEL32 ref: 6C7B61FE
GetCurrentThread.KERNEL32 ref: 6C7B620D
GetThreadPriority.KERNEL32(00000000), ref: 6C7B6214

Memory Dump Source

Source File: 00000006.00000002.4155419249.000000006C711000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C710000, based on PE: true

Associated: 00000006.00000002.4155355851.000000006C710000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156102127.000000006C93C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156596890.000000006C953000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c710000_CapCut_installer.jbxd

Similarity

API ID: Current$Thread$ErrorLastProcess$DuplicateHandlePriority
String ID:
API String ID: 1544239892-0
Opcode ID: c7390db480fe0d9dace90064afb9125654c24e6cbfcfa361f0d48ea76790f071
Instruction ID: 7561b00058c80e31092a00eb157a69fe3d456399436af73f33772b93df39ebf1
Opcode Fuzzy Hash: c7390db480fe0d9dace90064afb9125654c24e6cbfcfa361f0d48ea76790f071
Instruction Fuzzy Hash: 58410971B056089BDB249F74CE48AAE7BB5EF86758F200934EA09E7741DB30EE05C791

Function 6C48B470 Relevance: 15.1, APIs: 10, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB,?), ref: 6C48B4AA
GetWindowLongW.USER32(?,000000EB), ref: 6C48B4CC
DefWindowProcW.USER32(?,?,?,?), ref: 6C48B4EC
PostQuitMessage.USER32(00000000), ref: 6C48B4FB
GetWindowLongW.USER32(?,000000EB), ref: 6C48B509
InvalidateRect.USER32(?,00000000,00000000), ref: 6C48B547
GetUpdateRect.USER32(?,?,00000000), ref: 6C48B55C
GetWindowLongW.USER32(?,000000EB), ref: 6C48B569
BeginPaint.USER32(?,00000000,?,00000000,?,?,00000000), ref: 6C48B58E
EndPaint.USER32(?,00000000,?,00000000,?,?,00000000), ref: 6C48B5A5

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Window$Long$PaintRect$BeginInvalidateMessagePostProcQuitUpdate
String ID:
API String ID: 4249600834-0
Opcode ID: 9d45a71aaa89327c358d82b140212e3349b112625bd93b15f928c175d7797b8f
Instruction ID: 9dd741079a3c48c676b93962dbcb98f6ce7d749b7c3d0d676bce43184ebd1cf7
Opcode Fuzzy Hash: 9d45a71aaa89327c358d82b140212e3349b112625bd93b15f928c175d7797b8f
Instruction Fuzzy Hash: EF31C4B060A344AFEB10DF24CC55FAB7BB8EFC6369F511A18F512926D0D730D5858B91

Function 6C4A74E0 Relevance: 14.1, APIs: 9, Instructions: 566COMMON

Download Yara Rule

APIs

?SetPos@CControlUI@DuiLib@@UAEXUtagRECT@@@Z.DOWNLOADER_NSIS_PLUGIN ref: 6C4A7509

Part of subcall function 6C4999E0: ??0CDuiRect@DuiLib@@QAE@ABUtagRECT@@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C499A43
Part of subcall function 6C4999E0: IsRectEmpty.USER32(?), ref: 6C499A49
Part of subcall function 6C4999E0: ??0CDuiRect@DuiLib@@QAE@ABUtagRECT@@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C499A5C
Part of subcall function 6C4999E0: ??BCEventSource@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C499A96
Part of subcall function 6C4999E0: ??RCEventSource@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C499AA2

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A75F0
?GetTextColor@CListHeaderItemUI@DuiLib@@QBEKXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A7633
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A76BA
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A76CE
?GetScrollPos@CScrollBarUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A7853

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$T@@@Utag$EventManagerPaintPos@Rect@ScrollSource@Transparent@$Array@Color@ControlEmptyHeaderItemListRectText
String ID:
API String ID: 3895252646-0
Opcode ID: 90615e1062367c63b0bb0702f281208ef5120737b6bee61c9c3d7cdaa6a3f430
Instruction ID: c0c757fc928f8cdd1705312c52a0229eea6c3320b6db805cfec421c9904f13ef
Opcode Fuzzy Hash: 90615e1062367c63b0bb0702f281208ef5120737b6bee61c9c3d7cdaa6a3f430
Instruction Fuzzy Hash: 5B3249356087118FCB04DF68C894A2EB7F1BFC9724F06096DE99697365DB34AC06CB86

Function 6C749130 Relevance: 13.6, APIs: 9, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00000000,00000001,6C748F3C,?,?,?,?,?,?,?,6C8332DB,00000024,?,6C7C1BDC), ref: 6C749183
GetLastError.KERNEL32(?,6C8332DB,00000024,?,6C7C1BDC,?,?), ref: 6C74919B
TryAcquireSRWLockExclusive.KERNEL32(6C94AB58,?,6C8332DB,00000024,?,6C7C1BDC,?,?), ref: 6C7491BF
VirtualFree.KERNEL32(?,00000000,00008000,?,6C8332DB,00000024,?,6C7C1BDC,?,?), ref: 6C7491EA
ReleaseSRWLockExclusive.KERNEL32(6C94AB58,?,6C8332DB,00000024,?,6C7C1BDC,?,?), ref: 6C749218
VirtualAlloc.KERNEL32(?,?,00000000,00000001,?,6C8332DB,00000024,?,6C7C1BDC,?,?), ref: 6C749258
GetLastError.KERNEL32(?,6C8332DB,00000024,?,6C7C1BDC,?,?), ref: 6C749268
VirtualAlloc.KERNEL32(00000000,?,00001000,?,?,6C8332DB,00000024,?,6C7C1BDC,?,?), ref: 6C749300
VirtualFree.KERNEL32(00000040,?,00004000,?,6C8332DB,00000024,?,6C7C1BDC,?,?), ref: 6C749315

Memory Dump Source

Source File: 00000006.00000002.4155419249.000000006C711000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C710000, based on PE: true

Associated: 00000006.00000002.4155355851.000000006C710000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156102127.000000006C93C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156596890.000000006C953000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c710000_CapCut_installer.jbxd

Similarity

API ID: Virtual$Alloc$ErrorExclusiveFreeLastLock$AcquireRelease
String ID:
API String ID: 3229969321-0
Opcode ID: 48b0d293be8d4dee90c46abcb9e002091a12e59a3a3964397106d96041dde3e1
Instruction ID: 37518c681159b84cb5bbfb08cfbda11e1ce370701fc93a834e6aa09f21c5c776
Opcode Fuzzy Hash: 48b0d293be8d4dee90c46abcb9e002091a12e59a3a3964397106d96041dde3e1
Instruction Fuzzy Hash: AF41A271B48215DBEB145EA88E4C75B777EF7827A8F25C035E608E7A84DB74DC008791

Function 6C4A8800 Relevance: 12.6, APIs: 8, Instructions: 554COMMON

Download Yara Rule

APIs

?SetPos@CControlUI@DuiLib@@UAEXUtagRECT@@@Z.DOWNLOADER_NSIS_PLUGIN ref: 6C4A8829

Part of subcall function 6C4999E0: ??0CDuiRect@DuiLib@@QAE@ABUtagRECT@@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C499A43
Part of subcall function 6C4999E0: IsRectEmpty.USER32(?), ref: 6C499A49
Part of subcall function 6C4999E0: ??0CDuiRect@DuiLib@@QAE@ABUtagRECT@@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C499A5C
Part of subcall function 6C4999E0: ??BCEventSource@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C499A96
Part of subcall function 6C4999E0: ??RCEventSource@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C499AA2

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A8870
?GetTextColor@CListHeaderItemUI@DuiLib@@QBEKXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A8955
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A8A24
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A8A38
?GetScrollPos@CScrollBarUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A8B90
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A8BCB
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A8BDF

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$ManagerPaintT@@@Transparent@Utag$Array@EventPos@Rect@ScrollSource@$Color@ControlEmptyHeaderItemListRectText
String ID:
API String ID: 457749161-0
Opcode ID: bad19dc800ce0d7f9a2ec2fb76c526eb902d15569e078d69d6559f859210d9d5
Instruction ID: 256527b8752c69f15f12c7cb8f7291330f5e7ec48ace9d5d47a8d94548737869
Opcode Fuzzy Hash: bad19dc800ce0d7f9a2ec2fb76c526eb902d15569e078d69d6559f859210d9d5
Instruction Fuzzy Hash: 0E2226756097518FCB04DF68C894A2EBBF1BFC9314F05096EE99697361DB30AC06CB86

Function 0040176F Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000,SetLabelText,004D3000,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,SetLabelText,SetLabelText,00000000,00000000,SetLabelText,004D3000,?,?,00000031), ref: 004017D5

Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00002000,00403460,00472EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7

Part of subcall function 00405322: lstrlenW.KERNEL32(00448228,00000000,0042CC00,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,00448228,00000000,0042CC00,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
Part of subcall function 00405322: lstrcatW.KERNEL32(00448228,0040327A,0040327A,00448228,00000000,0042CC00,74DF23A0), ref: 0040537D
Part of subcall function 00405322: SetWindowTextW.USER32(00448228,00448228), ref: 0040538F
Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD

Strings

SetLabelText, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsv77E.tmp\downloader_nsis_plugin.dll, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsv77E.tmp\downloader_nsis_plugin.dll$SetLabelText
API String ID: 1941528284-3584615944
Opcode ID: 54c885fde4f66e969a50e30c875ee8f6d585d11011ec9713f6dbabbd7ac90d58
Instruction ID: c6e8234c1d4b6e0ef99598e998ad36802638a9a190aaa2bd7459f070bf199d51
Opcode Fuzzy Hash: 54c885fde4f66e969a50e30c875ee8f6d585d11011ec9713f6dbabbd7ac90d58
Instruction Fuzzy Hash: 9841B471900514BACF107BA5CD45DAF3A79EF05368F20423FF422B10E1DA3C86919A6E

Function 6C48B5D0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 80registrywindowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C48B613
RegisterClassExW.USER32 ref: 6C48B640
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48B65C
CreateWindowExW.USER32 ref: 6C48B6BF
?AddPreMessageFilter@CPaintManagerUI@DuiLib@@QAE_NPAVIMessageFilterUI@2@@Z.DOWNLOADER_NSIS_PLUGIN ref: 6C48B6EA

Strings

0yf, xrefs: 6C48B66F
0, xrefs: 6C48B5FE

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Paint$Lib@@ManagerMessage$ClassCreateD__@@FilterFilter@HandleI@2@@ModuleRegisterWindowWindow@
String ID: 0$0yf
API String ID: 360160774-907318448
Opcode ID: c339b0dd77501a9c536daaca1536bcfe0243a62c2812e2a66020aa21a0181671
Instruction ID: 3b745fa7190c37be7b5527b2020bbaa8011354bd8da2dc0c4086b110503fd4cd
Opcode Fuzzy Hash: c339b0dd77501a9c536daaca1536bcfe0243a62c2812e2a66020aa21a0181671
Instruction Fuzzy Hash: 6D316FB5A043458BDB00DF78C8587AEBBF0FF8A318F41451DE88597750DBB49445CB89

Function 6C49F8F0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

??8CDuiString@DuiLib@@QBE_NPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49F946
??4CDuiString@DuiLib@@QAEABV01@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C49F983
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C49F9D0
??YCDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN( Ulr,?,?,?), ref: 6C49F9E6
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN( Ulr,?,?,?), ref: 6C49F9ED
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49FA06

Strings

Ulr, xrefs: 6C49F940, 6C49F97D, 6C49F9E1

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$PaintV01@V01@@$D__@@ManagerWindow@
String ID: Ulr
API String ID: 4040377773-3581451991
Opcode ID: 18307e880529e59f31784658db191e112506bcb7d8980b0ac0e5653e421fc0fc
Instruction ID: c3f77c881f7771bed657e2a97346d3a777a427b138a5ca6465bad5da24ca216e
Opcode Fuzzy Hash: 18307e880529e59f31784658db191e112506bcb7d8980b0ac0e5653e421fc0fc
Instruction Fuzzy Hash: C431B6B5A11BC09BD620CF348852FA7BBA4BBC6628F14471EE8E947F81DBB46104C7D1

Function 6C4900D0 Relevance: 12.1, APIs: 8, Instructions: 116COMMON

Download Yara Rule

APIs

?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49011A
?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49012C
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C490138
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C490142
?GetImageEx@CPaintManagerUI@DuiLib@@QAEPBUtagTImageInfo@2@PB_W0K@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,?), ref: 6C49014F
IntersectRect.USER32(?,?,00000000), ref: 6C4901AB
IntersectRect.USER32(?,?,?), ref: 6C4901BA
?DrawImage@CRenderEngine@DuiLib@@SAXPAUHDC__@@PAUHBITMAP__@@ABUtagRECT@@222_NE333@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,?), ref: 6C4901F8

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Paint$Manager$D__@@Empty@ImageIntersectRectString@UtagWindow@$C__@@DrawE333@Engine@Image@Info@2@P__@@RenderT@@222_
String ID:
API String ID: 1271947119-0
Opcode ID: b720b2f64044be28ccf0f3295aba2e6505b1e3b252159325bc93673e624748e8
Instruction ID: 12f3b2549d99b4e47a05e293dfacf436d990a04e3e60955d838f85f0b43a0179
Opcode Fuzzy Hash: b720b2f64044be28ccf0f3295aba2e6505b1e3b252159325bc93673e624748e8
Instruction Fuzzy Hash: 1841AC71A053A8ABDB00CF65C880DABBFB9AF89354F44462DFD8597311DB30D885CBA1

Function 6C43BE20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?), ref: 6C43BE84
GlobalFree.KERNEL32(?), ref: 6C43BE95
lstrcpyW.KERNEL32(?,?), ref: 6C43BECA
GlobalFree.KERNEL32 ref: 6C43BEDB
?ResizeClient@CWindowWnd@DuiLib@@QAEXHH@Z.DOWNLOADER_NSIS_PLUGIN(-000000FE,-000000FE), ref: 6C43BEF8

Strings

0A, xrefs: 6C43BE59, 6C43BE8C, 6C43BEB6, 6C43BED2

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: FreeGloballstrcpy$Client@Lib@@ResizeWindowWnd@
String ID: 0A
API String ID: 2579210014-2007828011
Opcode ID: 2b60258c917ea320144f7e2f4793f674d6ddbf206401d8e47ea8d27229d717ff
Instruction ID: 88896d5aed9c1ada3fd1512e45c4098e0783c30b642cd40c05f3b96c3e993e72
Opcode Fuzzy Hash: 2b60258c917ea320144f7e2f4793f674d6ddbf206401d8e47ea8d27229d717ff
Instruction Fuzzy Hash: B92161B5A026149FDB00CF24DC81F6A37B4EB8A614F510129FE15A7380E774A905CBD9

Function 6C4A9ED0 Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

?Add@CStdValArray@DuiLib@@QAE_NPBX@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C4A9F03
CreateWindowExW.USER32 ref: 6C4A9F55
GetWindowLongW.USER32(?,000000F0), ref: 6C4A9F61
GetWindowLongW.USER32(?,000000FC), ref: 6C4A9F9B
SetWindowLongW.USER32(?,000000FC,?), ref: 6C4A9FAC

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Window$Long$Add@Array@CreateLib@@
String ID:
API String ID: 894824444-0
Opcode ID: ad110228e7d6b363a01f50370fd49e3e097d6a46125f61e3edbf8c6a0fa73248
Instruction ID: 5dc6214bb78ed9db5442eff597c20f87e7e72d155bc08f50a88fb38111096890
Opcode Fuzzy Hash: ad110228e7d6b363a01f50370fd49e3e097d6a46125f61e3edbf8c6a0fa73248
Instruction Fuzzy Hash: 21214D709083009FDB00DF55C804F6FBFF4AFAA354F41861DF49566690C7759545CB99

Function 00406624 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
wsprintfW.USER32 ref: 00406676
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040668A

Strings

%s%S.dll, xrefs: 00406670
\, xrefs: 0040664C
UXTHEME, xrefs: 0040662D

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: 9fa172bba6ca99a644905d2b6d7ed641771312ed853c50fe9922007c80c3d461
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: 7CF0FC70501119A6CF10BB64DD0EF9B365CA700304F10447AA54AF10D1EBB9DB64CB99

Function 6C4ADF20 Relevance: 9.1, APIs: 6, Instructions: 106COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6C4ADF72
GetCurrentProcess.KERNEL32 ref: 6C4ADF76
DuplicateHandle.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000002), ref: 6C4ADF85
GetFileType.KERNEL32(00000000), ref: 6C4ADFFC
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?), ref: 6C4AE036

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: CurrentFileProcess$DuplicateHandlePointerType
String ID:
API String ID: 952225019-0
Opcode ID: 310de99f69355757c9f06b48bd1af563c8087ac33096f0ac68a3020983bf9619
Instruction ID: 89101dda6489acbb16c35028f91fbe72741dbb99df6b62b2a462939d9afc2e8f
Opcode Fuzzy Hash: 310de99f69355757c9f06b48bd1af563c8087ac33096f0ac68a3020983bf9619
Instruction Fuzzy Hash: D041BD71A043108FEB10CFA9C988F9BBBF4EF1A314F018518E9169B791D774D9458BE1

Function 6C46A860 Relevance: 9.1, APIs: 6, Instructions: 93COMMON

Download Yara Rule

APIs

?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46A8CE
?GetSize@CStdValArray@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46A8DB
?DrawHtmlText@CRenderEngine@DuiLib@@SAXPAUHDC__@@PAVCPaintManagerUI@2@AAUtagRECT@@PB_WKPAU5@PAVCDuiString@2@AAHI@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,00000000,00000000,00000000,?), ref: 6C46A8F5

Part of subcall function 6C491410: IsRectEmpty.USER32(?), ref: 6C491473
Part of subcall function 6C491410: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(0000000A), ref: 6C49149B
Part of subcall function 6C491410: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(0000000A,0000000A), ref: 6C4914C4
Part of subcall function 6C491410: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(0000000A,0000000A,0000000A), ref: 6C4914ED
Part of subcall function 6C491410: GetClipBox.GDI32(?,?), ref: 6C491508
Part of subcall function 6C491410: CreateRectRgnIndirect.GDI32(?), ref: 6C491515
Part of subcall function 6C491410: CreateRectRgnIndirect.GDI32(?), ref: 6C491520
Part of subcall function 6C491410: ExtSelectClipRgn.GDI32(?,00000000,00000001), ref: 6C491533
Part of subcall function 6C491410: ?GetDefaultFontInfo@CPaintManagerUI@DuiLib@@QAEPAUtagTFontInfo@2@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49154C
Part of subcall function 6C491410: ?GetDefaultFontInfo@CPaintManagerUI@DuiLib@@QAEPAUtagTFontInfo@2@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C491557
Part of subcall function 6C491410: SelectObject.GDI32(?,00000000), ref: 6C491565
Part of subcall function 6C491410: SetBkMode.GDI32(?,00000001), ref: 6C491574
Part of subcall function 6C491410: SetTextColor.GDI32(?,?), ref: 6C49159C
Part of subcall function 6C491410: ?GetDefaultSelectedBkColor@CPaintManagerUI@DuiLib@@QBEKXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4915A5

?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46A922
?GetSize@CStdValArray@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46A92F
?DrawTextW@CRenderEngine@DuiLib@@SAXPAUHDC__@@PAVCPaintManagerUI@2@AAUtagRECT@@PB_WKHI@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?), ref: 6C46A944

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Paint$Manager$Array@$FontUtag$DefaultRect$C__@@ClipCreateD__@@DrawEngine@I@2@IndirectInfo@Info@2@RenderSelectSize@TextWindow@$ColorColor@EmptyHtmlModeObjectSelectedString@2@Text@
String ID:
API String ID: 3558637913-0
Opcode ID: c04d3767d40d31617b3845691c6334c5e863c39ce6f6eeda84294929ea5c821d
Instruction ID: eab2c10d2b24bca4438e348097cac9b9c1e3d3b13a3c607b3aa6ef661d9247a6
Opcode Fuzzy Hash: c04d3767d40d31617b3845691c6334c5e863c39ce6f6eeda84294929ea5c821d
Instruction Fuzzy Hash: C341E3B1A006199FDB14CFA8C884EEEBBF5FF48318F14441DE65AA7240D734A845CBA8

Function 6C494FC0 Relevance: 9.1, APIs: 6, Instructions: 87COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 6C494FEC
GetWindowLongW.USER32(?,000000EB), ref: 6C49501A
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 6C49503D
SetWindowLongW.USER32(?,000000EB,00000000), ref: 6C49504D
IsWindow.USER32(?), ref: 6C49505C
SetWindowLongW.USER32(?,000000FC,?), ref: 6C495074

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Window$Long$CallProc
String ID:
API String ID: 513923721-0
Opcode ID: 687424bdf6dfc2c593f2aa16508c56667433e9e84c6bd9f94446e74b22c76a16
Instruction ID: 0cf6d16c66e463be953009130ade275a684cdde2b22d937759b597334195e291
Opcode Fuzzy Hash: 687424bdf6dfc2c593f2aa16508c56667433e9e84c6bd9f94446e74b22c76a16
Instruction Fuzzy Hash: 0631B171605324AFCB219F54CC48F6BBFB1FF45721F614A18E96663790C7329800CB90

Function 6C4A3A20 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

??4CDuiString@DuiLib@@QAEABV01@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A3A88

Part of subcall function 6C4C0460: ?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(?,000000FF,?,?,?,6C49F00E,?), ref: 6C4C0473

?LoadImageW@CRenderEngine@DuiLib@@SAPAUtagTImageInfo@2@VSTRINGorID@2@PB_WK@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,?), ref: 6C4A3A74

Part of subcall function 6C48DC40: ?GetResourceDll@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48DC95
Part of subcall function 6C48DC40: FindResourceW.KERNEL32(00000000,00000000,00000000), ref: 6C48DC9F
Part of subcall function 6C48DC40: ?GetResourceDll@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48DCAF
Part of subcall function 6C48DC40: LoadResource.KERNEL32(00000000,00000000), ref: 6C48DCB6
Part of subcall function 6C48DC40: ?GetResourceDll@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48DCC6
Part of subcall function 6C48DC40: SizeofResource.KERNEL32(00000000,00000000), ref: 6C48DCCD
Part of subcall function 6C48DC40: LockResource.KERNEL32(00000000), ref: 6C48DCED
Part of subcall function 6C48DC40: FreeResource.KERNEL32(00000000), ref: 6C48DD06
Part of subcall function 6C48DC40: CreateFileW.KERNEL32 ref: 6C48DF56
Part of subcall function 6C48DC40: GetFileSize.KERNEL32(00000000,00000000), ref: 6C48DF6C
Part of subcall function 6C48DC40: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 6C48DFA8
Part of subcall function 6C48DC40: CloseHandle.KERNEL32(00000000), ref: 6C48DFAF

?LoadImageW@CRenderEngine@DuiLib@@SAPAUtagTImageInfo@2@VSTRINGorID@2@PB_WK@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,?,00000000,00000000,?), ref: 6C4A3A9E
?Insert@CStdStringPtrMap@DuiLib@@QAE_NPB_WPAX@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,?,?,?,00000000,00000000,?), ref: 6C4A3ABD
DeleteObject.GDI32(00000000), ref: 6C4A3AC8
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,00000000,00000000,?), ref: 6C4A3AD1

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Resource$Image$Dll@E__@@FileLoadManagerPaintString@$D@2@Engine@Info@2@RenderUtag$Assign@CloseCreateDeleteFindFreeHandleInsert@LockMap@ObjectReadSizeSizeofStringV01@
String ID:
API String ID: 4071632223-0
Opcode ID: 1940bf28064ac5626ddb077c5b412344a2337ea0079dce90a72f13645531c2ee
Instruction ID: b096aa0270cc426723ba1f7a76842ff523fd9b403cc79b54cb89075472fac7d9
Opcode Fuzzy Hash: 1940bf28064ac5626ddb077c5b412344a2337ea0079dce90a72f13645531c2ee
Instruction Fuzzy Hash: 04210075A002259BDB00CFA8DC80FBBB7B8EF95218F140429EC05A7784EB32ED0586E5

Function 6C491380 Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

SetBkMode.GDI32(?,00000001), ref: 6C49139E
SetTextColor.GDI32(?,?), ref: 6C4913C2
?GetFont@CPaintManagerUI@DuiLib@@QAEPAUHFONT__@@H@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,6C46A949,00000000,?,?,?,?,?,?), ref: 6C4913CD

Part of subcall function 6C4A3430: ?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,6C4913D2,?,?,?,?,?,6C46A949,00000000,?,?,?), ref: 6C4A3448
Part of subcall function 6C4A3430: ??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,?,?,?,?,6C4913D2,?,?,?,?,?,6C46A949,00000000,?,?), ref: 6C4A3454

SelectObject.GDI32(?,00000000), ref: 6C4913D7
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 6C4913EF
SelectObject.GDI32(?,00000000), ref: 6C4913F7

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$ManagerObjectPaintSelectText$Array@ColorDrawFont@ModeT__@@Transparent@
String ID:
API String ID: 434922825-0
Opcode ID: 0da204b1879004c0d84ea79b52f3fb2ef81d6903eecc945648272f11ba321960
Instruction ID: 35d7003fdcd5e33c8650c608c8febea7ecb20c6faf907b626ed16c71df0c21b7
Opcode Fuzzy Hash: 0da204b1879004c0d84ea79b52f3fb2ef81d6903eecc945648272f11ba321960
Instruction Fuzzy Hash: EC017C32201229AFEF108E65CC48EEF3FBDEB49365F510125F92697291CB34D811DBA0

Function 6C4E9EB0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI ref: 6C4E9EDF
GetAdaptersAddresses.IPHLPAPI(00000000,00000080,00000000,00000000,00000000), ref: 6C4E9F14
GetAdaptersAddresses.IPHLPAPI ref: 6C4E9F54
_strlen.LIBCMT ref: 6C4EA03A

Strings

%.2X, xrefs: 6C4E9FCD

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: AdaptersAddresses$_strlen
String ID: %.2X
API String ID: 385116284-213608013
Opcode ID: 8eeeb64eea6c34d0318941b1b5052484b188b8cd1ea1f5a79caff88d99e12684
Instruction ID: eaf4df177b4aa933789200a0e1f360bcfda24325f0c8c33e56f7c5cc6f3a46de
Opcode Fuzzy Hash: 8eeeb64eea6c34d0318941b1b5052484b188b8cd1ea1f5a79caff88d99e12684
Instruction Fuzzy Hash: B681F3B1D043189BDB10CF68C840FDFBBB4AF4931AF06452DE8996BB81E731A945CB91

Function 00403116 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403180
GetTickCount.KERNEL32 ref: 00403227
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403250
wsprintfW.USER32 ref: 00403263

Strings

... %d%%, xrefs: 0040325D

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 35ed3ddee5496da523dbdd9c24141cac19338b56c2f30bcc5b4fb8fdb3f489c6
Instruction ID: f437ad28db75119c3a693f92e670aa5c34007c7df9fe8e0debaece40423bbb79
Opcode Fuzzy Hash: 35ed3ddee5496da523dbdd9c24141cac19338b56c2f30bcc5b4fb8fdb3f489c6
Instruction Fuzzy Hash: 0D517D71900219DBDB10DF66EA44AAE7BB8AB04356F54417FEC14B72C0CB388A51CBA9

Function 6C49C020 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,~dHl,?), ref: 6C49C06A
?GenerateRoundClip@CRenderClip@DuiLib@@SAXPAUHDC__@@UtagRECT@@1HHAAV12@@Z.DOWNLOADER_NSIS_PLUGIN ref: 6C49C14D
??1CRenderClip@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49C220

Strings

~dHl, xrefs: 6C49C22E
~dHl, xrefs: 6C49C033, 6C49C068

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Clip@$Lib@@Render$C__@@GenerateIntersectRectRoundT@@1UtagV12@@
String ID: ~dHl$~dHl
API String ID: 3817692452-247497598
Opcode ID: 8559dbeb53698f0cba7942d540243ec5137ee26d7669d45dc4225842caf2a5a2
Instruction ID: a54e278e80b2df65e10bb2f5a2104765829d4f57aa74966662ee313ab751ced9
Opcode Fuzzy Hash: 8559dbeb53698f0cba7942d540243ec5137ee26d7669d45dc4225842caf2a5a2
Instruction Fuzzy Hash: 09616075200B448FCB24DF29C894ABABBF1FF89320F15466DE9964B7A0DB30A845CF40

Function 6C461C70 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

?Create@CWndShadow@@QAEXPAUHWND__@@@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C461DE1
?SetSize@CWndShadow@@QAE_NH@Z.DOWNLOADER_NSIS_PLUGIN(00000008,?), ref: 6C461DEA
?SetPosition@CWndShadow@@QAE_NHH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,?), ref: 6C461DF5
?SetDarkness@CWndShadow@@QAE_NI@Z.DOWNLOADER_NSIS_PLUGIN(00000066,?), ref: 6C461DFE
?SetSharpness@CWndShadow@@QAE_NI@Z.DOWNLOADER_NSIS_PLUGIN(00000014,?), ref: 6C461E07

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Shadow@@$Create@D__@@@Darkness@Position@Sharpness@Size@
String ID:
API String ID: 2507467409-0
Opcode ID: 614ae7a6b8451dd6fd0b9dc3500ad4a5a02acbf1bb908857458c1e51cf1af76a
Instruction ID: 4f919d9fcb8a37dee0b7aa87ef9493c08fb95c8a6a16083af363ccc99cd4eb57
Opcode Fuzzy Hash: 614ae7a6b8451dd6fd0b9dc3500ad4a5a02acbf1bb908857458c1e51cf1af76a
Instruction Fuzzy Hash: 3B417F31B012198BCF14DF6AC894FAEB7B1AF88719F15442DE9169BB84CB74EC058BD1

Function 6C496FB0 Relevance: 7.6, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

?SetPos@CControlUI@DuiLib@@UAEXUtagRECT@@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C496FD7

Part of subcall function 6C4999E0: ??0CDuiRect@DuiLib@@QAE@ABUtagRECT@@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C499A43
Part of subcall function 6C4999E0: IsRectEmpty.USER32(?), ref: 6C499A49
Part of subcall function 6C4999E0: ??0CDuiRect@DuiLib@@QAE@ABUtagRECT@@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C499A5C
Part of subcall function 6C4999E0: ??BCEventSource@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C499A96
Part of subcall function 6C4999E0: ??RCEventSource@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C499AA2

?IsEmpty@CStdPtrArray@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C496FE7
KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 6C49705B
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C497063
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?), ref: 6C49706F

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$T@@@Utag$Array@EventRect@Source@$CallbackControlDispatcherEmptyEmpty@ManagerPaintPos@RectTransparent@User
String ID:
API String ID: 358928591-0
Opcode ID: e20fbc193c2855d49e8d2fced3d66dc1a9369787583001b31f5cbe8a453685d2
Instruction ID: 8c35b76f52566e7bc2a420c2161fbb294078a63dbad0e6ae78edfaf8eaf132e1
Opcode Fuzzy Hash: e20fbc193c2855d49e8d2fced3d66dc1a9369787583001b31f5cbe8a453685d2
Instruction Fuzzy Hash: 41312475A042298FCF04CF99C894EBEBBB5FF89314F0500AAE90667351CB356D01CBA9

Function 6C4A28D0 Relevance: 7.6, APIs: 5, Instructions: 87timeCOMMON

Download Yara Rule

APIs

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,00000000,?,6C472E6C,?,?,?), ref: 6C4A28F3
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,?,?,00000000,?,6C472E6C,?,?,?), ref: 6C4A28FF
SetTimer.USER32(?,00000000,?,00000000), ref: 6C4A2932
SetTimer.USER32(?,?,?,00000000), ref: 6C4A2973
?Add@CStdPtrArray@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A29AE

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Array@Timer$Add@ManagerPaintTransparent@
String ID:
API String ID: 1629067214-0
Opcode ID: 7d6d107afa73e61dbdca7ecc65c7b545b640b5a70cca600ff7e3688106190536
Instruction ID: 28a3782318023bd91717eab86e51cdf69419112650481ad2e0f74c20687a4231
Opcode Fuzzy Hash: 7d6d107afa73e61dbdca7ecc65c7b545b640b5a70cca600ff7e3688106190536
Instruction Fuzzy Hash: 7D3193717042449FDB18CF55C888FAA7BAABF95314F04416DE81D8B745DB30D842DBA5

Function 6C4ED09E Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6C4ED0DB
dllmain_crt_dispatch.LIBCMT ref: 6C4ED0F2
dllmain_raw.LIBCMT ref: 6C4ED13A
dllmain_crt_dispatch.LIBCMT ref: 6C4ED14D
dllmain_raw.LIBCMT ref: 6C4ED160

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 2bb2734a1164c20ef32a5ec895e21d26e331343f7694b09accde8f2307dfa21a
Instruction ID: 8f98e5788f74503957eb0be16f900e8837befe78d9b005b6302834aaf24fd533
Opcode Fuzzy Hash: 2bb2734a1164c20ef32a5ec895e21d26e331343f7694b09accde8f2307dfa21a
Instruction Fuzzy Hash: 82216D71D01625AEDB21DE15CC40EAF7A79EBC9B9AF164119F8185BB14C7318D028BE0

Function 6C8C2CCE Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6C8C2D0B
dllmain_crt_dispatch.LIBCMT ref: 6C8C2D22
dllmain_raw.LIBCMT ref: 6C8C2D6A
dllmain_crt_dispatch.LIBCMT ref: 6C8C2D7D
dllmain_raw.LIBCMT ref: 6C8C2D90

Memory Dump Source

Source File: 00000006.00000002.4155419249.000000006C711000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C710000, based on PE: true

Associated: 00000006.00000002.4155355851.000000006C710000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156102127.000000006C93C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156596890.000000006C953000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c710000_CapCut_installer.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 424db576116f2bcbbcd99674c144f6e3f95a5328cde09c88820437c41796a3e4
Instruction ID: 37ecaee1326801d96c30a311d3904fee6a059bdfbe081b309af26cf215922f77
Opcode Fuzzy Hash: 424db576116f2bcbbcd99674c144f6e3f95a5328cde09c88820437c41796a3e4
Instruction Fuzzy Hash: 0421E771F0562CAFDB318F19CA48AAF3A78DB90B99B015925F91497790C738CD019BE1

Function 6C4896C0 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

??0CProgressUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4896F1

Part of subcall function 6C4822D0: ??0CLabelUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C482301
Part of subcall function 6C4822D0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C482346
Part of subcall function 6C4822D0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48235E

