BeautyRetouch_v3.3_Setup.exe
This report is generated from a file or URL submitted to this webservice on October 8th 2019 05:51:40 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware: Contains ability to open the clipboard
- Persistence: Grants permissions using icacls (DACL modification); Spawns a lot of processes; Writes data to a remote process
- Fingerprint: Queries kernel debugger information; Queries sensitive IE security settings; Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: Marks file for deletion
- Network Behavior: Contacts 1 host.
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 8

External Systems

Sample was identified as malicious by at least one Antivirus engine
- details: 1/66 Antivirus vendors marked sample as malicious (1% detection rate)
- source: External System
- relevance: 8/10

General

The analysis extracted a file that was identified as malicious
- details:
1/78 Antivirus vendors marked dropped file "System.dll" as malicious (classified as "suspicious.low.ml" with 1% detection rate)
1/67 Antivirus vendors marked dropped file "libGLESv2.dll" as malicious (classified as "Process crashed" with 1% detection rate)
1/67 Antivirus vendors marked dropped file "ffmpegsumo.dll" as malicious (classified as "No error" with 1% detection rate)
3/69 Antivirus vendors marked dropped file "Uninstall BeautyRetouch.exe" as malicious (classified as "BehavesLike.AdwareDotDo" with 4% detection rate)
1/78 Antivirus vendors marked dropped file "adobe_caps.dll" as malicious (classified as "Unavailable" with 1% detection rate)
- source: Binary File
- relevance: 10/10
Installation/Persistence

Allocates virtual memory in a remote process
- details:
"BeautyRetouch_v3.3_Setup.exe" allocated memory in "%USERPROFILE%\Desktop\BeautyRetouch.lnk"
"ExManCmd.exe" allocated memory in "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Policies"
"ExManCmd.exe" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"
"ExManCmd.exe" allocated memory in "%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Temp\TMP_20191008055536984"
"ExManCmd.exe" allocated memory in "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
"ExManCmd.exe" allocated memory in "%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Temp\TMP_20191008055547451\BeautyRetouch.mxi"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055

Writes data to a remote process
- details:
"BeautyRetouch_v3.3_Setup.exe" wrote 32 bytes to a remote process "%PROGRAMFILES%\(x86)\BeautyRetouch\BeautyRetouch.exe" (Handle: 632)
"BeautyRetouch_v3.3_Setup.exe" wrote 52 bytes to a remote process "C:\Program Files (x86)\BeautyRetouch\BeautyRetouch.exe" (Handle: 632)
"BeautyRetouch_v3.3_Setup.exe" wrote 4 bytes to a remote process "C:\Program Files (x86)\BeautyRetouch\BeautyRetouch.exe" (Handle: 632)
"BeautyRetouch_v3.3_Setup.exe" wrote 8 bytes to a remote process "C:\Program Files (x86)\BeautyRetouch\BeautyRetouch.exe" (Handle: 632)
"BeautyRetouch.exe" wrote 32 bytes to a remote process "C:\Program Files (x86)\BeautyRetouch\BeautyRetouch.exe" (Handle: 736)
"BeautyRetouch.exe" wrote 52 bytes to a remote process "C:\Program Files (x86)\BeautyRetouch\BeautyRetouch.exe" (Handle: 736)
"BeautyRetouch.exe" wrote 4 bytes to a remote process "C:\Program Files (x86)\BeautyRetouch\BeautyRetouch.exe" (Handle: 736)
"BeautyRetouch.exe" wrote 8 bytes to a remote process "C:\Program Files (x86)\BeautyRetouch\BeautyRetouch.exe" (Handle: 736)
"BeautyRetouch.exe" wrote 32 bytes to a remote process "C:\Program Files (x86)\BeautyRetouch\BeautyRetouch.exe" (Handle: 1268)
"BeautyRetouch.exe" wrote 52 bytes to a remote process "C:\Program Files (x86)\BeautyRetouch\BeautyRetouch.exe" (Handle: 1268)
"BeautyRetouch.exe" wrote 4 bytes to a remote process "C:\Program Files (x86)\BeautyRetouch\BeautyRetouch.exe" (Handle: 1268)
"BeautyRetouch.exe" wrote 8 bytes to a remote process "C:\Program Files (x86)\BeautyRetouch\BeautyRetouch.exe" (Handle: 1268)
"BeautyRetouch.exe" wrote 32 bytes to a remote process "C:\Program Files (x86)\BeautyRetouch\BeautyRetouch.exe" (Handle: 1272)
"BeautyRetouch.exe" wrote 52 bytes to a remote process "C:\Program Files (x86)\BeautyRetouch\BeautyRetouch.exe" (Handle: 1272)
"BeautyRetouch.exe" wrote 4 bytes to a remote process "C:\Program Files (x86)\BeautyRetouch\BeautyRetouch.exe" (Handle: 1272)
"BeautyRetouch.exe" wrote 8 bytes to a remote process "C:\Program Files (x86)\BeautyRetouch\BeautyRetouch.exe" (Handle: 1272)
"ExManCmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 640)
"ExManCmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 640)
"ExManCmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 640)
"ExManCmd.exe" wrote 8 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 640)
"ExManCmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 652)
"ExManCmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 652)
"ExManCmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 652)
"ExManCmd.exe" wrote 8 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 652)
"ExManCmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 544)
"ExManCmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 544)
"ExManCmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 544)
"ExManCmd.exe" wrote 8 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 544)
"ExManCmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 572)
"ExManCmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 572)
"ExManCmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 572)
"ExManCmd.exe" wrote 8 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 572)
"ExManCmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 340)
"ExManCmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 340)
"ExManCmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 340)
"ExManCmd.exe" wrote 8 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 340)
"ExManCmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 392)
"ExManCmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 392)
"ExManCmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 392)
"ExManCmd.exe" wrote 8 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 392)
"ExManCmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 696)
"ExManCmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 696)
"ExManCmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 696)
"ExManCmd.exe" wrote 8 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 696)
"ExManCmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 692)
"ExManCmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 692)
"ExManCmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 692)
"ExManCmd.exe" wrote 8 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 692)
"ExManCmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 624)
"ExManCmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\icacls.exe" (Handle: 624) - source
- API Call
- relevance
- 6/10
- ATT&CK ID
- T1055 (Show technique in the MITRE ATT&CK™ matrix)
-
Allocates virtual memory in a remote process
-
System Security

Modifies the access control lists of files
- details:
Process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\EM Store" /grant *S-1-5-32-545:F /T /C"
Process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\EM Store\Shared" /grant *S-1-5-32-545:F /T /C"
Process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Temp" /grant *S-1-5-32-545:F /T /C"
Process "icacls.exe" with commandline ""%APPDATA%\Adobe\Extension Manager CC\Temp" /grant *S-1-5-32-545:F /T /C"
Process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration" /grant *S-1-5-32-545:F /T /C"
Process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\DB" /grant *S-1-5-32-545:F /T /C"
Process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\DB\ExMan.db" /grant *S-1-5-32-545:F /T /C"
Process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\EM Store\Virtual Product" /grant *S-1-5-32-545:F /T /C"
Process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\XManConfigV2.xml" /grant *S-1-5-32-545:F /T /C"
Process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\XManConfigV2.xml" /grant *S-1-5-32-545:F /T /C"
- source: Monitored Target
- relevance: 5/10
- ATT&CK ID: T1044
Unusual Characteristics

Contains native function calls
- details: NtdllDefWindowProc_A@NTDLL.DLL from BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- source: Hybrid Analysis Technology
- relevance: 5/10

Spawns a lot of processes
- details:
Spawned process "BeautyRetouch_v3.3_Setup.exe"
Spawned process "BeautyRetouch.exe"
Spawned process "BeautyRetouch.exe" with commandline "--reporter-url=http://54.249.141.255:1127/post "--application-name=Beauty Retouch" --v=1"
Spawned process "BeautyRetouch.exe" with commandline "--type=gpu-process --channel="4052.0.177506519\558935583" --no-sandbox --supports-dual-gpus=false --gpu-driver-bug-workarounds=1,19,42 --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor="Oracle Corporation" --gpu-driver-version=5.2.24.0 /prefetch:822062411"
Spawned process "BeautyRetouch.exe" with commandline "--type=renderer --no-sandbox --enable-deferred-image-decoding --lang=en-US --node-integration=true --device-scale-factor=1 --font-cache-shared-mem-suffix=4052 --enable-pinch-virtual-viewport --enable-delegated-renderer --num-raster-threads=1 --channel="4052.1.1376097225\655319693" /prefetch:673131151"
Spawned process "ExManCmd.exe" with commandline "/install "%PROGRAMFILES%\(x86)\BeautyRetouch\resources\app\zxp\BR_CC_3_3.zxp""
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\EM Store" /grant *S-1-5-32-545:F /T /C"
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\EM Store\Shared" /grant *S-1-5-32-545:F /T /C"
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Temp" /grant *S-1-5-32-545:F /T /C"
Spawned process "icacls.exe" with commandline ""%APPDATA%\Adobe\Extension Manager CC\Temp" /grant *S-1-5-32-545:F /T /C"
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration" /grant *S-1-5-32-545:F /T /C"
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\DB" /grant *S-1-5-32-545:F /T /C"
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\DB\ExMan.db" /grant *S-1-5-32-545:F /T /C"
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\EM Store\Virtual Product" /grant *S-1-5-32-545:F /T /C"
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\XManConfigV2.xml" /grant *S-1-5-32-545:F /T /C"
Spawned process "ExManBridgeTalkCmd.exe"
Spawned process "ExManBridgeTalkCmd.exe"
Spawned process "ExManBridgeTalkCmd.exe"
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\XManConfigV2.xml" /grant *S-1-5-32-545:F /T /C"
Spawned process "ExManBridgeTalkCmd.exe"
- source: Monitored Target
- relevance: 8/10

Hiding 1 Malicious Indicator
Suspicious Indicators 29

Anti-Detection/Stealthiness

Queries kernel debugger information
- details:
"ExManCmd.exe" at 00013553-00002620-00000033-136898908276
"ExManBridgeTalkCmd.exe" at 00014231-00002372-00000033-156214852002
- source: API Call
- relevance: 6/10

Anti-Reverse Engineering

Looks up many procedures within the same disassembly stream (often used to hide usage)
- details:
Found 34 calls to GetProcAddress@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2372)
Found 34 calls to GetProcAddress@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2576)
Found 34 calls to GetProcAddress@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1104)
Found 34 calls to GetProcAddress@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1596)
- source: Hybrid Analysis Technology
- relevance: 10/10

PE file has unusual entropy sections
- details: .rsrc with unusual entropies 7.03832497594
- source: Static Parser
- relevance: 10/10
Cryptographic Related

Found a cryptographic related string
- details:
"dEs" (Indicator: "des"; File: "00011727-00004052.00000003.25094.039AC000.00000002.mdmp")
"DES" (Indicator: "des"; File: "00014570-00002576.00000000.14750.00843000.00000002.mdmp")
- source: File/Memory
- relevance: 10/10
Environment Awareness

Contains ability to query CPU information
- details:
cpuid from ExManCmd.exe (PID: 2620)
cpuid from ExManBridgeTalkCmd.exe (PID: 2372)
cpuid from ExManBridgeTalkCmd.exe (PID: 2576)
cpuid from ExManBridgeTalkCmd.exe (PID: 1104)
cpuid from ExManBridgeTalkCmd.exe (PID: 1596)
cpuid
cpuid
cpuid
- source: Hybrid Analysis Technology
- relevance: 10/10
- ATT&CK ID: T1082

Reads the active computer name
- details:
"BeautyRetouch_v3.3_Setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"BeautyRetouch.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"ExManCmd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"icacls.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"ExManBridgeTalkCmd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details:
"ExManCmd.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"ExManBridgeTalkCmd.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
External Systems

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details:
1/69 reputation engines marked "http://main.cc" as malicious (1% detection rate)
1/71 reputation engines marked "http://nsis.sf.net" as malicious (1% detection rate)
2/66 reputation engines marked "http://service.cc" as malicious (3% detection rate)
- source: External System
- relevance: 10/10
General

Reads configuration files
- details:
"BeautyRetouch_v3.3_Setup.exe" read file "%USERPROFILE%\Desktop\desktop.ini"
"ExManCmd.exe" read file "C:\Users\%USERNAME%\Desktop\desktop.ini"
"ExManBridgeTalkCmd.exe" read file "%PROGRAMFILES%\(x86)\desktop.ini"
- source: API Call
- relevance: 4/10
Installation/Persistence

Drops executable files
- details:
"libEGL.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"libGLESv2.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"AdobeExtensionsService.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"node.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"ExtLib.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"ExManBridgeTalkCmd.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
"BeautyRetouch.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"nsDialogs.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"ffmpegsumo.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"Uninstall BeautyRetouch.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
"ExManCmd.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
"VulcanMessage5.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"d3dcompiler_47.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"ExManCoreLib.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"adobe_caps.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"ExManZxpSign.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10
Network Related

Found potential IP address in binary/memory
- details:
Heuristic match: "6.6.1.5.3"
Heuristic match: "[4016:4012:1008/055510:VERBOSE1:crash_service_main.cc(68)] Session start. cmdline is [--reporter-url=http://54.249.141.255:1127/post "--application-name=Beauty Retouch" --v=1]"
Heuristic match: "[4016:4012:1008/055510:VERBOSE1:crash_service.cc(283)] checkpoint is %TEMP%\Beauty Retouch Crashes\crash_checkpoint.txt
server is http://54.249.141.255:1127/post
maximum 128 reports/day
reporter is electron-crash-service"
Heuristic match: "[4016:4012:1008/055510:VERBOSE1:crash_service.cc(283)] checkpoint is %TEMP%\Beauty Retouch Crashes\crash_checkpoint.txt
server is http://54.249.141.255:1127/post
maximum 128 reports/day
reporter is electron-crash-service"
Heuristic match: "--reporter-url=http://54.249.141.255:1127/post "--application-name=Beauty Retouch" --v=1"
- source: File/Memory
- relevance: 3/10

Sends traffic on typical HTTP outbound port, but without HTTP header
- details: TCP traffic to 23.35.140.166 on port 443 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10
Spyware/Information Retrieval

Contains ability to open the clipboard
- details: OpenClipboard@USER32.DLL from BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- source: Hybrid Analysis Technology
- relevance: 10/10
- ATT&CK ID: T1115
System Destruction

Marks file for deletion
- details:
"C:\BeautyRetouch_v3.3_Setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsp5422.tmp" for deletion
"C:\BeautyRetouch_v3.3_Setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsz52D9.tmp" for deletion
"C:\BeautyRetouch_v3.3_Setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsp5422.tmp\modern-wizard.bmp" for deletion
"C:\BeautyRetouch_v3.3_Setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsp5422.tmp\nsDialogs.dll" for deletion
"C:\BeautyRetouch_v3.3_Setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsp5422.tmp\System.dll" for deletion
"%PROGRAMFILES%\(x86)\BeautyRetouch\resources\app\bin\WINDOWS\ExManCmd.exe" marked "%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\DB\ExMan.db-journal" for deletion
"%PROGRAMFILES%\(x86)\BeautyRetouch\resources\app\bin\WINDOWS\ExManCmd.exe" marked "C:\ProgramData\Adobe\Extension Manager CC\Temp\TMP_20191008055524757" for deletion
"%PROGRAMFILES%\(x86)\BeautyRetouch\resources\app\bin\WINDOWS\ExManCmd.exe" marked "C:\ProgramData\Adobe\Extension Manager CC\Temp\TMP_20191008055536984" for deletion
"%PROGRAMFILES%\(x86)\BeautyRetouch\resources\app\bin\WINDOWS\ExManCmd.exe" marked "C:\ProgramData\Adobe\Extension Manager CC\Configuration\XManConfigV2.xml" for deletion
"%PROGRAMFILES%\(x86)\BeautyRetouch\resources\app\bin\WINDOWS\ExManCmd.exe" marked "C:\ProgramData\Adobe\Extension Manager CC\Temp\TMP_20191008055536119\Actions\.DS_Store" for deletion
"%PROGRAMFILES%\(x86)\BeautyRetouch\resources\app\bin\WINDOWS\ExManCmd.exe" marked "C:\ProgramData\Adobe\Extension Manager CC\Temp\TMP_20191008055536119\Actions\RA User Actions.atn" for deletion
"%PROGRAMFILES%\(x86)\BeautyRetouch\resources\app\bin\WINDOWS\ExManCmd.exe" marked "C:\ProgramData\Adobe\Extension Manager CC\Temp\TMP_20191008055536119\Actions" for deletion
"%PROGRAMFILES%\(x86)\BeautyRetouch\resources\app\bin\WINDOWS\ExManCmd.exe" marked "C:\ProgramData\Adobe\Extension Manager CC\Temp\TMP_20191008055536119\BeautyRetouch.mxi" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107

Opens file with deletion access rights
- details:
"BeautyRetouch_v3.3_Setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsp5422.tmp" with delete access
"BeautyRetouch_v3.3_Setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsz52D9.tmp" with delete access
"BeautyRetouch_v3.3_Setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsp5422.tmp\modern-wizard.bmp" with delete access
"BeautyRetouch_v3.3_Setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsp5422.tmp\nsDialogs.dll" with delete access
"BeautyRetouch_v3.3_Setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsp5422.tmp\System.dll" with delete access
"BeautyRetouch_v3.3_Setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsp5422.tmp\" with delete access
"ExManCmd.exe" opened "%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\DB\ExMan.db-journal" with delete access
"ExManCmd.exe" opened "C:\ProgramData\Adobe\Extension Manager CC\Temp\TMP_20191008055524757" with delete access
"ExManCmd.exe" opened "C:\ProgramData\Adobe\Extension Manager CC\Temp\TMP_20191008055536984" with delete access
"ExManCmd.exe" opened "C:\ProgramData\Adobe\Extension Manager CC\Configuration\XManConfigV2.xml" with delete access
"ExManCmd.exe" opened "C:\ProgramData\Adobe\Extension Manager CC\Temp\TMP_20191008055536119\Actions\.DS_Store" with delete access
"ExManCmd.exe" opened "C:\ProgramData\Adobe\Extension Manager CC\Temp\TMP_20191008055536119\Actions\RA User Actions.atn" with delete access
"ExManCmd.exe" opened "C:\ProgramData\Adobe\Extension Manager CC\Temp\TMP_20191008055536119\Actions" with delete access
"ExManCmd.exe" opened "C:\ProgramData\Adobe\Extension Manager CC\Temp\TMP_20191008055536119\BeautyRetouch.mxi" with delete access
- source: API Call
- relevance: 7/10
System Security

Modifies proxy settings
- details:
"ExManCmd.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"ExManCmd.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112
Unusual Characteristics

CRC value set in PE header does not match actual value
- details:
"AdobeExtensionsService.exe" claimed CRC 753621 while the actual is CRC 1577264
"ExtLib.dll" claimed CRC 916986 while the actual is CRC 5241468
"ExManBridgeTalkCmd.exe" claimed CRC 392395 while the actual is CRC 916986
"ExManCmd.exe" claimed CRC 1189530 while the actual is CRC 128645
"VulcanMessage5.dll" claimed CRC 1015544 while the actual is CRC 1189530
"d3dcompiler_47.dll" claimed CRC 3527815 while the actual is CRC 1015544
"ExManCoreLib.dll" claimed CRC 5228167 while the actual is CRC 3527815
"adobe_caps.dll" claimed CRC 889904 while the actual is CRC 5228167
"ExManZxpSign.dll" claimed CRC 2395272 while the actual is CRC 889904
- source: Static Parser
- relevance: 10/10
Imports suspicious APIs
- details:
GetModuleFileNameW
IsDebuggerPresent
GetModuleFileNameA
UnhandledExceptionFilter
LoadLibraryExW
GetStartupInfoW
GetCommandLineA
GetProcAddress
WriteFile
GetModuleHandleW
TerminateProcess
GetModuleHandleExW
OutputDebugStringW
CreateFileW
Sleep
GetModuleHandleA
VirtualProtect
VirtualAlloc
LoadLibraryA
GetTempFileNameA
GetTempPathA
LoadLibraryW
GetModuleHandleExA
GetWindowThreadProcessId
SetSecurityDescriptorDacl
OpenProcessToken
GetUserNameW
GetFileAttributesW
GetTempPathW
ConnectNamedPipe
CopyFileW
CreateThread
ExitThread
GetTickCount
OpenProcess
CreateDirectoryW
DeleteFileW
GetComputerNameW
FindNextFileW
FindFirstFileW
FindFirstFileExW
GetCommandLineW
GetFileAttributesExW
FindWindowW
RegCloseKey
RegOpenKeyExW
DeviceIoControl
GetVersionExW
GetFileSizeEx
RegCreateKeyExW
OutputDebugStringA
FindFirstFileExA
FindNextFileA
CreateFileA
CreateProcessW
ShellExecuteA
GetFileAttributesA
RegDeleteKeyA
RegDeleteValueA
RegCreateKeyExA
RegOpenKeyExA
RegEnumKeyA
CopyFileA
LoadLibraryExA
GetFileSize
CreateDirectoryA
DeleteFileA
FindFirstFileA
CreateProcessA
ShellExecuteExA
FindWindowExA
RegDeleteKeyW
CreateServiceW
RegDeleteValueW
StartServiceW
StartServiceCtrlDispatcherW
GetDriveTypeW
DisconnectNamedPipe
CreateToolhelp32Snapshot
CreateFileMappingW
Process32NextW
Process32FirstW
MapViewOfFile
ShellExecuteExW
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details:
"BeautyRetouch_v3.3_Setup.exe" wrote bytes "71111b027a3b1a02ab8b02007f950200fc8c0200729602006cc805001ecd17027d261702" to virtual address "0x75A207E4" (part of module "USER32.DLL")
"BeautyRetouch_v3.3_Setup.exe" wrote bytes "d0553776647340760000000051c14c7794984c77ee9c4c7775dc4e77273e4e770fb35277000000008548b2756987b2750f77b475d917b275ead7b375a934b275f811b2752014b2750c11b275f516b2755414b275ff10b2753214b27500000000" to virtual address "0x742B1000" (part of module "SHFOLDER.DLL")
"BeautyRetouch.exe" wrote bytes "d83a4175" to virtual address "0x754201E0" (part of module "SSPICLI.DLL")
"BeautyRetouch.exe" wrote bytes "b4364175" to virtual address "0x75420200" (part of module "SSPICLI.DLL")
"BeautyRetouch.exe" wrote bytes "707da800" to virtual address "0x039AC878" (part of module "BEAUTYRETOUCH.EXE")
"BeautyRetouch.exe" wrote bytes "c0dfb7771cf9b677ccf8b6770d64b87700000000c011b27500000000fc3eb27500000000e013b275000000009457147625e0b777c6e0b77700000000bc6a137600000000cf31b2750000000093191476000000002c32b27500000000" to virtual address "0x75451000" (part of module "NSI.DLL")
"BeautyRetouch.exe" wrote bytes "b4360200" to virtual address "0x75414EA4" (part of module "SSPICLI.DLL")
"BeautyRetouch.exe" wrote bytes "7d07bb7781edb977ae86b877c6e0b777effdba772d16b9776014bb77478db877a8e2b7776089b87700000000ad3799758b2d9975b641997500000000" to virtual address "0x74051000" (part of module "WSHTCPIP.DLL")
"BeautyRetouch.exe" wrote bytes "0efcba7781edb977ae86b877c6e0b777effdba772d16b977c0fcb677da8fc1776014bb77478db877a8e2b7776089b87700000000ad3799758b2d9975b641997500000000" to virtual address "0x73051000" (part of module "WSHIP6.DLL")
"BeautyRetouch.exe" wrote bytes "71111b027a3b1a02ab8b02007f950200fc8c0200729602006cc805001ecd17027d261702" to virtual address "0x75A207E4" (part of module "USER32.DLL")
"BeautyRetouch.exe" wrote bytes "b4364175" to virtual address "0x754201E4" (part of module "SSPICLI.DLL")
"BeautyRetouch.exe" wrote bytes "b4360200" to virtual address "0x75414D68" (part of module "SSPICLI.DLL")
"BeautyRetouch.exe" wrote bytes "b830120b74ffe0" to virtual address "0x75991368" (part of module "WS2_32.DLL")
"BeautyRetouch.exe" wrote bytes "60120b74" to virtual address "0x7730E324" (part of module "WININET.DLL")
"BeautyRetouch.exe" wrote bytes "b8c0150b74ffe0" to virtual address "0x754136B4" (part of module "SSPICLI.DLL")
"BeautyRetouch.exe" wrote bytes "d83a4175" to virtual address "0x75420274" (part of module "SSPICLI.DLL")
"BeautyRetouch.exe" wrote bytes "b840130b74ffe0" to virtual address "0x75413AD8" (part of module "SSPICLI.DLL")
"BeautyRetouch.exe" wrote bytes "d83a0200" to virtual address "0x75414E38" (part of module "SSPICLI.DLL")
"BeautyRetouch.exe" wrote bytes "d83a0200" to virtual address "0x75414D78" (part of module "SSPICLI.DLL")
"BeautyRetouch.exe" wrote bytes "68130000" to virtual address "0x75991680" (part of module "WS2_32.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
-
Reads information about supported languages
- details
-
"BeautyRetouch_v3.3_Setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"BeautyRetouch.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") - source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
CRC value set in PE header does not match actual value
-
Hiding 9 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Informative 32

Anti-Detection/Stealthiness

Contains ability to lookup its own filename
- details: PathFindFileNameW@SHLWAPI.DLL from ExManCmd.exe (PID: 2620)
- source: Hybrid Analysis Technology
- relevance: 5/10

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details:
SetUnhandledExceptionFilter@KERNEL32.DLL from ExManCmd.exe (PID: 2620)
SetUnhandledExceptionFilter@KERNEL32.DLL from ExManCmd.exe (PID: 2620)
SetUnhandledExceptionFilter@KERNEL32.DLL from ExManCmd.exe (PID: 2620)
SetUnhandledExceptionFilter@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2372)
SetUnhandledExceptionFilter@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2372)
SetUnhandledExceptionFilter@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2372)
SetUnhandledExceptionFilter@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2372)
SetUnhandledExceptionFilter@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2576)
SetUnhandledExceptionFilter@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2576)
SetUnhandledExceptionFilter@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2576)
SetUnhandledExceptionFilter@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2576)
SetUnhandledExceptionFilter@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1104)
SetUnhandledExceptionFilter@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1104)
SetUnhandledExceptionFilter@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1104)
SetUnhandledExceptionFilter@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1104)
SetUnhandledExceptionFilter@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1596)
- source: Hybrid Analysis Technology
- relevance: 1/10

Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details:
Found reference to API CreateThreadpoolWork@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2372)
Found reference to API SleepConditionVariableCS@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2372)
Found reference to API GetFileInformationByHandleEx@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2372)
Found reference to API CreateThreadpoolWork@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2576)
Found reference to API SleepConditionVariableCS@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2576)
Found reference to API GetFileInformationByHandleEx@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2576)
Found reference to API CreateThreadpoolWork@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1104)
Found reference to API SleepConditionVariableCS@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1104)
Found reference to API GetFileInformationByHandleEx@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1104)
Found reference to API CreateThreadpoolWork@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1596)
Found reference to API SleepConditionVariableCS@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1596)
Found reference to API GetFileInformationByHandleEx@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1596) - source
- Hybrid Analysis Technology
- relevance
- 10/10
-
PE file contains zero-size sections
- details
- Raw size of ".ndata" is zero
- source
- Static Parser
- relevance
- 10/10
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetSystemTimeAsFileTime@KERNEL32.DLL from ExManCmd.exe (PID: 2620)
GetSystemTimeAsFileTime@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2372)
GetSystemTimeAsFileTime@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2576)
GetSystemTimeAsFileTime@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1104)
GetSystemTimeAsFileTime@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1596)
GetSystemTimeAsFileTime@KERNEL32.dll
GetLocalTime@KERNEL32.dll - source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124
-
Contains ability to query the machine timezone
- details
-
GetTimeZoneInformation@KERNEL32.DLL from ExManCmd.exe (PID: 2620)
GetTimeZoneInformation@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2372)
GetTimeZoneInformation@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2576)
GetTimeZoneInformation@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1104)
GetTimeZoneInformation@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1596)
GetTimeZoneInformation@KERNEL32.dll - source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124
-
Contains ability to query the machine version
- details
-
GetVersion@KERNEL32.DLL from BeautyRetouch_v3.3_Setup.exe (PID: 3892) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the system locale
- details
-
GetUserDefaultLCID@KERNEL32.DLL from ExManCmd.exe (PID: 2620)
EnumSystemLocalesW@KERNEL32.DLL from ExManCmd.exe (PID: 2620)
EnumSystemLocalesW@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2372)
GetUserDefaultLCID@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2372)
EnumSystemLocalesW@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2576)
GetUserDefaultLCID@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2576)
EnumSystemLocalesW@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1104)
GetUserDefaultLCID@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1104) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query volume size
- details
-
GetDiskFreeSpaceA@KERNEL32.DLL from BeautyRetouch_v3.3_Setup.exe (PID: 3892) - source
- Hybrid Analysis Technology
- relevance
- 3/10
- ATT&CK ID
- T1083
-
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 00000006h" and "je 00403243h" from BeautyRetouch_v3.3_Setup.exe (PID: 3892)
Found API call GetTimeZoneInformation@KERNEL32.DLL directly followed by "cmp eax, FFFFFFFFh" and "je 010AAB02h" from ExManCmd.exe (PID: 2620)
Found API call GetTimeZoneInformation@KERNEL32.DLL directly followed by "cmp eax, FFFFFFFFh" and "je 00292357h" from ExManBridgeTalkCmd.exe (PID: 2372)
Found API call GetTimeZoneInformation@KERNEL32.DLL directly followed by "cmp eax, FFFFFFFFh" and "je 00832357h" from ExManBridgeTalkCmd.exe (PID: 2576)
Found API call GetTimeZoneInformation@KERNEL32.DLL directly followed by "cmp eax, FFFFFFFFh" and "je 001C2357h" from ExManBridgeTalkCmd.exe (PID: 1104)
Found API call GetTimeZoneInformation@KERNEL32.DLL directly followed by "cmp eax, FFFFFFFFh" and "je 00E32357h" from ExManBridgeTalkCmd.exe (PID: 1596)
Found API call GetTimeZoneInformation@KERNEL32.dll directly followed by "cmp eax, FFFFFFFFh" and "je 0045C90Bh" - source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Possibly tries to detect the presence of a debugger
- details
-
GetProcessHeap@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2372)
GetProcessHeap@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 2576)
GetProcessHeap@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1104)
GetProcessHeap@KERNEL32.DLL from ExManBridgeTalkCmd.exe (PID: 1596) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Queries volume information
- details
-
"BeautyRetouch_v3.3_Setup.exe" queries volume information of "C:\" at 00009624-00003892-00000046-27406890351
"BeautyRetouch_v3.3_Setup.exe" queries volume information of "%PROGRAMFILES%\(x86)\BeautyRetouch\BeautyRetouch.exe" at 00009624-00003892-00000046-27421529720
"BeautyRetouch_v3.3_Setup.exe" queries volume information of "C:\" at 00009624-00003892-00000046-30127184172
"BeautyRetouch_v3.3_Setup.exe" queries volume information of "C:\Program Files (x86)\BeautyRetouch\Uninstall BeautyRetouch.exe" at 00009624-00003892-00000046-30128095082
"BeautyRetouch_v3.3_Setup.exe" queries volume information of "C:\" at 00009624-00003892-00000046-30165163150
"BeautyRetouch_v3.3_Setup.exe" queries volume information of "C:\Program Files (x86)\BeautyRetouch\BeautyRetouch.exe" at 00009624-00003892-00000046-30166068596
"BeautyRetouch.exe" queries volume information of "C:\Program Files (x86)\BeautyRetouch" at 00011727-00004052-00000046-88740159527
"BeautyRetouch.exe" queries volume information of "C:\Program Files (x86)\BeautyRetouch\resources" at 00011727-00004052-00000046-88742247261
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-88750150455
"BeautyRetouch.exe" queries volume information of "C:\Program Files (x86)" at 00011727-00004052-00000046-88752558658
"BeautyRetouch.exe" queries volume information of "C:\Program Files (x86)\BeautyRetouch" at 00011727-00004052-00000046-88754618788
"BeautyRetouch.exe" queries volume information of "C:\Program Files (x86)\BeautyRetouch\resources" at 00011727-00004052-00000046-88756239813
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-88794701734
"BeautyRetouch.exe" queries volume information of "C:\Program Files (x86)" at 00011727-00004052-00000046-88796151612
"BeautyRetouch.exe" queries volume information of "C:\Program Files (x86)\BeautyRetouch" at 00011727-00004052-00000046-88797650840
"BeautyRetouch.exe" queries volume information of "C:\Program Files (x86)\BeautyRetouch\resources" at 00011727-00004052-00000046-88799200697
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-88803684004
"BeautyRetouch.exe" queries volume information of "C:\Program Files (x86)" at 00011727-00004052-00000046-88805135256
"BeautyRetouch.exe" queries volume information of "C:\Program Files (x86)\BeautyRetouch" at 00011727-00004052-00000046-88806637940
"BeautyRetouch.exe" queries volume information of "C:\Program Files (x86)\BeautyRetouch\resources" at 00011727-00004052-00000046-88808172801 - source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120
-
Queries volume information of an entire harddrive
- details
-
"BeautyRetouch_v3.3_Setup.exe" queries volume information of "C:\" at 00009624-00003892-00000046-27406890351
"BeautyRetouch_v3.3_Setup.exe" queries volume information of "C:\" at 00009624-00003892-00000046-30127184172
"BeautyRetouch_v3.3_Setup.exe" queries volume information of "C:\" at 00009624-00003892-00000046-30165163150
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-88750150455
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-88794701734
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-88803684004
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-88856220688
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-88867287379
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-89317572406
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-92208159429
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-92231480066
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-92305705826
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-92477394218
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-92487211213
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-92532946591
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-92539331072
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-92583398145
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-92625728779
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-92663000595
"BeautyRetouch.exe" queries volume information of "C:\" at 00011727-00004052-00000046-92699416292 - source
- API Call
- relevance
- 8/10
- ATT&CK ID
- T1120
-
Reads the registry for installed applications
- details
-
"BeautyRetouch_v3.3_Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\BEAUTYRETOUCH_V3.3_SETUP.EXE")
"BeautyRetouch_v3.3_Setup.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\BEAUTYRETOUCH_V3.3_SETUP.EXE")
"BeautyRetouch_v3.3_Setup.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BEAUTYRETOUCH")
"ExManCmd.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\ICACLS.EXE")
"ExManCmd.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\ICACLS.EXE") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
General
-
Contacts server
- details
- "23.35.140.166:443"
- source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
-
"C:\omnius\workspace\ExMan_Main_Win\ExManBridgeTalkCmd\Bin\Win\Release\ExManBridgeTalkCmd.pdb"
"D:\libchromiumcontent\vendor\chromium\src\out_32\Release\libEGL.dll.pdb" - source
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"BeautyRetouch_v3.3_Setup.exe" created file "%TEMP%\nsp5422.tmp\modern-wizard.bmp"
"BeautyRetouch_v3.3_Setup.exe" created file "%TEMP%\nsp5422.tmp\nsDialogs.dll"
"BeautyRetouch_v3.3_Setup.exe" created file "%TEMP%\nsp5422.tmp\System.dll" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\DBWinMutex"
"DBWinMutex"
"\Sessions\1\BaseNamedObjects\Global\C:/Users/%OSUSER%/AppData/Local/Temp/Beauty Retouch Crashes/operation_log.txt"
"Global\C:/Users/%OSUSER%/AppData/Local/Temp/Beauty Retouch Crashes/operation_log.txt"
"\Sessions\1\BaseNamedObjects\Local\__DDrawExclMode__"
"\Sessions\1\BaseNamedObjects\Local\__DDrawCheckExclMode__"
"Local\__DDrawCheckExclMode__"
"Local\__DDrawExclMode__"
"\Sessions\1\BaseNamedObjects\EMCL.log"
"\Sessions\1\BaseNamedObjects\ExmanProcessMutex" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "libEGL.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "AdobeExtensionsService.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "ExtLib.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "ExManBridgeTalkCmd.exe" as clean (type is "PE32 executable (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "nsDialogs.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "natives_blob.bin" as clean (type is "data")
Antivirus vendors marked dropped file "ExManCmd.exe" as clean (type is "PE32 executable (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "VulcanMessage5.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "d3dcompiler_47.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "snapshot_blob.bin" as clean (type is "data")
Antivirus vendors marked dropped file "ExManCoreLib.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "ExManZxpSign.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows") - source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "BeautyRetouch_v3.3_Setup.exe" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 741E0000
- source
- Loaded Module
- ATT&CK ID
- T1179
-
Overview of unique CLSIDs touched in registry
- details
-
"BeautyRetouch_v3.3_Setup.exe" touched "Computer" (Path: "HKCU\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"BeautyRetouch_v3.3_Setup.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\WOW6432NODE\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
"BeautyRetouch_v3.3_Setup.exe" touched "Shortcut" (Path: "HKCU\WOW6432NODE\CLSID\{00021401-0000-0000-C000-000000000046}\TREATAS")
"BeautyRetouch.exe" touched "MMDeviceEnumerator class" (Path: "HKCU\WOW6432NODE\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}")
"BeautyRetouch.exe" touched "TF_InputProcessorProfiles" (Path: "HKCU\WOW6432NODE\CLSID\{33C53A50-F456-4884-B049-85FD643ECFED}")
"ExManCmd.exe" touched "Network" (Path: "HKCU\WOW6432NODE\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\SHELLFOLDER")
"ExManCmd.exe" touched "Recycle Bin" (Path: "HKCU\WOW6432NODE\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\SHELLFOLDER")
"ExManCmd.exe" touched "Control Panel" (Path: "HKCU\WOW6432NODE\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\SHELLFOLDER")
"ExManCmd.exe" touched "UsersFiles" (Path: "HKCU\WOW6432NODE\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\SHELLFOLDER")
"ExManCmd.exe" touched "UsersLibraries" (Path: "HKCU\WOW6432NODE\CLSID\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\SHELLFOLDER")
"ExManCmd.exe" touched "CLSID_SearchFolder" (Path: "HKCU\WOW6432NODE\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\SHELLFOLDER")
"ExManCmd.exe" touched "IE History and Feeds Shell Data Source for Windows Search" (Path: "HKCU\WOW6432NODE\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\SHELLFOLDER")
"ExManCmd.exe" touched "Public Folder" (Path: "HKCU\WOW6432NODE\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\SHELLFOLDER")
"ExManCmd.exe" touched "Control Panel command object for Start menu and desktop" (Path: "HKCU\WOW6432NODE\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\SHELLFOLDER")
"ExManCmd.exe" touched "@%systemroot%\system32\mssvp.dll,-110" (Path: "HKCU\WOW6432NODE\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\SHELLFOLDER")
"ExManCmd.exe" touched "CLSID_SearchHome" (Path: "HKCU\WOW6432NODE\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\SHELLFOLDER")
"ExManCmd.exe" touched "Other Users Folder" (Path: "HKCU\WOW6432NODE\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\SHELLFOLDER")
"ExManCmd.exe" touched "@%systemroot%\system32\mssvp.dll,-112" (Path: "HKCU\WOW6432NODE\CLSID\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\SHELLFOLDER")
"ExManCmd.exe" touched "CLSID_StartMenuProviderFolder" (Path: "HKCU\WOW6432NODE\CLSID\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\SHELLFOLDER")
"ExManCmd.exe" touched "CLSID_StartMenuPathCompleteProviderFolder" (Path: "HKCU\WOW6432NODE\CLSID\{E345F35F-9397-435C-8F95-4E922C26259E}\SHELLFOLDER") - source
- Registry Access
- relevance
- 3/10
-
Process launched with changed environment
- details
-
Process "BeautyRetouch.exe" was launched with new environment variables: "SYSTEMDRIVE="C:", MEOW="%ALLUSERSPROFILE%\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\", WINDIR="C:\Windows", ATOM_SHELL_INTERNAL_CRASH_SERVICE="1", SYSTEMROOT="C:\Windows""
Process "BeautyRetouch.exe" was launched with missing environment variables: "LOCALAPPDATA, PROCESSOR_LEVEL, FP_NO_HOST_CHECK, PROMPT, SESSIONNAME, ALLUSERSPROFILE, PROCESSOR_ARCHITECTURE, PSModulePath, VXDIR, SystemDrive, APPDATA, windows_tracing_logfile, ProgramFiles(x86), CommonProgramFiles, Path, PATHEXT, OS, PROCESSOR_ARCHITEW6432, windows_tracing_flags, COMPUTERNAME, PROCESSOR_REVISION, CommonProgramW6432, ComSpec, ProgramData, ProgramW6432, SystemRoot, PROCESSOR_IDENTIFIER, TMP, CommonProgramFiles(x86), PUBLIC, ProgramFiles, NUMBER_OF_PROCESSORS, windir"
Process "BeautyRetouch.exe" was launched with new environment variables: "LOCALAPPDATA="C:\Users\%USERNAME%\AppData\Local", PROCESSOR_LEVEL="6", FP_NO_HOST_CHECK="NO", PROMPT="$P$G", SESSIONNAME="Console", ALLUSERSPROFILE="C:\ProgramData", PROCESSOR_ARCHITECTURE="x86", PSModulePath="C:\Windows\system32\WindowsPowerShell\v1.0\Modules\;C:\Program Files (x86)\AutoIt3\AutoItX", VXDIR="C:\VxStream", SystemDrive="C:", APPDATA="C:\Users\%USERNAME%\AppData\Roaming", windows_tracing_logfile="C:\BVTBin\Tests\installpackage\csilogfile.log", ProgramFiles(x86)="C:\Program Files (x86)", GOOGLE_API_KEY="AIzaSyAQfxPJiounkhOjODEO5ZieffeBv6yft2Q", CommonProgramFiles="C:\Program Files (x86)\Common Files", Path="C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\", PATHEXT=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC", OS="Windows_NT", PROCESSOR_ARCHITEW6432="AMD64", windows_tracing_flags="3", COMPUTERNAME="Xrmo5iKwVD", PROCESSOR_REVISION="4f01", CommonProgramW6432="C:\Program Files\Common Files", ComSpec="C:\Windows\system32\cmd.exe", ProgramData="C:\ProgramData", ProgramW6432="C:\Program Files", SystemRoot="C:\Windows", PROCESSOR_IDENTIFIER="Intel64 Family 6 Model 79 Stepping 1, GenuineIntel", TMP="C:\Users\%USERNAME%\AppData\Local\Temp", CommonProgramFiles(x86)="C:\Program Files (x86)\Common Files", PUBLIC="C:\Users\%USERNAME%\Program Files (x86)", NUMBER_OF_PROCESSORS="2", windir="C:\Windows""
Process "BeautyRetouch.exe" was launched with missing environment variables: "SYSTEMDRIVE, MEOW, WINDIR, ATOM_SHELL_INTERNAL_CRASH_SERVICE, SYSTEMROOT" - source
- Monitored Target
- relevance
- 10/10
-
Scanning for window names
- details
- "BeautyRetouch_v3.3_Setup.exe" searching for class "#32770"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
-
Spawns new processes
- details
-
Spawned process "BeautyRetouch.exe"
Spawned process "BeautyRetouch.exe" with commandline "--reporter-url=http://54.249.141.255:1127/post "--application-na ..."
Spawned process "BeautyRetouch.exe" with commandline "--type=gpu-process --channel="4052.0.177506519\558935583" --no-s ..."
Spawned process "BeautyRetouch.exe" with commandline "--type=renderer --no-sandbox --enable-deferred-image-decoding -- ..."
Spawned process "ExManCmd.exe" with commandline "/install "%PROGRAMFILES%\(x86)\BeautyRetouch\resources\app\zxp\B ..."
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\EM Store" /grant * ..."
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\EM Store\Shared" / ..."
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Temp" /grant *S-1- ..."
Spawned process "icacls.exe" with commandline ""%APPDATA%\Adobe\Extension Manager CC\Temp" /grant *S-1-5-32-545 ..."
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration" /gr ..."
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\DB" ..."
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\DB\E ..."
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\EM Store\Virtual P ..."
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\XMan ..."
Spawned process "ExManBridgeTalkCmd.exe"
Spawned process "ExManBridgeTalkCmd.exe"
Spawned process "ExManBridgeTalkCmd.exe"
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\XMan ..."
Spawned process "ExManBridgeTalkCmd.exe" - source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "BeautyRetouch.exe"
Spawned process "BeautyRetouch.exe" with commandline "--reporter-url=http://54.249.141.255:1127/post "--application-na ..."
Spawned process "BeautyRetouch.exe" with commandline "--type=gpu-process --channel="4052.0.177506519\558935583" --no-s ..."
Spawned process "BeautyRetouch.exe" with commandline "--type=renderer --no-sandbox --enable-deferred-image-decoding -- ..."
Spawned process "ExManCmd.exe" with commandline "/install "%PROGRAMFILES%\(x86)\BeautyRetouch\resources\app\zxp\B ..."
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\EM Store" /grant * ..."
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\EM Store\Shared" / ..."
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Temp" /grant *S-1- ..."
Spawned process "icacls.exe" with commandline ""%APPDATA%\Adobe\Extension Manager CC\Temp" /grant *S-1-5-32-545 ..."
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration" /gr ..."
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\DB" ..."
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\DB\E ..."
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\EM Store\Virtual P ..."
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\XMan ..."
Spawned process "ExManBridgeTalkCmd.exe"
Spawned process "ExManBridgeTalkCmd.exe"
Spawned process "ExManBridgeTalkCmd.exe"
Spawned process "icacls.exe" with commandline ""%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\XMan ..."
Spawned process "ExManBridgeTalkCmd.exe" - source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistence
-
Connects to LPC ports
- details
-
"BeautyRetouch_v3.3_Setup.exe" connecting to "\ThemeApiPort"
"BeautyRetouch.exe" connecting to "\ThemeApiPort"
"ExManCmd.exe" connecting to "\ThemeApiPort"
"ExManBridgeTalkCmd.exe" connecting to "\ThemeApiPort" - source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"libEGL.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"BeautyRetouch.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Fri Aug 30 11:11:24 2019 mtime=Tue Oct 8 03:52:21 2019 atime=Fri Aug 30 11:11:24 2019 length=57772032 window=hide"
"System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"libGLESv2.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"AdobeExtensionsService.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"node.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"ExtLib.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"ExManBridgeTalkCmd.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
"BeautyRetouch.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"nsDialogs.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"ffmpegsumo.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"Uninstall BeautyRetouch.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
"natives_blob.bin" has type "data"
"ExManCmd.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
"VulcanMessage5.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"d3dcompiler_47.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"snapshot_blob.bin" has type "data"
"ExManCoreLib.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"adobe_caps.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"BeautyRetouch_v3.3_Setup.exe" touched file "C:\Windows\SysWOW64\oleaccrc.dll"
"BeautyRetouch_v3.3_Setup.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001b.db"
"BeautyRetouch_v3.3_Setup.exe" touched file "C:\Windows\SysWOW64\en-US\user32.dll.mui"
"BeautyRetouch_v3.3_Setup.exe" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
"BeautyRetouch_v3.3_Setup.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
"BeautyRetouch_v3.3_Setup.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"BeautyRetouch_v3.3_Setup.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
"BeautyRetouch_v3.3_Setup.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"BeautyRetouch_v3.3_Setup.exe" touched file "C:\Program Files (x86)\BeautyRetouch\resources\app\bin\WINDOWS\ExManBridgeTalkCmd.exe"
"BeautyRetouch_v3.3_Setup.exe" touched file "C:\Program Files (x86)\BeautyRetouch\resources\app\bin\WINDOWS\ExtLib.dll"
"BeautyRetouch_v3.3_Setup.exe" touched file "C:\Program Files (x86)\BeautyRetouch\resources\app\bin\WINDOWS\VulcanMessage5.dll"
"BeautyRetouch_v3.3_Setup.exe" touched file "C:\Program Files (x86)\BeautyRetouch\resources\app\bin\WINDOWS\adobe_caps.dll"
"BeautyRetouch_v3.3_Setup.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\BeautyRetouch\BeautyRetouch.lnk"
"BeautyRetouch_v3.3_Setup.exe" touched file "C:\Program Files (x86)\BeautyRetouch\resources\app\bin\WINDOWS\.DS_Store"
"BeautyRetouch_v3.3_Setup.exe" touched file "C:\Program Files (x86)\BeautyRetouch\resources\app\bin\WINDOWS\AdobeExtensionsService.exe"
"BeautyRetouch_v3.3_Setup.exe" touched file "C:\Program Files (x86)\BeautyRetouch\resources\app\bin\WINDOWS\ExManCmd.exe"
"BeautyRetouch_v3.3_Setup.exe" touched file "C:\Program Files (x86)\BeautyRetouch\resources\app\bin\WINDOWS\ExManCoreLib.dll"
"BeautyRetouch_v3.3_Setup.exe" touched file "C:\Program Files (x86)\BeautyRetouch\resources\app\bin\WINDOWS\ExManCoreLib.lib"
"BeautyRetouch_v3.3_Setup.exe" touched file "C:\Program Files (x86)\BeautyRetouch\resources\app\bin\WINDOWS\ExManZxpSign.dll"
"BeautyRetouch_v3.3_Setup.exe" touched file "C:\Program Files (x86)\BeautyRetouch\resources\app\bin\WINDOWS\README" - source
- API Call
- relevance
- 7/10
-
Connects to LPC ports
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://nsis.sf.net/NSIS_Error"
Heuristic match: "l3@3B: .LB"
Heuristic match: "q$pXZM>.vI"
Heuristic match: "PnnzBc.PA"
Heuristic match: "^sT31]/e.Gg"
Heuristic match: "\p/H4Y .at"
Pattern match: "http://54.249.141.255:1127/post"
Pattern match: "http://www.w3.org/2000/09/xmldsig#"
Heuristic match: "application.name"
Heuristic match: ".adobe.com"
Pattern match: "upload.ffmpeg.org/incoming/" - source
- File/Memory
- relevance
- 10/10
-
System Security
-
Creates or modifies windows services
- details
-
"BeautyRetouch.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
"ExManCmd.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"BeautyRetouch_v3.3_Setup.exe" opened "\Device\KsecDD"
"BeautyRetouch.exe" opened "\Device\KsecDD"
"ExManCmd.exe" opened "\Device\KsecDD"
"ExManBridgeTalkCmd.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"libEGL.dll" was detected as "Borland Delphi 3.0 (???)"
"libGLESv2.dll" was detected as "Borland Delphi 3.0 (???)"
"AdobeExtensionsService.exe" was detected as "VC8 -> Microsoft Corporation"
"ExtLib.dll" was detected as "Borland Delphi 3.0 (???)"
"ExManBridgeTalkCmd.exe" was detected as "VC8 -> Microsoft Corporation"
"ffmpegsumo.dll" was detected as "Borland Delphi 3.0 (???)"
"ExManCmd.exe" was detected as "VC8 -> Microsoft Corporation"
"VulcanMessage5.dll" was detected as "Borland Delphi 3.0 (???)"
"d3dcompiler_47.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"ExManCoreLib.dll" was detected as "Borland Delphi 3.0 (???)"
"adobe_caps.dll" was detected as "Borland Delphi 3.0 (???)"
"ExManZxpSign.dll" was detected as "Borland Delphi 3.0 (???)" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1002
File Details
BeautyRetouch_v3.3_Setup.exe
- Filename
- BeautyRetouch_v3.3_Setup.exe
- Size
- 45MiB (47461814 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- Architecture
- WINDOWS
- SHA256
- d279087a544454dab3c434283d71b3aa99e57b0ccced786df1fcc758db7e9103
- MD5
- 79e47eac37bc129a80ee58bc7380191a
- SHA1
- 83e4fc9fa56af848f891df4794f89ef7e719617e
Classification (TrID)
- 64.5% (.EXE) Win32 Executable MS Visual C++ (generic)
- 13.6% (.DLL) Win32 Dynamic Link Library (generic)
- 9.3% (.EXE) Win32 Executable (generic)
- 4.1% (.EXE) OS/2 Executable (generic)
- 4.1% (.EXE) Generic Win/DOS Executable
Hybrid Analysis
Analysed 20 processes in total (System Resource Monitor).
-
BeautyRetouch_v3.3_Setup.exe
(PID: 3892)
1/66
-
BeautyRetouch.exe
(PID: 4052)
- BeautyRetouch.exe --reporter-url=http://54.249.141.255:1127/post "--application-name=Beauty Retouch" --v=1 (PID: 4016)
- BeautyRetouch.exe --type=gpu-process --channel="4052.0.177506519\558935583" --no-sandbox --supports-dual-gpus=false --gpu-driver-bug-workarounds=1,19,42 --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor="Oracle Corporation" --gpu-driver-version=5.2.24.0 /prefetch:822062411 (PID: 3132)
-
BeautyRetouch.exe
--type=renderer --no-sandbox --enable-deferred-image-decoding --lang=en-US --node-integration=true --device-scale-factor=1 --font-cache-shared-mem-suffix=4052 --enable-pinch-virtual-viewport --enable-delegated-renderer --num-raster-threads=1 --channel="4052.1.1376097225\655319693" /prefetch:673131151
(PID: 3524)
-
ExManCmd.exe
/install "%PROGRAMFILES%\(x86)\BeautyRetouch\resources\app\zxp\BR_CC_3_3.zxp"
(PID: 2620)
- icacls.exe "%ALLUSERSPROFILE%\Adobe\Extension Manager CC\EM Store" /grant *S-1-5-32-545:F /T /C (PID: 3096)
- icacls.exe "%ALLUSERSPROFILE%\Adobe\Extension Manager CC\EM Store\Shared" /grant *S-1-5-32-545:F /T /C (PID: 3472)
- icacls.exe "%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Temp" /grant *S-1-5-32-545:F /T /C (PID: 1420)
- icacls.exe "%APPDATA%\Adobe\Extension Manager CC\Temp" /grant *S-1-5-32-545:F /T /C (PID: 2016)
- icacls.exe "%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration" /grant *S-1-5-32-545:F /T /C (PID: 3712)
- icacls.exe "%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\DB" /grant *S-1-5-32-545:F /T /C (PID: 2200)
- icacls.exe "%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\DB\ExMan.db" /grant *S-1-5-32-545:F /T /C (PID: 2500)
- icacls.exe "%ALLUSERSPROFILE%\Adobe\Extension Manager CC\EM Store\Virtual Product" /grant *S-1-5-32-545:F /T /C (PID: 3288)
- icacls.exe "%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\XManConfigV2.xml" /grant *S-1-5-32-545:F /T /C (PID: 1412)
- ExManBridgeTalkCmd.exe (PID: 2372)
- ExManBridgeTalkCmd.exe (PID: 2576)
- ExManBridgeTalkCmd.exe (PID: 1104)
- icacls.exe "%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\XManConfigV2.xml" /grant *S-1-5-32-545:F /T /C (PID: 3056)
- ExManBridgeTalkCmd.exe (PID: 1596)
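The command lines in the process tree above, turned into detection logic as an added example. This is not part of the Hybrid Analysis report and not code from the BeautyRetouch installer or from Adobe's Extension Manager; it shows three checks that, run over process-creation telemetry (Sysmon Event ID 1 or an EDR's process events), would catch what the tree records: icacls granting Full control to BUILTIN\Users (S-1-5-32-545) recursively under %ALLUSERSPROFILE%, the Electron renderer launched with both --no-sandbox and --node-integration=true, and the crash-reporter endpoint handed over as a cleartext http:// URL to a bare IP on a non-standard port. The Event record, the rule names, the SHARED_ROOTS list and SAMPLE_EVENTS (constructed from the command lines above, plus one made-up read-only grant as a control that must not fire) are assumptions for this example, not fields or names of any particular product.

```python
"""Added example: detection rules for the process command lines in this report.

Not part of the sandbox report or of the analysed installer. Event, the rule
names, SHARED_ROOTS and SAMPLE_EVENTS are assumptions made for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Well-known groups that contain every local user; a Full/Modify grant to them
# is effectively "world-writable" on a shared machine.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Machine-wide roots (assumed list): files here are read by other accounts and
# by the application itself, so weakening their DACL is a tampering vector.
SHARED_ROOTS = ("%ALLUSERSPROFILE%", "%PROGRAMDATA%", "%PROGRAMFILES%",
                "C:\\PROGRAMDATA", "C:\\PROGRAM FILES")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # Windows-style split: quoted runs stay whole
INHERIT_RE = re.compile(r"\([A-Z]+\)")  # (OI)(CI)(IO)... prefixes on an icacls right


@dataclass(frozen=True)
class Event:
    pid: int
    image: str
    cmdline: str


def tokenize(cmdline):
    """Split on whitespace while keeping double-quoted arguments intact."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def check_icacls(ev):
    """icacls <shared path> /grant <broad group>:F|M  -> DACL weakened for all users."""
    toks = tokenize(ev.cmdline)
    if not toks or toks[0].lower() not in ("icacls", "icacls.exe") or len(toks) < 2:
        return None
    path = toks[1]
    if not path.upper().startswith(SHARED_ROOTS):
        return None                       # per-user paths (e.g. %APPDATA%) are not flagged
    recursive = any(t.upper() == "/T" for t in toks)
    for i, t in enumerate(toks[:-1]):
        if t.lower() in ("/grant", "/grant:r") and ":" in toks[i + 1]:
            principal, perm = toks[i + 1].rsplit(":", 1)
            sid = principal.lstrip("*")   # icacls writes SIDs as *S-1-..., names bare
            rights = set(INHERIT_RE.sub("", perm).upper().split(","))
            if sid in BROAD_SIDS and rights & {"F", "M"}:
                detail = f"{BROAD_SIDS[sid]} granted {perm} on {path}"
                return ("icacls_broad_grant", detail + (" (recursive)" if recursive else ""))
    return None


def check_electron_flags(ev):
    """Chromium/Electron child with the OS sandbox off and Node.js exposed to web content."""
    toks = set(tokenize(ev.cmdline))
    if "--no-sandbox" in toks and "--node-integration=true" in toks:
        return ("electron_unsandboxed_node",
                "renderer runs with Node APIs and no sandbox: injected script means code execution")
    return None


def check_reporter_url(ev):
    """Crash/telemetry endpoint that is cleartext HTTP and/or a bare IP address."""
    for t in tokenize(ev.cmdline):
        if not t.startswith("--reporter-url="):
            continue
        url = urlparse(t.split("=", 1)[1])
        problems = []
        if url.scheme == "http":
            problems.append("cleartext HTTP")
        try:
            ipaddress.ip_address(url.hostname or "")
            problems.append("bare IP instead of a hostname")
        except ValueError:
            pass
        if problems:
            return ("reporter_url_suspicious", f"{url.geturl()}: " + ", ".join(problems))
    return None


RULES = (check_icacls, check_electron_flags, check_reporter_url)


def run(events):
    """Apply every rule to every event; returns [(pid, rule_name, detail), ...]."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((ev.pid, *hit))
    return findings


# Constructed from the command lines in the process tree above, plus one
# read-only grant (PID 9001) made up as a control that must not fire.
SAMPLE_EVENTS = [
    Event(3096, "icacls.exe", r'icacls.exe "%ALLUSERSPROFILE%\Adobe\Extension Manager CC\EM Store" /grant *S-1-5-32-545:F /T /C'),
    Event(2200, "icacls.exe", r'icacls.exe "%ALLUSERSPROFILE%\Adobe\Extension Manager CC\Configuration\DB" /grant *S-1-5-32-545:F /T /C'),
    Event(2016, "icacls.exe", r'icacls.exe "%APPDATA%\Adobe\Extension Manager CC\Temp" /grant *S-1-5-32-545:F /T /C'),
    Event(4016, "BeautyRetouch.exe", 'BeautyRetouch.exe --reporter-url=http://54.249.141.255:1127/post "--application-name=Beauty Retouch" --v=1'),
    Event(3132, "BeautyRetouch.exe", 'BeautyRetouch.exe --type=gpu-process --no-sandbox --supports-dual-gpus=false'),
    Event(3524, "BeautyRetouch.exe", 'BeautyRetouch.exe --type=renderer --no-sandbox --lang=en-US --node-integration=true --num-raster-threads=1'),
    Event(2620, "ExManCmd.exe", r'ExManCmd.exe /install "%PROGRAMFILES%\(x86)\BeautyRetouch\resources\app\zxp\BR_CC_3_3.zxp"'),
    Event(9001, "icacls.exe", r'icacls.exe "C:\ProgramData\Example" /grant *S-1-5-32-545:RX /T'),
]

if __name__ == "__main__":
    for pid, rule, detail in run(SAMPLE_EVENTS):
        print(f"PID {pid:>5}  {rule:<26} {detail}")
```

Run as a script it prints four findings: the two machine-wide Users:F grants, the renderer, and the reporter URL. The %APPDATA% grant is deliberately left unflagged because the rule keys on shared roots, where a Users:F grant lets any local account replace files that other accounts, or the application reading them, later load; the gpu-process line has --no-sandbox but no Node integration and so does not fire. To use it on real telemetry, build Event from the CommandLine field of each process-creation record.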
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
23.35.140.166 | 443 TCP | exmancmd.exe PID: 2620 | United States |
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://nsis.sf.net/nsis_error | Domain/IP reference | 00009624-00003892-49803-73-00402D48 |
adobe.com | Domain/IP reference | 00015299-00001596-46138-1890-00E191E1 |
application.name | Domain/IP reference | 00013553-00002620-14163-242-01084950 |
Extracted Files
Displaying 39 extracted file(s). The remaining 72 file(s) are available in the full version and XML/JSON reports.
-
Malicious 5
-
-
Uninstall BeautyRetouch.exe
- Size
- 74KiB (75984 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- AV Scan Result
- Labeled as "BehavesLike.AdwareDotDo" (3/69)
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- 6c4646fe7bc6f57c521e62cd57c500fe
- SHA1
- 6a8982ad5873cb7732dab3a512c3be6d9bb7a31b
- SHA256
- 8b4c32ef31a1c6cbb104e4ba649bdf5c6873d2b683e4ea10a4d97c550cccf428
-
ffmpegsumo.dll
- Size
- 1.8MiB (1897472 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "No error" (1/67)
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- 553790486e9408116bdd395ef9b5209c
- SHA1
- 06c96015df05b66a86b11ae6c8a4167a5b385eda
- SHA256
- a8b334af755f0f0e1e791ee8727e106437871af0e310c57b53c64c486dcdc14a
-
libGLESv2.dll
- Size
- 1.5MiB (1570304 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Process crashed" (1/67)
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- 95a9e13c79572002acc5ee0000b6d441
- SHA1
- 8705139af10d8984fd4067f2015d087c5bd9cb7d
- SHA256
- ec0005d3135ea2505bbcbd45f4d7425e1ef9863966b34815e25fcbee8549a702
-
adobe_caps.dll
- Size
- 840KiB (859824 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Unavailable" (1/78)
- Runtime Process
- ExManBridgeTalkCmd.exe (PID: 2576)
- MD5
- f91e500b6c30df372761c6301f9e776e
- SHA1
- a8b447b0bb8c6173c6b2ca54a07dd5baddc42a0b
- SHA256
- 1895924fdade9330c3b88d58ae9fc6527af5fe6b51270f671fa23155a8e6dd27
-
System.dll
- Size
- 11KiB (11264 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "suspicious.low.ml" (1/78)
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- 55a26d7800446f1373056064c64c3ce8
- SHA1
- 80256857e9a0a9c8897923b717f3435295a76002
- SHA256
- 904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
-
-
Clean 12
-
-
d3dcompiler_47.dll
- Size
- 3.3MiB (3466856 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/78
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- c5b362bce86bb0ad3149c4540201331d
- SHA1
- 91bc4989345a4e26f06c0c781a21a27d4ee9bacd
- SHA256
- efbdbbcd0d954f8fdc53467de5d89ad525e4e4a9cfff8a15d07c6fdb350c407f
-
libEGL.dll
- Size
- 73KiB (74752 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/63
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- 6978692ded971e354264f31bc585f3d8
- SHA1
- 6be06fc582461124ebc5586b82ed9ddc102568e1
- SHA256
- 45dd22319eae8113eea3f727aabf64b5a32c953d5ba04435c907168f87e18af1
-
natives_blob.bin
- Size
- 402KiB (412135 bytes)
- Type
- data
- AV Scan Result
- 0/69
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- ba2853cd2b0001d826ac5e3b4d4ff58f
- SHA1
- c4b067ee2514266594fec9e9d32a989f8bc5391a
- SHA256
- d4d783ab1e64b2228977769fd940b10e455dd74bce3b9c175991d3268bc20380
-
AdobeExtensionsService.exe
- Size
- 687KiB (703040 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- 323cfa14a4e335d39eae10ba3ddbfbb6
- SHA1
- fbd72b56e89c3c4383202e98afd556d74dba9618
- SHA256
- 057e05e753f7fe8ac9fb58edfe1dafd68c027ed1ef774163289e1d0ea3b8b959
-
ExManBridgeTalkCmd.exe
- Size
- 380KiB (389184 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/69
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- 0737b667808992919340dc6a2a839bdf
- SHA1
- c92ffe3ea729950fb2da3179a3092c9ca976d289
- SHA256
- 63f346f447232c4da45b0b2bdd2ad30f1bdb4cb50e0f77fcd5a5e3d6fdbcd27e
-
ExManCmd.exe
- Size
- 1.1MiB (1163328 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/72
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- ffadac2f0c7e7a1502cc130cd9fc7803
- SHA1
- 30beec1b355b2b56173a1792c8fd1e8bd70926e7
- SHA256
- da6d2374c11c09088f6bbc629be8a001059f87da289cb1499bc91f6396f7c328
-
ExManCoreLib.dll
- Size
- 5MiB (5220928 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/71
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- 9b1c779203ae21a10b5beaf5d12b1b1d
- SHA1
- c3c4becf3c97d9ba326bb9f8b9e5fe7bbd2f9808
- SHA256
- 3aa875e74a8f7ef1590218da8e07b04c78bf40c10414544bae96a8ab565fe910
-
ExManZxpSign.dll
- Size
- 2.3MiB (2390080 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/72
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- 6b098a8c453bd36df8c2e5bc2869f6b0
- SHA1
- 79d82865fad80f0d05bfd34257131ee4fed9b4fe
- SHA256
- a9c3153b3ceb015080691c47c5606c4982339effcb4830fb46b6c2b6d6db9eac
-
ExtLib.dll
- Size
- 861KiB (881728 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/71
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- 04120132fc8ddb99d5d8a7f05341bd1a
- SHA1
- 7330e3acfcfbf28146fb8484fc7cdfef1839ec2b
- SHA256
- 6b496eb6fe8ce3c025ae1d898b117be5dd328651e42d0a415c45f9ff7cf07471
-
VulcanMessage5.dll
- Size
- 943KiB (965696 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/70
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- c32dab1475961368000092ec57d64521
- SHA1
- b1a819350fd9569b27e22f709dd38611e0bdc603
- SHA256
- 7937586466edf9998bd8a9609815639d2d50bbc4f5cb5afbea28bd092b72f33d
-
snapshot_blob.bin
- Size
- 681KiB (697644 bytes)
- Type
- data
- AV Scan Result
- 0/69
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- c772102237177d0529d81013fc21bb5c
- SHA1
- 8d10915058a86809ed230bb8a882e196171a3028
- SHA256
- 49f218cc3e81270ca5f90db29b275f04890ade29523ef65ed43b10787f8cc459
-
nsDialogs.dll
- Size
- 9.5KiB (9728 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/82
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- ee449b0adce56fbfa433b0239f3f81be
- SHA1
- ec1e4f9815ea592a3f19b1fe473329b8ddfa201c
- SHA256
- c1cc3aa4326e83a73a778dee0cf9afcc03a6bafb0a32cea791a27eb9c2288985
-
-
Informative Selection 3
-
-
ExMan.db
- Size
- 192KiB (196608 bytes)
- Type
- data
- Description
- SQLite 3.x database
- Runtime Process
- icacls.exe (PID: 2200)
- MD5
- e564e62c9e9b2e0ce44f3b179ffdea9c
- SHA1
- 787981ed4bab86b422bb3c74260b50ab6e069810
- SHA256
- 98d83b390d59cf8306acc90628b5320866144a3ea06096624ea173d9bdbecb29
-
XManConfigV2.xml
- Size
- 314KiB (321054 bytes)
- Type
- text
- Description
- XML 1.0 document, ASCII text
- Runtime Process
- icacls.exe (PID: 3056)
- MD5
- 179cddadbef00d6c5f652e8804682c09
- SHA1
- dfc16842fa9443f2a9454cdee2227f242e1cad1c
- SHA256
- 3a4c85b5d46891b83e2a38315e3bd13de99721281714f2135328998cc6f9cd9d
-
.DS_Store
- Size
- 6KiB (6148 bytes)
- Type
- unknown
- Description
- Apple Desktop Services Store
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- 194577a7e20bdcc7afbb718f502c134c
- SHA1
- df2fbeb1400acda0909a32c1cf6bf492f1121e07
- SHA256
- d65165279105ca6773180500688df4bdc69a2c7b771752f0a46ef120b7fd8ec3
-
-
Informative 19
-
-
ExMan.db-journal
- Size
- 13KiB (12824 bytes)
- Runtime Process
- icacls.exe (PID: 2200)
- MD5
- a3f3643136e6b2a3a069a787004e8829
- SHA1
- 743fb4b090004a0992da72e308835b4f93e76e85
- SHA256
- 08d565e5c05f0ee2039ef8529b9b748482bc09af57e54b7577671c3f61168094
-
TMP_20191008055524757
- Size
- 283KiB (289845 bytes)
- Runtime Process
- ExManCmd.exe (PID: 2620)
- MD5
- 8366429e0767346ab4773d4a6c969b1a
- SHA1
- a9564016ca45bde48949716932965536b5e77c38
- SHA256
- 50ec6aad9d7fd1b2094197c7295b1f88219bd921faa73576890110321cfc8e11
-
TMP_20191008055536615
- Size
- 283KiB (289845 bytes)
- Runtime Process
- ExManCmd.exe (PID: 2620)
- MD5
- 8366429e0767346ab4773d4a6c969b1a
- SHA1
- a9564016ca45bde48949716932965536b5e77c38
- SHA256
- 50ec6aad9d7fd1b2094197c7295b1f88219bd921faa73576890110321cfc8e11
-
TMP_20191008055536984
- Size
- 314KiB (321054 bytes)
- Runtime Process
- ExManCmd.exe (PID: 2620)
- MD5
- 179cddadbef00d6c5f652e8804682c09
- SHA1
- dfc16842fa9443f2a9454cdee2227f242e1cad1c
- SHA256
- 3a4c85b5d46891b83e2a38315e3bd13de99721281714f2135328998cc6f9cd9d
-
RA User Actions.atn
- Size
- 159B (159 bytes)
- Runtime Process
- ExManCmd.exe (PID: 2620)
- MD5
- 994d779203b9769ff22d6b18ee1e3a27
- SHA1
- 7f85bc1e7b28454024a7bc7b6368855f0b50d9c5
- SHA256
- 5c00da3d0127a50154b8429a1a17f0d1a80a914bf0a1d261a9f928a4d2cc5dfc
-
BeautyRetouch.mxi
- Size
- 11KiB (11402 bytes)
- Runtime Process
- ExManCmd.exe (PID: 2620)
- MD5
- f01879e916378dea2a69b0f9c7b3861a
- SHA1
- 69956f5da5eb28d9dcfe09b0dffde9ab0c56fda8
- SHA256
- c09b839f66848ca6277deb955e751ca2ad1d01db87245effbb38973059831e37
-
RA_Brushes CC2018.abr
- Size
- 23KiB (23787 bytes)
- Runtime Process
- ExManCmd.exe (PID: 2620)
- MD5
- 676b784e5da9996a74c804ec043ef5af
- SHA1
- 86e2f9ccb06568772f0aadc505d170e0cd10a5ab
- SHA256
- 5c66003471c2e71d6818f7b85957f14e90c66e0e71e2f1630c78bcbceec0014c
-
signatures.xml
- Size
- 3KiB (3048 bytes)
- Runtime Process
- ExManCmd.exe (PID: 2620)
- MD5
- 27f2d5d5f216599be56946561723d83a
- SHA1
- 7a93933c0b5ca68ce81e66d385c20f691a1a4cc1
- SHA256
- 035eda17e15f8aca75f17f7a4fe89c60e72646303b57287725739b94493de263
-
RA Brushes Presets CC2018.tpl
- Size
- 22KiB (22280 bytes)
- Runtime Process
- ExManCmd.exe (PID: 2620)
- MD5
- 9a08651a63cf9de0e839f7b2c65cba2d
- SHA1
- a9f79282d315824f9b47c9c19afb22a0c148dcc5
- SHA256
- ada77b80ec38524751b890fe4fd255463f86bb655974915bcd0a1f1bb5e7572b
-
brcc.zxp
- Size
- 710KiB (727504 bytes)
- Runtime Process
- ExManCmd.exe (PID: 2620)
- MD5
- 053d4931b7c31744629ddd16bbbfc49b
- SHA1
- 91dffd421d758844afb1d637f9fc5b3baaea0576
- SHA256
- f7ad4f78f6d980f4f0e634039655122e2c3799adfcb679df36892bfd28c750db
-
icon.png
- Size
- 16KiB (15958 bytes)
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- 8792923690bd90a093dceff27ff57da6
- SHA1
- 96fe3c6b0abaac0c993346d145a2c9759acd3f1d
- SHA256
- 8620623c2821ed5733e7d21788eb03ee9058ad7dcb67150a9ed9609c16c5d035
-
mimetype
- Size
- 41B (41 bytes)
- Runtime Process
- ExManCmd.exe (PID: 2620)
- MD5
- c08502997fc819570b793f6e81ce0495
- SHA1
- 20f805f7c716f09950bbc2f7a9c803e3f1cf57b4
- SHA256
- 6f4ece9eef5c4e518ad56a6f82d14e95f93e4e5d07b1cb8d22de8666d7ac3d7f
-
Uninstall BeautyRetouch.lnk
- Size
- 1.1KiB (1135 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Oct 8 03:53:05 2019, mtime=Tue Oct 8 03:53:05 2019, atime=Tue Oct 8 03:53:05 2019, length=75984, window=hide
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- c1609090227548c4b14bf4dcafcd8dfd
- SHA1
- 596e3dc762778065ddf8ff98ec873c1bed7e0173
- SHA256
- 5ab7af7a1833c4e9832a7635411ba5100e41d0849d065fc9022860283f9d4e77
-
EMCL.log
- Size
- 1.1KiB (1130 bytes)
- Runtime Process
- ExManCmd.exe (PID: 2620)
- MD5
- de789f7c46a25bf16d9f3036c808b76e
- SHA1
- 65fd1a6136a6dffcb00f08fd8376935f1038e91a
- SHA256
- 3411fd56e1cc6111b7745a46f39ce59a3b7122387dec76cdd64b2f34c0e3e1b5
-
DevTools Extensions
- Size
- 2B (2 bytes)
- Runtime Process
- BeautyRetouch.exe (PID: 4052)
- MD5
- d751713988987e9331980363e24189ce
- SHA1
- 97d170e1550eee4afc0af065b78cda302a97674c
- SHA256
- 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
-
d4a8d9cdf699b865a4593290eb741749_6b06490d-f9fd-424c-8b6d-83edc4369e89
- Size
- 48B (48 bytes)
- Runtime Process
- ExManBridgeTalkCmd.exe (PID: 2372)
- MD5
- 3bd9159a7248531ed3bda449e339db98
- SHA1
- 20cbc993534b3fb3f2cbae34bf1393fab730ae13
- SHA256
- 3e98e210391515538bd5aa8e899fa98197c8d40bce8b8f3d04c802a0d847b006
-
BeautyRetouch.exe
- Size
- 5MiB (5216145 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- 6620ae7690c47a11fd2c05eb93d743a4
- SHA1
- c32a5c7b4e76e329d21febe1b55c773e99138446
- SHA256
- 4566e27957744dcd3f3f40d9c3a4c70f1ad564c505aea495971327103f118f0f
-
node.dll
- Size
- 5MiB (5225776 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- dbb47685fab9476c973abcec64dac6bb
- SHA1
- 8540ed652a25e1629baeba0d032ffab1182fb620
- SHA256
- f6e9760684baae6407bf1b7c6856cc5161a551c7ca44419c07a3a5ed925166ae
-
BeautyRetouch.lnk
- Size
- 1KiB (1067 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Aug 30 11:11:24 2019, mtime=Tue Oct 8 03:52:21 2019, atime=Fri Aug 30 11:11:24 2019, length=57772032, window=hide
- Runtime Process
- BeautyRetouch_v3.3_Setup.exe (PID: 3892)
- MD5
- fa68ada67a20b81cadadca5440c52a7e
- SHA1
- 6c27d6b6970213f83087f14fc2d66148476ef080
- SHA256
- fd9d2c902d652c11dd1075fedc8a9a4a208ee1502deddd22f41785abb615d924
-
Notifications
-
Runtime
- Extracted file "BeautyRetouch.exe" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/4566e27957744dcd3f3f40d9c3a4c70f1ad564c505aea495971327103f118f0f/analysis/1570514432/")
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all file accesses are visible for icacls.exe (PID: 1412)
- Not all file accesses are visible for icacls.exe (PID: 1420)
- Not all file accesses are visible for icacls.exe (PID: 2016)
- Not all file accesses are visible for icacls.exe (PID: 2200)
- Not all file accesses are visible for icacls.exe (PID: 2500)
- Not all file accesses are visible for icacls.exe (PID: 3056)
- Not all file accesses are visible for icacls.exe (PID: 3096)
- Not all file accesses are visible for icacls.exe (PID: 3288)
- Not all file accesses are visible for icacls.exe (PID: 3472)
- Not all file accesses are visible for icacls.exe (PID: 3712)
- Not all sources for indicator ID "api-0" are available in the report
- Not all sources for indicator ID "api-11" are available in the report
- Not all sources for indicator ID "api-25" are available in the report
- Not all sources for indicator ID "api-26" are available in the report
- Not all sources for indicator ID "api-39" are available in the report
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-35" are available in the report
- Not all sources for indicator ID "registry-72" are available in the report
- Not all sources for indicator ID "static-1" are available in the report
- Not all sources for indicator ID "static-6" are available in the report
- Not all sources for indicator ID "stream-4" are available in the report
- Not all sources for indicator ID "stream-49" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report