??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C489723
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48973B
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C489753
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C489768

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$LabelProgress
String ID:
API String ID: 2668925164-0
Opcode ID: 61660af75d138e681ab9be2b022f67c677ff31048a4ce6b8177cf6879f865e22
Instruction ID: 0838ef4378021884c2d76bcbbbbf9d4edd5c6e856ca943c3ffcce650955a3290
Opcode Fuzzy Hash: 61660af75d138e681ab9be2b022f67c677ff31048a4ce6b8177cf6879f865e22
Instruction Fuzzy Hash: 5F21E3B490161A8FEB14CF94C899BEEBBB0FB48718F00056DC4596B790C7BA6548CF91

Function 6C447A10 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 261COMMON

Download Yara Rule

APIs

?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(ccTTBanner,6C52652E,0000002E,000000FF,?), ref: 6C447A7E

Part of subcall function 6C4A2380: ?Find@CStdStringPtrMap@DuiLib@@QBEPAXPB_W_N@Z.DOWNLOADER_NSIS_PLUGIN(6C43A13A,00000001,?,6C43A13A,?), ref: 6C4A238E

Strings

mp4, xrefs: 6C447C04
ccTTBanner, xrefs: 6C447A79
png, xrefs: 6C447BCE

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$ControlControl@FindFind@I@2@ManagerMap@PaintString
String ID: ccTTBanner$mp4$png
API String ID: 3204744061-2426107242
Opcode ID: a4210029e971b45e5f6984b8a47cc69158cdc71f00a45a31081c1740f380c2d0
Instruction ID: db6efb4860154c06362bf95a2baa4e66cc23932bb53ef7c811028cd2b6770ea4
Opcode Fuzzy Hash: a4210029e971b45e5f6984b8a47cc69158cdc71f00a45a31081c1740f380c2d0
Instruction Fuzzy Hash: 80A17CB15083409FE700CF24C880F5ABBE0FF89318F658A1CE9A59B791E774D946CB82

Function 6C4AE260 Relevance: 6.2, APIs: 4, Instructions: 248fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(EDE0BF06,?,00000001,FFFFFFFF,00000000), ref: 6C4AE295
ReadFile.KERNEL32(EDE0BF06,000000FF,00000001,FFFFFFFF,00000000), ref: 6C4AE322
ReadFile.KERNEL32(EDE0BF06,000000FF,00000001,FFFFFFFF,00000000), ref: 6C4AE3C8
ReadFile.KERNEL32(EDE0BF06,000000FF,00000001,FFFFFFFF,00000000), ref: 6C4AE47E

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d913085275458443effc604b737e29ef6b05047aac4f0e340a91a78791b95ea2
Instruction ID: 86e3c2e2edc9123de9d778648c127060531036a5f444e8a5b282d62b19a32307
Opcode Fuzzy Hash: d913085275458443effc604b737e29ef6b05047aac4f0e340a91a78791b95ea2
Instruction Fuzzy Hash: 4DA181B1E002468FDB20CFA9C880FAEBBF6AB55324F154718D8B5977D1E270A946C791

Function 6C4AE520 Relevance: 6.2, APIs: 4, Instructions: 165fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002), ref: 6C4AE54E
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000001), ref: 6C4AE56B
SetFilePointer.KERNEL32(00000050,?,00000000,00000000), ref: 6C4AE623
ReadFile.KERNEL32(00000050,00000000,00000404,FFFFFFFF,00000000), ref: 6C4AE643

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: File$Pointer$Read
String ID:
API String ID: 2010065189-0
Opcode ID: d3c0cfc7be326e24814b35ea8cad57a6413ddcf22487074319b41c0711a04ad7
Instruction ID: bf30723a5461dea82814753540e33fa3a282844a3a3beaccaa07a7830224b270
Opcode Fuzzy Hash: d3c0cfc7be326e24814b35ea8cad57a6413ddcf22487074319b41c0711a04ad7
Instruction Fuzzy Hash: C251C2B0E042109FEB15CEA8C8C4F9A7FB1AB55318F688168D914AB795D732DC53C7D1

Function 6C494C90 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

?RegisterSuperclass@CWindowWnd@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,6C43B37A), ref: 6C494CAF

Part of subcall function 6C494DE0: GetClassInfoExW.USER32(00000000,00000000,00000030), ref: 6C494E23
Part of subcall function 6C494DE0: ?GetInstance@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,6C494CB4,?,?,6C43B37A), ref: 6C494E40
Part of subcall function 6C494DE0: GetClassInfoExW.USER32(00000000,00000000,00000030), ref: 6C494E48
Part of subcall function 6C494DE0: ?GetInstance@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,6C494CB4,?,?,6C43B37A), ref: 6C494E5F
Part of subcall function 6C494DE0: CreateSolidBrush.GDI32(00000000), ref: 6C494E7C
Part of subcall function 6C494DE0: RegisterClassExW.USER32(00000030), ref: 6C494E86
Part of subcall function 6C494DE0: GetLastError.KERNEL32(?,?,?,?,6C494CB4,?,?,6C43B37A), ref: 6C494E93

?RegisterWindowClass@CWindowWnd@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,6C43B37A), ref: 6C494CD3
?GetInstance@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,6C43B37A), ref: 6C494CE0
CreateWindowExW.USER32(?,00000000,?,?,00000258,00000320,00000000,?,?,?,00000000,00000000), ref: 6C494D16

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Window$ClassE__@@Instance@ManagerPaintRegister$CreateInfoWnd@$BrushClass@ErrorLastSolidSuperclass@
String ID:
API String ID: 3246782391-0
Opcode ID: 549d6502aeece57861afca8af1da38dceb8c743c1677a13613d55107723b5e86
Instruction ID: 74ed44cbf81010f084573295a2ca638d32cf24d7932d6dbbe34e0f1f7660f0fa
Opcode Fuzzy Hash: 549d6502aeece57861afca8af1da38dceb8c743c1677a13613d55107723b5e86
Instruction Fuzzy Hash: 7C11583A3001199F8F01DF69CC14CAF3FA6EFC96AA7164119FA5687320DB32DC119B94

Function 6C4A2540 Relevance: 6.0, APIs: 4, Instructions: 43windowCOMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 6C4A2587
?TranslateMessage@CPaintManagerUI@DuiLib@@SA_NQAUtagMSG@@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,00000000,00000000,00000000), ref: 6C4A258E

Part of subcall function 6C4A25C0: GetWindowLongW.USER32(?,000000F0), ref: 6C4A25D0
Part of subcall function 6C4A25C0: ?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4A25E5
Part of subcall function 6C4A25C0: ??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4A25F8
Part of subcall function 6C4A25C0: GetParent.USER32(?), ref: 6C4A2613
Part of subcall function 6C4A25C0: ?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4A2636
Part of subcall function 6C4A25C0: ??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4A2649
Part of subcall function 6C4A25C0: GetParent.USER32(00000000), ref: 6C4A266B
Part of subcall function 6C4A25C0: ?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(00000001), ref: 6C4A2692
Part of subcall function 6C4A25C0: ??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000001), ref: 6C4A269E

TranslateMessage.USER32 ref: 6C4A259B
DispatchMessageW.USER32 ref: 6C4A25A2

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$ManagerPaint$Array@Transparent@$MessageParentTranslate$CallbackDispatchDispatcherG@@@LongMessage@UserUtagWindow
String ID:
API String ID: 4064736304-0
Opcode ID: efd3e3d7634b333a927427e3e60c5ab95dd641a8cb4741ba1d41b4fd73c3b57f
Instruction ID: 07f6b5cf2e3c280bc8619272c1c3bec029588119cd01ae93db24889d05eedc0e
Opcode Fuzzy Hash: efd3e3d7634b333a927427e3e60c5ab95dd641a8cb4741ba1d41b4fd73c3b57f
Instruction Fuzzy Hash: 69F0F936A0530067DB10DB658C05FDB77F8EF8B278F560219E95853641FB30B24287EA

Function 004057F1 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405834
GetLastError.KERNEL32 ref: 00405848
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040585D
GetLastError.KERNEL32 ref: 00405867

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: 817c7eeb2e6ade2cce28f3b9d2e4670c9c7091e2f59c9eba6f9578a5288f1365
Instruction ID: d156970015101e62572267df52bf1fb018b172c5ebb67f048bc3511340661aba
Opcode Fuzzy Hash: 817c7eeb2e6ade2cce28f3b9d2e4670c9c7091e2f59c9eba6f9578a5288f1365
Instruction Fuzzy Hash: EB010872D00219EADF009FA1C944BEFBBB8EF14304F00803AE945B6280D7789618CFA9

Function 6C49C5D0 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49C5E0
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49C5EE
?DrawImageString@CRenderEngine@DuiLib@@SA_NPAUHDC__@@PAVCPaintManagerUI@2@ABUtagRECT@@2PB_W3@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,00000000,00000000), ref: 6C49C608

Part of subcall function 6C490220: ??0CDuiString@DuiLib@@QAE@PB_WH@Z.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C4902D8
Part of subcall function 6C490220: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C49033B
Part of subcall function 6C490220: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C4903B8
Part of subcall function 6C490220: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C490412

?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49C616

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$Paint$Empty@Manager$C__@@D__@@DrawEngine@I@2@ImageRenderT@@2UtagWindow@
String ID:
API String ID: 3313731068-0
Opcode ID: e49e50c2483dcfb6350edc09b791a8bea75dc1c72105b755901f27ceb4f7c66a
Instruction ID: d44b65af41a0c5ac607d61f67e60d46d69ca4ca6e7b28b4ecc008f604a74be4a
Opcode Fuzzy Hash: e49e50c2483dcfb6350edc09b791a8bea75dc1c72105b755901f27ceb4f7c66a
Instruction Fuzzy Hash: 3EF0A0F6300A243BD908D6509C80EFE771DEBC465EF04051DEA0107742DB662D1A43E9

Function 6C4AF000 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 192COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000103,00000000,00000000), ref: 6C4AF06B
_strlen.LIBCMT ref: 6C4AF072

Strings

/, xrefs: 6C4AF09F

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: ByteCharMultiWide_strlen
String ID: /
API String ID: 550581524-2043925204
Opcode ID: 87fffec03bff31179baeecf7a328435a0555c30946e002613cae7fbe312bc38c
Instruction ID: c0faa84eac7727fc0c940c8ba9febcf1b8f5cb9e0e644583a463306bec78364f
Opcode Fuzzy Hash: 87fffec03bff31179baeecf7a328435a0555c30946e002613cae7fbe312bc38c
Instruction Fuzzy Hash: 70712871A067159BE700CFA9D880FDAB7F0BF69318F104769D85897B80E330A986CBD1

Function 6C4AF9F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000104,00000138,?,?), ref: 6C4AFA24
GetFileType.KERNEL32(?), ref: 6C4AFA40

Strings

Ul, xrefs: 6C4AFA7A

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: CurrentDirectoryFileType
String ID: Ul
API String ID: 924069915-3999281317
Opcode ID: 07f7d91ab7c8371b684f54750a597f9f31d10759ecf6e4802bff34f6e3a402c6
Instruction ID: 995b3540ffdd33ddc6643580e30e6bf8504398cf54fc70808fb3aeac3c3ed7c5
Opcode Fuzzy Hash: 07f7d91ab7c8371b684f54750a597f9f31d10759ecf6e4802bff34f6e3a402c6
Instruction Fuzzy Hash: E411E372A002059BDB00DF65CC44FDB7B78EB95329F550629ED149B780E731A906C7E1

Function 00405DDF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405DFD
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,004CB000,0040338D,004DB000,004DF000,004DF000,004DF000,004DF000,004DF000,74DF3420,004035D9), ref: 00405E18

Strings

nsa, xrefs: 00405DEC

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: af8b6ba947558e1b0daa3aed001b6e0f80e178ffca66ecedc63f3e0829e9a41e
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: 61F03076A00304FBEB009F69ED05E9FB7BCEB95710F10803AE941E7250E6B09A548B64

Function 6C8148D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 6C8148DE
GetProcAddress.KERNEL32(00000000,GetHandleVerifier), ref: 6C8148EA

Strings

GetHandleVerifier, xrefs: 6C8148E4

Memory Dump Source

Source File: 00000006.00000002.4155419249.000000006C711000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C710000, based on PE: true

Associated: 00000006.00000002.4155355851.000000006C710000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156102127.000000006C93C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156596890.000000006C953000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c710000_CapCut_installer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetHandleVerifier
API String ID: 1646373207-1090674830
Opcode ID: b5ce6917db0d42e18576624d789f8c9e4b161ab0c9ef0a1676d5c97fa3312d71
Instruction ID: fecf82595638ef010082ffc200b90c2abed3a3f6947ddaa7788d5a191dcf4b94
Opcode Fuzzy Hash: b5ce6917db0d42e18576624d789f8c9e4b161ab0c9ef0a1676d5c97fa3312d71
Instruction Fuzzy Hash: 58D05B7074D609DAEB20ABA49A05B1172FC77C1B1EF100C10B10F95ED2C765A5508555

Function 6C4C2050 Relevance: 4.9, APIs: 3, Instructions: 394windowCOMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000100,?,?,?), ref: 6C4C2402
?MessageHandler@CPaintManagerUI@DuiLib@@QAE_NIIJAAJ@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,00000000), ref: 6C4C244C
?HandleMessage@CWindowWnd@DuiLib@@MAEJIIJ@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C4C2460

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$CallbackDispatcherHandleHandler@ManagerMessageMessage@PaintUserWindowWnd@
String ID:
API String ID: 1899377608-0
Opcode ID: 8c5be8921b1a08c93217cb5b3a446bdcf971f452834059ac36d0cd3bf4f06fa1
Instruction ID: a3a6746319f84b6970a24a396c6e12d37aa61500a5430378289153c5169a3034
Opcode Fuzzy Hash: 8c5be8921b1a08c93217cb5b3a446bdcf971f452834059ac36d0cd3bf4f06fa1
Instruction Fuzzy Hash: E8D16A797002199FEB14CE59C884DBAB3EDFB8D324F06402AEE45D7391DAB0AC418B95

Function 6C4A9A50 Relevance: 4.7, APIs: 3, Instructions: 219COMMON

Download Yara Rule

APIs

?SetPos@CControlUI@DuiLib@@UAEXUtagRECT@@@Z.DOWNLOADER_NSIS_PLUGIN ref: 6C4A9A76

Part of subcall function 6C4999E0: ??0CDuiRect@DuiLib@@QAE@ABUtagRECT@@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C499A43
Part of subcall function 6C4999E0: IsRectEmpty.USER32(?), ref: 6C499A49
Part of subcall function 6C4999E0: ??0CDuiRect@DuiLib@@QAE@ABUtagRECT@@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C499A5C
Part of subcall function 6C4999E0: ??BCEventSource@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C499A96
Part of subcall function 6C4999E0: ??RCEventSource@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C499AA2

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A9AF0
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A9B00

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$T@@@Utag$EventRect@Source@$Array@ControlEmptyManagerPaintPos@RectTransparent@
String ID:
API String ID: 3446424364-0
Opcode ID: 0ced7903f1b6766fa1c22da65fd57a9fc960a8c9fa883a7a980f3433c10d0fa1
Instruction ID: b3378e91b0ab059c11df550ec76b7251c2a44751d541e31041c4dff0f445eca3
Opcode Fuzzy Hash: 0ced7903f1b6766fa1c22da65fd57a9fc960a8c9fa883a7a980f3433c10d0fa1
Instruction Fuzzy Hash: A2913A75A087109FCB04DF29C494A1EBBF1BFC9714F05496EE89A97364DB30A806CF86

Function 6C48A460 Relevance: 4.7, APIs: 3, Instructions: 162COMMON

Download Yara Rule

APIs

?SetBkImage@CControlUI@DuiLib@@QAEXPB_W@Z.DOWNLOADER_NSIS_PLUGIN(6C526390), ref: 6C48A49A

Part of subcall function 6C4992A0: ??8CDuiString@DuiLib@@QBE_NPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C4992C5
Part of subcall function 6C4992A0: ??4CDuiString@DuiLib@@QAEABV01@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C4992D5
Part of subcall function 6C4992A0: IntersectRect.USER32(?,?), ref: 6C499368

??0CLabelUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(6C526390), ref: 6C48A5E0
?SetBkImage@CControlUI@DuiLib@@QAEXPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C48A605

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$ControlImage@String@$IntersectLabelRectV01@
String ID:
API String ID: 620893654-0
Opcode ID: 2fdb6f89b566d6366b83781af506466ce6e97c305d2fb157db38708889365755
Instruction ID: 95903936dc83ecd41a3d6583c9d16f6435e7317b2f3288ee6ba5844b73b6ea04
Opcode Fuzzy Hash: 2fdb6f89b566d6366b83781af506466ce6e97c305d2fb157db38708889365755
Instruction Fuzzy Hash: 04712AB5A012199FCF00CF98C884FEEBBB1BF49324F154269E8156B391C775A945CF94

Function 6C469C80 Relevance: 4.6, APIs: 3, Instructions: 91fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 6C469D35
PathAppendW.SHLWAPI(?,?), ref: 6C469D4F
CreateFileW.KERNEL32 ref: 6C469D7B

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Path$AppendCreateFileTemp
String ID:
API String ID: 3860574532-0
Opcode ID: 299f4237fa4ed9d106d0147ab1e4967d887b5c0df4cca19b2126764d92a5faa9
Instruction ID: 493a9675dfedd2d40f3db05d49d479cb5ea2901fe17b632b8ed2b29afb9d62d0
Opcode Fuzzy Hash: 299f4237fa4ed9d106d0147ab1e4967d887b5c0df4cca19b2126764d92a5faa9
Instruction Fuzzy Hash: E031F271D007498BEB00CFA9D844FEEBBB4EF1A319F104129E854B7B81E7B59584CBA5

Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040205D

Part of subcall function 00405322: lstrlenW.KERNEL32(00448228,00000000,0042CC00,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,00448228,00000000,0042CC00,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
Part of subcall function 00405322: lstrcatW.KERNEL32(00448228,0040327A,0040327A,00448228,00000000,0042CC00,74DF23A0), ref: 0040537D
Part of subcall function 00405322: SetWindowTextW.USER32(00448228,00448228), ref: 0040538F
Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040206E
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 72a5e19f9697d1318c9a310d29b5b60265bfdb2e952e74c10cb73e1909f0eb38
Instruction ID: 3abd81b96889d1c7eb1cceed2e7b5e281284f1a6e6a9a5ff44b88a827c8e1d1c
Opcode Fuzzy Hash: 72a5e19f9697d1318c9a310d29b5b60265bfdb2e952e74c10cb73e1909f0eb38
Instruction Fuzzy Hash: 8821B071D00205AACF20AFA5CE48A9E7A70BF04358F60413BF511B11E0DBBD8981DA6E

Function 00401B77 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00671690), ref: 00401BE7
GlobalAlloc.KERNEL32(00000040,00004004), ref: 00401BF9

Strings

SetLabelText, xrefs: 00401B9E, 00401BA4, 00401BBE

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: Global$AllocFree
String ID: SetLabelText
API String ID: 3394109436-1759088561
Opcode ID: e92ebcb273327e1a214b24fe29e5178f564890f3b1a15877f06efc708fafe908
Instruction ID: 2ffc4b8e8b305263ff1bfe934f744a2e7f0909984677ca7ca3d2d917788d1148
Opcode Fuzzy Hash: e92ebcb273327e1a214b24fe29e5178f564890f3b1a15877f06efc708fafe908
Instruction Fuzzy Hash: 52210A76600100ABCB10FF95CE8499E73A8EB48318BA4443FF506F32D0DB78A852DB6D

Function 6C479AE0 Relevance: 4.6, APIs: 3, Instructions: 59COMMON

Download Yara Rule

APIs

??0CControlUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C479B11

Part of subcall function 6C4988F0: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49892D
Part of subcall function 6C4988F0: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C498944
Part of subcall function 6C4988F0: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C49895B
Part of subcall function 6C4988F0: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000), ref: 6C498972
Part of subcall function 6C4988F0: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000,00000000), ref: 6C498989
Part of subcall function 6C4988F0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000,00000000), ref: 6C4989AC
Part of subcall function 6C4988F0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000,00000000), ref: 6C4989C4
Part of subcall function 6C4988F0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C498A06
Part of subcall function 6C4988F0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C498A1E
Part of subcall function 6C4988F0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C498A3F
Part of subcall function 6C4988F0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C498A61
Part of subcall function 6C4988F0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C498A76

??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C479BA3
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 6C479BE0

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$Array@$ControlGdiplusStartup
String ID:
API String ID: 2862154974-0
Opcode ID: 1dda60da51ef3da857069013082b1c8e293f23c3de4147a7db00f961c696c400
Instruction ID: 24a9c163f73c02fff0a15484698287c23b36c6725a05f8391da483f4a3794ea2
Opcode Fuzzy Hash: 1dda60da51ef3da857069013082b1c8e293f23c3de4147a7db00f961c696c400
Instruction Fuzzy Hash: C0315CB1810B868AE720CF24C945BEBF7F4BF99318F10571DD5A962291E77431848B94

Function 6C4822D0 Relevance: 4.6, APIs: 3, Instructions: 51COMMON

Download Yara Rule

APIs

??0CLabelUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C482301

Part of subcall function 6C479AE0: ??0CControlUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C479B11
Part of subcall function 6C479AE0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C479BA3
Part of subcall function 6C479AE0: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 6C479BE0

??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C482346
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48235E

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$ControlGdiplusLabelStartup
String ID:
API String ID: 3685453975-0
Opcode ID: 0650c25a9a981312142a1aae62f19b0640f3c370b82e4b450683d981237ae879
Instruction ID: 4eda6a50245828df6451897c8cd3d81201f34f263a253aad7d5942b1cf7488c1
Opcode Fuzzy Hash: 0650c25a9a981312142a1aae62f19b0640f3c370b82e4b450683d981237ae879
Instruction Fuzzy Hash: 6321C3B5A00B598BCB24DF98C849BEFBBB4FB48724F00061DD46567780D7B96904CF95

Function 6C43B300 Relevance: 4.6, APIs: 3, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 6C4618D0: ??0WindowImplBase@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,?,6C43B33D), ref: 6C4618DA
Part of subcall function 6C4618D0: ??0CWndShadow@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,?,6C43B33D), ref: 6C461910

?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.DOWNLOADER_NSIS_PLUGIN ref: 6C43B375

Part of subcall function 6C494C90: ?RegisterSuperclass@CWindowWnd@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,6C43B37A), ref: 6C494CAF
Part of subcall function 6C494C90: ?RegisterWindowClass@CWindowWnd@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,6C43B37A), ref: 6C494CD3
Part of subcall function 6C494C90: ?GetInstance@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,6C43B37A), ref: 6C494CE0
Part of subcall function 6C494C90: CreateWindowExW.USER32(?,00000000,?,?,00000258,00000320,00000000,?,?,?,00000000,00000000), ref: 6C494D16

?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C43B37C

Part of subcall function 6C4952A0: GetWindowRect.USER32(?,?), ref: 6C4952C9
Part of subcall function 6C4952A0: GetParent.USER32(?), ref: 6C4952DB
Part of subcall function 6C4952A0: GetWindow.USER32(?,00000004), ref: 6C4952EA
Part of subcall function 6C4952A0: MonitorFromWindow.USER32(?,00000002), ref: 6C495317
Part of subcall function 6C4952A0: GetMonitorInfoW.USER32(00000000,00000028), ref: 6C495323
Part of subcall function 6C4952A0: GetWindowRect.USER32(00000000,?), ref: 6C49534F

?ShowWindow@CWindowWnd@DuiLib@@QAEX_N0@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000001), ref: 6C43B387

Part of subcall function 6C495100: IsWindow.USER32(?), ref: 6C495109
Part of subcall function 6C495100: ShowWindow.USER32(?,00000000,?,6C43B38C,00000000,00000001), ref: 6C49512C

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Window$Lib@@$Wnd@$MonitorRectRegisterShowWindow@$Base@CenterClass@CreateCreate@D__@@E__@@FromImplInfoInstance@ManagerPaintParentShadow@@Superclass@U__@@@
String ID:
API String ID: 1233114935-0
Opcode ID: e3653ae2cb9c09b536d3c4b8c23a9e5d55f75a534b66942f5dca5722758d87e7
Instruction ID: d8059d86e767d78655842cebcef86808f8f33ffc7a1869d4878cfdd6e880d886
Opcode Fuzzy Hash: e3653ae2cb9c09b536d3c4b8c23a9e5d55f75a534b66942f5dca5722758d87e7
Instruction Fuzzy Hash: C2118E70B043549FDB00DF69C845BAFBBE4EF88758F41451CE8498B391DB74994887D6

Function 6C756090 Relevance: 4.5, APIs: 3, Instructions: 35COMMON

Download Yara Rule

APIs

SystemFunction036.ADVAPI32(?,?,?,6C749AC7,?,00000008), ref: 6C75609E
GetLastError.KERNEL32(6C94ABB0,?,?,?,?,6C749AC7,?,00000008), ref: 6C7560CA
SetLastError.KERNEL32(00000000,?,?,?,?,6C749AC7,?,00000008), ref: 6C7560D5

Memory Dump Source

Source File: 00000006.00000002.4155419249.000000006C711000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C710000, based on PE: true

Associated: 00000006.00000002.4155355851.000000006C710000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156102127.000000006C93C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156596890.000000006C953000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c710000_CapCut_installer.jbxd

Similarity

API ID: ErrorLast$Function036System
String ID:
API String ID: 1983025473-0
Opcode ID: 4abec82fa8733e83881d6e82aa785fad14dbada9426856c058a5d38008b044cc
Instruction ID: 1af02311b3ab2c100b9dd411e820f456af87dd35312712a90a0350266a32b66f
Opcode Fuzzy Hash: 4abec82fa8733e83881d6e82aa785fad14dbada9426856c058a5d38008b044cc
Instruction Fuzzy Hash: 8EF0397420530C5FDB246FA8DA08BA57BA8EB056AAF104875EA4CCBF10DB71ED00C7A1

Function 6C4A39D0 Relevance: 4.5, APIs: 3, Instructions: 32COMMON

Download Yara Rule

APIs

?Find@CStdStringPtrMap@DuiLib@@QBEPAXPB_W_N@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000001,00000000,00000000,00000000,?,6C490154,00000000,00000000,?), ref: 6C4A39E6
?AddImage@CPaintManagerUI@DuiLib@@QAEPBUtagTImageInfo@2@PB_W0K@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,6C490154,00000000,00000001,00000000,00000000,00000000,?,6C490154,00000000,00000000,?), ref: 6C4A39F8

Part of subcall function 6C4A3A20: ?LoadImageW@CRenderEngine@DuiLib@@SAPAUtagTImageInfo@2@VSTRINGorID@2@PB_WK@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,?), ref: 6C4A3A74
Part of subcall function 6C4A3A20: ??4CDuiString@DuiLib@@QAEABV01@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A3A88
Part of subcall function 6C4A3A20: ?Insert@CStdStringPtrMap@DuiLib@@QAE_NPB_WPAX@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,?,?,?,00000000,00000000,?), ref: 6C4A3ABD
Part of subcall function 6C4A3A20: DeleteObject.GDI32(00000000), ref: 6C4A3AC8
Part of subcall function 6C4A3A20: ??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,00000000,00000000,?), ref: 6C4A3AD1

?Find@CStdStringPtrMap@DuiLib@@QBEPAXPB_W_N@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000001,00000000,00000000,6C490154,00000000,00000001,00000000,00000000,00000000,?,6C490154,00000000,00000000,?), ref: 6C4A3A06

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$ImageMap@String$Find@Info@2@String@Utag$D@2@DeleteEngine@Image@Insert@LoadManagerObjectPaintRenderV01@
String ID:
API String ID: 3670622582-0
Opcode ID: ebf88320b1d9bbeef7c5921232f0c177510fb38dd9353f7945c3f47bd1e51357
Instruction ID: d0526ca673d803245dad713639c0c365b6b87a86546ebb8d0b7de98f7d880e1b
Opcode Fuzzy Hash: ebf88320b1d9bbeef7c5921232f0c177510fb38dd9353f7945c3f47bd1e51357
Instruction Fuzzy Hash: CAE09B3630436577EE10D6A65C44FDB7F5EDB957A8F00002ABE0597651ED61C80686A0

Function 6C8D00BE Relevance: 4.5, APIs: 3, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8E0C1B: GetLastError.KERNEL32(?,00000008,6C8DD284), ref: 6C8E0C1F
Part of subcall function 6C8E0C1B: SetLastError.KERNEL32(00000000,?,?,?,?,6C8332DB,00000024,?,6C7C1BDC,?,?), ref: 6C8E0CC1

CloseHandle.KERNEL32(?,?,?,6C8CFFB4,?,?,6C8D009E,00000000), ref: 6C8D00EF
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,6C8CFFB4,?,?,6C8D009E,00000000), ref: 6C8D0105
ExitThread.KERNEL32 ref: 6C8D010E

Memory Dump Source

Source File: 00000006.00000002.4155419249.000000006C711000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C710000, based on PE: true

Associated: 00000006.00000002.4155355851.000000006C710000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156102127.000000006C93C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156596890.000000006C953000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c710000_CapCut_installer.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: 8f4b77a1f77bea532b7e08406d2b68bbbd04545a92ae54dd9bb1f127342c2607
Instruction ID: da07de29872012dc094e7da829c8fc6aec37a542e64fc093f291e703d81a413d
Opcode Fuzzy Hash: 8f4b77a1f77bea532b7e08406d2b68bbbd04545a92ae54dd9bb1f127342c2607
Instruction Fuzzy Hash: B3F05E305056846BDF314A258A48E5A3AB8BF0A328B324E60ED7AC79A0DB20E845C750

Function 6C432200 Relevance: 4.5, APIs: 3, Instructions: 24COMMON

Download Yara Rule

APIs

??0CWindowWnd@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C432206
??0CStdStringPtrMap@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000053), ref: 6C432217
??0CPaintManagerUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,00000053), ref: 6C432241

Part of subcall function 6C49ED30: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49EDD6
Part of subcall function 6C49ED30: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C49EDF2
Part of subcall function 6C49ED30: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C49EE0E
Part of subcall function 6C49ED30: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000), ref: 6C49EE2A
Part of subcall function 6C49ED30: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000,00000000), ref: 6C49EE46
Part of subcall function 6C49ED30: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C49EE62
Part of subcall function 6C49ED30: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C49EE7E
Part of subcall function 6C49ED30: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C49EE9A
Part of subcall function 6C49ED30: ??0CStdStringPtrMap@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000053,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C49EEB6
Part of subcall function 6C49ED30: ??0CStdStringPtrMap@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000053,00000053,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C49EED2
Part of subcall function 6C49ED30: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(00000053,00000053,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C49EEF6
Part of subcall function 6C49ED30: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000053,00000053,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C49EF12

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Array@$Map@String$ManagerPaintString@WindowWnd@
String ID:
API String ID: 2648915158-0
Opcode ID: e7279424739d840d5955f98b460106f85e6bf759df818c5cbecb38156be039de
Instruction ID: a25c72af1f6110346a986f8d19da2aa963355c1b32e895ffd4bcae1e8a2606b0
Opcode Fuzzy Hash: e7279424739d840d5955f98b460106f85e6bf759df818c5cbecb38156be039de
Instruction Fuzzy Hash: 08F03A72002B408BC360CF65C8A6B8BBBE4BF14754F400A1EC49A46EA0C774A008CBD0

Function 6C43BFE0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

?ShowWindow@CWindowWnd@DuiLib@@QAEX_N0@Z.DOWNLOADER_NSIS_PLUGIN(00000001,00000001), ref: 6C43C01B

Part of subcall function 6C495100: IsWindow.USER32(?), ref: 6C495109
Part of subcall function 6C495100: ShowWindow.USER32(?,00000000,?,6C43B38C,00000000,00000001), ref: 6C49512C

Strings

0A, xrefs: 6C43C006

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Window$Show$Lib@@Window@Wnd@
String ID: 0A
API String ID: 2490010911-2007828011
Opcode ID: d6660135012fdc45d3b0b3cd9c9ce8fdb443a4fa9bb71499d32a8cc8147c66f0
Instruction ID: a8ff1e508dde0fb5d3c5e81c2238ca59540ba981cc250430e61c19180c833164
Opcode Fuzzy Hash: d6660135012fdc45d3b0b3cd9c9ce8fdb443a4fa9bb71499d32a8cc8147c66f0
Instruction Fuzzy Hash: 41E039B5B106299FDB04CF09C840D857BF5FB8A320B92401AF91493340C7B4A842CBE8

Function 6C7B0D80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetHandleVerifier.SHELL_DOWNLOADER(?,00000000,00000000,?,6C7B6240,00000000), ref: 6C7B0D89

Part of subcall function 6C8148D0: GetModuleHandleW.KERNEL32(00000000), ref: 6C8148DE
Part of subcall function 6C8148D0: GetProcAddress.KERNEL32(00000000,GetHandleVerifier), ref: 6C8148EA

Strings

@b{l, xrefs: 6C7B0D86, 6C7B0D9E

Memory Dump Source

Source File: 00000006.00000002.4155419249.000000006C711000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C710000, based on PE: true

Associated: 00000006.00000002.4155355851.000000006C710000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156102127.000000006C93C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156596890.000000006C953000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c710000_CapCut_installer.jbxd

Similarity

API ID: Handle$AddressModuleProcVerifier
String ID: @b{l
API String ID: 3286154149-2043417889
Opcode ID: 9f3127aeb484371fa356f2ffc73dbed16aa99d7b68673856a112b3acd05099d9
Instruction ID: c43ab68d8658b429a9ed428fd0a7c0d3061a25e170c860fac9acfb435fd6b42e
Opcode Fuzzy Hash: 9f3127aeb484371fa356f2ffc73dbed16aa99d7b68673856a112b3acd05099d9
Instruction Fuzzy Hash: 6CD0A7363042186F8710A72AEC84C6F3BADEBCE1B97000071F60AC7710CA216C0187F0

Function 6C4AF6D0 Relevance: 3.2, APIs: 2, Instructions: 196fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 6C4AF828
ReadFile.KERNEL32(FFFFFFFF,?,?,FFFFFFFF,00000000), ref: 6C4AF863

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 917290e6965e1d8eb9c11029efc201114a704cc29a6a44d3d9ebf915ce300e0f
Instruction ID: 688e047dcdde1850275241fa2dc5057aa310c06cf8e8c4532fd4f366d1d7aa0c
Opcode Fuzzy Hash: 917290e6965e1d8eb9c11029efc201114a704cc29a6a44d3d9ebf915ce300e0f
Instruction Fuzzy Hash: E8814871E022159FEB08CFA9C880FAA7BB4BF58314F1541A9DC14AB79AD730D942CBD4

Function 6C4AE730 Relevance: 3.2, APIs: 2, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 6C4AE520: SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002), ref: 6C4AE54E
Part of subcall function 6C4AE520: SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000001), ref: 6C4AE56B
Part of subcall function 6C4AE520: SetFilePointer.KERNEL32(00000050,?,00000000,00000000), ref: 6C4AE623
Part of subcall function 6C4AE520: ReadFile.KERNEL32(00000050,00000000,00000404,FFFFFFFF,00000000), ref: 6C4AE643

SetFilePointer.KERNEL32(EDE0BF06,31F04D8B,00000000,00000000), ref: 6C4AE7CC
CloseHandle.KERNEL32(EDE0BF06), ref: 6C4AE8EF

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: File$Pointer$CloseHandleRead
String ID:
API String ID: 1441622456-0
Opcode ID: d20c9879363c8d64a2d0a4fd40aa7156dfc779748b27a587764c0c9bc99b3fac
Instruction ID: 1a45994a10297572c3eaa8028554adfebde8c6bdce8bbec123c915c67a8dadd1
Opcode Fuzzy Hash: d20c9879363c8d64a2d0a4fd40aa7156dfc779748b27a587764c0c9bc99b3fac
Instruction Fuzzy Hash: DF81A3B19047819BD710CF64CC80BAAB7E4BFD9314F014B2DF8E896661E770D699CB92

Function 6C8DA3C2 Relevance: 3.2, APIs: 2, Instructions: 191fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C8DA748: GetConsoleOutputCP.KERNEL32(80F90B91,?,00000000,?), ref: 6C8DA7AB

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,?,?,6C8DB81F,?), ref: 6C8DA52B
GetLastError.KERNEL32(?,6C8DB81F,?,6C8DBA67,00000000,?,00000000,6C8DBA67,?,00000000,00000000,6C93AD30,0000002C,6C8DB953,?), ref: 6C8DA535

Memory Dump Source

Source File: 00000006.00000002.4155419249.000000006C711000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C710000, based on PE: true

Associated: 00000006.00000002.4155355851.000000006C710000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156102127.000000006C93C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156596890.000000006C953000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c710000_CapCut_installer.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 3b38a6ceb784747346098ed0b8cab182fed94eebd2e03dcf5fdedac3e93024a4
Instruction ID: ce1e60c8fbff814c4ad5e8071d3b0f6f0bc4f765499ce2b880aac3ea520011f8
Opcode Fuzzy Hash: 3b38a6ceb784747346098ed0b8cab182fed94eebd2e03dcf5fdedac3e93024a4
Instruction Fuzzy Hash: 9D61D671D04109AFDF21CFA8CA84EDF7BB9AF0A318F224954E814B7641D375EA05CB60

Function 6C721440 Relevance: 3.1, APIs: 2, Instructions: 148COMMON

Download Yara Rule

APIs

ReleaseSRWLockExclusive.KERNEL32(00000024,00000024,?,6C8332DB,00000024,?,6C7C1BDC,?,?), ref: 6C721535
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,6C8332DB,00000024,?,6C7C1BDC,?,?), ref: 6C7215DA

Memory Dump Source

Source File: 00000006.00000002.4155419249.000000006C711000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C710000, based on PE: true

Associated: 00000006.00000002.4155355851.000000006C710000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156102127.000000006C93C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156596890.000000006C953000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c710000_CapCut_installer.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: a16a80fe320a06d2c444dff81038785dec776b3efdc9dfcf05894c22e5a663d3
Instruction ID: aa0cbf17c39047c7354f9e70389802b29f6b5d55a8d5f8fd2e24476ab9ac3746
Opcode Fuzzy Hash: a16a80fe320a06d2c444dff81038785dec776b3efdc9dfcf05894c22e5a663d3
Instruction Fuzzy Hash: 2C51AE71A00A019FD718CF29C854BAAB3E5FF45318F04866DE8AAC7B81D739ED01CB90

Function 6C4AE100 Relevance: 3.1, APIs: 2, Instructions: 123fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(000000FF,000000FF,00000001,FFFFFFFF,00000000), ref: 6C4AE135
ReadFile.KERNEL32(000000FF,000000FF,00000001,FFFFFFFF,00000000), ref: 6C4AE1C1

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: bb0dafc1a447e4b05eaf1831b805fe85bdec2734c06d919892598fd84ad598e0
Instruction ID: 18a37fc701fc32b31ab49e3dc2b6ad35906a96684e10829a6f303d253e7ec226
Opcode Fuzzy Hash: bb0dafc1a447e4b05eaf1831b805fe85bdec2734c06d919892598fd84ad598e0
Instruction Fuzzy Hash: 6A41F171A002468FDB20CFA9C880FAABBF5AF16324F14071CD4B5976D1E370A945CB90

Function 6C4ECE5B Relevance: 3.1, APIs: 2, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6C4ECEA8

Part of subcall function 6C4ED26B: InitializeSListHead.KERNEL32(6C55E018,6C4ECEB2,6C558258,00000010,6C4ED05B,?,00000000,?,00000007,6C558278,00000010,6C4ED06E,?,?,6C4ED0F7,?), ref: 6C4ED270

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6C4ECF12

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 2d0ff1f1eda6af86c81c3c59fc81b7423f41526369e32f50edad62bf95524840
Instruction ID: e933c3cff814b4d9804f5be20169d69b84619944ed103c81dd8f8e527ae813be
Opcode Fuzzy Hash: 2d0ff1f1eda6af86c81c3c59fc81b7423f41526369e32f50edad62bf95524840
Instruction Fuzzy Hash: 6C21E1326486419ADB04FFA89C01FED3FA0AB4E32FF12085ED455A7FC1DB71544992D5

Function 6C8C2A8B Relevance: 3.1, APIs: 2, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6C8C2AD8

Part of subcall function 6C8C2E9B: InitializeSListHead.KERNEL32(6C93F9B8,6C8C2AE2,6C93A818,00000010,6C8C2C8B,?,00000000,?,00000007,6C93A838,00000010,6C8C2C9E,?,?,6C8C2D27,?), ref: 6C8C2EA0

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6C8C2B42

Memory Dump Source

Source File: 00000006.00000002.4155419249.000000006C711000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C710000, based on PE: true

Associated: 00000006.00000002.4155355851.000000006C710000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156102127.000000006C93C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156596890.000000006C953000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c710000_CapCut_installer.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 88a9860921d24f0b543b1084b9fdf8a3828a0770129e938d949f79e2643fb95c
Instruction ID: 1d010f9efed110ac39acf2dbf5c525390e0068f5c3691efebb9ef09fc8bde2fc
Opcode Fuzzy Hash: 88a9860921d24f0b543b1084b9fdf8a3828a0770129e938d949f79e2643fb95c
Instruction Fuzzy Hash: BD21343274D206EADB34AFAC9708BDC33A0AB5632DF202C69D44567FC1DB29D0088667

Function 6C4ECF62 Relevance: 3.1, APIs: 2, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6C4ECFA9
___scrt_uninitialize_crt.LIBCMT ref: 6C4ECFC3

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: ea4819bbf9255330a2ee5fbafbae86b84d47b915ba9d4b7469c92fb98b4d2747
Instruction ID: 2544d26a1c4b916ced1048068234a576335533409cfa2ebfae29439c2d53f290
Opcode Fuzzy Hash: ea4819bbf9255330a2ee5fbafbae86b84d47b915ba9d4b7469c92fb98b4d2747
Instruction Fuzzy Hash: 6421C072A44215DACB10EFA88D00FED7BB0FB8E62FF13491ED46496F80CB7596069694

Function 6C8C2B92 Relevance: 3.1, APIs: 2, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6C8C2BD9
___scrt_uninitialize_crt.LIBCMT ref: 6C8C2BF3

Memory Dump Source

Source File: 00000006.00000002.4155419249.000000006C711000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C710000, based on PE: true

Associated: 00000006.00000002.4155355851.000000006C710000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156102127.000000006C93C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156596890.000000006C953000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c710000_CapCut_installer.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: eaa506a2d87dd5051e059ff00c5b9aba4602975d7ac392bd0679cac9a1f744ff
Instruction ID: 8f749a3edcfc67c7c7f81654ff3b09b3adf84a6fc9a83db4641b4ca66353af18
Opcode Fuzzy Hash: eaa506a2d87dd5051e059ff00c5b9aba4602975d7ac392bd0679cac9a1f744ff
Instruction Fuzzy Hash: B821D432B09249DACB30DFAC8B087DC77A0EB11719F229D66D055E2ED0CB7CC5098663

Function 004015C1 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405C3A: CharNextW.USER32(?,?,00464250,?,00405CAE,00464250,00464250,004DF000,?,74DF3420,004059EC,?,004DF000,74DF3420,00000000), ref: 00405C48
Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C4D
Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C65

GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 004057F1: CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405834

SetCurrentDirectoryW.KERNEL32(?,004D3000,?,00000000,000000F0), ref: 0040164D

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID:
API String ID: 1892508949-0
Opcode ID: 125bac33416d21a80fc522b842b933099275dd0dd1ea66691da55d5ffdcd1f5d
Instruction ID: 536d45c59d08a7b21130d9dbd5b0e10796a041e4a40079992e14d28e29d42f71
Opcode Fuzzy Hash: 125bac33416d21a80fc522b842b933099275dd0dd1ea66691da55d5ffdcd1f5d
Instruction Fuzzy Hash: 2211E231504505EBCF30AFA1CD0159F36A0EF14369B28493BFA45B22F1DB3E8A919B5E

Function 00402484 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024B5
RegCloseKey.ADVAPI32(?,?,?,004125D0,00000000,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 8c6ae37f0c00b40db9a7f0b8771259aad396ca2ebfe9c6ecab15c5ec5bd387db
Instruction ID: 1206e07bb255176646816810ef0290bee69920d7ecde6c9ccbb84b14c6b4306b
Opcode Fuzzy Hash: 8c6ae37f0c00b40db9a7f0b8771259aad396ca2ebfe9c6ecab15c5ec5bd387db
Instruction Fuzzy Hash: E311A771D10205EBDF14DFA4CA585AE77B4EF44348B20843FE505B72C0D6B89A41EB5E

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: be076caaca7df3d109edefedbdc7bfa3a965653d784c315eb79774cf5cfe89e5
Instruction ID: ea42f58d7670a619ed9131e80823b54190387dbc53765a55c310ef4228f9fff3
Opcode Fuzzy Hash: be076caaca7df3d109edefedbdc7bfa3a965653d784c315eb79774cf5cfe89e5
Instruction Fuzzy Hash: AF0128316202109BE7095B789E04B2A3798E710315F10463FF855F62F1D6B8CC829B5C

Function 6C8D0040 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(6C93A8A0,0000000C), ref: 6C8D0053
ExitThread.KERNEL32 ref: 6C8D005A

Memory Dump Source

Source File: 00000006.00000002.4155419249.000000006C711000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C710000, based on PE: true

Associated: 00000006.00000002.4155355851.000000006C710000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156102127.000000006C93C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156596890.000000006C953000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c710000_CapCut_installer.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 526c2af32b6fbb39224eb7940086c85df66fe33240b01bb82e70e0a8a44bbe3c
Instruction ID: a8c1d10bb844ce9e862c6bdef2c2b28162e64216a06525ea7465fbb787eb0c85
Opcode Fuzzy Hash: 526c2af32b6fbb39224eb7940086c85df66fe33240b01bb82e70e0a8a44bbe3c
Instruction Fuzzy Hash: 2DF02270A44204AFDB20AFB4C648AAE3B70FF46318F2409A9E40597B90CF30AC05CB61

Function 6C4618D0 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

??0WindowImplBase@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,?,6C43B33D), ref: 6C4618DA

Part of subcall function 6C432200: ??0CWindowWnd@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C432206
Part of subcall function 6C432200: ??0CStdStringPtrMap@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000053), ref: 6C432217
Part of subcall function 6C432200: ??0CPaintManagerUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,00000053), ref: 6C432241

??0CWndShadow@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,?,6C43B33D), ref: 6C461910

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Window$Base@ImplManagerMap@PaintShadow@@StringWnd@
String ID:
API String ID: 367008870-0
Opcode ID: 359f61c1c81dd633a0f759126ecf5839ddfed4a5282b1bd6e7018c0e6c4a384e
Instruction ID: 17d6fdb595ed8478220cc567d0c4628e4cd5413c221d1f6780d92e57c9075122
Opcode Fuzzy Hash: 359f61c1c81dd633a0f759126ecf5839ddfed4a5282b1bd6e7018c0e6c4a384e
Instruction Fuzzy Hash: 1B0162724007489BD320CF21D849FDBBBE4AF56354F11872EE89A5AE61D7B0B588CBD4

Function 6C748D60 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 6C74CE80: TryAcquireSRWLockExclusive.KERNEL32(6C94ABA8,?,?,6C748D69,?,?,6C748F1F,?,?,?,?,?,6C8332DB,00000024,?,6C7C1BDC), ref: 6C74CE89
Part of subcall function 6C74CE80: ReleaseSRWLockExclusive.KERNEL32(6C94ABA8,?,6C748D69,?,?,6C748F1F,?,?,?,?,?,6C8332DB,00000024,?,6C7C1BDC), ref: 6C74CEAD

GetCurrentProcess.KERNEL32(?,?,6C748F1F,?,?,?,?,?,6C8332DB,00000024,?,6C7C1BDC,?,?), ref: 6C748D7B
IsWow64Process.KERNEL32(00000000,6C93D3BC,?,6C748F1F,?,?,?,?,?,6C8332DB,00000024,?,6C7C1BDC,?,?), ref: 6C748D87

Memory Dump Source

Source File: 00000006.00000002.4155419249.000000006C711000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C710000, based on PE: true

Associated: 00000006.00000002.4155355851.000000006C710000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156102127.000000006C93C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156596890.000000006C953000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c710000_CapCut_installer.jbxd

Similarity

API ID: ExclusiveLockProcess$AcquireCurrentReleaseWow64
String ID:
API String ID: 2898688079-0
Opcode ID: a62911659d731cbd16326128abf7c5c5d95e5271fe8e3e3a725c436f7da8d2ef
Instruction ID: 2cb8b7227593fa4538af678a9fdd198efa49569a7789183dbcc949a74a204d72
Opcode Fuzzy Hash: a62911659d731cbd16326128abf7c5c5d95e5271fe8e3e3a725c436f7da8d2ef
Instruction Fuzzy Hash: 4DE0653371A12897DB205B798A0575536E85B1A75DF308136FD18D7F44E724CC408BD4

Function 6C74CE80 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(6C94ABA8,?,?,6C748D69,?,?,6C748F1F,?,?,?,?,?,6C8332DB,00000024,?,6C7C1BDC), ref: 6C74CE89
ReleaseSRWLockExclusive.KERNEL32(6C94ABA8,?,6C748D69,?,?,6C748F1F,?,?,?,?,?,6C8332DB,00000024,?,6C7C1BDC), ref: 6C74CEAD

Memory Dump Source

Source File: 00000006.00000002.4155419249.000000006C711000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C710000, based on PE: true

Associated: 00000006.00000002.4155355851.000000006C710000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156102127.000000006C93C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156596890.000000006C953000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c710000_CapCut_installer.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 6a8ae2241e4824595835b854aade67712e4189aa53436696402404d3337494d0
Instruction ID: aae329d3a964d4dbe374715a9ffb846e86d32f55a7bae80f6bc08ef3dd736127
Opcode Fuzzy Hash: 6a8ae2241e4824595835b854aade67712e4189aa53436696402404d3337494d0
Instruction Fuzzy Hash: 8BE06D213082745AEB15B6E6461CBA53B6B578329EF34C6B5D04586F80CF21884CC762

Function 6C506BB4 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,6C50AF64,?,00000000,?,?,6C50AC04,?,00000007,?,?,6C50B5A5,?,?), ref: 6C506BCA
GetLastError.KERNEL32(?,?,6C50AF64,?,00000000,?,?,6C50AC04,?,00000007,?,?,6C50B5A5,?,?), ref: 6C506BD5

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: b6acc619f00f1d8d9ca22a2da45387120cfb005a418820d3b7d49cb22fec31cf
Instruction ID: 6d8c4b47f2b0c8ee69993debc62093279f7b9307aa54b04a9f5fb3ddf5db0894
Opcode Fuzzy Hash: b6acc619f00f1d8d9ca22a2da45387120cfb005a418820d3b7d49cb22fec31cf
Instruction Fuzzy Hash: 53E08C32204204ABDB022FA1DC08FCA3E68EB41399F528024FA28C6960DB75D4808BD8

Function 6C495100 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6C495109
ShowWindow.USER32(?,00000000,?,6C43B38C,00000000,00000001), ref: 6C49512C

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Window$Show
String ID:
API String ID: 990937876-0
Opcode ID: a91517c45f53ab217f5812458aab0bdd4d99d3b74ea53b433b7deabc6514d9f7
Instruction ID: 0b8378a2eaa223f88edd197a4cd81d4d3bb583632a062a6a25e2ed69885d3d34
Opcode Fuzzy Hash: a91517c45f53ab217f5812458aab0bdd4d99d3b74ea53b433b7deabc6514d9f7
Instruction Fuzzy Hash: A3E086712001647FDF055F21CC05DB7BFF8EB06791B55C16AE896CA011DA72D8119B90

Function 00406694 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
GetProcAddress.KERNEL32(00000000,?), ref: 004066C1

Part of subcall function 00406624: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
Part of subcall function 00406624: wsprintfW.USER32 ref: 00406676
Part of subcall function 00406624: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040668A

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 2c450699f5e5c6ed5e41876474a170b73f17b01a65d70064c3ee9ca103cb2d45
Instruction ID: 155b38c425e345f43688a0673e138072f65e923c2ca09dacbbabb210d44f0fbf
Opcode Fuzzy Hash: 2c450699f5e5c6ed5e41876474a170b73f17b01a65d70064c3ee9ca103cb2d45
Instruction Fuzzy Hash: 50E0863250461156D31197709E4487762EC9B95750307483EF946F2091DB399C36A66D

Function 00405DB0 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(004E7000,00402F1D,004E7000,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15

Function 00405D8B Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,00405990,?,?,00000000,00405B66,?,?,?,?), ref: 00405D90
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405DA4

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction ID: fe430eedc911e7c92ce83e5abbc00e08444bb0e311ec0623c818608bfa408f6d
Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction Fuzzy Hash: 1BD0C972504420ABD2512728AF0C89BBB95DB542717028B39FAA9A22B0CB304C568A98

Function 0040586E Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,00000000,00403382,004DF000,004DF000,004DF000,004DF000,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 00405874
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405882

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction ID: b5712d1dc6f90c91938fb9970759bfac189bcafefc635788875416fd9ee2894b
Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction Fuzzy Hash: 2FC04C712155019ED7546F619F08B277A50EB60781F158839A946E10E0DB348465ED2D

Function 6C8E0C1B Relevance: 2.6, APIs: 2, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000008,6C8DD284), ref: 6C8E0C1F
SetLastError.KERNEL32(00000000,?,?,?,?,6C8332DB,00000024,?,6C7C1BDC,?,?), ref: 6C8E0CC1

Memory Dump Source

Source File: 00000006.00000002.4155419249.000000006C711000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C710000, based on PE: true

Associated: 00000006.00000002.4155355851.000000006C710000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156102127.000000006C93C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156596890.000000006C953000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c710000_CapCut_installer.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 5e6ced8769475a8be497b82d6a02b7aeb3d5dd3e824d9a00937c3ff444b3917b
Instruction ID: f736fdc4e7283292d8dd0de719fbdd2fd7798f17929cfbcf7730ebd007902c55
Opcode Fuzzy Hash: 5e6ced8769475a8be497b82d6a02b7aeb3d5dd3e824d9a00937c3ff444b3917b
Instruction Fuzzy Hash: BD11C63120D2516ADB3067B99EC999B2668AB0B3ECB250F30F568D2AD0DF54C908A390

Function 6C749280 Relevance: 2.5, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,00004000,?,?,6C8332DB,00000024,?,6C7C1BDC,?,?), ref: 6C74928E
GetLastError.KERNEL32(?,?,6C8332DB,00000024,?,6C7C1BDC,?,?), ref: 6C749298

Memory Dump Source

Source File: 00000006.00000002.4155419249.000000006C711000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C710000, based on PE: true

Associated: 00000006.00000002.4155355851.000000006C710000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156102127.000000006C93C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156596890.000000006C953000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c710000_CapCut_installer.jbxd

Similarity

API ID: ErrorFreeLastVirtual
String ID:
API String ID: 499627090-0
Opcode ID: d04ab74d1c1019f1f7747c245c5d30136b0bb78d6c5ad288f4ebb1f92210a358
Instruction ID: 3327768a26ced15e82cb03f562a2992747a5b316986707618f7ff7d988cfaaee
Opcode Fuzzy Hash: d04ab74d1c1019f1f7747c245c5d30136b0bb78d6c5ad288f4ebb1f92210a358
Instruction Fuzzy Hash: 32D05E3138820C679B101E92AF09B553B6DAB12BB5B10C021FA0CC9C10E722D1108594

Function 6C4AF2D0 Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 6C4AF346

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: f6f25896b47be70b3d752a521ef1e6c4b59bb3cd7bb87a6182c667569541175d
Instruction ID: a79947c82dc035338bcda0ab9182fb0f83f701e71e32d8279b56d58016acbe0c
Opcode Fuzzy Hash: f6f25896b47be70b3d752a521ef1e6c4b59bb3cd7bb87a6182c667569541175d
Instruction Fuzzy Hash: 8D7180729012199BDF11CFA8CC80EDE7BF5AF55338F554764D824AB3D8E73198068B90

Function 6C472DB0 Relevance: 1.7, APIs: 1, Instructions: 180timeCOMMON

Download Yara Rule

APIs

?SetTimer@CPaintManagerUI@DuiLib@@QAE_NPAVCControlUI@2@II@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C472E67

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: ControlI@2@Lib@@ManagerPaintTimer@
String ID:
API String ID: 3785836659-0
Opcode ID: 0011930d3b8cf1edcd8b3d34d6b4879c3fb9f030b0cefa5b320fae47e40601ed
Instruction ID: 138e78ab552ab2a9e1eff855906bcac9d8b80f878d8af5ee4507f32c77824978
Opcode Fuzzy Hash: 0011930d3b8cf1edcd8b3d34d6b4879c3fb9f030b0cefa5b320fae47e40601ed
Instruction Fuzzy Hash: 4D51AF71A00206CFDB24CF69C884FDA77A2FB85315F198539E8599B741DB31E846CBA1

Function 6C461F10 Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

?PostMessageW@CWindowWnd@DuiLib@@QAEJIIJ@Z.DOWNLOADER_NSIS_PLUGIN(00002B66,00000000,00000000,6C51FA74), ref: 6C461FBB

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@MessagePostWindowWnd@
String ID:
API String ID: 1787732090-0
Opcode ID: f354a17049a3a3e745a9b177622fe1562f299452f00c9fc01c806a90eecc9228
Instruction ID: 7b25259ee6897d817fb9153daa87dfa9b8d77a503732dda33869ba1f213054cf
Opcode Fuzzy Hash: f354a17049a3a3e745a9b177622fe1562f299452f00c9fc01c806a90eecc9228
Instruction Fuzzy Hash: 3E212775A003059FCB14DF66C8C8EAABBB5BF88315F20042ED50A5BB51CB31A989CBD0

Function 6C48A740 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 6C48B1C0: ??0CControlUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,6C48A78E), ref: 6C48B1C6

?SetLineSize@CScrollBarUI@DuiLib@@QAEXH@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C48A7A8

Part of subcall function 6C48B5D0: GetModuleHandleW.KERNEL32 ref: 6C48B613
Part of subcall function 6C48B5D0: RegisterClassExW.USER32 ref: 6C48B640
Part of subcall function 6C48B5D0: ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48B65C
Part of subcall function 6C48B5D0: CreateWindowExW.USER32 ref: 6C48B6BF
Part of subcall function 6C48B5D0: ?AddPreMessageFilter@CPaintManagerUI@DuiLib@@QAE_NPAVIMessageFilterUI@2@@Z.DOWNLOADER_NSIS_PLUGIN ref: 6C48B6EA

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Paint$ManagerMessage$ClassControlCreateD__@@FilterFilter@HandleI@2@@LineModuleRegisterScrollSize@WindowWindow@
String ID:
API String ID: 2965648927-0
Opcode ID: 0f71ec77105f4e6531b1f6471ad24d4607bcb74cf9528aa96d111fa11d7f68cd
Instruction ID: 3086fb00d93a14c22bad29281c6fdfa0d9305787f88f78c8ce0208d10754d952
Opcode Fuzzy Hash: 0f71ec77105f4e6531b1f6471ad24d4607bcb74cf9528aa96d111fa11d7f68cd
Instruction Fuzzy Hash: D621C9B5A017098FCB10DFA8CC54AEEBBB5FF48724F04061DD56AA7781D734A9008EA4

Function 6C50DE73 Relevance: 1.5, APIs: 1, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C5092D2: RtlAllocateHeap.NTDLL(00000000,?,?,?,6C4BFA56,?,?,?,6C4310AD,00000000), ref: 6C509304

RtlReAllocateHeap.NTDLL(00000000,6C43117B,?,?,6C43117B,?,6C4BF9EF,?,0000000B), ref: 6C50DED0

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7631359948374387c32b881a4aabfe859068a841e505037aaf8d58a56c848b7e
Instruction ID: ca2f58daa7f2a567d387d1d0302c589b02eadaa80e9f61184dce8e2436dfe85b
Opcode Fuzzy Hash: 7631359948374387c32b881a4aabfe859068a841e505037aaf8d58a56c848b7e
Instruction Fuzzy Hash: 46F09632705216AADB116B2A9C04F8F7B6C9FD3778F254519FC28D6E90DF74E80581A1

Function 6C4ED2FE Relevance: 1.5, APIs: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,6C4EC56F,00000010,?,?,6C4EC56F,?,6C55370C), ref: 6C4ED35E

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 298e8837e05089dd6516ad2b98c767a92552b957d46e2294761f5e98c5fec73b
Instruction ID: 6ce4fd515cf08845107598175738e1f71832f6f0f5f576f25fa461d105d437ab
Opcode Fuzzy Hash: 298e8837e05089dd6516ad2b98c767a92552b957d46e2294761f5e98c5fec73b
Instruction Fuzzy Hash: 5601A775A00208AFCB01DF5CD880FAEBBB9FF89715F124159E9159B391D770D901CB90

Function 6C8CFFA7 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 6C8D00BE: CloseHandle.KERNEL32(?,?,?,6C8CFFB4,?,?,6C8D009E,00000000), ref: 6C8D00EF
Part of subcall function 6C8D00BE: FreeLibraryAndExitThread.KERNEL32(?,?,?,?,6C8CFFB4,?,?,6C8D009E,00000000), ref: 6C8D0105
Part of subcall function 6C8D00BE: ExitThread.KERNEL32 ref: 6C8D010E

GetModuleHandleExW.KERNEL32(00000004,?,0000000C), ref: 6C8CFFEC

Memory Dump Source

Source File: 00000006.00000002.4155419249.000000006C711000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C710000, based on PE: true

Associated: 00000006.00000002.4155355851.000000006C710000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4155687987.000000006C8F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156102127.000000006C93C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156309004.000000006C94E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.4156596890.000000006C953000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c710000_CapCut_installer.jbxd

Similarity

API ID: ExitHandleThread$CloseFreeLibraryModule
String ID:
API String ID: 620020252-0
Opcode ID: 8260dfbef82bab89def5d3c63e1ebada29d026d904d614766b59e36770482de6
Instruction ID: f57c4fe931dc1d40aba5ec5abefb1b01e4c58b057cecb19d0fa2e51c2e3b98c3
Opcode Fuzzy Hash: 8260dfbef82bab89def5d3c63e1ebada29d026d904d614766b59e36770482de6
Instruction Fuzzy Hash: 92F0C272601248BBD7209F56DD0AD8BBBA8DFC0B54F214529FA19C7740DBB0AE04C6E1

Function 6C506B57 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,6C5073B8,00000001,00000364,?,0000000B,000000FF,?,?,6C4FD1CA,6C509315), ref: 6C506B98

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 241861f01d7b00b2b80a56c9f34b37805c9213757c356cfbaabcdc29400d244f
Instruction ID: de5ea8fc078261400acf59710bdf11f63147e1c7df1a99c925716fa281baf5a7
Opcode Fuzzy Hash: 241861f01d7b00b2b80a56c9f34b37805c9213757c356cfbaabcdc29400d244f
Instruction Fuzzy Hash: 10F0E9B17053245FEF015F26CC04F9F37A89F82774B154511AC24E7980CF70D48186E1

Function 6C48A840 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

?IsEmpty@CStdPtrArray@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48A852

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Array@Empty@Lib@@
String ID:
API String ID: 3255822546-0
Opcode ID: 10e97aa895ec72a640efa3acf9414c273630057d32bd9abd31753672f3a3a843
Instruction ID: e095349e4748f88d27ff40ab42feaea132e361597b2aefd467671b41e96268a4
Opcode Fuzzy Hash: 10e97aa895ec72a640efa3acf9414c273630057d32bd9abd31753672f3a3a843
Instruction Fuzzy Hash: A0E0D1373051145BF500965EEC84FB6B755EBC57B6F54013BDB0593740C661D80242F4

Function 6C5092D2 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,6C4BFA56,?,?,?,6C4310AD,00000000), ref: 6C509304

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 30256f4f6e006dc10844bc5242f8b59c14597f63c1f298cf0659b70a599a93b6
Instruction ID: f096f3f5d6e555ed9a898a6a84dda097f114f62b93b867735992609fefeab848
Opcode Fuzzy Hash: 30256f4f6e006dc10844bc5242f8b59c14597f63c1f298cf0659b70a599a93b6
Instruction Fuzzy Hash: 37E0E53170521196EB015A658C04FCA3A5C9F832B4F190524DC28D6DD8DB20D84089E4

Function 00405E62 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,?,?,004032FA,000000FF,00428200,?,00428200,?,?,00000004,00000000), ref: 00405E76

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 8754e0b6f25d564075f0081c534dd79b85a2df0f0bc88b3642164a4a3ec1e455
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: FDE0B63221065AAFDF109F95DC00AAB7B6CEB052A0F044437FD59E7150D671EA21DAE4

Function 00405E33 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,?,?,00403344,00000000,00000000,00403168,?,00000004,00000000,00000000,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: bd732019988057c431ec21c3a2c50b1292625b962aa4d7912315599e48db2a91
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: A9E08C3220021AABCF20AF54DC00FEB3B6CEB05760F004832FD65E6040E230EA219BE8

Function 00406127 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(00000000,00000000,00000000,?,?,00448228,?,?,004061B5,00448228,00000000,?,?,SetLabelText,?), ref: 0040614B

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: b908bd292ce434c6339c018d18c1e3bfafdd2f7559b63d477f04a141d62eba1a
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 94D0123214020DFBDF119E909D01FAB775DAB08350F014426FE06A9191D776D530AB14

Function 6C4999A0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

?DrawImageString@CRenderEngine@DuiLib@@SA_NPAUHDC__@@PAVCPaintManagerUI@2@ABUtagRECT@@2PB_W3@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,6C474084,?,00000000,00000000), ref: 6C4999BD

Part of subcall function 6C490220: ??0CDuiString@DuiLib@@QAE@PB_WH@Z.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C4902D8
Part of subcall function 6C490220: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C49033B
Part of subcall function 6C490220: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C4903B8
Part of subcall function 6C490220: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C490412

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@String@$C__@@DrawEngine@I@2@ImageManagerPaintRenderT@@2Utag
String ID:
API String ID: 746362113-0
Opcode ID: 19bb3290260c96de749caca1e7e63d2bb8f94a52ff5a87fdda9eea1431e54d35
Instruction ID: 1eb56ef5b647248c1bcf1df6eef911833a920da3f05e14ef5c6dc9863a42f2da
Opcode Fuzzy Hash: 19bb3290260c96de749caca1e7e63d2bb8f94a52ff5a87fdda9eea1431e54d35
Instruction Fuzzy Hash: D1D09E7200010DBBCB019E84DC44DE97B2EFB94308F548469FA084D112E63396769B91

Function 6C48B380 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 6C48B394

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0a9a390c353bb60fae35a77b42868550c33cc24766c97751d6900b499939ed43
Instruction ID: 88a69d83993e920c64fff8649a02e56663b813330ec742ba495ee8d89816107b
Opcode Fuzzy Hash: 0a9a390c353bb60fae35a77b42868550c33cc24766c97751d6900b499939ed43
Instruction Fuzzy Hash: 36D0127124502DBFCB115A8DD804CB57FACDF4726570540B7F940CA512C96299118BD5

Function 6C4956C0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 6C4956D2

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 9ee3eca9a55445f596b5471b5ff0bea61d704b41b63059942001392f3f28be1e
Instruction ID: ca3bb262c34472ff145e11a66ac2d2a8684154a6ef31aad9599fcf4d467d12f0
Opcode Fuzzy Hash: 9ee3eca9a55445f596b5471b5ff0bea61d704b41b63059942001392f3f28be1e
Instruction Fuzzy Hash: 74C0EA36000248FB8F025F81DD04C9ABF6AEB19264B58C459FA18085218733D532AB94

Function 6C495280 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

PostMessageW.USER32(?,00000000,00000000,00002B66), ref: 6C49528F

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b7683e5b508da3b89f5d63f31d42d97d7dfce3a7f2e6c929848b69dd4a38190f
Instruction ID: bd31eb4c61d68056613f6273089d53b15e237073c7f855b2986a82688504e30f
Opcode Fuzzy Hash: b7683e5b508da3b89f5d63f31d42d97d7dfce3a7f2e6c929848b69dd4a38190f
Instruction Fuzzy Hash: B3C00136000208FB8F025F81DC05CDABF3AEB1A262B448019FA18084218733D571EB95

Function 00403347 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 00403355

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 00404266 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00404091), ref: 00404274

Memory Dump Source

Source File: 00000006.00000002.4133761971.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4133709809.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133815083.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4133867392.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000052F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000535000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.0000000000567000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4134156590.000000000056F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_CapCut_installer.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 916ba585e608d634958797641490031ceb4b368d387894d1e0aab50b7c43ae9e
Instruction ID: 80b1fa8ab317a3fb83bf0bb9afc1fcb2ede285a6b5c9b7890d3d6fe7da01b763
Opcode Fuzzy Hash: 916ba585e608d634958797641490031ceb4b368d387894d1e0aab50b7c43ae9e
Instruction Fuzzy Hash: 69B092361C4600AAEE118B50DE49F497A62E7A4702F008138B244640B0CAB200E0DB09

Function 6C4B0870 Relevance: 1.3, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,6C48DEA2,00000103,00000000,?,?), ref: 6C4B0951

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: fb2bc684665ed41be85d717c658202f879e9d01b4b83022a2d89bc3a8df77cfd
Instruction ID: 6db11cbdd2bc6c9907197f1c0f381177f21ab71408334ab9e6cc37a93d3337e7
Opcode Fuzzy Hash: fb2bc684665ed41be85d717c658202f879e9d01b4b83022a2d89bc3a8df77cfd
Instruction Fuzzy Hash: CB317C71A017199BDB10DF64DC14FEBBBB4AF4A365F010129F8597B280E774A944CBE0

Non-executed Functions

Function 6C49AB30 Relevance: 116.5, APIs: 29, Strings: 37, Instructions: 988windowCOMMON

Download Yara Rule

APIs

?SetVirtualWnd@CControlUI@DuiLib@@QAEXPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49AE9B

Part of subcall function 6C49A9B0: ??4CDuiString@DuiLib@@QAEABV01@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49A9BC
Part of subcall function 6C49A9B0: ?UsedVirtualWnd@CPaintManagerUI@DuiLib@@QAEX_N@Z.DOWNLOADER_NSIS_PLUGIN(00000001,?), ref: 6C49A9C6

CharNextW.USER32(?), ref: 6C49B061
CharNextW.USER32(?), ref: 6C49B076
IntersectRect.USER32(?,?,?), ref: 6C49B139
CharNextW.USER32(?), ref: 6C49B251
CharNextW.USER32(?), ref: 6C49B266
IntersectRect.USER32(?,?,?), ref: 6C49B31F
CharNextW.USER32(?), ref: 6C49B351
CharNextW.USER32(?), ref: 6C49B366
IntersectRect.USER32(?,?,?), ref: 6C49B41F
?Invalidate@CPaintManagerUI@DuiLib@@QAEXAAUtagRECT@@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49B440
CharNextW.USER32(?), ref: 6C49B454
?SetBorderColor@CControlUI@DuiLib@@QAEXK@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49B473
CharNextW.USER32(?), ref: 6C49B487
?SetFocusBorderColor@CControlUI@DuiLib@@QAEXK@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49B4A6
?SetColorHSL@CControlUI@DuiLib@@QAEX_N@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49B4CA
??0CDuiString@DuiLib@@QAE@PB_WH@Z.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C49B526
?Find@CDuiString@DuiLib@@QBEH_WH@Z.DOWNLOADER_NSIS_PLUGIN(0000002C,00000000,?,?,?,?,?,000000FF), ref: 6C49B53B
?SetBorderSize@CControlUI@DuiLib@@QAEXUtagRECT@@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,00000000,00000000), ref: 6C49B5A9
?SetLeftBorderSize@CControlUI@DuiLib@@QAEXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49B5BE
?SetTopBorderSize@CControlUI@DuiLib@@QAEXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49B5D6
?SetBorderSize@CControlUI@DuiLib@@QAEXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49B5EF
?SetBorderSize@CControlUI@DuiLib@@QAEXUtagRECT@@@Z.DOWNLOADER_NSIS_PLUGIN ref: 6C49B603
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49B60B
?SetRightBorderSize@CControlUI@DuiLib@@QAEXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49B623
?SetBottomBorderSize@CControlUI@DuiLib@@QAEXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49B63B
?SetBorderStyle@CControlUI@DuiLib@@QAEXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49B653
?SetBorderRound@CControlUI@DuiLib@@QAEXUtagSIZE@@@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C49B690
?SetBkImage@CControlUI@DuiLib@@QAEXPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49B69F

Strings

maxheight, xrefs: 6C49AD78
borderstyle, xrefs: 6C49ACC8
keyboard, xrefs: 6C49AE12
bkimage, xrefs: 6C49ACF4
name, xrefs: 6C49AD8E
visible, xrefs: 6C49AE28
topbordersize, xrefs: 6C49AC86
bordersize, xrefs: 6C49AC5A
width, xrefs: 6C49AD0A
mouse, xrefs: 6C49ADFC
relativepos, xrefs: 6C49AB94
bkcolor1, xrefs: 6C49ABD6
userdata, xrefs: 6C49ADD0
borderround, xrefs: 6C49ACDE
text, xrefs: 6C49ADA4
pos, xrefs: 6C49AB7E
shortcut, xrefs: 6C49AE54
bkcolor, xrefs: 6C49ABC0
menu, xrefs: 6C49AE6A
enabled, xrefs: 6C49ADE6
maxwidth, xrefs: 6C49AD62
height, xrefs: 6C49AD20
float, xrefs: 6C49AE3E
true, xrefs: 6C49B4B0, 6C49B77D, 6C49B7A1, 6C49B7C8, 6C49B7EF, 6C49B816, 6C49B853
bkcolor2, xrefs: 6C49ABEC
colorhsl, xrefs: 6C49AC44
padding, xrefs: 6C49ABAA
bottombordersize, xrefs: 6C49ACB2
bordercolor, xrefs: 6C49AC18
minwidth, xrefs: 6C49AD36
rightbordersize, xrefs: 6C49AC9C
minheight, xrefs: 6C49AD4C
leftbordersize, xrefs: 6C49AC70
tooltip, xrefs: 6C49ADBA
bkcolor3, xrefs: 6C49AC02
virtualwnd, xrefs: 6C49AE80
focusbordercolor, xrefs: 6C49AC2E

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Control$Border$CharNext$Size@$String@Utag$IntersectRectT@@@$Color@ManagerPaintVirtualWnd@$BottomColorE@@@Find@FocusImage@Invalidate@LeftRightRound@Style@UsedV01@
String ID: bkcolor$bkcolor1$bkcolor2$bkcolor3$bkimage$bordercolor$borderround$bordersize$borderstyle$bottombordersize$colorhsl$enabled$float$focusbordercolor$height$keyboard$leftbordersize$maxheight$maxwidth$menu$minheight$minwidth$mouse$name$padding$pos$relativepos$rightbordersize$shortcut$text$tooltip$topbordersize$true$userdata$virtualwnd$visible$width
API String ID: 2182062608-1118692965
Opcode ID: 216d07b5948161466b802eb208bb961c64a8a77c36cd57aaa531e31a606dab41
Instruction ID: 32805308da2c24adb2045d965a07c7b3349fcb6b18d8bacdf7498ef0818f4497
Opcode Fuzzy Hash: 216d07b5948161466b802eb208bb961c64a8a77c36cd57aaa531e31a606dab41
Instruction Fuzzy Hash: 7672CF71A007109BDB20DF24DC85FAA7BB5BF95205F144A2DE84AD7B90EB70F909CB52

Function 6C490D60 Relevance: 31.8, APIs: 15, Strings: 3, Instructions: 325libraryloaderwindowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 6C490E27
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C490E37
SelectObject.GDI32(00000000,00000000), ref: 6C490E4C
SelectObject.GDI32(?,?), ref: 6C490F53
DeleteObject.GDI32(00000000), ref: 6C490F5C
DeleteDC.GDI32(?), ref: 6C490F63
DeleteObject.GDI32(?), ref: 6C491001
CreateSolidBrush.GDI32(?), ref: 6C491063
FillRect.USER32(?,?,?), ref: 6C491108
__Init_thread_header.LIBCMT ref: 6C491118
GetModuleHandleW.KERNEL32(msimg32.dll), ref: 6C491132
GetProcAddress.KERNEL32(00000000,AlphaBlend), ref: 6C49113E

Strings

AlphaBlend, xrefs: 6C491138
msimg32.dll, xrefs: 6C49112D, 6C491175
GradientFill, xrefs: 6C491180

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Object$CreateDelete$CompatibleSelect$AddressBitmapBrushFillHandleInit_thread_headerModuleProcRectSolid
String ID: AlphaBlend$GradientFill$msimg32.dll
API String ID: 3148250353-216815851
Opcode ID: 7119343d824de843395af2f18096a2f32ea423f2d7f9561e4dddb3d3f9683a47
Instruction ID: 7ee97adb13d2b929bbe7413c1c984cc06a4aeeaa3687554ee027cd2fae43dee8
Opcode Fuzzy Hash: 7119343d824de843395af2f18096a2f32ea423f2d7f9561e4dddb3d3f9683a47
Instruction Fuzzy Hash: D9D16875A002189FDB04CFA8CD84EAEBBB5FF8A315F54412AE805EB780D774A901CB94

Function 6C4C28E0 Relevance: 9.4, APIs: 6, Instructions: 413COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6C4C294B
__aullrem.LIBCMT ref: 6C4C295B

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID:
API String ID: 3839614884-0
Opcode ID: 257b88af36be77cd2ddbc02d2eb4e01615fb514c81f8136154aa56ac8b534803
Instruction ID: 22dde7d61bdf66d07d2b2e08f2171a026d3b3ce9b739e15c98bb43090598973b
Opcode Fuzzy Hash: 257b88af36be77cd2ddbc02d2eb4e01615fb514c81f8136154aa56ac8b534803
Instruction Fuzzy Hash: 41E1272AA106268AC3388F298951F35B6E9FF74310F515137EC88DB7E2E67DC851D3A1

Function 6C4ECB73 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 6C4ECAE3: GetLastError.KERNEL32 ref: 6C4ECAF5

IsDebuggerPresent.KERNEL32(?,?,?,6C4EBF0A), ref: 6C4ECBA6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,6C4EBF0A), ref: 6C4ECBB5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6C4ECBB0
MZx, xrefs: 6C4ECB7B

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$MZx
API String ID: 389471666-1466369552
Opcode ID: 75935425f36faa4c527708d51ae864af21e959b276db997bcada567868e44f5f
Instruction ID: 51a31ba6d52934f73a30af42a01a7fe6700ec5da7c10c48c78fa3bde6d0ec77a
Opcode Fuzzy Hash: 75935425f36faa4c527708d51ae864af21e959b276db997bcada567868e44f5f
Instruction Fuzzy Hash: CBE039707047508EE720EF25E818F43BEF4AB0931AB06895ED856C3F40E7B5D4488B92

Function 6C50CBE4 Relevance: 6.2, APIs: 4, Instructions: 205COMMONLIBRARYCODE

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C50CCD4

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 6889654b28efcd5d1335a48381fbab23db1a2d2c611af6ddf64bb4a2481654d4
Instruction ID: f1266b0de0029b83137c175992a53de3f9f673d112f4cd3a2e86201998889b00
Opcode Fuzzy Hash: 6889654b28efcd5d1335a48381fbab23db1a2d2c611af6ddf64bb4a2481654d4
Instruction Fuzzy Hash: 9471E871E051689FDF21EF28CC88AEEBBB8AB46308F2441D9D419D3610DB316EC58F61

Function 6C4EAB30 Relevance: 4.6, APIs: 3, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 6C4EAB79
GetProcessHeap.KERNEL32 ref: 6C4EAB8A
__Init_thread_header.LIBCMT ref: 6C4EABC7

Part of subcall function 6C4EC007: EnterCriticalSection.KERNEL32(6C55DC60,00000000,006D0088,?,6C4E7C21,6C55FB1C,?,6C4E7EF4,006D0358,?,6C4E53FD,00000000,mutex lock failed,6C461F28), ref: 6C4EC012
Part of subcall function 6C4EC007: LeaveCriticalSection.KERNEL32(6C55DC60,?,6C4E7C21,6C55FB1C,?,6C4E7EF4,006D0358,?,6C4E53FD,00000000,mutex lock failed,6C461F28), ref: 6C4EC04F

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: CriticalInit_thread_headerSection$EnterHeapLeaveProcess
String ID:
API String ID: 3206262373-0
Opcode ID: 9309e38a215bd1a2bf1773bf86b37b12adcd001b0e4a79eeb0ecdf12cec950e8
Instruction ID: fd791be9eac4957f27fea9e18f1b71ff00f2777c5f1e0b192a69cf5ed397b4dd
Opcode Fuzzy Hash: 9309e38a215bd1a2bf1773bf86b37b12adcd001b0e4a79eeb0ecdf12cec950e8
Instruction Fuzzy Hash: D611B1B1E00641CFCA00EB58CD72E423BB1BF5B23AF87076AC54546F90D731A555CAAB

Function 6C4B8A90 Relevance: 2.4, Strings: 1, Instructions: 1198COMMON

Download Yara Rule

Strings

outofmem, xrefs: 6C4B9538

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID:
String ID: outofmem
API String ID: 0-748900114
Opcode ID: b06965a056de15723280f0b2b54622b15e67c91b768789a8a2a79fd8df3e2b33
Instruction ID: 701157fe271ee79de3bfbea503fa38a1acf9549d45df6530ef47bf29c80c47bd
Opcode Fuzzy Hash: b06965a056de15723280f0b2b54622b15e67c91b768789a8a2a79fd8df3e2b33
Instruction Fuzzy Hash: 59C23674A04705CFDB24CF68C894FAABBF1BF1A304F14452DD89AA7750E735A84ACB61

Function 6C51683C Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6C516797,?,?,00000008,?,?,6C515708,00000000), ref: 6C516A69

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: d268b77e9ec2781c9e5e143ca05a8064ec95c651923268edcf0fbe3f037ef363
Instruction ID: 4f65f294dd6b0fb7e6ac6537339be5a44bb13d0cd62aced429b37908dc9dea82
Opcode Fuzzy Hash: d268b77e9ec2781c9e5e143ca05a8064ec95c651923268edcf0fbe3f037ef363
Instruction Fuzzy Hash: 40B16D31614608DFE704CF28C88AB557BE0FF45368F258658E8E9CFAA1CB35E981CB40

Function 6C50CB33 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C506B57: RtlAllocateHeap.NTDLL(00000008,?,?,?,6C5073B8,00000001,00000364,?,0000000B,000000FF,?,?,6C4FD1CA,6C509315), ref: 6C506B98

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C50CCD4
FindNextFileW.KERNEL32(00000000,?), ref: 6C50CDC8
FindClose.KERNEL32(00000000), ref: 6C50CE07
FindClose.KERNEL32(00000000), ref: 6C50CE3A

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Find$CloseFile$AllocateFirstHeapNext
String ID:
API String ID: 4087847297-0
Opcode ID: 536656e21fdaa31802bb4acf1e4bfbe17d23fb866084baaaecf5747b9061bdf1
Instruction ID: 0e8227fbec3d97d60da7d61b30a2315abf120f0172ae2df5ccec4643a4a15f72
Opcode Fuzzy Hash: 536656e21fdaa31802bb4acf1e4bfbe17d23fb866084baaaecf5747b9061bdf1
Instruction Fuzzy Hash: D2512971B05218AFDB10AF2C8C84AFE77B9EF8621CF244199E829D7600DB30AD459B71

Function 6C4F0E4F Relevance: 1.6, Strings: 1, Instructions: 322COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 6C4F0FE7

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: fae8bc1be850d728685ec5f82a085cdcd87c21b15e4bb7974e725648dfd2afb1
Instruction ID: bf49caadd296db51097db4817b48c95b4e3d43fa3d7cc0a63a4e53f938512895
Opcode Fuzzy Hash: fae8bc1be850d728685ec5f82a085cdcd87c21b15e4bb7974e725648dfd2afb1
Instruction Fuzzy Hash: 5AB1BFB0A0068A8EDB24CF64C690EAEB7F1AFC9309B10461DD4B6A7F50D771E947CB51

Function 6C460BD0 Relevance: 1.6, Strings: 1, Instructions: 305COMMON

Download Yara Rule

Strings

@, xrefs: 6C460EE7

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: df36e770d47fd1cf4f71581286b9e5d948a232122b1587228845d77e9293e1ad
Instruction ID: 69440bebaf90be2437574eb2209d2fafa2c1be9604e3802a96aa163e5c5c8963
Opcode Fuzzy Hash: df36e770d47fd1cf4f71581286b9e5d948a232122b1587228845d77e9293e1ad
Instruction Fuzzy Hash: E5D1D572A087408FC318CF29C89075AFBF1BFC9314F158A2EF9A9973A1D77598448B42

Function 6C50C80D Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 6C50721A: GetLastError.KERNEL32(?,00000008,6C508F68,?,?,?,00000000), ref: 6C50721E
Part of subcall function 6C50721A: SetLastError.KERNEL32(00000000,?,?,00000000,?,0000000B,000000FF,?,?,?,00000000), ref: 6C5072C0

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,6C50C49C,00000000,00000000,?), ref: 6C50C839

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 5e6fd3b4d62833721db067c7e4398750a1ab894fff57983aa6b4f1888d61aad0
Instruction ID: 771248fa6a4e6f1fffbf3fb673826c51f4514a8d86e134d983d91e3aac553c20
Opcode Fuzzy Hash: 5e6fd3b4d62833721db067c7e4398750a1ab894fff57983aa6b4f1888d61aad0
Instruction Fuzzy Hash: 32F0D632700111ABEB146A608D45BAB3764FF82358F154528DD11F3940FB70FD41C6E5

Function 6C4D89B0 Relevance: .5, Instructions: 510COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70442ee6db13348dae4789297162659e19252ae276ee9c50d235f32a04bddada
Instruction ID: e8fe5c34930a075fc8330e639728caa8b4d4cd79151b3a05a161373662e3e1cb
Opcode Fuzzy Hash: 70442ee6db13348dae4789297162659e19252ae276ee9c50d235f32a04bddada
Instruction Fuzzy Hash: C822E274201B008FD720DF29C4A4F56BBE1BF49319F158A1DE9AA8BBA0D775F945CB80

Function 6C4ACDC0 Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b55ee5f669d07937c704e1251d1f81f1357fed89c09bac17e271da945fe8f05
Instruction ID: cb0451c8591a0766111c90ae9ed844e77d86cff4120b9cbbcba3fed8e1b6e81e
Opcode Fuzzy Hash: 2b55ee5f669d07937c704e1251d1f81f1357fed89c09bac17e271da945fe8f05
Instruction Fuzzy Hash: 88226C71A08341CFD724CF59C080B9AB7F1FBD9319F148A2EE89997794D7749886CB82

Function 6C4F6A2B Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b1bbb3f56a2aebaab340162cb5640f375a1fedb10d051a5b508804bd38f60b
Instruction ID: f631f68c027e11c42130224099f2a93e8a7a71fe26a55b0a043f3832141f9e72
Opcode Fuzzy Hash: 16b1bbb3f56a2aebaab340162cb5640f375a1fedb10d051a5b508804bd38f60b
Instruction Fuzzy Hash: C8514D72E00219AFDF04CF99C951EEEBBB6EF89314F19805DE815AB341C734AA51CB90

Function 6C46E9A0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de1d3dbe69e43f3f7810c26973a7692cda98d771f32dc4c07593f778221ec46
Instruction ID: d3d840f2da59b44237e7726b91408b60f4df020acaa25786d6f4b9271506e067
Opcode Fuzzy Hash: 6de1d3dbe69e43f3f7810c26973a7692cda98d771f32dc4c07593f778221ec46
Instruction Fuzzy Hash: 3F0157729006499FCB05CF89CC45FAFBBB5FB48720F004218EA1427750C335A920CBE4

Function 6C4FAD7D Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e410ac1251cdfeb3d1402f837c40cc107bd8d35f55339f78f65369173614a8
Instruction ID: 66014f13118a6d9edd48f5dd77630ab3b584e2a939de583016e75f209fae22ac
Opcode Fuzzy Hash: 10e410ac1251cdfeb3d1402f837c40cc107bd8d35f55339f78f65369173614a8
Instruction Fuzzy Hash: 97C08C341019409ECE06C910C2B0FE4337AEBD57CBF90088CC4224BF41CA1EDC87D620

Function 6C49E9F0 Relevance: 66.2, APIs: 44, Instructions: 230COMMON

Download Yara Rule

APIs

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49EA54
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49EA66
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49EAA6
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49EAB8
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C49EACB
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C49EAD2
?Resize@CStdStringPtrMap@DuiLib@@QAEXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49EAF0
DeleteObject.GDI32(6C49C5D0), ref: 6C49EB1E
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49EB46
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49EB58
DeleteObject.GDI32(00000000), ref: 6C49EB61
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49EB70
?Empty@CStdPtrArray@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49EB83
?GetSize@CStdValArray@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49EBA6
?GetAt@CStdStringPtrMap@DuiLib@@QBEPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49EBB8
?Find@CStdStringPtrMap@DuiLib@@QBEPAXPB_W_N@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000), ref: 6C49EBC7
?FreeImage@CRenderEngine@DuiLib@@SAXPBUtagTImageInfo@2@@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000,00000000), ref: 6C49EBD1

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Array@$ManagerMap@PaintStringString@Transparent@$DeleteObject$Empty@Engine@Find@FreeImageImage@Info@2@@RenderResize@Size@Utag
String ID:
API String ID: 1634950856-0
Opcode ID: f181cec1ff73ee2a885412f5a1f33c43d261e2991d8ed86b3614c23c1cd00ad0
Instruction ID: 1f40490ec4e8b8bee4a75f27858bcf0cce209813c6756ae85746369973a30525
Opcode Fuzzy Hash: f181cec1ff73ee2a885412f5a1f33c43d261e2991d8ed86b3614c23c1cd00ad0
Instruction Fuzzy Hash: D6913A79A012148BDB14DFA8C894EEEBBB5BF49309F10042CE416B7B90DB35AD05CBE5

Function 6C488B20 Relevance: 59.8, APIs: 6, Strings: 28, Instructions: 329COMMON

Download Yara Rule

APIs

??4CDuiString@DuiLib@@QAEABV01@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C488E4D
?Invalidate@CControlUI@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C488E54
?SetHorizontal@CScrollBarUI@DuiLib@@QAEX_N@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C488E85
?SetScrollRange@CScrollBarUI@DuiLib@@QAEXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C488EA9
?SetScrollPos@CScrollBarUI@DuiLib@@QAEXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C488EBC
?NeedUpdate@CControlUI@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C488F8B

Strings

bknormalimage, xrefs: 6C488C9B
button1pushedimage, xrefs: 6C488B67
bkdisabledimage, xrefs: 6C488CDD
railpushedimage, xrefs: 6C488C6F
raildisabledimage, xrefs: 6C488C85
button2disabledimage, xrefs: 6C488BD5
button1disabledimage, xrefs: 6C488B7D
bkhotimage, xrefs: 6C488CB1
button2pushedimage, xrefs: 6C488BBF
linesize, xrefs: 6C488D09
button2hotimage, xrefs: 6C488BA9
railnormalimage, xrefs: 6C488C43
button1hotimage, xrefs: 6C488B51
showbutton1, xrefs: 6C488D4B
thumbnormalimage, xrefs: 6C488BEB
bkpushedimage, xrefs: 6C488CC7
thumbpushedimage, xrefs: 6C488C17
showbutton2, xrefs: 6C488D61
railhotimage, xrefs: 6C488C59
true, xrefs: 6C488E6D, 6C488EC3, 6C488EDC
range, xrefs: 6C488D1F
value, xrefs: 6C488D35
inset, xrefs: 6C488D77
thumbdisabledimage, xrefs: 6C488C2D
button2normalimage, xrefs: 6C488B93
hor, xrefs: 6C488CF3
button1normalimage, xrefs: 6C488B3B
thumbhotimage, xrefs: 6C488C01

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Scroll$Control$Horizontal@Invalidate@NeedPos@Range@String@Update@V01@
String ID: bkdisabledimage$bkhotimage$bknormalimage$bkpushedimage$button1disabledimage$button1hotimage$button1normalimage$button1pushedimage$button2disabledimage$button2hotimage$button2normalimage$button2pushedimage$hor$inset$linesize$raildisabledimage$railhotimage$railnormalimage$railpushedimage$range$showbutton1$showbutton2$thumbdisabledimage$thumbhotimage$thumbnormalimage$thumbpushedimage$true$value
API String ID: 1720453397-274274673
Opcode ID: b6eaf9f35be5d96bb239c4ca9b2523b41956498c03c4611578f42cfe863cad33
Instruction ID: 54a23579981548b00f8848452c3f1e16f099c2f04babe11370190011aa25f62a
Opcode Fuzzy Hash: b6eaf9f35be5d96bb239c4ca9b2523b41956498c03c4611578f42cfe863cad33
Instruction Fuzzy Hash: E4A191B1E0260597DA44DA349D81FFB72985F6164AF40082EEC1AE6F81FF74F908C9B5

Function 6C49284B Relevance: 56.3, APIs: 29, Strings: 3, Instructions: 259COMMON

Download Yara Rule

APIs

CharNextW.USER32 ref: 6C49285C
?GetFontInfo@CPaintManagerUI@DuiLib@@QAEPAUtagTFontInfo@2@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C492893
?Add@CStdPtrArray@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000), ref: 6C4928A1
SelectObject.GDI32(?,?), ref: 6C4928AE
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4938CE
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(-00000001), ref: 6C4938D8
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(-00000001), ref: 6C493909
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(-00000001,-00000001), ref: 6C493913

Strings

underline, xrefs: 6C4937EB
italic, xrefs: 6C493800
bold, xrefs: 6C4937D6

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Array@ManagerPaint$FontTransparent@$Add@CharInfo@Info@2@NextObjectSelectUtag
String ID: bold$italic$underline
API String ID: 3029817520-1406305012
Opcode ID: e038b63e8a5f7455605d1de0d85e195e082d894c74d5c2aa6c1b913c162be7e4
Instruction ID: 67c3869ce5def513faa49eecbcaee7460c2fa5d2b4ff24964f7202878fec565d
Opcode Fuzzy Hash: e038b63e8a5f7455605d1de0d85e195e082d894c74d5c2aa6c1b913c162be7e4
Instruction Fuzzy Hash: 02B16CB5500B418AD724CF64C880FFAB7F1FF9A314F504A1EE5AB87A50EB70A545CB91

Function 6C434E30 Relevance: 49.7, APIs: 33, Instructions: 193COMMON

Download Yara Rule

APIs

??0CStdPtrArray@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C434E47
??0CStdPtrArray@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C434E53
??0CStdPtrArray@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C434E5F
??0CStdPtrArray@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C434E6B
??0CStdPtrArray@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?), ref: 6C434E77
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?), ref: 6C434E8D

Part of subcall function 6C4BFB60: ?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C4BFB7A

??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?), ref: 6C434E9F
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?), ref: 6C434F15
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?), ref: 6C434F27
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?), ref: 6C434F47
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?), ref: 6C434F67
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C434F79
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C435003
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C435015
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C435027
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C435039
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C435069
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C43507B
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C43508D
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C43509F
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4350CF
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4350E1
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4350F3
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C435105
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C435131
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C435143
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C435155
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C435167
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C435179
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C43518B
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C43519D
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4351AF
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4351C1

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$V01@@$String@$Array@$Assign@
String ID:
API String ID: 2220921340-0
Opcode ID: 4551abfc586c1be5a339c6b4d5abd07da6aac01d8f0c935cf42fd1527625c790
Instruction ID: 5a70b626cd68e2261ed50dab28ed22d82d9ce5c8a1326f92500c9103a0d3047f
Opcode Fuzzy Hash: 4551abfc586c1be5a339c6b4d5abd07da6aac01d8f0c935cf42fd1527625c790
Instruction Fuzzy Hash: 0AA13075915F4BAAEA15CB74C560EE6F3ACBF18248F009B0DD5AE62541EF3072D8C7A0

Function 6C476B20 Relevance: 49.3, APIs: 26, Strings: 2, Instructions: 267COMMON

Download Yara Rule

APIs

?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C476B75
?PaintStatusImage@CComboUI@DuiLib@@UAEXPAUHDC__@@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C476B83

Part of subcall function 6C4767B0: ?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C476846
Part of subcall function 6C4767B0: ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C476851
Part of subcall function 6C4767B0: ?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C47685C
Part of subcall function 6C4767B0: ?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C476867
Part of subcall function 6C4767B0: ?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C476874
Part of subcall function 6C4767B0: ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47687F
Part of subcall function 6C4767B0: ?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C47688A
Part of subcall function 6C4767B0: ?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C476895

??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C476C5F
?Find@CDuiString@DuiLib@@QBEHPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(source,00000000,?), ref: 6C476C77
?Find@CDuiString@DuiLib@@QBEHPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(6C52CBE6,?,source,00000000,?), ref: 6C476C8E
?Find@CDuiString@DuiLib@@QBEHPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(6C52CBE6,00000001,6C52CBE6,?,source,00000000,?), ref: 6C476CAB
??0CDuiRect@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(6C52CBE6,00000001,6C52CBE6,?,source,00000000,?), ref: 6C476CC9
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(6C52CBE6,00000001,6C52CBE6,?,source,00000000,?), ref: 6C476CD8

Strings

source, xrefs: 6C476C72
gfff, xrefs: 6C476D3F

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$Paint$Empty@$D__@@Find@Image@ManagerWindow@$C__@@ControlDraw$C__@@@ComboRect@StatusV01@@
String ID: gfff$source
API String ID: 3337341799-584504365
Opcode ID: 2d6511aefacf64256746ecaa6c396a3fb626855ffc148b21d085708f7a53db2d
Instruction ID: 7ec3e88383a7f438cbe04b3105482d93e3f7703c1754e376215d025bbb3c7cc1
Opcode Fuzzy Hash: 2d6511aefacf64256746ecaa6c396a3fb626855ffc148b21d085708f7a53db2d
Instruction Fuzzy Hash: 2CC12C71910B818BD320CF28C885FE7B7A5FB99314F104B2DD5EA86A91EBB1A545CB90

Function 6C44A9D0 Relevance: 46.0, APIs: 3, Strings: 23, Instructions: 453COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6C44AB6A

Strings

string literal, xrefs: 6C44AD56, 6C44AEB7
end of input, xrefs: 6C44AD8E, 6C44AEEF
'[', xrefs: 6C44AD5D, 6C44AEBE
ax e, xrefs: 6C44AA16
true literal, xrefs: 6C44AD41, 6C44AE8F, 6C44AEFB
'{', xrefs: 6C44AD64, 6C44AEC5
':', xrefs: 6C44AD79, 6C44AEDA
unknown token, xrefs: 6C44AD87, 6C44AEA2
'[', '{', or a literal, xrefs: 6C44AD95, 6C44AEF6
; last read: ', xrefs: 6C44ABF0
number literal, xrefs: 6C44ABA9, 6C44AD9A, 6C44AE9B
false literal, xrefs: 6C44AD48, 6C44AEA9
']', xrefs: 6C44AD6B, 6C44AECC
while parsing , xrefs: 6C44AA41
',', xrefs: 6C44AD80, 6C44AEE1
'}', xrefs: 6C44AD72, 6C44AED3
<U+%.4X>, xrefs: 6C44AB26
null literal, xrefs: 6C44AD4F, 6C44AEB0
unexpected , xrefs: 6C44AE02
<uninitialized>, xrefs: 6C44AB9D
<parse error>, xrefs: 6C44AEE8
rror, xrefs: 6C44AA0F
; expected , xrefs: 6C44AF63

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: _strlen
String ID: ','$':'$'['$'[', '{', or a literal$']'$'{'$'}'$; expected $; last read: '$<U+%.4X>$<parse error>$<uninitialized>$ax e$end of input$false literal$null literal$number literal$rror$string literal$true literal$unexpected $unknown token$while parsing
API String ID: 4218353326-1051297095
Opcode ID: 0ff493bc29be26ba078de6e9bcf1298c91af79dedc33fa4bc621aa6731f6a248
Instruction ID: c3453e714cd0ae1693479a39b6d904647e58827d4ef252bae6f7e83cc77189b6
Opcode Fuzzy Hash: 0ff493bc29be26ba078de6e9bcf1298c91af79dedc33fa4bc621aa6731f6a248
Instruction Fuzzy Hash: 0B02B1B184C3409FE301CB14C880F9ABBE1EF86359F298A6CF9855BBA1D775D845C792

Function 6C4E2D30 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 99COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 6C4E2EC3

Strings

April, xrefs: 6C4E2D86
Jul, xrefs: 6C4E2E67
Mar, xrefs: 6C4E2E2B
September, xrefs: 6C4E2DD1
Jun, xrefs: 6C4E2E58
Apr, xrefs: 6C4E2E3A
March, xrefs: 6C4E2D77
Jan, xrefs: 6C4E2E0D
May, xrefs: 6C4E2D95, 6C4E2E49
June, xrefs: 6C4E2DA4
January, xrefs: 6C4E2D59
February, xrefs: 6C4E2D68
Nov, xrefs: 6C4E2EA3
Sep, xrefs: 6C4E2E85
August, xrefs: 6C4E2DC2
Dec, xrefs: 6C4E2EB2
November, xrefs: 6C4E2DEF
October, xrefs: 6C4E2DE0
Aug, xrefs: 6C4E2E76
Oct, xrefs: 6C4E2E94
December, xrefs: 6C4E2DFE
July, xrefs: 6C4E2DB3
Feb, xrefs: 6C4E2E1C

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Init_thread_header
String ID: Apr$April$Aug$August$Dec$December$Feb$February$Jan$January$Jul$July$Jun$June$Mar$March$May$Nov$November$Oct$October$Sep$September
API String ID: 3738618077-4155687352
Opcode ID: c9255dcdeded235d7fe766de87977b7c9d1e0235c03240e7c8a6a423f7c8a890
Instruction ID: c7198717575035754a631ea15a89f58231786c5f870f80dbbbd5608b368229f9
Opcode Fuzzy Hash: c9255dcdeded235d7fe766de87977b7c9d1e0235c03240e7c8a6a423f7c8a890
Instruction Fuzzy Hash: 0331E73176006CE64404BBF0AE55DDE1A918B5A50AF821F3D6206AFFD1EF35982845E7

Function 6C4E2FD0 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 99COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 6C4E3163

Strings

Sep, xrefs: 6C4E3125
August, xrefs: 6C4E3062
Oct, xrefs: 6C4E3134
September, xrefs: 6C4E3071
May, xrefs: 6C4E3035, 6C4E30E9
July, xrefs: 6C4E3053
February, xrefs: 6C4E3008
June, xrefs: 6C4E3044
Dec, xrefs: 6C4E3152
October, xrefs: 6C4E3080
Jul, xrefs: 6C4E3107
Aug, xrefs: 6C4E3116
January, xrefs: 6C4E2FF9
Jun, xrefs: 6C4E30F8
December, xrefs: 6C4E309E
Apr, xrefs: 6C4E30DA
Nov, xrefs: 6C4E3143
April, xrefs: 6C4E3026
Feb, xrefs: 6C4E30BC
Jan, xrefs: 6C4E30AD
November, xrefs: 6C4E308F
March, xrefs: 6C4E3017
Mar, xrefs: 6C4E30CB

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Init_thread_header
String ID: Apr$April$Aug$August$Dec$December$Feb$February$Jan$January$Jul$July$Jun$June$Mar$March$May$Nov$November$Oct$October$Sep$September
API String ID: 3738618077-4155687352
Opcode ID: 55a835a2ad6482ef01458866e8db848d83db6aee04a4ce2f0d2648c270f17522
Instruction ID: d41d7610ce265e60a1b2527a3e7735fa4b7832a2cc3af6d12ac73e8e2b3c1f8c
Opcode Fuzzy Hash: 55a835a2ad6482ef01458866e8db848d83db6aee04a4ce2f0d2648c270f17522
Instruction Fuzzy Hash: DA311D30A0451027D124F6F06C72F9E1BA24B5B12E7821A3ED11D6EF82EF33552852D3

Function 6C486C80 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 281COMMON

Download Yara Rule

Strings

wanttab, xrefs: 6C486D39
hscrollbar, xrefs: 6C486CDB
wantctrlreturn, xrefs: 6C486D65
true, xrefs: 6C486CAD, 6C486CED, 6C486D06, 6C486E2D, 6C486E4F, 6C486E6B, 6C486E87, 6C486EA3, 6C486F19, 6C486F42
align, xrefs: 6C486DD3
vscrollbar, xrefs: 6C486C9B
autohscroll, xrefs: 6C486D23
false, xrefs: 6C486EF7
wantreturn, xrefs: 6C486D4F
center, xrefs: 6C486F7D
left, xrefs: 6C486F64
rich, xrefs: 6C486D7B
readonly, xrefs: 6C486DA7
password, xrefs: 6C486DBD
multiline, xrefs: 6C486D91
autovscroll, xrefs: 6C486CC9
font, xrefs: 6C486DE9
right, xrefs: 6C486FA1
textcolor, xrefs: 6C486DFF

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID:
String ID: align$autohscroll$autovscroll$center$false$font$hscrollbar$left$multiline$password$readonly$rich$right$textcolor$true$vscrollbar$wantctrlreturn$wantreturn$wanttab
API String ID: 0-3605038472
Opcode ID: 7fbac5de9dea4a00e01f27ac9a7b5466795853a6383aa94a896cb4194cf08c2f
Instruction ID: 03d154d88dbc6e77431363ba185f78cebc0080a7dd9c19ec69735294cc536d51
Opcode Fuzzy Hash: 7fbac5de9dea4a00e01f27ac9a7b5466795853a6383aa94a896cb4194cf08c2f
Instruction Fuzzy Hash: 678115B2E2A20552EB919A315D41FEF36E85F5164AF04082CFD16E1BC1FB24F509CAA5

Function 6C47EF90 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 243COMMON

Download Yara Rule

APIs

CharNextW.USER32(?), ref: 6C47F1C3
??4CDuiString@DuiLib@@QAEABV01@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C47F2BB
?Invalidate@CControlUI@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47F2C2

Strings

focusedimage, xrefs: 6C47F09D
pushedimage, xrefs: 6C47F087
true, xrefs: 6C47F0E1, 6C47F188, 6C47F271
align, xrefs: 6C47EFD7
sepwidth, xrefs: 6C47EFC1
dragable, xrefs: 6C47EFAB
endellipsis, xrefs: 6C47EFED
center, xrefs: 6C47F137
normalimage, xrefs: 6C47F05B
left, xrefs: 6C47F11E
hotimage, xrefs: 6C47F071
textpadding, xrefs: 6C47F02F
showhtml, xrefs: 6C47F045
sepimage, xrefs: 6C47F0B3
font, xrefs: 6C47F003
right, xrefs: 6C47F15B
textcolor, xrefs: 6C47F019

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$CharControlInvalidate@NextString@V01@
String ID: align$center$dragable$endellipsis$focusedimage$font$hotimage$left$normalimage$pushedimage$right$sepimage$sepwidth$showhtml$textcolor$textpadding$true
API String ID: 3081853683-386778586
Opcode ID: 9ddd6c4cff49d1f48342281046fd18481b059b538f30e564515bff21fa803559
Instruction ID: 9cc188fe48a96834ce7d051601304dce2a0defbf2dc08dafffb822747ceb8250
Opcode Fuzzy Hash: 9ddd6c4cff49d1f48342281046fd18481b059b538f30e564515bff21fa803559
Instruction Fuzzy Hash: 9071C6B1E0230597F760DA748C81FEB76A89F5124AF00082DED1AE1B81FB35F909CA75

Function 6C478B70 Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 166windowCOMMON

Download Yara Rule

APIs

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C478CA0
SendMessageW.USER32(00000000,000000CF,00000000,00000000), ref: 6C478CAE
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C478D1C
SendMessageW.USER32(00000000,000000C5,00000000,00000000), ref: 6C478D2A
??4CDuiString@DuiLib@@QAEABV01@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C478D51
?Invalidate@CControlUI@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C478D58
CharNextW.USER32(?), ref: 6C478D78

Strings

focusedimage, xrefs: 6C478C0F
hotimage, xrefs: 6C478BF9
readonly, xrefs: 6C478B8B
password, xrefs: 6C478BB7
true, xrefs: 6C478C69, 6C478CB9, 6C478CDE
maxchar, xrefs: 6C478BCD
numberonly, xrefs: 6C478BA1
nativebkcolor, xrefs: 6C478C3B
disabledimage, xrefs: 6C478C25
normalimage, xrefs: 6C478BE3

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$ManagerMessagePaintSendTransparent@$CharControlInvalidate@NextString@V01@
String ID: disabledimage$focusedimage$hotimage$maxchar$nativebkcolor$normalimage$numberonly$password$readonly$true
API String ID: 3540976091-1317005473
Opcode ID: f42562244dafb96f49980dce4e758093ce62fe5332f3bda9fb78b21980403ab7
Instruction ID: b466e96e29d2539ed14f84e441aeef78405a5d544185a0014a5fc24d06f27bad
Opcode Fuzzy Hash: f42562244dafb96f49980dce4e758093ce62fe5332f3bda9fb78b21980403ab7
Instruction Fuzzy Hash: D941D671E01304ABEB60DA704D50FEB37A85F61646F40082EEC1AF5B81FB25F9088AB5

Function 6C43AB50 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 195stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?), ref: 6C43ABBA
GlobalFree.KERNEL32(?), ref: 6C43ABCB
GetClientRect.USER32(00000000,?), ref: 6C43ABEC
?DUI__Trace@DuiLib@@YAXPB_WZZ.DOWNLOADER_NSIS_PLUGIN ref: 6C43AC0A
ClientToScreen.USER32(?,?), ref: 6C43AC3D
ClientToScreen.USER32(?), ref: 6C43AC43
GlobalAlloc.KERNEL32(00000040,00001FF8), ref: 6C43AC7C
lstrcpynW.KERNEL32(-00000004,?), ref: 6C43AC8F
GlobalAlloc.KERNEL32(00000040,00001FF8), ref: 6C43ACD6
lstrcpynW.KERNEL32(-00000004,?), ref: 6C43ACE9
GlobalAlloc.KERNEL32(00000040,00001FF8), ref: 6C43AD31
lstrcpynW.KERNEL32(-00000004,?), ref: 6C43AD44
GlobalAlloc.KERNEL32(00000040,00001FF8), ref: 6C43AD8C
lstrcpynW.KERNEL32(-00000004,?), ref: 6C43AD9F

Strings

0A, xrefs: 6C43AB91, 6C43ABC2, 6C43AC68, 6C43AC95, 6C43ACC2, 6C43ACEF, 6C43AD1D, 6C43AD4A, 6C43AD78, 6C43ADA5
%ld, xrefs: 6C43AC5A, 6C43ACB4, 6C43AD0F, 6C43AD6A

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Global$Alloclstrcpyn$Client$Screen$FreeLib@@RectTrace@lstrcpy
String ID: %ld$0A
API String ID: 421585343-4217419862
Opcode ID: 8a6f5945e60a2994b0d11c21beeae1f569805432ec6de3f8883906d830256ff5
Instruction ID: 5c03f808573608540ca7099530cdadfc4c1578f3793b43ec5851c1a4f407402d
Opcode Fuzzy Hash: 8a6f5945e60a2994b0d11c21beeae1f569805432ec6de3f8883906d830256ff5
Instruction Fuzzy Hash: 9F715EB5A01710AFDB10DF24DC45FAA7BF8EB8A729F414419F945A3340D778A844CBEA

Function 6C444B80 Relevance: 26.7, APIs: 6, Strings: 9, Instructions: 443stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,00000004), ref: 6C444BD5
GlobalFree.KERNEL32(00000000), ref: 6C444BE6
lstrcpyW.KERNEL32(?,?), ref: 6C444C1B
GlobalFree.KERNEL32(?), ref: 6C444C2C
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C444D0A
?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(listSelectLang), ref: 6C444DB3

Part of subcall function 6C4A2380: ?Find@CStdStringPtrMap@DuiLib@@QBEPAXPB_W_N@Z.DOWNLOADER_NSIS_PLUGIN(6C43A13A,00000001,?,6C43A13A,?), ref: 6C4A238E

Part of subcall function 6C45EA50: _strlen.LIBCMT ref: 6C45EA7B

??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C444E46
GlobalAlloc.KERNEL32(00000040,00001FF8), ref: 6C4454C4
lstrcpynW.KERNEL32(-00000004,?), ref: 6C4454D7

Strings

listSelectLang, xrefs: 6C4442D0, 6C444DAE
select_language, xrefs: 6C44465B, 6C44475B, 6C4450A6
download, xrefs: 6C4444C5
action, xrefs: 6C444616, 6C444F63
system_language, xrefs: 6C4446B0, 6C445002
language_rank, xrefs: 6C4447FF, 6C44514A
cancel, xrefs: 6C444D97
show, xrefs: 6C444DD4
%ld, xrefs: 6C4454A2
click_language_specific, xrefs: 6C4445E7
en_CH, xrefs: 6C4446FC, 6C445047
save, xrefs: 6C444F25, 6C444F2E
type, xrefs: 6C4443E1
shell event reporter is null!, xrefs: 6C4442AC, 6C444D57
enter_from, xrefs: 6C444480
is_use_default_langugae, xrefs: 6C4448C7, 6C4451E2
0A, xrefs: 6C444161, 6C44417D, 6C4441CA, 6C4441E6, 6C444BC1, 6C444BDD, 6C444C07, 6C444C23, 6C4454B0, 6C4454DD
language_settings_popup_action, xrefs: 6C444AF8, 6C4453E5

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$GlobalPaint$FreeManagerlstrcpy$AllocControlControl@D__@@FindFind@I@2@Map@StringString@Window@_strlenlstrcpyn
String ID: en_CH$%ld$0A$action$cancel$click_language_specific$download$enter_from$is_use_default_langugae$language_rank$language_settings_popup_action$listSelectLang$save$select_language$shell event reporter is null!$show$system_language$type
API String ID: 3081418716-1570023029
Opcode ID: 355f447609c8958cc0cf0c2a18320f9d94cb6362960979561a3b676658bd75c6
Instruction ID: 7184adc47bde87deada0ec61207166d5f80e2626f9a49c4c9cd8d94d102da526
Opcode Fuzzy Hash: 355f447609c8958cc0cf0c2a18320f9d94cb6362960979561a3b676658bd75c6
Instruction Fuzzy Hash: EC127AB15083809AE771CF60C894FEFBBE4AB89308F14491CE5C99B791DB799548CBD2

Function 6C4E2890 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 77COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 6C4E298D

Strings

Fri, xrefs: 6C4E296D
Wed, xrefs: 6C4E294F
Thursday, xrefs: 6C4E28F5
Tuesday, xrefs: 6C4E28D7
Tue, xrefs: 6C4E2940
Mon, xrefs: 6C4E2931
Saturday, xrefs: 6C4E2913
Sat, xrefs: 6C4E297C
Monday, xrefs: 6C4E28C8
Sun, xrefs: 6C4E2922
Thu, xrefs: 6C4E295E
Sunday, xrefs: 6C4E28B9
Wednesday, xrefs: 6C4E28E6
Friday, xrefs: 6C4E2904

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Init_thread_header
String ID: Fri$Friday$Mon$Monday$Sat$Saturday$Sun$Sunday$Thu$Thursday$Tue$Tuesday$Wed$Wednesday
API String ID: 3738618077-525747235
Opcode ID: 54c5bfb651d77bed7d4819b8fd950d8c2f70825b91e397b7a4c3688a4e34d324
Instruction ID: ab1cfa60379f1ce1938b98d2a6a0d87325dd250506f4c217c0d654b637847113
Opcode Fuzzy Hash: 54c5bfb651d77bed7d4819b8fd950d8c2f70825b91e397b7a4c3688a4e34d324
Instruction Fuzzy Hash: 6231F631A10249C3D904EF609D61DEA23709B9B20BFD32B2EA1494BF47FF2456E58297

Function 6C4E2AE0 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 77COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 6C4E2BDD

Strings

Mon, xrefs: 6C4E2B81
Sunday, xrefs: 6C4E2B09
Wednesday, xrefs: 6C4E2B36
Monday, xrefs: 6C4E2B18
Thursday, xrefs: 6C4E2B45
Thu, xrefs: 6C4E2BAE
Friday, xrefs: 6C4E2B54
Sat, xrefs: 6C4E2BCC
Fri, xrefs: 6C4E2BBD
Sun, xrefs: 6C4E2B72
Tue, xrefs: 6C4E2B90
Wed, xrefs: 6C4E2B9F
Tuesday, xrefs: 6C4E2B27
Saturday, xrefs: 6C4E2B63

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Init_thread_header
String ID: Fri$Friday$Mon$Monday$Sat$Saturday$Sun$Sunday$Thu$Thursday$Tue$Tuesday$Wed$Wednesday
API String ID: 3738618077-525747235
Opcode ID: ddbab0a7b49fd271d0e7b485640867e1479831a804854d1bf813c5750c153690
Instruction ID: 5ace7b69c38c0108e346a89146df37d1a6c72808b8da588aa71171d548edf67f
Opcode Fuzzy Hash: ddbab0a7b49fd271d0e7b485640867e1479831a804854d1bf813c5750c153690
Instruction Fuzzy Hash: 8231B670E0924192C514EBB05D31FA9277157AF11ABC3271EE40D1BFE2EF3666A4829A

Function 6C434A90 Relevance: 25.6, APIs: 17, Instructions: 148COMMON

Download Yara Rule

APIs

??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C434AC7

Part of subcall function 6C4BFB90: ?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(6C4313B7,000000FF,?,?,6C4313B7,?), ref: 6C4BFB9D

??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C434AD9
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C434B4F
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C434B61
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?), ref: 6C434B81
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?), ref: 6C434BA1
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?), ref: 6C434BB3
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?), ref: 6C434C45
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?), ref: 6C434C73
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?), ref: 6C434C85
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?), ref: 6C434C97
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C434CA9
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C434CBB
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C434CE8
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C434D16
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C434D38
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C434D5A

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@String@$V01@V01@@$Assign@
String ID:
API String ID: 3995927423-0
Opcode ID: 625d896420f26e44ed9f2716727efcaca8de11ef5eebe83bb2b9cd7f284f2920
Instruction ID: e4cd86c1d864aded9bc4febd1a3c2fb5672db0a5d5a66472e72c1adca0350f3a
Opcode Fuzzy Hash: 625d896420f26e44ed9f2716727efcaca8de11ef5eebe83bb2b9cd7f284f2920
Instruction Fuzzy Hash: 95814E65915F4AA6E615CF74C950BE2F3A8BF69308F00D709D9AD62502EB3072D8C790

Function 6C46C800 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

??0CDelegateBase@DuiLib@@QAE@PAX0@Z.DOWNLOADER_NSIS_PLUGIN(?,6C46CAF0), ref: 6C46C883
??YCEventSource@DuiLib@@QAEXABVCDelegateBase@1@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C46CAF0), ref: 6C46C8A9
?InitWindow@WindowImplBase@DuiLib@@UAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C46CAF0), ref: 6C46C8B3
??0CDelegateBase@DuiLib@@QAE@PAX0@Z.DOWNLOADER_NSIS_PLUGIN(?,6C46CB30,?), ref: 6C46C8D6
??YCEventSource@DuiLib@@QAEXABVCDelegateBase@1@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,6C46CB30,?), ref: 6C46C902
?InitWindow@WindowImplBase@DuiLib@@UAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,?,6C46CB30,?), ref: 6C46C90C
??0CDelegateBase@DuiLib@@QAE@PAX0@Z.DOWNLOADER_NSIS_PLUGIN(?,6C46CB70,?,?,6C46CB30,?), ref: 6C46C92F
??YCEventSource@DuiLib@@QAEXABVCDelegateBase@1@@Z.DOWNLOADER_NSIS_PLUGIN(6C5247D8,?,6C46CB70,?,?,6C46CB30,?), ref: 6C46C95B
?InitWindow@WindowImplBase@DuiLib@@UAEXXZ.DOWNLOADER_NSIS_PLUGIN(6C5247D8,?,6C46CB70,?,?,6C46CB30,?), ref: 6C46C963
?Add@CListUI@DuiLib@@UAE_NPAVCControlUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C46CAF0), ref: 6C46C9FB

Part of subcall function 6C47B630: ?AddAt@CContainerUI@DuiLib@@UAE_NPAVCControlUI@2@H@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000), ref: 6C47B79F

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C46CAF0), ref: 6C46CA09
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C46CAF0), ref: 6C46CA15
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C46CA3A

Strings

TreeNodeUI, xrefs: 6C46C850

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Base@Delegate$Base@1@@EventImplInitSource@WindowWindow@$ControlManagerPaintTransparent@$Add@Array@ContainerI@2@I@2@@List
String ID: TreeNodeUI
API String ID: 253121990-3489782448
Opcode ID: 8c0963297ffe412809b07e40756c211cf91ee49f894bc5689ed483b0e4a5a9b6
Instruction ID: f0ecc9213cfd401978c5d7d8610180486fbd56e14ef2d0da4006c076bb27355a
Opcode Fuzzy Hash: 8c0963297ffe412809b07e40756c211cf91ee49f894bc5689ed483b0e4a5a9b6
Instruction Fuzzy Hash: B281E579600B419FC724DF2AC994E66BBF5BF48714B004A2DD9AA87BA1D730F905CF90

Function 6C4368A0 Relevance: 22.6, APIs: 15, Instructions: 129COMMON

Download Yara Rule

APIs

??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C4368D7

Part of subcall function 6C4BFB90: ?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(6C4313B7,000000FF,?,?,6C4313B7,?), ref: 6C4BFB9D

??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C4368E9
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C43695F
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C436971
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?), ref: 6C436991
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?), ref: 6C4369B1
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?), ref: 6C4369C3
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?), ref: 6C436A6F
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?), ref: 6C436AB9
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?), ref: 6C436ACB
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?), ref: 6C436ADD
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C436AEF
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C436B01
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C436B13
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C436B25

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@String@$V01@V01@@$Assign@
String ID:
API String ID: 3995927423-0
Opcode ID: 92ca17d044f8bb1323e1cd3fca7b30f713846eb484e5f13280d5bd9624b04ab4
Instruction ID: 9e983b82c91177c995d44310ad86168b4c6faf24aae2c33561b4b721b8e2d7a4
Opcode Fuzzy Hash: 92ca17d044f8bb1323e1cd3fca7b30f713846eb484e5f13280d5bd9624b04ab4
Instruction Fuzzy Hash: 19711165D19F8696E615CB38C950BE6F3A8BF69308F00E70DD9AD61502FB3072E8C790

Function 6C492AF3 Relevance: 22.6, APIs: 15, Instructions: 117COMMON

Download Yara Rule

APIs

?GetDefaultFontInfo@CPaintManagerUI@DuiLib@@QAEPAUtagTFontInfo@2@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C492B03

Part of subcall function 6C4A3210: SelectObject.GDI32(?,?), ref: 6C4A324D
Part of subcall function 6C4A3210: GetTextMetricsW.GDI32(?,?), ref: 6C4A325B
Part of subcall function 6C4A3210: SelectObject.GDI32(?,00000000), ref: 6C4A3265

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C492B0E
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C492B1A
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(-00000001), ref: 6C492B24
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C492B66
?GetFont@CPaintManagerUI@DuiLib@@QAEPAUHFONT__@@PB_WH_N11H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,00000001,?,?), ref: 6C492B81
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C492BB4
?AddFont@CPaintManagerUI@DuiLib@@QAEPAUHFONT__@@PB_WH_N11H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,00000001,?,?), ref: 6C492BCF
?GetFontInfo@CPaintManagerUI@DuiLib@@QAEPAUtagTFontInfo@2@PAUHFONT__@@@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C492BD8
?Add@CStdPtrArray@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C492BE6
SelectObject.GDI32(?,?), ref: 6C492BF3
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C492C0B
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(-00000001), ref: 6C492C15
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(-00000001), ref: 6C492C48
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(-00000001,-00000001), ref: 6C492C52

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Paint$Manager$Array@FontTransparent@$ObjectSelect$D__@@Font@Info@Info@2@T__@@UtagWindow@$Add@DefaultMetricsT__@@@Text
String ID:
API String ID: 4068819503-0
Opcode ID: 4e5ea7617c1dc4ebee31702d7384333c4d8b18d156a3216e16b45e941dd9eb8e
Instruction ID: 3252709de80a7bb63e0e5b9293ca4b8a58724af79b6d4a6f012730d92c2bb2d0
Opcode Fuzzy Hash: 4e5ea7617c1dc4ebee31702d7384333c4d8b18d156a3216e16b45e941dd9eb8e
Instruction Fuzzy Hash: 2B513375101B509FC724CF25C5A0EA7BBF1AF55204B04896DE9AA8BB61DB30A848CBA0

Function 6C496B60 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

?SetOwner@CScrollBarUI@DuiLib@@QAEXPAVCContainerUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C496BDE
?ApplyAttributeList@CControlUI@DuiLib@@QAEPAV12@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000,VScrollBar), ref: 6C496C23

Part of subcall function 6C49BD50: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49BDF1
Part of subcall function 6C49BD50: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49BE3C
Part of subcall function 6C49BD50: ?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49BE60
Part of subcall function 6C49BD50: ?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49BE68
Part of subcall function 6C49BD50: CharNextW.USER32(?), ref: 6C49BE81
Part of subcall function 6C49BD50: ??YCDuiString@DuiLib@@QAEABV01@_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49BEAE

?GetDefaultAttributeList@CPaintManagerUI@DuiLib@@QBEPB_WPB_W@Z.DOWNLOADER_NSIS_PLUGIN(VScrollBar), ref: 6C496C13

Part of subcall function 6C4A3D30: ?Find@CStdStringPtrMap@DuiLib@@QBEPAXPB_W_N@Z.DOWNLOADER_NSIS_PLUGIN(6C496CDE,00000001,?,?,?,6C496CDE,HScrollBar), ref: 6C4A3D49

??0CScrollBarUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C496BC5

Part of subcall function 6C487500: ??0CControlUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C487531
Part of subcall function 6C487500: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C487582
Part of subcall function 6C487500: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48759A
Part of subcall function 6C487500: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4875B2
Part of subcall function 6C487500: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4875CA
Part of subcall function 6C487500: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4875F3
Part of subcall function 6C487500: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48760B
Part of subcall function 6C487500: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C487623
Part of subcall function 6C487500: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48763B
Part of subcall function 6C487500: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C487664
Part of subcall function 6C487500: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48767C
Part of subcall function 6C487500: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C487694
Part of subcall function 6C487500: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4876AC
Part of subcall function 6C487500: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4876CE
Part of subcall function 6C487500: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4876E6

??0CScrollBarUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C496C7E
?SetHorizontal@CScrollBarUI@DuiLib@@QAEX_N@Z.DOWNLOADER_NSIS_PLUGIN(00000001), ref: 6C496C98
?SetOwner@CScrollBarUI@DuiLib@@QAEXPAVCContainerUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C496CA4
?GetDefaultAttributeList@CPaintManagerUI@DuiLib@@QBEPB_WPB_W@Z.DOWNLOADER_NSIS_PLUGIN(HScrollBar), ref: 6C496CD9
?ApplyAttributeList@CControlUI@DuiLib@@QAEPAV12@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000,HScrollBar), ref: 6C496CE9
?NeedUpdate@CControlUI@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C496D12

Strings

VScrollBar, xrefs: 6C496C0E
HScrollBar, xrefs: 6C496CD4

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$Scroll$AttributeControlList@$ApplyContainerDefaultEmpty@I@2@@ManagerOwner@PaintV12@$CharFind@Horizontal@Map@NeedNextStringUpdate@V01@_
String ID: HScrollBar$VScrollBar
API String ID: 1562105434-4035620935
Opcode ID: 27ef92bcbe8ddc1e963cfff13174f583e13a48a74ac215effb13aa6f7a8def91
Instruction ID: 719cbf6c22b4e946bfc646469078aafda17fe2a166cbb003013412587bab3d10
Opcode Fuzzy Hash: 27ef92bcbe8ddc1e963cfff13174f583e13a48a74ac215effb13aa6f7a8def91
Instruction Fuzzy Hash: 61519CB0A022248BDF48DF94C890FEEBBB0BF48714F100569ED19AB795DB7598008FE4

Function 6C478E90 Relevance: 19.6, APIs: 13, Instructions: 140COMMON

Download Yara Rule

APIs

?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C478EFE
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C478F4B
?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C478F6B
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C478F72
??YCDuiString@DuiLib@@QAEABV01@_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C478F96
CharNextW.USER32(00000000,?), ref: 6C478F9E
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C479023
?DrawTextW@CRenderEngine@DuiLib@@SAXPAUHDC__@@PAVCPaintManagerUI@2@AAUtagRECT@@PB_WKHI@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,00000000,?,?,?), ref: 6C479042
?GetDefaultFontColor@CPaintManagerUI@DuiLib@@QBEKXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47904F
?GetDefaultDisabledColor@CPaintManagerUI@DuiLib@@QBEKXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47906A
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C479086
?DrawTextW@CRenderEngine@DuiLib@@SAXPAUHDC__@@PAVCPaintManagerUI@2@AAUtagRECT@@PB_WKHI@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,00000000,?,?,?), ref: 6C4790A5
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4790B0

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Paint$Manager$String@$D__@@Window@$C__@@Color@DefaultDrawEmpty@Engine@I@2@RenderTextUtag$CharDisabledFontNextV01@@V01@_
String ID:
API String ID: 1414992554-0
Opcode ID: 90a4a8fed77dc571f2bb23e98020d47c468b752cbf341aeb4f1d3d9af990dd9e
Instruction ID: b6c5aab55d7b2fb838a75cf0d071776f7a5bf997c782bcce8a6c300a174271c7
Opcode Fuzzy Hash: 90a4a8fed77dc571f2bb23e98020d47c468b752cbf341aeb4f1d3d9af990dd9e
Instruction Fuzzy Hash: 2D6137B1510B418FD720CF28C884FA2B7F5FF89314F144A6DE9DA4BA51EB71A445CBA1

Function 6C474D20 Relevance: 18.1, APIs: 12, Instructions: 114COMMON

Download Yara Rule

APIs

??0CContainerUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474D51

Part of subcall function 6C495810: ??0CControlUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C495841
Part of subcall function 6C495810: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C495868

??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474D97
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474DB9
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474DD1
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474DE9
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474E01
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474E19
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474E31
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474E49
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474E61
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474E76
??0CSize@DuiLib@@QAE@HH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000096), ref: 6C474E97

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$Array@ContainerControlSize@
String ID:
API String ID: 2932014989-0
Opcode ID: 04422ad9088d6fb427ac5b7b587e41369c3fcdfccc9a2d859369ec6a7b15b0b9
Instruction ID: abee4020c3b41843cd77b99133cf2dfd80db3b953d7bf62a36d076c9c6c2a9c9
Opcode Fuzzy Hash: 04422ad9088d6fb427ac5b7b587e41369c3fcdfccc9a2d859369ec6a7b15b0b9
Instruction Fuzzy Hash: CE51D2B4900B598BDB20CFA4C884BEFBBB0FB04718F004A1DD4696B790DB796549CF95

Function 6C4988F0 Relevance: 18.1, APIs: 12, Instructions: 114COMMON

Download Yara Rule

APIs

??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49892D
??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C498944
??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C49895B
??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000), ref: 6C498972
??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000,00000000), ref: 6C498989
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000,00000000), ref: 6C4989AC
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000,00000000), ref: 6C4989C4
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C498A06
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C498A1E
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C498A3F
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C498A61
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C498A76

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$Array@
String ID:
API String ID: 2949776054-0
Opcode ID: 2f24f16d725dfaed63a831f4b64332ad5dd96c78606f35a662e323fcbfa3de80
Instruction ID: 63f6aad15bb7e85aee618070a74231fdad4319120ac346930ea7b1f3cc305e06
Opcode Fuzzy Hash: 2f24f16d725dfaed63a831f4b64332ad5dd96c78606f35a662e323fcbfa3de80
Instruction Fuzzy Hash: 2251F8B49053598FEB04CF94C458FEABBB0FF54308F0542ADD5082B3A2DBB95588CB91

Function 6C4A2C60 Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6C4A2CA2
?GetVirtualWnd@CControlUI@DuiLib@@QBE?AVCDuiString@2@XZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C4A2CCA

Part of subcall function 6C49A9D0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49AA3A
Part of subcall function 6C49A9D0: ?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49AA4F
Part of subcall function 6C49A9D0: ??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49AA9D
Part of subcall function 6C49A9D0: ??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49AAA8

??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C4A2CE8
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C4A2CDD

Part of subcall function 6C4BFB90: ?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(6C4313B7,000000FF,?,?,6C4313B7,?), ref: 6C4BFB9D

??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A2D1A
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A2D2F
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C4A2D50
?Add@CStdPtrArray@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C4A2D93
??BCEventSource@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A2DC5

Part of subcall function 6C4BF730: ?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,6C4A2DCA), ref: 6C4BF733

??RCEventSource@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C4A2DDB

Part of subcall function 6C4BF8D0: ?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(6C4A2DE0,?), ref: 6C4BF8E4
Part of subcall function 6C4BF8D0: ??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,6C4A2DE0,?), ref: 6C4BF8F3

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A2E02
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A2E0E

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$Array@ManagerPaintTransparent@V01@V01@@$EventSource@$Add@Assign@ControlCountEmpty@String@2@TickVirtualWnd@
String ID:
API String ID: 3692377244-0
Opcode ID: 7b49beb562a376567cd053a81d6940a0b28195a08fbff351cdb19039ff2f6540
Instruction ID: dbb5068394d2ac70a8da58c98f23c1c30d57a347af8c8c6eb7aa9e416a2298e0
Opcode Fuzzy Hash: 7b49beb562a376567cd053a81d6940a0b28195a08fbff351cdb19039ff2f6540
Instruction Fuzzy Hash: 13417C75A006199FDB14CF68C854FEEBBB0BF49324F00462DD5A967780DB746985CBD0

Function 6C436D80 Relevance: 18.1, APIs: 12, Instructions: 68COMMON

Download Yara Rule

APIs

??0CLabelUI@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C436D8B

Part of subcall function 6C435B90: ??0CStdPtrArray@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C435BA7
Part of subcall function 6C435B90: ??0CStdPtrArray@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C435BB3
Part of subcall function 6C435B90: ??0CStdPtrArray@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C435BBF
Part of subcall function 6C435B90: ??0CStdPtrArray@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C435BCB
Part of subcall function 6C435B90: ??0CStdPtrArray@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?), ref: 6C435BD7
Part of subcall function 6C435B90: ??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?), ref: 6C435BED
Part of subcall function 6C435B90: ??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?), ref: 6C435BFF
Part of subcall function 6C435B90: ??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?), ref: 6C435C75
Part of subcall function 6C435B90: ??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?), ref: 6C435C87
Part of subcall function 6C435B90: ??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?), ref: 6C435CA7
Part of subcall function 6C435B90: ??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?), ref: 6C435CC7
Part of subcall function 6C435B90: ??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C435CD9

??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C436DBD

Part of subcall function 6C4BFB60: ?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C4BFB7A

??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C436DCF
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C436DE1
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C436DF3
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?), ref: 6C436E05
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?), ref: 6C436E17
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?), ref: 6C436E29
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?), ref: 6C436E4D
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?), ref: 6C436E6F
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?), ref: 6C436E81
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?), ref: 6C436E93

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$V01@@$String@$Array@$Assign@Label
String ID:
API String ID: 1348915742-0
Opcode ID: 2df7d2eff9509df05b6cffe0acfa26443a89ba6d2456a82ab8848f8b7bf373b7
Instruction ID: 3067b7b92e227460ebb8288bc2779083f1e7eeb7535d2d18edfb6b786fab2067
Opcode Fuzzy Hash: 2df7d2eff9509df05b6cffe0acfa26443a89ba6d2456a82ab8848f8b7bf373b7
Instruction Fuzzy Hash: 9A317F39A05F4BAADB14CBB5C860EE7F7ACBF14245F00495D91AE53641EF347158CBA0

Function 6C46AB60 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 361COMMON

Download Yara Rule

APIs

??0CListContainerElementUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46AB91

Part of subcall function 6C4811A0: ??0CContainerUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,6C46AB96), ref: 6C4811A6

??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C46ABC5
??0CHorizontalLayoutUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46AC14

Part of subcall function 6C4A8780: ??0CContainerUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,6C46AC19), ref: 6C4A8786

??0COptionUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46AC57

Part of subcall function 6C4819C0: ??0CButtonUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4819F1
Part of subcall function 6C4819C0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C481A16
Part of subcall function 6C4819C0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C481A38
Part of subcall function 6C4819C0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C481A50
Part of subcall function 6C4819C0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C481A65

??0CLabelUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46AC8E

Part of subcall function 6C479AE0: ??0CControlUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C479B11
Part of subcall function 6C479AE0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C479BA3
Part of subcall function 6C479AE0: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 6C479BE0

??0COptionUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46ACD1
??0COptionUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46AD08

Strings

left, xrefs: 6C46AE54
align, xrefs: 6C46AE59
TreeNodeUI, xrefs: 6C46AF11

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$ContainerOption$Array@ButtonControlElementGdiplusHorizontalLabelLayoutListStartup
String ID: TreeNodeUI$align$left
API String ID: 1560961058-55002490
Opcode ID: fc89f41640de9786eabda90f0302e6d46e521d7399fcafcd82d0765440be3a70
Instruction ID: 984e3c46522a25f26cbb8d37173105c89e756f0111141bb396b63b8f5f6706a6
Opcode Fuzzy Hash: fc89f41640de9786eabda90f0302e6d46e521d7399fcafcd82d0765440be3a70
Instruction Fuzzy Hash: AEF116B4A006298FCB14DF58C848BAEBBF1BF88324F150659E865AB3D1C7B56901CF95

Function 6C480B70 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 6C480BF7
PtInRect.USER32(?,?,?), ref: 6C480C57
PtInRect.USER32(?,?,?), ref: 6C480C97
?Invalidate@CTreeNodeUI@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C480CC2
?Invalidate@CTreeNodeUI@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C480CE6
?DoEvent@CListLabelElementUI@DuiLib@@UAEXAAUtagTEventUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C480D06
LoadCursorW.USER32(00000000,00007F89), ref: 6C480D14
SetCursor.USER32(00000000), ref: 6C480D1B

Strings

link, xrefs: 6C480D2E

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@Rect$CursorInvalidate@NodeTree$ElementEventEvent@I@2@@LabelListLoadUtag
String ID: link
API String ID: 3811646-917281265
Opcode ID: 11e88b933eb3e8d04ec9ea179dc717c31d0fdaed827f10d37ad4064cd4d09acc
Instruction ID: 61704487bea20c9dd11d1550d7ab9224344eaf09cf71a7c7583adfc90a39cd25
Opcode Fuzzy Hash: 11e88b933eb3e8d04ec9ea179dc717c31d0fdaed827f10d37ad4064cd4d09acc
Instruction Fuzzy Hash: 0C51C0716032908FCB10CF59C844FAB77B5FF81329F1A05A9E9266B782C734E801CB94

Function 6C434830 Relevance: 16.6, APIs: 11, Instructions: 83COMMON

Download Yara Rule

APIs

??0CContainerUI@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C43483B

Part of subcall function 6C4317C0: ??0CStdPtrArray@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C4317D7
Part of subcall function 6C4317C0: ??0CStdPtrArray@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C4317E3
Part of subcall function 6C4317C0: ??0CStdPtrArray@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C4317EF
Part of subcall function 6C4317C0: ??0CStdPtrArray@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C4317FB
Part of subcall function 6C4317C0: ??0CStdPtrArray@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?), ref: 6C431807
Part of subcall function 6C4317C0: ??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?), ref: 6C43181D
Part of subcall function 6C4317C0: ??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?), ref: 6C43182F
Part of subcall function 6C4317C0: ??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?), ref: 6C4318A5
Part of subcall function 6C4317C0: ??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?), ref: 6C4318B7
Part of subcall function 6C4317C0: ??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?), ref: 6C4318D7
Part of subcall function 6C4317C0: ??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?), ref: 6C4318F7
Part of subcall function 6C4317C0: ??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C431909
Part of subcall function 6C4317C0: ??0CStdPtrArray@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C431963

??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C434885

Part of subcall function 6C4BFB60: ?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C4BFB7A

??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C4348B3
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C4348C5
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C4348D7
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?), ref: 6C4348E9
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?), ref: 6C4348FB
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C434928
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C434956
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C434978
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C43499A

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$V01@@$String@$Array@$Assign@Container
String ID:
API String ID: 3626823794-0
Opcode ID: 85b9a6e14f8c839aa70e00f07892552baf55e4bdfc60644283de083a79785646
Instruction ID: 3342f87ba0fcf18c55f01d9568febc35680b69b701ed0c5c10e52ece44f84904
Opcode Fuzzy Hash: 85b9a6e14f8c839aa70e00f07892552baf55e4bdfc60644283de083a79785646
Instruction Fuzzy Hash: 69410879A05F0AAADB14DF74C860ED3F7ACFF59248F004A1EA16E93540EB34B159CB94

Function 6C4349E0 Relevance: 16.5, APIs: 11, Instructions: 38COMMON

Download Yara Rule

APIs

??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434A06
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434A11
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434A1C
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434A27
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434A32
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434A3D
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434A48
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434A53
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434A5E
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434A69
??1CContainerUI@DuiLib@@UAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434A70

Part of subcall function 6C495730: ?RemoveAll@CContainerUI@DuiLib@@UAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C495786
Part of subcall function 6C495730: ??1CStdValArray@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4957DA
Part of subcall function 6C495730: ??1CControlUI@DuiLib@@UAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4957E1

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$Container$All@Array@ControlRemove
String ID:
API String ID: 389304163-0
Opcode ID: 8bb08924a732883f70f40f9bee15d998ffc9c16c346b7f1cb1c93d3bff70159b
Instruction ID: f5c55426f95a4ae30497dc6b279f28ab0ab42ce2f0c793b7883af726a3bebeb6
Opcode Fuzzy Hash: 8bb08924a732883f70f40f9bee15d998ffc9c16c346b7f1cb1c93d3bff70159b
Instruction Fuzzy Hash: 0701527A03660086EA14DB64DCB1FEB7B98EF10288F4004ECC15E16A91EF353B09CAB5

Function 6C43AEC0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 106stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?), ref: 6C43AF16
GlobalFree.KERNEL32 ref: 6C43AF27
lstrcpyW.KERNEL32(?,?), ref: 6C43AF52
GlobalFree.KERNEL32 ref: 6C43AF63
?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C43AF75
GlobalAlloc.KERNEL32(00000040,00001FF8,?,?,?,?,?,?), ref: 6C43AFC6
lstrcpynW.KERNEL32(-00000004,?,?,?,?,?,?,?), ref: 6C43AFD9

Strings

0A, xrefs: 6C43AF02, 6C43AF1E, 6C43AF38, 6C43AF5A, 6C43AFB2, 6C43AFDF
%ld, xrefs: 6C43AFA4

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Global$Freelstrcpy$AllocControlControl@FindI@2@Lib@@ManagerPaintlstrcpyn
String ID: %ld$0A
API String ID: 1711196038-4217419862
Opcode ID: db194ba7b2c28aa7c863921972dad896996c786b6b6f1b10f66f5b3876968c8f
Instruction ID: a3ec79688827c26397ffd19eb490514f5b2a646e63f85b2827e029bb232839a4
Opcode Fuzzy Hash: db194ba7b2c28aa7c863921972dad896996c786b6b6f1b10f66f5b3876968c8f
Instruction Fuzzy Hash: D731C7F1A422149BEB00CF60DC44FA637B8EF8A719F450059FA05A7380DB759905CBE9

Function 6C43ED60 Relevance: 15.2, APIs: 8, Strings: 2, Instructions: 248stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?), ref: 6C43EDC0
GlobalFree.KERNEL32 ref: 6C43EDD1
lstrcpyW.KERNEL32(?,?), ref: 6C43EDEB
GlobalFree.KERNEL32 ref: 6C43EDFC
GlobalAlloc.KERNEL32(00000040,00001FF8), ref: 6C43EFB8
lstrcpynW.KERNEL32(-00000004,?), ref: 6C43EFCB
GlobalAlloc.KERNEL32(00000040,00001FF8), ref: 6C43F012
lstrcpynW.KERNEL32(-00000004,?), ref: 6C43F025

Strings

0A, xrefs: 6C43EDA6, 6C43EDC8, 6C43EDD7, 6C43EDF3, 6C43EFA4, 6C43EFD1, 6C43EFFE, 6C43F02B
%ld, xrefs: 6C43EF96, 6C43EFF0

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Global$AllocFreelstrcpylstrcpyn
String ID: %ld$0A
API String ID: 2234640201-4217419862
Opcode ID: 26e17610cb4d4fb8173309f82196bdd1dcd8184374bfda94eb1d87b74aafa257
Instruction ID: d48b9134cbb330408ba72144bd6017dd73d0651da4892bf87f23cd0f1053fe89
Opcode Fuzzy Hash: 26e17610cb4d4fb8173309f82196bdd1dcd8184374bfda94eb1d87b74aafa257
Instruction Fuzzy Hash: CC91F7B1D022249BEB10CF11CC80FDA77B8AF4A319F4505A9F808A7391D774AE89CBD5

Function 6C480DD0 Relevance: 15.2, APIs: 10, Instructions: 230COMMON

Download Yara Rule

APIs

??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C480FD8
??4CDuiString@DuiLib@@QAEABV01@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C481014
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C481070

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$PaintString@$D__@@ManagerV01@Window@
String ID:
API String ID: 4253066994-0
Opcode ID: f8574ff7b1fe45fe1da63f1f322db942aa71f249adee74d1b517e74e3324361d
Instruction ID: 64fdf0b0bc4bff28b6ae04ec37ff29b8194cf93b05e3e128716628ddb45fa5d3
Opcode Fuzzy Hash: f8574ff7b1fe45fe1da63f1f322db942aa71f249adee74d1b517e74e3324361d
Instruction Fuzzy Hash: FAB1E4B5601B408FD724CF28C884FA6B7F1BB89314F148A6ED99A87B51DB70F945CB90

Function 6C436F70 Relevance: 15.1, APIs: 10, Instructions: 107COMMON

Download Yara Rule

APIs

??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C436FA7

Part of subcall function 6C4BFB90: ?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(6C4313B7,000000FF,?,?,6C4313B7,?), ref: 6C4BFB9D

??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C436FB9
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C43702F
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C437041
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?), ref: 6C437061
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?), ref: 6C437081
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?), ref: 6C437093
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?), ref: 6C43713F
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?), ref: 6C43717D
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?,?), ref: 6C43718F

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@String@$V01@V01@@$Assign@
String ID:
API String ID: 3995927423-0
Opcode ID: 6ff45fa00bb19d32be160469ac3b70767420ac90505647e03ce4f22202bfe1e9
Instruction ID: d3cc552d7bc6ca7f8e6a07820bfe3a48cd3997cfc873a4db5ab3a5fb999e279b
Opcode Fuzzy Hash: 6ff45fa00bb19d32be160469ac3b70767420ac90505647e03ce4f22202bfe1e9
Instruction Fuzzy Hash: 2751EF65D19F8695E616CB38C951AF2F3A4BF69348F04E709DAAD61403FB3072E8C790

Function 6C4A09AF Relevance: 15.1, APIs: 10, Instructions: 96windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6C4A09C5
?SetFocus@CPaintManagerUI@DuiLib@@QAEXPAVCControlUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A0A2A
GetWindow.USER32(?,00000004), ref: 6C4A0A33
SetFocus.USER32(00000000,?,00000004,00000000), ref: 6C4A0A42
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A1718
?Remove@CStdPtrArray@DuiLib@@QAE_NH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A172B
??BCEventSource@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A173D
??RCEventSource@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A1750
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A1762
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A176E

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Array@$EventManagerPaintSource@$ControlCountFocusFocus@I@2@@Remove@TickTransparent@Window
String ID:
API String ID: 716611885-0
Opcode ID: d5c6995f0757a16639081c5ddc7b48782b1e218f8144affc54f25b3b772f15bc
Instruction ID: ac67cfc6fe4f78d57971428b99d28b11d7783a1a9beb566cd9684facd1d2aac5
Opcode Fuzzy Hash: d5c6995f0757a16639081c5ddc7b48782b1e218f8144affc54f25b3b772f15bc
Instruction Fuzzy Hash: D4317C38701B008FDB14DF69C494F66B7E2BF99314F15052DD19B87BA0EB70E8468B44

Function 6C434D90 Relevance: 15.0, APIs: 10, Instructions: 31COMMON

Download Yara Rule

APIs

??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434DB6
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434DC1
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434DCC
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434DD7
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434DE2
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434DED
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434DF8
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434E03
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434E0E
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C434E19

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@String@
String ID:
API String ID: 514026501-0
Opcode ID: 9acda57023fde72bec13adbbf715373ca0a912fe2c80db15488b6b7c113e4852
Instruction ID: e4e9b62cdef6c26164e99f4a66b45367d8ca65d798d57b313bf83ed4e435a1fc
Opcode Fuzzy Hash: 9acda57023fde72bec13adbbf715373ca0a912fe2c80db15488b6b7c113e4852
Instruction Fuzzy Hash: A0F0C77A53960086D614DB64DCB1FF67B94EF11248F5005EDC15E16A51DF353B09CAB0

Function 6C43E860 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 198memorystringCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 6C43E899
GlobalAlloc.KERNEL32(00000040,00001FF8), ref: 6C43EA04
lstrcpynW.KERNEL32(-00000004,?), ref: 6C43EA17
GlobalAlloc.KERNEL32(00000040,00001FF8), ref: 6C43EA75
lstrcpynW.KERNEL32(-00000004,?), ref: 6C43EA88

Strings

0A, xrefs: 6C43E9DF, 6C43EA1D, 6C43EA61, 6C43EA8E
exe file path: %s, xrefs: 6C43E8A0
%ld, xrefs: 6C43EA53

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: AllocGloballstrcpyn$FileModuleName
String ID: %ld$0A$exe file path: %s
API String ID: 3103822100-1008475089
Opcode ID: 1bf0c6f0baa8d4f4c0c4cbefc40a35fb4d0918b1ddff0f6f5953dc1528157b07
Instruction ID: 770e74d8221864ea36fdf784d0798a1dcdfc5be1e3b12b3990de00ba1f1e4d19
Opcode Fuzzy Hash: 1bf0c6f0baa8d4f4c0c4cbefc40a35fb4d0918b1ddff0f6f5953dc1528157b07
Instruction Fuzzy Hash: 6151CFB2A05340ABD710DF61CC40F9B7BB4AF8A319F01092DF98896791E775A948CBD6

Function 6C43C970 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 91stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?), ref: 6C43C9D3
GlobalFree.KERNEL32(?), ref: 6C43C9E4
?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C43C9F4
?GetValue@CProgressUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C43C9FF
GlobalAlloc.KERNEL32(00000040,00001FF8,?,?,?,?,?,?), ref: 6C43CA59
lstrcpynW.KERNEL32(-00000004,?,?,?,?,?,?,?), ref: 6C43CA6C

Strings

0A, xrefs: 6C43C9A8, 6C43C9DB, 6C43CA45, 6C43CA72
%ld, xrefs: 6C43CA37

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: GlobalLib@@$AllocControlControl@FindFreeI@2@ManagerPaintProgressValue@lstrcpylstrcpyn
String ID: %ld$0A
API String ID: 74881526-4217419862
Opcode ID: 40ce2361c06192847edc32f740147a5435125f87aa17f40bd276cb0e1154b8dc
Instruction ID: e4190a10cc49ddd803d66407d0fa2b75634394367e19900aba92f870fb774e0f
Opcode Fuzzy Hash: 40ce2361c06192847edc32f740147a5435125f87aa17f40bd276cb0e1154b8dc
Instruction Fuzzy Hash: 9831A1B5A01614AFEB10DF24DC01F9A3BF4EB8A314F524019FA19A7340EB74A905CBD9

Function 6C494DE0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

GetClassInfoExW.USER32(00000000,00000000,00000030), ref: 6C494E23
?GetInstance@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,6C494CB4,?,?,6C43B37A), ref: 6C494E40
GetClassInfoExW.USER32(00000000,00000000,00000030), ref: 6C494E48
?GetInstance@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,6C494CB4,?,?,6C43B37A), ref: 6C494E5F
CreateSolidBrush.GDI32(00000000), ref: 6C494E7C
RegisterClassExW.USER32(00000030), ref: 6C494E86
GetLastError.KERNEL32(?,?,?,?,6C494CB4,?,?,6C43B37A), ref: 6C494E93

Strings

0, xrefs: 6C494E04

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Class$E__@@InfoInstance@Lib@@ManagerPaint$BrushCreateErrorLastRegisterSolid
String ID: 0
API String ID: 3828204466-4108050209
Opcode ID: e62d7529e2dddc77657e27ab71d5d04fe5edd32ce44c34130fc4c92061a83214
Instruction ID: a61635fc5e40016db43bd75f616b82ab2c6012cb0d07ea4d63270be2a7eae02c
Opcode Fuzzy Hash: e62d7529e2dddc77657e27ab71d5d04fe5edd32ce44c34130fc4c92061a83214
Instruction Fuzzy Hash: 4321AE75B002148FDF00DF69CC88EBEBBB8FF89255F568119E816A3350EB349941CB94

Function 6C47AF60 Relevance: 13.6, APIs: 9, Instructions: 120COMMON

Download Yara Rule

APIs

??0CVerticalLayoutUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47AF91

Part of subcall function 6C4A7420: ??0CContainerUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,6C47AF96), ref: 6C4A7426

??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47AFE8
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47B000
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47B018
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47B02D
??0CVerticalLayoutUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47B068
??0CHorizontalLayoutUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47B0AF

Part of subcall function 6C4A8780: ??0CContainerUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,6C46AC19), ref: 6C4A8786

?Add@CContainerUI@DuiLib@@UAE_NPAVCControlUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C47B0FB
?Add@CContainerUI@DuiLib@@UAE_NPAVCControlUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C47B109

Part of subcall function 6C495A10: ?InitControls@CPaintManagerUI@DuiLib@@QAE_NPAVCControlUI@2@0@Z.DOWNLOADER_NSIS_PLUGIN(?,6C521394,?,6C495A10,?,?,?,6C47B10E,?), ref: 6C495A32
Part of subcall function 6C495A10: ?NeedUpdate@CControlUI@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,6C47B10E,?), ref: 6C495A54

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$ContainerControlString@$Layout$Add@I@2@@Vertical$Controls@HorizontalI@2@0@InitManagerNeedPaintUpdate@
String ID:
API String ID: 4046941250-0
Opcode ID: c455492223074a201ed5ec5894c7dc2ad7f4d9a6f0afd4466ba92430657beaa5
Instruction ID: 8136ad838cae846b9bfd6ece607356d6ada1dbfee2582e644e8d8e79711af15c
Opcode Fuzzy Hash: c455492223074a201ed5ec5894c7dc2ad7f4d9a6f0afd4466ba92430657beaa5
Instruction Fuzzy Hash: 0A51F3B0901B5A8FDB20CFA4C895BEABBF0FB08314F10466DD4A96B390D7796505CF95

Function 6C4A0A5B Relevance: 13.6, APIs: 9, Instructions: 120COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(00000000), ref: 6C4A0A89
ScreenToClient.USER32(?,00000000), ref: 6C4A0A92

Part of subcall function 6C4A0460: GetKeyState.USER32(00000011), ref: 6C4A046E
Part of subcall function 6C4A0460: GetKeyState.USER32(00000002), ref: 6C4A0478
Part of subcall function 6C4A0460: GetKeyState.USER32(00000001), ref: 6C4A0485
Part of subcall function 6C4A0460: GetKeyState.USER32(00000010), ref: 6C4A0492
Part of subcall function 6C4A0460: GetKeyState.USER32(00000012), ref: 6C4A049F

GetTickCount.KERNEL32 ref: 6C4A0B1D
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A1718
?Remove@CStdPtrArray@DuiLib@@QAE_NH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A172B
??BCEventSource@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A173D
??RCEventSource@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A1750
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A1762
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A176E

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$State$Array@$EventSource@$ClientCountCursorManagerPaintRemove@ScreenTickTransparent@
String ID:
API String ID: 3918407828-0
Opcode ID: e6edb67096f2470506ec6b578322284b0d87c7d85359c85acc008644252d834d
Instruction ID: 1eab184ee4f5ef109b1c51fe065df6d8c88d25277222752c4e4a010fa16b1d6c
Opcode Fuzzy Hash: e6edb67096f2470506ec6b578322284b0d87c7d85359c85acc008644252d834d
Instruction Fuzzy Hash: 2B413779601B408FCB20CF69C884FAAB7F1BF99314F04092DD59B87B50EB70E8468B54

Function 6C4A0E69 Relevance: 13.6, APIs: 9, Instructions: 118windowCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 6C4A0E82
GetTickCount.KERNEL32 ref: 6C4A0F16
SendMessageW.USER32(?,00000200,00000000,?), ref: 6C4A0F4F
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A1718
?Remove@CStdPtrArray@DuiLib@@QAE_NH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A172B
??BCEventSource@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A173D
??RCEventSource@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A1750
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A1762
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A176E

Part of subcall function 6C4A0460: GetKeyState.USER32(00000011), ref: 6C4A046E
Part of subcall function 6C4A0460: GetKeyState.USER32(00000002), ref: 6C4A0478
Part of subcall function 6C4A0460: GetKeyState.USER32(00000001), ref: 6C4A0485
Part of subcall function 6C4A0460: GetKeyState.USER32(00000010), ref: 6C4A0492
Part of subcall function 6C4A0460: GetKeyState.USER32(00000012), ref: 6C4A049F

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$State$Array@$EventSource@$ClientCountManagerMessagePaintRemove@ScreenSendTickTransparent@
String ID:
API String ID: 971744113-0
Opcode ID: 32ab8a2021ec6afb50d443d8bbbdc1180903d511c15005b2e37f1875d62fc471
Instruction ID: 4b642030802cdb9a002aa3c5a92af2a7e03dcac2c9eda3833b3b298b2eb2eb93
Opcode Fuzzy Hash: 32ab8a2021ec6afb50d443d8bbbdc1180903d511c15005b2e37f1875d62fc471
Instruction Fuzzy Hash: 45411678600B019FDB64DF69C894E6AB7F1BF98314F14092DE59B87B90EB70E805CB94

Function 6C4A0D82 Relevance: 13.6, APIs: 9, Instructions: 115windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32 ref: 6C4A0D86
SetCapture.USER32(?), ref: 6C4A0E04
GetTickCount.KERNEL32 ref: 6C4A0E3E
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A1718
?Remove@CStdPtrArray@DuiLib@@QAE_NH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A172B
??BCEventSource@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A173D
??RCEventSource@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A1750
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A1762
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A176E

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Array@$EventSource@$CaptureCountFocusManagerPaintRemove@TickTransparent@
String ID:
API String ID: 3251327614-0
Opcode ID: f1b72307bd2c55fd6f288f9f293ae313be45b7ad944d70899bf579ec0cdcecf9
Instruction ID: dc32c849483a14c2c004e501893e5a442de1596903d5c85c50ab66695a9e2c6d
Opcode Fuzzy Hash: f1b72307bd2c55fd6f288f9f293ae313be45b7ad944d70899bf579ec0cdcecf9
Instruction Fuzzy Hash: 78410478600B018FCB54DF69C894E6AB7E2BF98314F15482DD59A87B61EB30E846CB54

Function 6C4A0B7C Relevance: 13.6, APIs: 9, Instructions: 115windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32 ref: 6C4A0B80
SetCapture.USER32(?), ref: 6C4A0C09
GetTickCount.KERNEL32 ref: 6C4A0FE9
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A1718
?Remove@CStdPtrArray@DuiLib@@QAE_NH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A172B
??BCEventSource@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A173D
??RCEventSource@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A1750
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A1762
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A176E

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Array@$EventSource@$CaptureCountFocusManagerPaintRemove@TickTransparent@
String ID:
API String ID: 3251327614-0
Opcode ID: 6715a220c8be98ad081b8af9762a5507c3c856691780b4befa7cf844b1afd4f3
Instruction ID: 86749860383287e9825fa4ba61df27798011fc95b2cde5813243e997e6699855
Opcode Fuzzy Hash: 6715a220c8be98ad081b8af9762a5507c3c856691780b4befa7cf844b1afd4f3
Instruction Fuzzy Hash: BC410378600B01CFDB24DF69C494E6AB7E2BF89314F15482DE49B87B60EB30E806CB54

Function 6C4A0CD0 Relevance: 13.6, APIs: 9, Instructions: 109windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32 ref: 6C4A0CD4
SetCapture.USER32(?), ref: 6C4A0D3E
GetTickCount.KERNEL32 ref: 6C4A0E3E
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A1718
?Remove@CStdPtrArray@DuiLib@@QAE_NH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A172B
??BCEventSource@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A173D
??RCEventSource@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A1750
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A1762
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A176E

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Array@$EventSource@$CaptureCountFocusManagerPaintRemove@TickTransparent@
String ID:
API String ID: 3251327614-0
Opcode ID: 56d30353a66192bf2acf3dbfee9930d8454cc415d4ec5dcb9a04b7ba6ca91d27
Instruction ID: 998a3f3bc2fe394b10155745a371db04c3cd80aa682357fcc92514dabf7d36d3
Opcode Fuzzy Hash: 56d30353a66192bf2acf3dbfee9930d8454cc415d4ec5dcb9a04b7ba6ca91d27
Instruction Fuzzy Hash: BD411378600B018FD754CF69C494E6AB7E2BF98314F15482DD49A87B60EB30E846CB54

Function 6C47EA90 Relevance: 13.6, APIs: 9, Instructions: 84COMMON

Download Yara Rule

APIs

??0CControlUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47EAC1

Part of subcall function 6C4988F0: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C49892D
Part of subcall function 6C4988F0: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C498944
Part of subcall function 6C4988F0: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C49895B
Part of subcall function 6C4988F0: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000), ref: 6C498972
Part of subcall function 6C4988F0: ??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000,00000000), ref: 6C498989
Part of subcall function 6C4988F0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000,00000000), ref: 6C4989AC
Part of subcall function 6C4988F0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000,00000000,00000000), ref: 6C4989C4
Part of subcall function 6C4988F0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C498A06
Part of subcall function 6C4988F0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C498A1E
Part of subcall function 6C4988F0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C498A3F
Part of subcall function 6C4988F0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C498A61
Part of subcall function 6C4988F0: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C498A76

??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47EB05
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47EB1D
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47EB35
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47EB4D
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47EB65
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47EB7D
??0CDuiRect@DuiLib@@QAE@HHHH@Z.DOWNLOADER_NSIS_PLUGIN ref: 6C47EB97
?Invalidate@CControlUI@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47EBAD

Part of subcall function 6C498EB0: IntersectRect.USER32(?,?,?), ref: 6C498F5B

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$Array@$Control$IntersectInvalidate@RectRect@
String ID:
API String ID: 3273616563-0
Opcode ID: 0a57c03017f200020b5731565b4180d1d105eccb6a6fbf75e30a24e0e55c6e16
Instruction ID: 8e64e327172e5ebc09db06facdd99a442e1b870019169b2b18760e7b143bc392
Opcode Fuzzy Hash: 0a57c03017f200020b5731565b4180d1d105eccb6a6fbf75e30a24e0e55c6e16
Instruction Fuzzy Hash: B44104B490475A8BDB00DFA8C884BEEBBB0FF48318F00061DD8556B391DB796648CB95

Function 6C43CF30 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?), ref: 6C43CF94
GlobalFree.KERNEL32 ref: 6C43CFA5
lstrcpyW.KERNEL32(?,?), ref: 6C43D00C
GlobalFree.KERNEL32(?), ref: 6C43D01D
?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C43D02D
?EvaluateI18n@CPaintManagerUI@DuiLib@@SAPB_WPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C43D03F

Strings

0A, xrefs: 6C43CF69, 6C43CF9C, 6C43CFAB, 6C43D014

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: FreeGlobalLib@@ManagerPaintlstrcpy$ControlControl@EvaluateFindI18n@I@2@
String ID: 0A
API String ID: 2738693966-2007828011
Opcode ID: 83a86f6ce19cbdb9ff772d9dde724638c5c4ae890b4852950559f99d1545c918
Instruction ID: 7024b23f3398ceec7a6f156428f46568844940476a9478115e83b4c309ec28ec
Opcode Fuzzy Hash: 83a86f6ce19cbdb9ff772d9dde724638c5c4ae890b4852950559f99d1545c918
Instruction Fuzzy Hash: F231A3B5A012189FEB00CF24DC80FAA77F8FB8A318F510529ED1997340EB74E945CB99

Function 6C43C830 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?), ref: 6C43C894
GlobalFree.KERNEL32 ref: 6C43C8A5
lstrcpyW.KERNEL32(?,?), ref: 6C43C90C
GlobalFree.KERNEL32(?), ref: 6C43C91D
?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C43C93E
?SetValue@CProgressUI@DuiLib@@QAEXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?), ref: 6C43C94A

Strings

0A, xrefs: 6C43C869, 6C43C89C, 6C43C8AB, 6C43C914

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: FreeGlobalLib@@lstrcpy$ControlControl@FindI@2@ManagerPaintProgressValue@
String ID: 0A
API String ID: 874629674-2007828011
Opcode ID: ca49c481846bc05b0e475c5c0e151d56997eb88ccf471ffb43dcb94b4de72193
Instruction ID: ce794b8ffa87923a9baa88f77ae4fa0a65eb84069d5afe7e7a85337722c3693f
Opcode Fuzzy Hash: ca49c481846bc05b0e475c5c0e151d56997eb88ccf471ffb43dcb94b4de72193
Instruction Fuzzy Hash: BC3192B1A012289FEB10DF24DC40FAA77B8BB4A718F414469EE58A7340E774A945CBD8

Function 6C43A900 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 80stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?), ref: 6C43A963
GlobalFree.KERNEL32(?), ref: 6C43A974
GetWindowLongA.USER32(00000000,000000F0), ref: 6C43A986
GlobalAlloc.KERNEL32(00000040,00001FF8), ref: 6C43A9C1
lstrcpynW.KERNEL32(-00000004,?), ref: 6C43A9D4

Strings

0A, xrefs: 6C43A938, 6C43A96B, 6C43A9AD, 6C43A9DA
%ld, xrefs: 6C43A99F

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Global$AllocFreeLongWindowlstrcpylstrcpyn
String ID: %ld$0A
API String ID: 2062605823-4217419862
Opcode ID: 7953d5b741de3c1440143d1391ae770c0b3be07e559db3889e634d6b53a9a343
Instruction ID: a941afbcfb08c2d93f59a73a67f118dbcb0da68687b3e650f95a59e07eb81d19
Opcode Fuzzy Hash: 7953d5b741de3c1440143d1391ae770c0b3be07e559db3889e634d6b53a9a343
Instruction Fuzzy Hash: 69216FB5A026149FDB10CF24DC45F9A3BB4EB4A724F424419FE18A7340D778A805CBD9

Function 6C43CAA0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 79stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?), ref: 6C43CB04
GlobalFree.KERNEL32(?), ref: 6C43CB15
?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(editDir), ref: 6C43CB29

Strings

editDir, xrefs: 6C43CB24
RUl, xrefs: 6C43CB62
PUl, xrefs: 6C43CB46
0A, xrefs: 6C43CAD9, 6C43CB0C

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: ControlControl@FindFreeGlobalI@2@Lib@@ManagerPaintlstrcpy
String ID: 0A$PUl$RUl$editDir
API String ID: 3306664104-315604671
Opcode ID: e8c1f1e381fb654517817dc914885ad66c213db09b03c38c9f42588f0762a200
Instruction ID: 32da563e1a3b4c6dba0d77bec6b706e06cbb67457cd21b3acb38ef5a92109ea9
Opcode Fuzzy Hash: e8c1f1e381fb654517817dc914885ad66c213db09b03c38c9f42588f0762a200
Instruction Fuzzy Hash: BD216FB5B026249FDB50DF25DC80E6A7BF4EF8A714B42041AED1A97341DB74A805CBD8

Function 6C43ADD0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 78stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?), ref: 6C43AE0F
GlobalFree.KERNEL32 ref: 6C43AE20
?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C43AE30
GlobalAlloc.KERNEL32(00000040,00001FF8,?,?,?,?,?,?), ref: 6C43AE87
lstrcpynW.KERNEL32(-00000004,?,?,?,?,?,?,?), ref: 6C43AE9A

Strings

0A, xrefs: 6C43ADFB, 6C43AE17, 6C43AE73, 6C43AEA0
%ld, xrefs: 6C43AE65

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Global$AllocControlControl@FindFreeI@2@Lib@@ManagerPaintlstrcpylstrcpyn
String ID: %ld$0A
API String ID: 282767564-4217419862
Opcode ID: 65a865f74e5ae0ffdb1842337c468cd6e5d2f36ae6c7b7de18c8593edfd4a9d6
Instruction ID: 34d23167d5add26edf11d7c032880ec6acc2b51e66508049f5d87b28a106fc92
Opcode Fuzzy Hash: 65a865f74e5ae0ffdb1842337c468cd6e5d2f36ae6c7b7de18c8593edfd4a9d6
Instruction Fuzzy Hash: 9821C4B5B81610ABEB00DF61DC01FAA37B4EF8B719F410159FA14A73C0DB78A515CA99

Function 6C43CD00 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C43CD54
SHBrowseForFolderW.SHELL32(?), ref: 6C43CD90
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 6C43CD9C
GlobalAlloc.KERNEL32(00000040,00001FF8), ref: 6C43CDB6
lstrcpynW.KERNEL32(-00000004,?), ref: 6C43CDC9

Strings

@, xrefs: 6C43CD69
0A, xrefs: 6C43CD30, 6C43CDA2, 6C43CDCF

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: AllocBrowseFolderFromGlobalLib@@ListManagerPaintPathTransparent@lstrcpyn
String ID: 0A$@
API String ID: 4231578708-1509858616
Opcode ID: c3d9261c431ed91f7576ed88c2e2f334cbe91ecfdc81219cbe6ddf42b799248b
Instruction ID: f4973024c4510dafde86942d3f10025341c3f07650daa7dc8f344f5b5e2789a7
Opcode Fuzzy Hash: c3d9261c431ed91f7576ed88c2e2f334cbe91ecfdc81219cbe6ddf42b799248b
Instruction Fuzzy Hash: 2B214CB1A012199FDB50DF65DC48F9A7BF4EB8A314F42419AE918E7340D778A980CF98

Function 6C494860 Relevance: 12.2, APIs: 8, Instructions: 154COMMON

Download Yara Rule

APIs

??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C494931

Part of subcall function 6C4BFB60: ?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(?,000000FF), ref: 6C4BFB7A

?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4949DD
??8CDuiString@DuiLib@@QBE_NPB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4949E6
?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4949FB
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C494A0C
??8CDuiString@DuiLib@@QBE_NPB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C494A15
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C494A35
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C494A40

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$Paint$D__@@ManagerWindow@$Assign@Empty@V01@@
String ID:
API String ID: 4232050872-0
Opcode ID: 584bceb3db16ef7950a72e3e3a9d946ae4e430865499e15c8e2715a655ef6f84
Instruction ID: de9fa938faf7ec01a51feb48f48d5c9ce053774c7b3bcef6fa008e65887f47f4
Opcode Fuzzy Hash: 584bceb3db16ef7950a72e3e3a9d946ae4e430865499e15c8e2715a655ef6f84
Instruction Fuzzy Hash: 97711975910B818FC324CF28C494FA6F7A1BB89364F104B2DD9EA87B90EB70B545CB94

Function 6C46A9A0 Relevance: 12.1, APIs: 8, Instructions: 115COMMON

Download Yara Rule

APIs

?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46A9BD
?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46A9F1
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46AAD5
?DrawHtmlText@CRenderEngine@DuiLib@@SAXPAUHDC__@@PAVCPaintManagerUI@2@AAUtagRECT@@PB_WKPAU5@PAVCDuiString@2@AAHI@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,00000000,?,?,?,?,?), ref: 6C46AAF2

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Paint$Empty@ManagerString@$C__@@D__@@DrawEngine@HtmlI@2@RenderString@2@Text@UtagWindow@
String ID:
API String ID: 19083765-0
Opcode ID: d99cd92d3b261f71e88bbc04f5015acd12a8c9ad8c8f9cc437012167431ab954
Instruction ID: d1ccdc23ec13d44c08d46918dbfa345c73d1760faa0993d5111d7345302e952d
Opcode Fuzzy Hash: d99cd92d3b261f71e88bbc04f5015acd12a8c9ad8c8f9cc437012167431ab954
Instruction Fuzzy Hash: B5414AB0A00A189FCB10CF65C880EEFBBF5BF49319F04092EDA9AA7601E7356845CB55

Function 6C438B70 Relevance: 12.1, APIs: 8, Instructions: 115COMMON

Download Yara Rule

APIs

??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C438BC5
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C438BD7
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C438C4D
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C438C5F
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?), ref: 6C438C7F
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?), ref: 6C438C9F
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?), ref: 6C438CB1
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?), ref: 6C438D5D

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@String@V01@V01@@
String ID:
API String ID: 100188926-0
Opcode ID: 1a7c7826a91f253db9bf121b0c836320570d15295e32bbc9efcac2fbb76309c2
Instruction ID: 6c9c00aba7ec4b640d7899c5768c37b6c0f775e9c03b7e424e3a0847ac600388
Opcode Fuzzy Hash: 1a7c7826a91f253db9bf121b0c836320570d15295e32bbc9efcac2fbb76309c2
Instruction Fuzzy Hash: 9961DF65D14F86A6E756CB38C951AF2F3A4BF69308F04E70D99AD62412EF3072E4C790

Function 6C4A0F5B Relevance: 12.1, APIs: 8, Instructions: 100COMMON

Download Yara Rule

APIs

ScreenToClient.USER32 ref: 6C4A0F77
GetTickCount.KERNEL32 ref: 6C4A0FE9
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A1718
?Remove@CStdPtrArray@DuiLib@@QAE_NH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A172B
??BCEventSource@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A173D
??RCEventSource@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A1750
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A1762
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A176E

Part of subcall function 6C4A0460: GetKeyState.USER32(00000011), ref: 6C4A046E
Part of subcall function 6C4A0460: GetKeyState.USER32(00000002), ref: 6C4A0478
Part of subcall function 6C4A0460: GetKeyState.USER32(00000001), ref: 6C4A0485
Part of subcall function 6C4A0460: GetKeyState.USER32(00000010), ref: 6C4A0492
Part of subcall function 6C4A0460: GetKeyState.USER32(00000012), ref: 6C4A049F

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$State$Array@$EventSource@$ClientCountManagerPaintRemove@ScreenTickTransparent@
String ID:
API String ID: 2824413920-0
Opcode ID: e3a89ac5474fdb9bcdb1acbfcbb0f743c272f05920b567d4cb587e05fa1d38c5
Instruction ID: d41b6932b339452a39f1634c7d9b36bbcf9198c8ebab8cfea2c9dc4240838709
Opcode Fuzzy Hash: e3a89ac5474fdb9bcdb1acbfcbb0f743c272f05920b567d4cb587e05fa1d38c5
Instruction Fuzzy Hash: EA415978605B408FD720CF65C890EA6B7F1BF99314F05092ED49B87BA1EB30F84A8B50

Function 6C4809B0 Relevance: 12.1, APIs: 8, Instructions: 87COMMON

Download Yara Rule

APIs

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C480A22
?Add@CStdPtrArray@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C480A2F
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C480A3E
??8CDuiString@DuiLib@@QBE_NPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C480A57
?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(?,000000FF,?,?), ref: 6C480A65
??0CDuiString@DuiLib@@QAE@PB_WH@Z.DOWNLOADER_NSIS_PLUGIN(?,000000FF,?), ref: 6C480A8B

Part of subcall function 6C4C02A0: ?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(?,6C43B105,00000000,?,6C43B105,?), ref: 6C4C02BB

?SetAt@CStdPtrArray@DuiLib@@QAE_NHPAX@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,000000FF,?), ref: 6C480AA0
?Invalidate@CTreeNodeUI@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,000000FF,?), ref: 6C480AAA

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$Array@$Assign@$Add@Invalidate@ManagerNodePaintTransparent@Tree
String ID:
API String ID: 116671538-0
Opcode ID: c56bc4c8c7c9b19467ac1f0ba7677dd51dda03704d584ebddfef3736cc6e45db
Instruction ID: 136da45623963b5f678ae0ce1f208e8d8cdd9861729be44eaa0a21324494ab32
Opcode Fuzzy Hash: c56bc4c8c7c9b19467ac1f0ba7677dd51dda03704d584ebddfef3736cc6e45db
Instruction Fuzzy Hash: 6231B171A022558FCB14DF998880FAEBBB1FF88764F14022ED8556B790DB389C418BD1

Function 6C4A0C48 Relevance: 12.1, APIs: 8, Instructions: 83COMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 6C4A0C63
GetTickCount.KERNEL32 ref: 6C4A0C9C
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A1718
?Remove@CStdPtrArray@DuiLib@@QAE_NH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A172B
??BCEventSource@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A173D
??RCEventSource@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A1750
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A1762
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A176E

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Array@$EventSource@$CaptureCountManagerPaintReleaseRemove@TickTransparent@
String ID:
API String ID: 1714650517-0
Opcode ID: cc715f522d1be1f3640b7d5a9b7fcdf62ccf35eb6598f66d8404ed5c9b49b5c2
Instruction ID: 4ba0323096aa23b6647746da2c7b9b7f5b97fda2b94cef6db1cc4b3972231266
Opcode Fuzzy Hash: cc715f522d1be1f3640b7d5a9b7fcdf62ccf35eb6598f66d8404ed5c9b49b5c2
Instruction Fuzzy Hash: D4314278601B00CFC764DF69C490F66B7E2BF98314F01096DD59A8BBA1DB70E846CB90

Function 6C478DA0 Relevance: 12.1, APIs: 8, Instructions: 79COMMON

Download Yara Rule

APIs

?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C478E29
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C478E34
?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C478E3F
?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C478E4A
?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C478E57
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C478E62
?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C478E6D
?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C478E78

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Empty@PaintString@$C__@@ControlD__@@DrawImage@ManagerWindow@
String ID:
API String ID: 3803486185-0
Opcode ID: ef174468409f15c36f016dd6725f227efeb7fa16744a8320505d51a64ecb7e2a
Instruction ID: f797d7a49a2c9759d822c025d7591fbe75f94ccf9aec1d6e847adc45b4bb4313
Opcode Fuzzy Hash: ef174468409f15c36f016dd6725f227efeb7fa16744a8320505d51a64ecb7e2a
Instruction Fuzzy Hash: A8212934304B104BDA28DB248850FFF73AB9FC535DF04051EE99BAB791CB7938068AA5

Function 6C436820 Relevance: 12.0, APIs: 8, Instructions: 30COMMON

Download Yara Rule

APIs

??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C436832
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C43683D
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C436848
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C436853
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C43685E
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C436869
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C436874
??1CLabelUI@DuiLib@@UAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C43687B

Part of subcall function 6C479AB0: GdiplusShutdown.GDIPLUS(00000002,6C523684,?,6C4792A7,00000000), ref: 6C479AC2
Part of subcall function 6C479AB0: ??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(00000002,6C523684,?,6C4792A7,00000000), ref: 6C479ACD

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$GdiplusLabelShutdown
String ID:
API String ID: 402361070-0
Opcode ID: 247b996aa2c6acf1206378b2f913dd06e720cf2cccdf6292a0c6867bd0b5df88
Instruction ID: e72a8d54846727be403a1e01dbc97d5ac5658f3dc083f6a45fa9be6656f406c5
Opcode Fuzzy Hash: 247b996aa2c6acf1206378b2f913dd06e720cf2cccdf6292a0c6867bd0b5df88
Instruction Fuzzy Hash: DBF0363A02661046EA14E764DCB0FFA7798EF10289F4040BDD15E52791DF353608CBF5

Function 6C440D60 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 225memorystringCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 6C440DB0
GlobalAlloc.KERNEL32(00000040,00001FF8), ref: 6C440FE5
lstrcpynW.KERNEL32(-00000004,?), ref: 6C440FF8

Strings

exe file name: %s, xrefs: 6C440DF9
0A, xrefs: 6C440FC0, 6C440FFE
exe file path: %s, xrefs: 6C440DB7

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: AllocFileGlobalModuleNamelstrcpyn
String ID: 0A$exe file name: %s$exe file path: %s
API String ID: 2376901158-2426332254
Opcode ID: 8dd6c595bb1eba8e87bae22265d1d6d53a69a5c2f1786aa09708e590c266087a
Instruction ID: f10a0b04b5312205c07c4ac25ca07c5131f976ab9b6ccd233991bccc2f9750a6
Opcode Fuzzy Hash: 8dd6c595bb1eba8e87bae22265d1d6d53a69a5c2f1786aa09708e590c266087a
Instruction Fuzzy Hash: 7381E0B15097418AE700CF24CC40F9BB7E0EFE5319F248A2DF8A596790E7749659CB82

Function 6C43CDF0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?), ref: 6C43CE54
GlobalFree.KERNEL32 ref: 6C43CE65
lstrcpyW.KERNEL32(?,?), ref: 6C43CECC
GlobalFree.KERNEL32(?), ref: 6C43CEDD
?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C43CEED

Strings

0A, xrefs: 6C43CE29, 6C43CE5C, 6C43CE6B, 6C43CED4

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: FreeGloballstrcpy$ControlControl@FindI@2@Lib@@ManagerPaint
String ID: 0A
API String ID: 2765125890-2007828011
Opcode ID: 2561cd88fe24abf8ac5cd9b0d0b882cb93d4c79687bb197581255138d2b663c1
Instruction ID: c2433bacf701e7f6a6e88662b8e98628fc6ada3f6aaeac6657fc813357cf29b1
Opcode Fuzzy Hash: 2561cd88fe24abf8ac5cd9b0d0b882cb93d4c79687bb197581255138d2b663c1
Instruction Fuzzy Hash: F731A1B5A012289FEB00DF24CC41FAA77B8FB8A314F610119E91897380EB74A945CB98

Function 6C432A60 Relevance: 10.6, APIs: 7, Instructions: 87COMMON

Download Yara Rule

APIs

??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C432A97

Part of subcall function 6C4BFB90: ?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(6C4313B7,000000FF,?,?,6C4313B7,?), ref: 6C4BFB9D

??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C432AA9
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C432B1F
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C432B31
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?), ref: 6C432B51
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?), ref: 6C432B71
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?), ref: 6C432B83

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@String@$V01@V01@@$Assign@
String ID:
API String ID: 3995927423-0
Opcode ID: 4018513842c28609179ef0efb28f2fb344d3759484fd10c84fd6b311925e722b
Instruction ID: e2eac7c607cf9024d374de99db6bc2b7a0071fa1a821363ac60ad76933134d84
Opcode Fuzzy Hash: 4018513842c28609179ef0efb28f2fb344d3759484fd10c84fd6b311925e722b
Instruction Fuzzy Hash: E751E065D19F8695E216CB38C611BF6F3A4BF69348F04E709DAAD21113EB3072E5C394

Function 6C432CD0 Relevance: 10.6, APIs: 7, Instructions: 85COMMON

Download Yara Rule

APIs

??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C432D07

Part of subcall function 6C4BFB90: ?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(6C4313B7,000000FF,?,?,6C4313B7,?), ref: 6C4BFB9D

??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C432D19
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C432D8F
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C432DA1
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?), ref: 6C432DC1
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?), ref: 6C432DE1
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?), ref: 6C432DF3

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@String@$V01@V01@@$Assign@
String ID:
API String ID: 3995927423-0
Opcode ID: 996327a4ee03596b0a722f3a09de9d4cbbf74a25571b7deaab8f1d3baba93b65
Instruction ID: 263e549706b04a58d95db0035f0706c804431127bf74be938dd6faadc3a7bf30
Opcode Fuzzy Hash: 996327a4ee03596b0a722f3a09de9d4cbbf74a25571b7deaab8f1d3baba93b65
Instruction Fuzzy Hash: 3E410265D19F8696E216CB38C611BE2F3A4BF69348F04E709DAAD61103FB3072E5C390

Function 6C432EC0 Relevance: 10.6, APIs: 7, Instructions: 83COMMON

Download Yara Rule

APIs

??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C432EF7

Part of subcall function 6C4BFB90: ?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(6C4313B7,000000FF,?,?,6C4313B7,?), ref: 6C4BFB9D

??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C432F09
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C432F7F
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C432F91
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?), ref: 6C432FB1
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?), ref: 6C432FD1
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?), ref: 6C432FE3

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@String@$V01@V01@@$Assign@
String ID:
API String ID: 3995927423-0
Opcode ID: dd2fb01bd8e1d624a93c0e1ceb7c45945e4ff1131e0a95b8a10c84e643fb7771
Instruction ID: 261ce3f175c2a70a63d7b9538defeb7b7ae8b9a2dd65ab18ab92ba4010f02e99
Opcode Fuzzy Hash: dd2fb01bd8e1d624a93c0e1ceb7c45945e4ff1131e0a95b8a10c84e643fb7771
Instruction Fuzzy Hash: 0A411265D19F8696E216CB38C611BE2F3A4BF69348F04E709DAAD61103FB3072E4C390

Function 6C4A0FF7 Relevance: 10.6, APIs: 7, Instructions: 74COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6C4A102E
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A1718
?Remove@CStdPtrArray@DuiLib@@QAE_NH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A172B
??BCEventSource@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A173D
??RCEventSource@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A1750
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A1762
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A176E

Part of subcall function 6C4A0460: GetKeyState.USER32(00000011), ref: 6C4A046E
Part of subcall function 6C4A0460: GetKeyState.USER32(00000002), ref: 6C4A0478
Part of subcall function 6C4A0460: GetKeyState.USER32(00000001), ref: 6C4A0485
Part of subcall function 6C4A0460: GetKeyState.USER32(00000010), ref: 6C4A0492
Part of subcall function 6C4A0460: GetKeyState.USER32(00000012), ref: 6C4A049F

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$State$Array@$EventSource@$CountManagerPaintRemove@TickTransparent@
String ID:
API String ID: 641485356-0
Opcode ID: 4f030293cb660340b227c75171b21f544147e7f08a0c34d92d16c2cde34d0e80
Instruction ID: 5583b1b5fd3b060d6dc2fd0c7c879a494338b4f76546a3b31b202e3dbe04aad3
Opcode Fuzzy Hash: 4f030293cb660340b227c75171b21f544147e7f08a0c34d92d16c2cde34d0e80
Instruction Fuzzy Hash: 8D314738A01B419FC764CF69C590EA6B3E1BF99318F00591DD59B87B60EB70F886CB90

Function 6C49A9D0 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49AA3A
?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49AA4F
?GetVirtualWnd@CControlUI@DuiLib@@QBE?AVCDuiString@2@XZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49AA87

Part of subcall function 6C49A9D0: ??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49AA9D
Part of subcall function 6C49A9D0: ??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49AAA8

??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C49AAB5
??4CDuiString@DuiLib@@QAEABV01@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(6C526390), ref: 6C49AAC4

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$V01@$V01@@$ControlEmpty@String@2@VirtualWnd@
String ID:
API String ID: 3323136718-0
Opcode ID: ca961b3c08be5a656d16ee5e69c7fbd42b170f9cc2d8046d1b8a46b46a6f6b16
Instruction ID: 6b4c15253319cd70ae90b67b1840ee6bdba380b614c11d3a30b7297143498f7f
Opcode Fuzzy Hash: ca961b3c08be5a656d16ee5e69c7fbd42b170f9cc2d8046d1b8a46b46a6f6b16
Instruction Fuzzy Hash: 523139B6D007998BDB00CF54C840EEABB70BF89218F204759E8546A781DB759A46CBD0

Function 6C4A4DD0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A4DD8
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A4DEF
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A4E06
??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A4E1F
??0CStdPtrArray@DuiLib@@QAE@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A4E38

Strings

Ulr, xrefs: 6C4A4E01

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$Array@
String ID: Ulr
API String ID: 2949776054-3581451991
Opcode ID: c692e57531b426533757435cbc0b0d57d7a242c56a3a29bece56a3d8f382bac1
Instruction ID: 44e15e7b0abeff98bd2b5f774cbf141a84cacfdb48bab0b9f5391f0052a862b0
Opcode Fuzzy Hash: c692e57531b426533757435cbc0b0d57d7a242c56a3a29bece56a3d8f382bac1
Instruction Fuzzy Hash: 95F090FDA111905AF404F3905C23F9A7A441F5720EF45003DE80AA9F80EFBAB62D85E7

Function 6C436B40 Relevance: 10.5, APIs: 7, Instructions: 23COMMON

Download Yara Rule

APIs

??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C436B52
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C436B5D
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C436B68
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C436B73
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C436B7E
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C436B89
??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C436B94

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@String@
String ID:
API String ID: 514026501-0
Opcode ID: 07afecae88db129a01dd3ba2818a3c93cb7b518abe610ee4392700d889fd64a2
Instruction ID: 45252ecf9d49b2ade600f70c92b74a66975e13b1f6af118c1c6767fcb5846784
Opcode Fuzzy Hash: 07afecae88db129a01dd3ba2818a3c93cb7b518abe610ee4392700d889fd64a2
Instruction Fuzzy Hash: 29E0A23E03A61046E614E668DCB0EF57798EF10254F4004EDC19F12691DF3136088BF0

Function 6C480F10 Relevance: 9.1, APIs: 6, Instructions: 135COMMON

Download Yara Rule

APIs

??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C480F29
??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C480FD8
??4CDuiString@DuiLib@@QAEABV01@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C481014

Part of subcall function 6C4C0460: ?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(?,000000FF,?,?,?,6C49F00E,?), ref: 6C4C0473

?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C481030
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C48103B
?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,000000FF,00000000), ref: 6C48104A
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C481070
?DrawHtmlText@CRenderEngine@DuiLib@@SAXPAUHDC__@@PAVCPaintManagerUI@2@AAUtagRECT@@PB_WKPAU5@PAVCDuiString@2@AAHI@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,00000000,?,?,?,00000008,?), ref: 6C4810AA

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$PaintString@$Manager$Assign@D__@@Window@$Array@C__@@DrawEngine@HtmlI@2@RenderString@2@Text@UtagV01@
String ID:
API String ID: 529210432-0
Opcode ID: 43c8901550ec45750cdb15f12244bff62d86b1d794e0893943c50e835f10b96c
Instruction ID: c6886a94789ea97abe2474a599f22e0b88508b5e10d6ff288d38465695b27ea3
Opcode Fuzzy Hash: 43c8901550ec45750cdb15f12244bff62d86b1d794e0893943c50e835f10b96c
Instruction Fuzzy Hash: 3F51E4B5601B408FD724CF28C884EA6B7F1FB99314F148A6ED9AA87B51D770F945CB80

Function 6C50EC30 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 369COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6C50ED1A
__freea.LIBCMT ref: 6C50EDB0
__freea.LIBCMT ref: 6C50EDCC

Strings

am/pm, xrefs: 6C50EE30
a/p, xrefs: 6C50EE94

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm
API String ID: 3509577899-3206640213
Opcode ID: b8429dbf8db0b2fd6025de070dabbdae3d6a0756ec5c141042917a495102f13f
Instruction ID: 5e0073a00c8ef8386b11e526120ac2d97d904f833320fbecb9fe1dfd7dd39fc4
Opcode Fuzzy Hash: b8429dbf8db0b2fd6025de070dabbdae3d6a0756ec5c141042917a495102f13f
Instruction Fuzzy Hash: E6C1F271B01216DBDB10CF68CD94BAA7770FF46308F344649E891EBA50E3B6A941CBA5

Function 6C47E920 Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47E993
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C47E9A4
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C47E9D6
?GetDefaultFontInfo@CPaintManagerUI@DuiLib@@QAEPAUtagTFontInfo@2@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47EA03
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C47EA32
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C47EA3E

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Array@ManagerPaint$FontTransparent@$DefaultInfo@Info@2@Utag
String ID:
API String ID: 231493994-0
Opcode ID: 8f2de69b98a0bfe847acad769357cfc6995ea2227141bb4fa2eecc3998ec57ab
Instruction ID: c8f7b62588c84c92fffbf6a8dce0891b01ad29f73753498ba02404d4c2b8ac3f
Opcode Fuzzy Hash: 8f2de69b98a0bfe847acad769357cfc6995ea2227141bb4fa2eecc3998ec57ab
Instruction Fuzzy Hash: 3F410575A002189FCF14CFA9C894EEEBBB5BF89358F054469E906AB351DB319C05CBA4

Function 6C470E00 Relevance: 9.1, APIs: 6, Instructions: 86COMMON

Download Yara Rule

APIs

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C470E6B
GetClientRect.USER32(00000000,00000000), ref: 6C470E74
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C470E80
GetClientRect.USER32(00000000,00000000), ref: 6C470E89
CreateAcceleratorTableW.USER32(?,00000001), ref: 6C470EE1
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C470F1B

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Paint$Lib@@Manager$ClientRectTransparent@$AcceleratorCreateD__@@TableWindow@
String ID:
API String ID: 2560423918-0
Opcode ID: b42e4d6221117e613168223f15c74c54b4da2417c4443b96877348e94bc14b28
Instruction ID: 69305483ae58ee9ef7a17df7aa21227349a0085f34d7540b9c99ce6977e21aa5
Opcode Fuzzy Hash: b42e4d6221117e613168223f15c74c54b4da2417c4443b96877348e94bc14b28
Instruction Fuzzy Hash: AA4103B5A01249CFDB10CF54C958BEEBBB0FF48328F108519E815AB790C7B9A945CFA5

Function 6C4C2FC0 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32 ref: 6C4C2FFF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C4C3024
__allrem.LIBCMT ref: 6C4C3038
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C4C3071
__Init_thread_header.LIBCMT ref: 6C4C3093
QueryPerformanceFrequency.KERNEL32 ref: 6C4C30BA

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: PerformanceQueryUnothrow_t@std@@@__ehfuncinfo$??2@$CounterFrequencyInit_thread_header__allrem
String ID:
API String ID: 3691769289-0
Opcode ID: 7458c7713ea338ff9681ce39109f045f95bad9a19b1c8edc179aa86540db7d44
Instruction ID: 2109ca0b14faa1d079abadf2a2d2e3464ba9fe3200042168681c29c2fb4ca7fa
Opcode Fuzzy Hash: 7458c7713ea338ff9681ce39109f045f95bad9a19b1c8edc179aa86540db7d44
Instruction Fuzzy Hash: C83156B5A04340AFC714DF19DC4586ABBF8EFCA364F058A5DF4A987790DB35A804CB92

Function 6C4A0B43 Relevance: 9.1, APIs: 6, Instructions: 66COMMON

Download Yara Rule

APIs

?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A1718
?Remove@CStdPtrArray@DuiLib@@QAE_NH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A172B
??BCEventSource@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A173D
??RCEventSource@DuiLib@@QAE_NPAX@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A1750
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A1762
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,00000000), ref: 6C4A176E

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Array@$EventSource@$ManagerPaintRemove@Transparent@
String ID:
API String ID: 1680783006-0
Opcode ID: 6582b90f00f5b5797686fd34193bbaa27871e4511167dc9b36e2fc72aa1bcd52
Instruction ID: 7ebae1f4b6d5d90b38bb4ad2546efdf01b6c60dd6e158c1bba05ad43738fb254
Opcode Fuzzy Hash: 6582b90f00f5b5797686fd34193bbaa27871e4511167dc9b36e2fc72aa1bcd52
Instruction Fuzzy Hash: 4B2139387016018FD754CF69C590F66B7E2BF98348F14456CD5AB8BBA1EB30E8478B90

Function 6C494B30 Relevance: 9.1, APIs: 6, Instructions: 61COMMON

Download Yara Rule

APIs

?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C494B4B
?GetSize@CStdValArray@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C494B73
?GetAt@CStdStringPtrMap@DuiLib@@QBEPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C494B7F
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C494B8D
?Find@CStdStringPtrMap@DuiLib@@QBEPAXPB_W_N@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000,?,00000000), ref: 6C494BA5
?LoopDispatch@CNotifyPump@DuiLib@@QAE_NAAUtagTNotifyUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000,?,00000000), ref: 6C494BB3

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Map@NotifyPaintString$Array@D__@@Dispatch@Empty@Find@I@2@@LoopManagerPump@Size@String@UtagWindow@
String ID:
API String ID: 3901886468-0
Opcode ID: cd87a154b723f5e1c2c86420d88cb9439aca799325d9218f0d5a3ca060488b10
Instruction ID: d540c234e6a8f8a12d65ceb0f714e2f377209e17f096f73ab6bd1647f397f080
Opcode Fuzzy Hash: cd87a154b723f5e1c2c86420d88cb9439aca799325d9218f0d5a3ca060488b10
Instruction Fuzzy Hash: 9F018235A011295ADF00DA65EC51FFFBFA5DFC21DDF10103AE9259BB50EB218D0982E5

Function 6C492F9A Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C49238F
?Resize@CStdPtrArray@DuiLib@@QAEXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C492398
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4923A0
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4923AE
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4923BC
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4923D9
?Resize@CStdPtrArray@DuiLib@@QAEXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4923E2
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4923EA
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4923F8
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C492406
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(?,?,00000000), ref: 6C492423
?Resize@CStdPtrArray@DuiLib@@QAEXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,00000000), ref: 6C49242C
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,00000000), ref: 6C492434
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,00000000), ref: 6C492442
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,00000000), ref: 6C492450
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C492FC9
?Remove@CStdPtrArray@DuiLib@@QAE_NH@Z.DOWNLOADER_NSIS_PLUGIN(-00000001), ref: 6C492FD3
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(-00000001), ref: 6C492FE6
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(-00000001,-00000001), ref: 6C492FF0
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(-00000001,-00000001), ref: 6C49300D
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(-00000001,-00000001,-00000001), ref: 6C493017

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@Paint$Manager$Transparent@$Array@D__@@Window@$Resize@$Remove@
String ID:
API String ID: 3960065117-0
Opcode ID: 82aa25ae4d84586377873595667552a801f9443a05f6f6d9a0eb8ec816c6db78
Instruction ID: c9edb43a928a34e9a04fa7029973cbefbb054a3db7cc84f121af9c7ded3186b2
Opcode Fuzzy Hash: 82aa25ae4d84586377873595667552a801f9443a05f6f6d9a0eb8ec816c6db78
Instruction Fuzzy Hash: 56219075102B048FC768DF28D6A0EA6BBE1FF49604750095DE59B87F55DB30F814CBA1

Function 6C492F28 Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C492F3E
?Remove@CStdPtrArray@DuiLib@@QAE_NH@Z.DOWNLOADER_NSIS_PLUGIN(-00000001), ref: 6C492F48
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(-00000001), ref: 6C492F50
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(-00000001), ref: 6C492F62
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(-00000001,-00000001), ref: 6C492F6C
SetTextColor.GDI32(?,?), ref: 6C492F8F

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$ManagerPaintTransparent@$Array@$ColorRemove@Text
String ID:
API String ID: 1119298389-0
Opcode ID: f31636a4505ca9f78e362c17e6efb082eb2f78d3a6d934b76971cde37c57cf58
Instruction ID: e750d8d69d228a496d768b621f83d8956700c96cc5a85e52a66de53ee57a1150
Opcode Fuzzy Hash: f31636a4505ca9f78e362c17e6efb082eb2f78d3a6d934b76971cde37c57cf58
Instruction Fuzzy Hash: 46014070201A118BD728CF25D9A4FBBBBE1FF42705B50451DE09B87B55DF34A904CBA0

Function 6C488FA0 Relevance: 9.0, APIs: 6, Instructions: 33COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,?,?), ref: 6C488FB8
?PaintBk@CScrollBarUI@DuiLib@@QAEXPAUHDC__@@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C488FC8

Part of subcall function 6C489000: ?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,6C488FCD,?,?,?,?), ref: 6C489061
Part of subcall function 6C489000: ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,6C488FCD,?,?,?,?), ref: 6C48906C
Part of subcall function 6C489000: ?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000,?,?,?,?,6C488FCD,?,?,?,?), ref: 6C489077
Part of subcall function 6C489000: ?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000,?,?,?,?,6C488FCD,?,?,?,?), ref: 6C489082
Part of subcall function 6C489000: ?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,6C488FCD,?,?,?,?), ref: 6C48908F
Part of subcall function 6C489000: ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,6C488FCD,?,?,?,?), ref: 6C48909A
Part of subcall function 6C489000: ?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000,?,?,?,?,6C488FCD,?,?,?,?), ref: 6C4890A5
Part of subcall function 6C489000: ?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000,?,?,?,?,6C488FCD,?,?,?,?), ref: 6C4890B0

?PaintButton1@CScrollBarUI@DuiLib@@QAEXPAUHDC__@@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?), ref: 6C488FD0

Part of subcall function 6C4890C0: ?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48910C
Part of subcall function 6C4890C0: ?SmallFormat@CDuiString@DuiLib@@QAAHPB_WZZ.DOWNLOADER_NSIS_PLUGIN(?,dest='%d,%d,%d,%d',?,?,?,?), ref: 6C489149
Part of subcall function 6C4890C0: ?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48916E
Part of subcall function 6C4890C0: ?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4891C6
Part of subcall function 6C4890C0: ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4891D2
Part of subcall function 6C4890C0: ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4891DB
Part of subcall function 6C4890C0: ?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C4891E8

?PaintButton2@CScrollBarUI@DuiLib@@QAEXPAUHDC__@@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?), ref: 6C488FD8

Part of subcall function 6C489220: ?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48926C
Part of subcall function 6C489220: ?SmallFormat@CDuiString@DuiLib@@QAAHPB_WZZ.DOWNLOADER_NSIS_PLUGIN(?,dest='%d,%d,%d,%d',?,?,?,?), ref: 6C4892A9
Part of subcall function 6C489220: ?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4892CE
Part of subcall function 6C489220: ?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C489326
Part of subcall function 6C489220: ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C489332
Part of subcall function 6C489220: ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48933B
Part of subcall function 6C489220: ?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C489348

?PaintThumb@CScrollBarUI@DuiLib@@QAEXPAUHDC__@@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?), ref: 6C488FE0

Part of subcall function 6C489380: ?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4893E7
Part of subcall function 6C489380: ?SmallFormat@CDuiString@DuiLib@@QAAHPB_WZZ.DOWNLOADER_NSIS_PLUGIN(?,dest='%d,%d,%d,%d',00000000,?,?,?), ref: 6C489425
Part of subcall function 6C489380: ?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C489457
Part of subcall function 6C489380: ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C489462
Part of subcall function 6C489380: ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48946C
Part of subcall function 6C489380: ?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,?), ref: 6C48947A
Part of subcall function 6C489380: ?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,00000000,?), ref: 6C489485
Part of subcall function 6C489380: ?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C489492
Part of subcall function 6C489380: ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48949D
Part of subcall function 6C489380: ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4894A6
Part of subcall function 6C489380: ?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,00000000), ref: 6C4894B2

?PaintRail@CScrollBarUI@DuiLib@@QAEXPAUHDC__@@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?), ref: 6C488FE8

Part of subcall function 6C4894F0: ?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C489556
Part of subcall function 6C4894F0: ?SmallFormat@CDuiString@DuiLib@@QAAHPB_WZZ.DOWNLOADER_NSIS_PLUGIN(?,dest='%d,%d,%d,%d',00000000,?,?), ref: 6C489609
Part of subcall function 6C4894F0: ?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48963B
Part of subcall function 6C4894F0: ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C489646
Part of subcall function 6C4894F0: ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C489650
Part of subcall function 6C4894F0: ?DrawImage@CControlUI@DuiLib@@QAE_NPAUHDC__@@PB_W1@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,?), ref: 6C48965E
Part of subcall function 6C4894F0: ?Empty@CDuiString@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?,00000000,?), ref: 6C489669
Part of subcall function 6C4894F0: ?IsEmpty@CDuiString@DuiLib@@QBE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C489676
Part of subcall function 6C4894F0: ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C489681
Part of subcall function 6C4894F0: ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C48968A

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Paint$String@$Empty@$D__@@ManagerWindow@$C__@@ControlDrawImage@$C__@@@Scroll$Format@Small$Button1@Button2@IntersectRail@RectThumb@
String ID:
API String ID: 3088774176-0
Opcode ID: 77552d9f1a9bab5462865bc77411693d4e8bce79a3b9d7fe69ad247934863911
Instruction ID: 00e14bf2cc71e149bd113ccc8d37dcd464a9476520e3bab0f0ef9df73b9124fa
Opcode Fuzzy Hash: 77552d9f1a9bab5462865bc77411693d4e8bce79a3b9d7fe69ad247934863911
Instruction Fuzzy Hash: 33E03031302414238A15A6569C58DFF3E3DDBD2A78700442DF5064A741CF27D809D2E5

Function 6C48CAD0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144serviceCOMMON

Download Yara Rule

APIs

MFGetService.MF(?,6C518300,6C52E24C,?), ref: 6C48CB79
MFGetService.MF(?,6C526380,6C52E25C,?,?,6C518300,6C52E24C,?), ref: 6C48CB8C
GetVersionExW.KERNEL32(00000114), ref: 6C48CBB2
PropVariantClear.OLE32(00000114), ref: 6C48CC79

Strings

d, xrefs: 6C48CB1C

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Service$ClearPropVariantVersion
String ID: d
API String ID: 2864237665-2564639436
Opcode ID: 471cd0e42364ed2c940b16377382e3b57ea631dec2e80828bb1904eed6ed8940
Instruction ID: 5f6c62d5fdb133c08bf4c6d78457689b212d88dc044b20a3a2fadd3ee326a97a
Opcode Fuzzy Hash: 471cd0e42364ed2c940b16377382e3b57ea631dec2e80828bb1904eed6ed8940
Instruction Fuzzy Hash: 385169752093429FD714DF29DC84F5ABBF8BF89724F110A2DE69187660DB30E848CB96

Function 6C43AAB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?), ref: 6C43AB13
GlobalFree.KERNEL32(?), ref: 6C43AB24
?DUI__Trace@DuiLib@@YAXPB_WZZ.DOWNLOADER_NSIS_PLUGIN(NSISHelper Trace:%s,?), ref: 6C43AB30

Strings

0A, xrefs: 6C43AAE8, 6C43AB1B
NSISHelper Trace:%s, xrefs: 6C43AB2B

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: FreeGlobalLib@@Trace@lstrcpy
String ID: 0A$NSISHelper Trace:%s
API String ID: 977204074-2400286239
Opcode ID: 11855833707ead5a5a9b668073eb0f829c58588e97ff2126a9b13735d6b06d8c
Instruction ID: ad340a53bf376fcfa202172593ccaf5d625840d8873dc2df504646af5794dfd1
Opcode Fuzzy Hash: 11855833707ead5a5a9b668073eb0f829c58588e97ff2126a9b13735d6b06d8c
Instruction Fuzzy Hash: 291152B5A01614AFDB40DF68DC40E9A7BF4FF8A314F514029ED2897340EB34A519CBD5

Function 6C4FACFB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,421655A9,?,?,00000000,6C517240,000000FF,?,6C4FADC5,6C4FAC95,?,6C4FAE61,00000000), ref: 6C4FAD30
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C4FAD42
FreeLibrary.KERNEL32(00000000,?,?,00000000,6C517240,000000FF,?,6C4FADC5,6C4FAC95,?,6C4FAE61,00000000), ref: 6C4FAD64

Strings

CorExitProcess, xrefs: 6C4FAD3A
mscoree.dll, xrefs: 6C4FAD29

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4ab5cedaff73a72cb29f8314e54f5520d608b1717f1183828db941de9c61193f
Instruction ID: d630614725b83f46b98f9c02e9fed991f88bb62cd458a6ef504375d17eafd6c2
Opcode Fuzzy Hash: 4ab5cedaff73a72cb29f8314e54f5520d608b1717f1183828db941de9c61193f
Instruction Fuzzy Hash: A301A736514515AFDF028F40CC04FAFBBB9FB44755F010925F832A2A90DB759900CA94

Function 6C4C0AD0 Relevance: 7.7, APIs: 5, Instructions: 206COMMON

Download Yara Rule

APIs

?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000), ref: 6C4C0BC5
?Append@CDuiString@DuiLib@@QAEXPB_W@Z.DOWNLOADER_NSIS_PLUGIN(6C476EF0,?,?,?,?,?,00000000,?,000000FF,00000000), ref: 6C4C0CC8
?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,6C476EF0,?,?,?,?,?,00000000,?,000000FF,00000000), ref: 6C4C0D05
?Append@CDuiString@DuiLib@@QAEXPB_W@Z.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,?,?,?,00000000), ref: 6C4C0D3E
?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(?,000000FF,00000000,?,?,?,?,?,?,?,00000000), ref: 6C4C0D66

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@String@$Assign@$Append@
String ID:
API String ID: 1164206293-0
Opcode ID: 884af0880f6418090d70f11f5550aa168eea2292c46e471fc7d3f05666ab063b
Instruction ID: 617e3ee9bf539b77780c8d016937c597ed2fc6aa79d61080d50a946d0153968a
Opcode Fuzzy Hash: 884af0880f6418090d70f11f5550aa168eea2292c46e471fc7d3f05666ab063b
Instruction Fuzzy Hash: 7A8171B5E012698BDB24CB24CC81FEDB774AF95304F5001A9D508A7751EB70AE99CFD2

Function 6C506FD7 Relevance: 7.7, APIs: 5, Instructions: 202COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6C50705E
__alloca_probe_16.LIBCMT ref: 6C50711F
__freea.LIBCMT ref: 6C507186

Part of subcall function 6C5092D2: RtlAllocateHeap.NTDLL(00000000,?,?,?,6C4BFA56,?,?,?,6C4310AD,00000000), ref: 6C509304

__freea.LIBCMT ref: 6C50719B
__freea.LIBCMT ref: 6C5071AB

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 0915425fed8634c6f9d38e3d54be55b926d51f0b13cfd7b6fafefd87f471b139
Instruction ID: 3a2d566a88663c7bf68c7c54cf4dd1154646939fa941be2fd5dabb869de3fc32
Opcode Fuzzy Hash: 0915425fed8634c6f9d38e3d54be55b926d51f0b13cfd7b6fafefd87f471b139
Instruction Fuzzy Hash: BD51B672701616AFEB118FA4CC40DEB3BA9EF85298B254669FD14D7A91F731CC14CBA0

Function 6C438DC0 Relevance: 7.6, APIs: 5, Instructions: 142COMMON

Download Yara Rule

APIs

??1CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C438E18
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C438E55
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C438E93
??0CDuiString@DuiLib@@QAE@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C438F63

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@String@$V01@@$V01@
String ID:
API String ID: 2241132566-0
Opcode ID: 52cedb30e7efa6ae12f0a66654a99bd580f09123a3a1d9354815a0e987a82450
Instruction ID: 15ddc8bb0f92839d17ea9f3c6c0e5bbb4a5e79be0306cdbaaa296e5c9615aa25
Opcode Fuzzy Hash: 52cedb30e7efa6ae12f0a66654a99bd580f09123a3a1d9354815a0e987a82450
Instruction Fuzzy Hash: 31419275B012248FCB14DF69C8D0EAEF7A2EB88309F18856BD919DF791D731D8058B90

Function 6C4709D0 Relevance: 7.6, APIs: 5, Instructions: 141comwindowCOMMON

Download Yara Rule

APIs

OleLockRunning.OLE32(?,00000001,00000000), ref: 6C470A2B
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C470A4E
?AddMessageFilter@CPaintManagerUI@DuiLib@@QAE_NPAVIMessageFilterUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C470ADF
??0CDuiRect@DuiLib@@QAE@ABUtagRECT@@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C470B53
?ResetOffset@CDuiRect@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C470B64

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Paint$ManagerMessageRect@$D__@@FilterFilter@I@2@@LockOffset@ResetRunningT@@@UtagWindow@
String ID:
API String ID: 1555984728-0
Opcode ID: 51fad4dfd61c70de09a168c94577fddf2378a1e8d5bffb9f0383a6f3f2e32af5
Instruction ID: dc784c6a031616c1c11c2c6b8665c29a8cdd4dc6bf9d1f0ceefe0acd3b002112
Opcode Fuzzy Hash: 51fad4dfd61c70de09a168c94577fddf2378a1e8d5bffb9f0383a6f3f2e32af5
Instruction Fuzzy Hash: 365148742017419FD724CF25C984FA6BBE1BF48328F20465DE89A8BB91D730F946CBA4

Function 6C440960 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 91stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?), ref: 6C4409D2
GlobalFree.KERNEL32(?), ref: 6C4409E3
lstrcpyW.KERNEL32(?,?), ref: 6C440A18
GlobalFree.KERNEL32 ref: 6C440A29

Strings

0A, xrefs: 6C44099A, 6C4409DA, 6C440A04, 6C440A20

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: FreeGloballstrcpy
String ID: 0A
API String ID: 1709915452-2007828011
Opcode ID: d3bed9ef654025c50abc87abe27fd3dfa5e6792be9803a2f94432e80e57ca896
Instruction ID: d5f57ec9e8ae86e6819fc1f768c70d71f296d413f7b045f7ab50f25eaae73679
Opcode Fuzzy Hash: d3bed9ef654025c50abc87abe27fd3dfa5e6792be9803a2f94432e80e57ca896
Instruction Fuzzy Hash: 4D31AEB1A012149FEB00CF24DC84F6A7BB4EB5A714F52402AED14AB341E774E915CBD9

Function 6C490C20 Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,?), ref: 6C490C6D
ExtTextOutW.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 6C490C83
CreateDIBSection.GDI32(?,?,00000000,00000000,00000000,00000000), ref: 6C490CD3
?DrawImage@CRenderEngine@DuiLib@@SAXPAUHDC__@@PAUHBITMAP__@@ABUtagRECT@@222_NE333@Z.DOWNLOADER_NSIS_PLUGIN ref: 6C490D31
DeleteObject.GDI32(00000000), ref: 6C490D3A

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: C__@@ColorCreateDeleteDrawE333@Engine@Image@Lib@@ObjectP__@@RenderSectionT@@222_TextUtag
String ID:
API String ID: 811329335-0
Opcode ID: 243d5a06143acc762e50a44ad9b09fbe51851450e57a918315afe857264fc4b1
Instruction ID: fd64d9258b6012e710046d14a0bb5a4f33249e98fcc12ae84dbb8bb2e8b38c3f
Opcode Fuzzy Hash: 243d5a06143acc762e50a44ad9b09fbe51851450e57a918315afe857264fc4b1
Instruction Fuzzy Hash: 98319270A043449FE700CF28CC81BAABBF4EF99714F10461DF994A6291E774E6C48B96

Function 6C494EC0 Relevance: 7.6, APIs: 5, Instructions: 57registryCOMMON

Download Yara Rule

APIs

?GetInstance@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,6C43B37A), ref: 6C494F05
LoadCursorW.USER32(00000000,00007F00), ref: 6C494F14
CreateSolidBrush.GDI32(00000000), ref: 6C494F1F
RegisterClassW.USER32(?), ref: 6C494F46
GetLastError.KERNEL32(?,?,?,6C43B37A), ref: 6C494F53

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: BrushClassCreateCursorE__@@ErrorInstance@LastLib@@LoadManagerPaintRegisterSolid
String ID:
API String ID: 3502039814-0
Opcode ID: 2b9707fb15fa60d8a07a74998761869c0fec87df0aab54e6421a369355930e18
Instruction ID: edc4085d7822097129fc389071a818ae2197d99a51d0943ca5aca4cf24de1c89
Opcode Fuzzy Hash: 2b9707fb15fa60d8a07a74998761869c0fec87df0aab54e6421a369355930e18
Instruction Fuzzy Hash: FA116D75A002189FDB00EFA5C848BEEBFB4EF89315F51001AE806A7390DB355904CB99

Function 6C436D00 Relevance: 7.5, APIs: 5, Instructions: 33COMMON

Download Yara Rule

APIs

??4CButtonUI@DuiLib@@QAEAAV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C436D0B

Part of subcall function 6C4368A0: ??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C4368D7
Part of subcall function 6C4368A0: ??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C4368E9
Part of subcall function 6C4368A0: ??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C43695F
Part of subcall function 6C4368A0: ??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C436971
Part of subcall function 6C4368A0: ??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?), ref: 6C436991
Part of subcall function 6C4368A0: ??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?), ref: 6C4369B1
Part of subcall function 6C4368A0: ??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?), ref: 6C4369C3
Part of subcall function 6C4368A0: ??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?), ref: 6C436A6F
Part of subcall function 6C4368A0: ??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,?,?,?,?,?), ref: 6C436AB9

??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C436D29

Part of subcall function 6C4BFB90: ?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(6C4313B7,000000FF,?,?,6C4313B7,?), ref: 6C4BFB9D

??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C436D4B
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C436D5D
??4CDuiString@DuiLib@@QAEABV01@ABV01@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?,?), ref: 6C436D6F

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@V01@V01@@$Assign@Button
String ID:
API String ID: 3240169457-0
Opcode ID: 83b86217c644ecae045adb71b61baf56d95313df8a1940eb54bc673a006784f4
Instruction ID: 97d3290ae403fad56c6ffaaac0d9946227ac2c10e8f80967d06b8be73a7d0c77
Opcode Fuzzy Hash: 83b86217c644ecae045adb71b61baf56d95313df8a1940eb54bc673a006784f4
Instruction Fuzzy Hash: 0FF0A436202F4766DA05CBB5CC60EE7F7ACAF56254F00851D915E53602DB30755987E0

Function 6C47ACD0 Relevance: 7.5, APIs: 5, Instructions: 17COMMON

Download Yara Rule

APIs

GdipDeleteBrush.GDIPLUS(?), ref: 6C47ACE3
GdipDeleteBrush.GDIPLUS(?,?), ref: 6C47ACEB
GdipDeleteStringFormat.GDIPLUS(?,?,?), ref: 6C47ACF3
GdipDeleteGraphics.GDIPLUS(?,?,?,?), ref: 6C47ACFB
GdipDeleteFont.GDIPLUS(?,?,?,?,?), ref: 6C47AD03

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: DeleteGdip$Brush$FontFormatGraphicsString
String ID:
API String ID: 1705489728-0
Opcode ID: 17b18c1adfa2b0c15e38731e8862fc521341adf68a7dd3dbbe178e1a624baddb
Instruction ID: 5fe2bea6c42c0bcfbc1cac052367b4ba827a66dc0b496b5b86a2606659f5708c
Opcode Fuzzy Hash: 17b18c1adfa2b0c15e38731e8862fc521341adf68a7dd3dbbe178e1a624baddb
Instruction Fuzzy Hash: EDE0EC36408A44DBDA212B34CC05987BAB1BF48384B004968FD9E21F30D722BEEDDB05

Function 6C482990 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 131libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C482810: ?GetFont@CPaintManagerUI@DuiLib@@QAEPAUHFONT__@@H@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C4828A2
Part of subcall function 6C482810: GetObjectW.GDI32(?,0000005C), ref: 6C4828AD
Part of subcall function 6C482810: ?GetSize@CStdValArray@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4828ED
Part of subcall function 6C482810: GetDeviceCaps.GDI32(00000000,0000005A), ref: 6C4828F5

LoadLibraryW.KERNEL32(msftedit.dll), ref: 6C482AB2
GetProcAddress.KERNEL32(00000000,CreateTextServices), ref: 6C482AC2

Strings

CreateTextServices, xrefs: 6C482ABC
msftedit.dll, xrefs: 6C482AAD

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$AddressArray@CapsDeviceFont@LibraryLoadManagerObjectPaintProcSize@T__@@
String ID: CreateTextServices$msftedit.dll
API String ID: 637618331-260715840
Opcode ID: cdd6c922cd29a0f0655b7a04ce09092dacfd870322b9b5fc1dd716dd357f456a
Instruction ID: 536bbc04c5fa7d6a96134e5016fbb3906a21f84e7f407bb2df2e0dd33bcbe74b
Opcode Fuzzy Hash: cdd6c922cd29a0f0655b7a04ce09092dacfd870322b9b5fc1dd716dd357f456a
Instruction Fuzzy Hash: 9051BC31A05B428BD720CF25C898BA7BBF4FF99314F11471EE9AA87291DB74E980C750

Function 6C470BC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

??0CWindowWnd@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C470C14
?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C470C49
?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.DOWNLOADER_NSIS_PLUGIN ref: 6C470C85

Part of subcall function 6C494C90: ?RegisterSuperclass@CWindowWnd@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,6C43B37A), ref: 6C494CAF
Part of subcall function 6C494C90: ?RegisterWindowClass@CWindowWnd@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN(?,?,6C43B37A), ref: 6C494CD3
Part of subcall function 6C494C90: ?GetInstance@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,6C43B37A), ref: 6C494CE0
Part of subcall function 6C494C90: CreateWindowExW.USER32(?,00000000,?,?,00000258,00000320,00000000,?,?,?,00000000,00000000), ref: 6C494D16

Strings

UIActiveX, xrefs: 6C470C7B

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@Window$Wnd@$Paint$D__@@ManagerRegister$Class@CreateCreate@E__@@Instance@Superclass@U__@@@Window@
String ID: UIActiveX
API String ID: 3057503944-3812124200
Opcode ID: c614d1545998e4e33a413676eccab33c084496232726bf6cadb04f66447ef21c
Instruction ID: 52ef834cc0bd830ddbf2afb371f713cdf0e0cc4f7c4504a9367f0e77218340c8
Opcode Fuzzy Hash: c614d1545998e4e33a413676eccab33c084496232726bf6cadb04f66447ef21c
Instruction Fuzzy Hash: 652187B0A007598FCB14DF69C444BAEBBF0BB88314F004A2CD881AB791D7399941CFE1

Function 6C43AA00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53memorystringCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 6C43AA5B
GlobalAlloc.KERNEL32(00000040,00001FF8), ref: 6C43AA75
lstrcpynW.KERNEL32(-00000004,?), ref: 6C43AA88

Strings

0A, xrefs: 6C43AA30, 6C43AA61, 6C43AA8E

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: AllocFileGlobalModuleNamelstrcpyn
String ID: 0A
API String ID: 2376901158-2007828011
Opcode ID: d3d082df1045f2322305100561d2999d17e48e726c7cd3a7d6a879679f034cd3
Instruction ID: 8d340868fe50faefd8019fd132eb5d7d1c77debed9da085e03a0c85bba69f797
Opcode Fuzzy Hash: d3d082df1045f2322305100561d2999d17e48e726c7cd3a7d6a879679f034cd3
Instruction Fuzzy Hash: 51112BF5B01204AFDB50DF69DC45F8A3BF4EB4A715F82405AFA14A7340D778A445CB98

Function 6C4EAEF0 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(8007000E,?,00000006), ref: 6C4EAF0F
LoadResource.KERNEL32(8007000E,00000000), ref: 6C4EAF23
LockResource.KERNEL32(00000000), ref: 6C4EAF32
SizeofResource.KERNEL32(8007000E,00000000), ref: 6C4EAF46

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 12553700d0f248c861b1290c47f5c8f35262a385783832964aa2907e09bc5926
Instruction ID: f7c02ec2be53d569b5426e28928a2dbc2429fddf7afdc7d6c50c68ed07c185e4
Opcode Fuzzy Hash: 12553700d0f248c861b1290c47f5c8f35262a385783832964aa2907e09bc5926
Instruction Fuzzy Hash: 0031AF71A022159BD710CF65CC88F6B7BB9EF887A6B268525F8109B754EB34D80486E0

Function 6C482810 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

?GetFont@CPaintManagerUI@DuiLib@@QAEPAUHFONT__@@H@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C4828A2

Part of subcall function 6C4A3430: ?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN(00000000,?,?,?,?,6C4913D2,?,?,?,?,?,6C46A949,00000000,?,?,?), ref: 6C4A3448
Part of subcall function 6C4A3430: ??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(?,00000000,?,?,?,?,6C4913D2,?,?,?,?,?,6C46A949,00000000,?,?), ref: 6C4A3454

GetObjectW.GDI32(?,0000005C), ref: 6C4828AD
?GetSize@CStdValArray@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4828ED
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6C4828F5

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Array@ManagerPaint$CapsDeviceFont@ObjectSize@T__@@Transparent@
String ID:
API String ID: 2019016212-0
Opcode ID: cd328de41f4ceeb8fa1061e3ba743b3ecfe9450075653b3802d7d12b11baa5d8
Instruction ID: 7ec535bb590219f4c64429031a11ae2ab4c0d219096a9d5c4368af4607cc0f67
Opcode Fuzzy Hash: cd328de41f4ceeb8fa1061e3ba743b3ecfe9450075653b3802d7d12b11baa5d8
Instruction Fuzzy Hash: 7C417FB1E143818BEB04CF24C884A6ABBA0BFD9314F10465EECC18B386EBB4D944C795

Function 6C498DB0 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

??8CDuiString@DuiLib@@QBE_NPB_W@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C498DD5
??4CDuiString@DuiLib@@QAEABV01@PB_W@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C498DE5

Part of subcall function 6C4C0460: ?Assign@CDuiString@DuiLib@@QAEXPB_WH@Z.DOWNLOADER_NSIS_PLUGIN(?,000000FF,?,?,?,6C49F00E,?), ref: 6C4C0473

IntersectRect.USER32(?,?), ref: 6C498E78
?Invalidate@CPaintManagerUI@DuiLib@@QAEXAAUtagRECT@@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C498E90

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$Assign@IntersectInvalidate@ManagerPaintRectT@@@UtagV01@
String ID:
API String ID: 800707973-0
Opcode ID: 00a5a951d19d710bf10b57149fd33b5fb47c7fdff2d78aaa789835ba5fb55599
Instruction ID: 26d4d464ff37b5569dbda019ed185240aeba014f3a4dcead1ee7b45d96087731
Opcode Fuzzy Hash: 00a5a951d19d710bf10b57149fd33b5fb47c7fdff2d78aaa789835ba5fb55599
Instruction Fuzzy Hash: 0121C1757043808BCB00DF28C880DAABBA9AFCD264F150A2EE9829B711EF31D945C795

Function 6C494D30 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

?RegisterSuperclass@CWindowWnd@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C494D52

Part of subcall function 6C494DE0: GetClassInfoExW.USER32(00000000,00000000,00000030), ref: 6C494E23
Part of subcall function 6C494DE0: ?GetInstance@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,6C494CB4,?,?,6C43B37A), ref: 6C494E40
Part of subcall function 6C494DE0: GetClassInfoExW.USER32(00000000,00000000,00000030), ref: 6C494E48
Part of subcall function 6C494DE0: ?GetInstance@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,6C494CB4,?,?,6C43B37A), ref: 6C494E5F
Part of subcall function 6C494DE0: CreateSolidBrush.GDI32(00000000), ref: 6C494E7C
Part of subcall function 6C494DE0: RegisterClassExW.USER32(00000030), ref: 6C494E86
Part of subcall function 6C494DE0: GetLastError.KERNEL32(?,?,?,?,6C494CB4,?,?,6C43B37A), ref: 6C494E93

?RegisterWindowClass@CWindowWnd@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C494D76
?GetInstance@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C494D92
CreateWindowExW.USER32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6C494DC9

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Window$ClassE__@@Instance@ManagerPaintRegister$CreateInfoWnd@$BrushClass@ErrorLastSolidSuperclass@
String ID:
API String ID: 3246782391-0
Opcode ID: 36d73964ea17b0c08d9f144bfeeb6d6f071dd462f9df1bae8956662b24506025
Instruction ID: edd2aa4b6a77bbf2bf13a00ac2e705510458b1a973fc6f69d2583860bc00c0d8
Opcode Fuzzy Hash: 36d73964ea17b0c08d9f144bfeeb6d6f071dd462f9df1bae8956662b24506025
Instruction Fuzzy Hash: FB21583A7002199FCF01DF68CC54CAF3FB6EF882A9B114119E91597320DB32DC118BA4

Function 6C494BD0 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

?RegisterSuperclass@CWindowWnd@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C494BF2

Part of subcall function 6C494DE0: GetClassInfoExW.USER32(00000000,00000000,00000030), ref: 6C494E23
Part of subcall function 6C494DE0: ?GetInstance@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,6C494CB4,?,?,6C43B37A), ref: 6C494E40
Part of subcall function 6C494DE0: GetClassInfoExW.USER32(00000000,00000000,00000030), ref: 6C494E48
Part of subcall function 6C494DE0: ?GetInstance@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN(?,?,?,?,6C494CB4,?,?,6C43B37A), ref: 6C494E5F
Part of subcall function 6C494DE0: CreateSolidBrush.GDI32(00000000), ref: 6C494E7C
Part of subcall function 6C494DE0: RegisterClassExW.USER32(00000030), ref: 6C494E86
Part of subcall function 6C494DE0: GetLastError.KERNEL32(?,?,?,?,6C494CB4,?,?,6C43B37A), ref: 6C494E93

?RegisterWindowClass@CWindowWnd@DuiLib@@QAE_NXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C494C1A
?GetInstance@CPaintManagerUI@DuiLib@@SAPAUHINSTANCE__@@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C494C27
CreateWindowExW.USER32 ref: 6C494C75

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Window$ClassE__@@Instance@ManagerPaintRegister$CreateInfoWnd@$BrushClass@ErrorLastSolidSuperclass@
String ID:
API String ID: 3246782391-0
Opcode ID: 64af8e1717d8e4ba0a87712e362b312e95d676f7a98696cdb8d1ad572e701efc
Instruction ID: 004e7d3d9ce4be9398e2bab1699fcb1fdcdcc5fbacf086411b85eb30e2c20b95
Opcode Fuzzy Hash: 64af8e1717d8e4ba0a87712e362b312e95d676f7a98696cdb8d1ad572e701efc
Instruction Fuzzy Hash: B2218E757043118FC704DF29C45496EBBE5AFC8259F12891EE89A87350EB30D9018B9A

Function 6C46CF60 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46CF78
?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C46CF84
?GetAt@CStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C46CFBA
?Remove@CListUI@DuiLib@@UAE_NPAVCControlUI@2@@Z.DOWNLOADER_NSIS_PLUGIN(?), ref: 6C46CFE7

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$ManagerPaintTransparent@$Array@ControlI@2@@ListRemove@
String ID:
API String ID: 1125254611-0
Opcode ID: 91dbb4ccdf5a33b9fb9ab8899f3d11fc00c2d523430585fd0a98532a7444cd9e
Instruction ID: 6b1fad47ca431ce690caf7a1438a17f767c682101acef8ee52266ff8e76f2ef8
Opcode Fuzzy Hash: 91dbb4ccdf5a33b9fb9ab8899f3d11fc00c2d523430585fd0a98532a7444cd9e
Instruction Fuzzy Hash: 97112AB1A001198BDF08EF59C990EFFBB75EF45358F00002AE601ABB94DB309906CBE5

Function 6C4A29D0 Relevance: 6.0, APIs: 4, Instructions: 50timeCOMMON

Download Yara Rule

APIs

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A29F6
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A2A04
IsWindow.USER32(?), ref: 6C4A2A2B
KillTimer.USER32(?,?), ref: 6C4A2A3B

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Array@KillManagerPaintTimerTransparent@Window
String ID:
API String ID: 2182944226-0
Opcode ID: 667650b45a701dd18200d3a9dc824e782348ba619de4ae56b1006cc8fdea3a36
Instruction ID: b7b40495d8c0f0d9b9b57cff1cf851340bda783d05a44e1f96f7eeb48b3df865
Opcode Fuzzy Hash: 667650b45a701dd18200d3a9dc824e782348ba619de4ae56b1006cc8fdea3a36
Instruction Fuzzy Hash: 65010431700606AFCB10CFA6C888E9AFB79BB40355F544228D40997B44DB31A896D7D0

Function 6C478AF0 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

?EstimateSize@CControlUI@DuiLib@@UAE?AUtagSIZE@@U3@@Z.DOWNLOADER_NSIS_PLUGIN(?,?,?), ref: 6C478B1A
?GetFont@CLabelUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C478B26
?GetFontInfo@CPaintManagerUI@DuiLib@@QAEPAUtagTFontInfo@2@H@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C478B2E
??0CSize@DuiLib@@QAE@HH@Z.DOWNLOADER_NSIS_PLUGIN(?,?,00000000), ref: 6C478B46

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$FontSize@Utag$ControlEstimateFont@Info@Info@2@LabelManagerPaintU3@@
String ID:
API String ID: 3110568791-0
Opcode ID: 9d70681a541cb64f1434661d0be0d0a6deffaf24d0276bc44dbe32418fe8443b
Instruction ID: 53ba31fa78d4c6d487f69b15f367d384e8abc6b3cf490e8b0824da8c9b03d8bf
Opcode Fuzzy Hash: 9d70681a541cb64f1434661d0be0d0a6deffaf24d0276bc44dbe32418fe8443b
Instruction Fuzzy Hash: A9018F71600119ABCB04DF64D844EEFBB75FF89218F40042DE9095B300DB31A859C7E0

Function 6C4A2C00 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

?GetTransparent@CPaintManagerUI@DuiLib@@QBEHXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A2C22
??ACStdPtrArray@DuiLib@@QBEPAXH@Z.DOWNLOADER_NSIS_PLUGIN(00000000), ref: 6C4A2C2E
?Remove@CStdPtrArray@DuiLib@@QAE_NH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000000), ref: 6C4A2C3D
?InsertAt@CStdPtrArray@DuiLib@@QAE_NHPAX@Z.DOWNLOADER_NSIS_PLUGIN(?,?), ref: 6C4A2C48

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$Array@$InsertManagerPaintRemove@Transparent@
String ID:
API String ID: 2449232581-0
Opcode ID: da22d3ee452936914787170a34662828be5c229c40605f87d0e1c2a7e655012d
Instruction ID: e2e81b097c9ba171f708ab3504487de6c763a621815f2791cb637103a0e98880
Opcode Fuzzy Hash: da22d3ee452936914787170a34662828be5c229c40605f87d0e1c2a7e655012d
Instruction Fuzzy Hash: 85E09B2630501476DB35A65B9C94EBF7A5DDBD19ECF11003EE50D87750DE210C0692E5

Function 6C4649B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6C464B71

Strings

7OFl, xrefs: 6C4649C3
!, xrefs: 6C464A10

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: ___std_exception_copy
String ID: !$7OFl
API String ID: 2659868963-3178115553
Opcode ID: e2e7d734a584efbd5f7e875babc7b501236db46c843471f9095b8729536d3041
Instruction ID: ea4e5479047d38ec07275a9fa469d5ea12524d2671d82fb2e49e2997fdf8fb0b
Opcode Fuzzy Hash: e2e7d734a584efbd5f7e875babc7b501236db46c843471f9095b8729536d3041
Instruction Fuzzy Hash: F8516AB0C007489FEB11CFA5D854FDEBBB4BF05318F148218E8656BBA1D3B59688CB90

Function 6C48C900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 6C48C966
PostMessageW.USER32(?,00008001,?,0000006A), ref: 6C48C9AB

Strings

j, xrefs: 6C48C95D

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: EventMessagePost
String ID: j
API String ID: 887131480-2137352139
Opcode ID: 4b2d40823f101ca7d80209c7c8554a6af25a242af171d2b56275987dd4dcf1a9
Instruction ID: 44ba816e6e3763951d34ac247e6f8b7400aa1b3eb00a8428f80f6af8d39bf463
Opcode Fuzzy Hash: 4b2d40823f101ca7d80209c7c8554a6af25a242af171d2b56275987dd4dcf1a9
Instruction Fuzzy Hash: 9E217C356012069FCB04DF65CC89EAFBBB4FF89320F110029E646A7660E730E901CBA4

Function 6C4A6AE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

?NeedUpdate@CControlUI@DuiLib@@QAEXXZ.DOWNLOADER_NSIS_PLUGIN ref: 6C4A6B94

Strings

itemsize, xrefs: 6C4A6AFB
columns, xrefs: 6C4A6B0D

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: ControlLib@@NeedUpdate@
String ID: columns$itemsize
API String ID: 1369412743-2782364138
Opcode ID: b3212912ac5ba5af14f9f8d3aa9b5c9bad488a6ef5201c7dd55a3fe5c0c88626
Instruction ID: 8d53e435fa3211d7c3c4761fa89841a53cc1a1fc17b166afc40820ee180fcadf
Opcode Fuzzy Hash: b3212912ac5ba5af14f9f8d3aa9b5c9bad488a6ef5201c7dd55a3fe5c0c88626
Instruction Fuzzy Hash: FA11A8B1E402149BD700DE649C41FEF7BA8EF9435AF44042ED909E6741E731A90987B5

Function 6C464920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6C464956
___std_exception_copy.LIBVCRUNTIME ref: 6C464987

Strings

vector, xrefs: 6C464923

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: ___std_exception_copy
String ID: vector
API String ID: 2659868963-460212315
Opcode ID: 46139647679b11245cdc7131409091cdd040095bd508ae9767f257c8141da584
Instruction ID: 41acab820e704e1ce5d852b0a6eea130b146bcf86657b2175e20270c9930371e
Opcode Fuzzy Hash: 46139647679b11245cdc7131409091cdd040095bd508ae9767f257c8141da584
Instruction Fuzzy Hash: C5017CB2008708ABE324CF05D805F46BBF8EB55259F508A1DD94987F01D372E5098BE2

Function 6C476A30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

??0CComboUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C476A61

Part of subcall function 6C474D20: ??0CContainerUI@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474D51
Part of subcall function 6C474D20: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474D97
Part of subcall function 6C474D20: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474DB9
Part of subcall function 6C474D20: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474DD1
Part of subcall function 6C474D20: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474DE9
Part of subcall function 6C474D20: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474E01
Part of subcall function 6C474D20: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474E19
Part of subcall function 6C474D20: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474E31
Part of subcall function 6C474D20: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474E49
Part of subcall function 6C474D20: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474E61
Part of subcall function 6C474D20: ??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C474E76
Part of subcall function 6C474D20: ??0CSize@DuiLib@@QAE@HH@Z.DOWNLOADER_NSIS_PLUGIN(00000000,00000096), ref: 6C474E97

??0CDuiString@DuiLib@@QAE@XZ.DOWNLOADER_NSIS_PLUGIN ref: 6C476A90

Strings

D/Rl, xrefs: 6C476A76

Memory Dump Source

Source File: 00000006.00000002.4153337190.000000006C431000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C430000, based on PE: true

Associated: 00000006.00000002.4152029815.000000006C430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4154530179.000000006C518000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155009488.000000006C559000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155237573.000000006C55B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155286326.000000006C55C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.4155320092.000000006C564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c430000_CapCut_installer.jbxd

Similarity

API ID: Lib@@$String@$ComboContainerSize@
String ID: D/Rl
API String ID: 2630983738-3400139534
Opcode ID: d5e669bd8098eb0ea743345cb5b9b20d36f2779d016a902c88f7e5d134d0eb33
Instruction ID: df1e313efa19fbe26e207fbac9167d8f9df4f383ca61e54f7be435f0b29bb99b
Opcode Fuzzy Hash: d5e669bd8098eb0ea743345cb5b9b20d36f2779d016a902c88f7e5d134d0eb33
Instruction Fuzzy Hash: 0B0124B69007998BCB24CF98D846BEEBBB4FB44724F00062DD55A67B90C7381505CFE5

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report vFjfAgq5PM.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\45f7a1.rbs

C:\Program Files (x86)\Dropbox\Update\dropbox.exe (copy)

C:\Program Files (x86)\Dropbox\Update\goopdate.dll (copy)

C:\Users\Public\Documents\CapCut_installer.exe

C:\Users\Public\Documents\Dropbox.exe

C:\Users\Public\Documents\goopdate.dll

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\ProFDDC.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bsbsdnpr.qrd.ps1

Windows Analysis Report
vFjfAgq5PM.msi

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre