File name: 한캡쳐 플러스_hancapture-plus.exe

Full analysis: https://app.any.run/tasks/41341a51-3f82-4963-b749-d56c534f1415
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 09, 2024, 05:05:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 94BA3C541E7B7CC778569C35C15C6E66
SHA1: D8C2FE8EC79BA94690979E57C378D9F22ED928A1
SHA256: 101CADC890E6F67407EE3CB4E46DC7571F635DED197422717DB89DED3DBB1B88
SSDEEP: 12288:hfgpO8IRB9BPG4J/97kWnymAujMW2MblGPg7x1xJToW:KpO8IRf13Jt9nymNMWXblGPg91vToW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 한캡쳐 플러스_hancapture-plus.exe (PID: 1120)
      • McryptSetup.exe (PID: 316)
      • WTPSetup.exe (PID: 1812)
      • hancapture-plus.exe (PID: 1940)
      • hancapture-plus.tmp (PID: 2508)
      • WebToPdfEx.exe (PID: 1788)
      • HanCapturePlus.exe (PID: 1868)
      • new_WebToPdfEx.exe (PID: 1976)
    • Uses Task Scheduler to autorun other applications

      • hancapture-plus.tmp (PID: 2508)
    • Unusual connection from system programs

      • rundll32.exe (PID: 2400)
  • SUSPICIOUS

    • Reads the Internet Settings

      • 한캡쳐 플러스_hancapture-plus.exe (PID: 1120)
      • MyencryptFix.exe (PID: 1652)
      • MyencryptC.exe (PID: 2012)
      • WebToPdfEx.exe (PID: 1788)
      • hancapture-plus.tmp (PID: 2508)
      • new_WebToPdfEx.exe (PID: 1976)
      • HanCapturePlus.exe (PID: 1868)
      • rundll32.exe (PID: 2400)
    • Adds/modifies Windows certificates

      • 한캡쳐 플러스_hancapture-plus.exe (PID: 1120)
    • Reads settings of System Certificates

      • 한캡쳐 플러스_hancapture-plus.exe (PID: 1120)
      • MyencryptFix.exe (PID: 1652)
      • WebToPdfEx.exe (PID: 1788)
      • new_WebToPdfEx.exe (PID: 1976)
      • rundll32.exe (PID: 2400)
    • Executable content was dropped or overwritten

      • 한캡쳐 플러스_hancapture-plus.exe (PID: 1120)
      • McryptSetup.exe (PID: 316)
      • hancapture-plus.exe (PID: 1940)
      • WTPSetup.exe (PID: 1812)
      • WebToPdfEx.exe (PID: 1788)
      • hancapture-plus.tmp (PID: 2508)
      • new_WebToPdfEx.exe (PID: 1976)
    • Reads security settings of Internet Explorer

      • 한캡쳐 플러스_hancapture-plus.exe (PID: 1120)
      • MyencryptFix.exe (PID: 1652)
      • MyencryptC.exe (PID: 2012)
      • hancapture-plus.tmp (PID: 2508)
      • WebToPdfEx.exe (PID: 1788)
      • new_WebToPdfEx.exe (PID: 1976)
      • HanCapturePlus.exe (PID: 1868)
    • Creates a software uninstall entry

      • McryptSetup.exe (PID: 316)
      • WTPSetup.exe (PID: 1812)
    • Starts CMD.EXE for commands execution

      • 한캡쳐 플러스_hancapture-plus.exe (PID: 1120)
    • Executing commands from a ".bat" file

      • 한캡쳐 플러스_hancapture-plus.exe (PID: 1120)
    • Process drops legitimate windows executable

      • WTPSetup.exe (PID: 1812)
      • hancapture-plus.tmp (PID: 2508)
    • Reads the Windows owner or organization settings

      • hancapture-plus.tmp (PID: 2508)
    • Process requests binary or script from the Internet

      • HanCapturePlus.exe (PID: 1868)
    • Uses RUNDLL32.EXE to load library

      • HanCapturePlus.exe (PID: 1868)
    • Changes Internet Explorer settings (feature browser emulation)

      • hancapture-plus.tmp (PID: 2508)
    • Reads Internet Explorer settings

      • rundll32.exe (PID: 2400)
    • Reads Microsoft Outlook installation path

      • rundll32.exe (PID: 2400)
  • INFO

    • Reads Environment values

      • 한캡쳐 플러스_hancapture-plus.exe (PID: 1120)
      • MyencryptFix.exe (PID: 1652)
      • WebToPdfEx.exe (PID: 1788)
      • new_WebToPdfEx.exe (PID: 1976)
    • Reads the software policy settings

      • 한캡쳐 플러스_hancapture-plus.exe (PID: 1120)
      • MyencryptFix.exe (PID: 1652)
      • WebToPdfEx.exe (PID: 1788)
      • new_WebToPdfEx.exe (PID: 1976)
      • rundll32.exe (PID: 2400)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1184)
    • Reads the machine GUID from the registry

      • 한캡쳐 플러스_hancapture-plus.exe (PID: 1120)
      • MyencryptFix.exe (PID: 1652)
      • WebToPdfEx.exe (PID: 1788)
      • HanCapturePlus.exe (PID: 1868)
      • WebToPdf.exe (PID: 1996)
      • new_WebToPdfEx.exe (PID: 1976)
      • WebToPdf.exe (PID: 2544)
    • Checks supported languages

      • 한캡쳐 플러스_hancapture-plus.exe (PID: 1120)
      • wmpnscfg.exe (PID: 1184)
      • McryptSetup.exe (PID: 316)
      • MyencryptFix.exe (PID: 1652)
      • MyencryptC.exe (PID: 2012)
      • WTPSetup.exe (PID: 1812)
      • WebToPdfEx.exe (PID: 1788)
      • hancapture-plus.exe (PID: 1940)
      • new_WebToPdfEx.exe (PID: 1976)
      • hancapture-plus.tmp (PID: 2508)
      • WebToPdf.exe (PID: 1996)
      • HanCapturePlus.exe (PID: 1868)
      • WebToPdf.exe (PID: 2544)
      • MyencryptC.exe (PID: 3384)
    • Reads the computer name

      • 한캡쳐 플러스_hancapture-plus.exe (PID: 1120)
      • wmpnscfg.exe (PID: 1184)
      • McryptSetup.exe (PID: 316)
      • MyencryptC.exe (PID: 2012)
      • MyencryptFix.exe (PID: 1652)
      • WTPSetup.exe (PID: 1812)
      • WebToPdfEx.exe (PID: 1788)
      • hancapture-plus.tmp (PID: 2508)
      • HanCapturePlus.exe (PID: 1868)
      • WebToPdf.exe (PID: 1996)
      • new_WebToPdfEx.exe (PID: 1976)
      • WebToPdf.exe (PID: 2544)
      • MyencryptC.exe (PID: 3384)
    • Create files in a temporary directory

      • 한캡쳐 플러스_hancapture-plus.exe (PID: 1120)
      • hancapture-plus.exe (PID: 1940)
      • hancapture-plus.tmp (PID: 2508)
    • Creates files or folders in the user directory

      • McryptSetup.exe (PID: 316)
      • WTPSetup.exe (PID: 1812)
      • WebToPdfEx.exe (PID: 1788)
      • hancapture-plus.tmp (PID: 2508)
      • rundll32.exe (PID: 2400)
      • new_WebToPdfEx.exe (PID: 1976)
    • Creates a software uninstall entry

      • hancapture-plus.tmp (PID: 2508)
    • Checks proxy server information

      • rundll32.exe (PID: 2400)
      • HanCapturePlus.exe (PID: 1868)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 2400)
    • Application launched itself

      • chrome.exe (PID: 2968)
      • chrome.exe (PID: 3364)
    • The process uses the downloaded file

      • chrome.exe (PID: 2984)
      • chrome.exe (PID: 3560)
    • Creates files in the program directory

      • chrome.exe (PID: 3364)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2079:04:24 07:28:40+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 584192
InitializedDataSize: 14848
UninitializedDataSize: -
EntryPoint: 0x9084e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2024.3.14.1
ProductVersionNumber: 2024.3.14.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: 소프트웨어 자료실 다운로더
CompanyName: (주)드림위즈 인터넷
FileDescription: 드림위즈 소프트웨어
FileVersion: 2024.03.14.1
InternalName: Dw_Software.exe
LegalCopyright: Copyright(c) 2021 by DreamWiz Internet All rights reserved.
LegalTrademarks: -
OriginalFileName: Dw_Software.exe
ProductName: DreamWiz Software
ProductVersion: 2024.03.14.1
AssemblyVersion: 2024.3.14.1
No data.
All screenshots are available in the full report
Total processes: 94
Monitored processes: 44
Malicious processes: 10
Suspicious processes: 0

Behavior graph

start 한캡쳐 플러스_hancapture-plus.exe wmpnscfg.exe no specs mcryptsetup.exe myencryptfix.exe myencryptc.exe no specs wtpsetup.exe webtopdfex.exe hancapture-plus.exe cmd.exe no specs hancapture-plus.tmp schtasks.exe no specs new_webtopdfex.exe hancaptureplus.exe webtopdf.exe rundll32.exe webtopdf.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs myencryptc.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs 한캡쳐 플러스_hancapture-plus.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 316
CMD: "C:\Users\admin\AppData\Local\Temp\McryptSetup.exe" /S
Path: C:\Users\admin\AppData\Local\Temp\McryptSetup.exe
Parent process: 한캡쳐 플러스_hancapture-plus.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\mcryptsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
PID: 1028
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1280 --field-trial-handle=1108,i,2008729939137384534,11375020356005888679,131072 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1120
CMD: "C:\Users\admin\Desktop\한캡쳐 플러스_hancapture-plus.exe"
Path: C:\Users\admin\Desktop\한캡쳐 플러스_hancapture-plus.exe
Parent process: explorer.exe
User:
admin
Company:
(주)드림위즈 인터넷
Integrity Level:
HIGH
Description:
드림위즈 소프트웨어
Exit code:
0
Version:
2024.03.14.1
Modules
Images
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\75b341f10c9579cbe1059d18f6f3b27b\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\api-ms-win-core-xstate-l2-1-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\2bef38851483abae82f1172c1aaa604c\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\167c4b04ac34ab24a58f841c21862a3e\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\59978a45568399ef08cfe99da6a725bb\system.windows.forms.ni.dll
c:\windows\system32\uxtheme.dll
PID: 1184
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1620
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=3064 --field-trial-handle=1108,i,2008729939137384534,11375020356005888679,131072 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
HIGH
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1628
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=3652 --field-trial-handle=1108,i,2008729939137384534,11375020356005888679,131072 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1652
CMD: C:\Users\admin\AppData\Roaming\Myencrypt\MyencryptFix.exe install
Path: C:\Users\admin\AppData\Roaming\Myencrypt\MyencryptFix.exe
Parent process: McryptSetup.exe
User:
admin
Company:
Plna11
Integrity Level:
HIGH
Description:
MyencrptFix
Exit code:
0
Version:
2024.05.07.1
Modules
Images
c:\users\admin\appdata\roaming\myencrypt\myencryptfix.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1788
CMD: "C:\Users\admin\AppData\Roaming\WebToPdf\WebToPdfEx.exe" install
Path: C:\Users\admin\AppData\Roaming\WebToPdf\WebToPdfEx.exe
Parent process: WTPSetup.exe
User:
admin
Company:
pal11
Integrity Level:
HIGH
Description:
WebToPdfEx
Exit code:
0
Version:
2023.05.24.1
Modules
Images
c:\users\admin\appdata\roaming\webtopdf\webtopdfex.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1812
CMD: "C:\Users\admin\AppData\Local\Temp\WTPSetup.exe" /S
Path: C:\Users\admin\AppData\Local\Temp\WTPSetup.exe
Parent process: 한캡쳐 플러스_hancapture-plus.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\wtpsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
PID: 1868
CMD: "C:\Users\admin\AppData\Roaming\Hantools\HanCapturePlus\HanCapturePlus.exe" ko_KR
Path: C:\Users\admin\AppData\Roaming\Hantools\HanCapturePlus\HanCapturePlus.exe
Parent process: hancapture-plus.tmp
User:
admin
Company:
DreamWiz Internet
Integrity Level:
HIGH
Description:
HanCapturePlus
Version:
1.0.0.15
Modules
Images
c:\users\admin\appdata\roaming\hantools\hancaptureplus\hancaptureplus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events: 54 538
Read events: 54 109
Write events: 385
Delete events: 44

Modification events

Process: (1120) 한캡쳐 플러스_hancapture-plus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\??? ???_hancapture-plus_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

Process: (1120) 한캡쳐 플러스_hancapture-plus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\??? ???_hancapture-plus_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

Process: (1120) 한캡쳐 플러스_hancapture-plus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\??? ???_hancapture-plus_RASAPI32
Operation: write
Name: FileTracingMask
Value:

Process: (1120) 한캡쳐 플러스_hancapture-plus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\??? ???_hancapture-plus_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

Process: (1120) 한캡쳐 플러스_hancapture-plus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\??? ???_hancapture-plus_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

Process: (1120) 한캡쳐 플러스_hancapture-plus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\??? ???_hancapture-plus_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

Process: (1120) 한캡쳐 플러스_hancapture-plus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\??? ???_hancapture-plus_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

Process: (1120) 한캡쳐 플러스_hancapture-plus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\??? ???_hancapture-plus_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0

Process: (1120) 한캡쳐 플러스_hancapture-plus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\??? ???_hancapture-plus_RASMANCS
Operation: write
Name: FileTracingMask
Value:

Process: (1120) 한캡쳐 플러스_hancapture-plus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\??? ???_hancapture-plus_RASMANCS
Operation: write
Name: ConsoleTracingMask
Value:
Executable files: 36
Suspicious files: 82
Text files: 52
Unknown types: 4

Dropped files

PID | Process | Filename | Type
316 | McryptSetup.exe | C:\Users\admin\AppData\Roaming\Myencrypt\MetroFramework.dll | executable
MD5: 34EA7F7D66563F724318E322FF08F4DB
SHA256: C2C12D31B4844E29DE31594FC9632A372A553631DE0A0A04C8AF91668E37CF49
316 | McryptSetup.exe | C:\Users\admin\AppData\Roaming\Myencrypt\Myencrypt.exe | executable
MD5: 10737E899AF534FEF7613F3EF93AAA13
SHA256: F604F049F6BE0C56EDCE99A62DE40E5D9D30BF997BE465B65327CFCE1AE7B07C
1812 | WTPSetup.exe | C:\Users\admin\AppData\Roaming\WebToPdf\MaterialSkin.dll | executable
MD5: 022F385E55D9D3D42A33B4CA999BF22A
SHA256: 3B0E1B3AF6D2B8B3D02B6CD52849277C9C8066C2AE565E68253D4551C37492D3
1812 | WTPSetup.exe | C:\Users\admin\AppData\Roaming\WebToPdf\WebToPdf.exe | executable
MD5: C7FDA9E27E18A4DB3D4E8307B76CB4DC
SHA256: CECC3E61E72D3504408E9DFFAB839B5C2D11C2E1A35E6837239A81EF6B70E401
1120 | 한캡쳐 플러스_hancapture-plus.exe | C:\Users\admin\AppData\Local\Temp\McryptSetup.exe | executable
MD5: 2C507CA23251C7FC3350DB133705E2DE
SHA256: D8211F7AF463B0300E84EB4A5CAE4B92A70DF1A99C174255CA56C18513077F38
316 | McryptSetup.exe | C:\Users\admin\AppData\Roaming\Myencrypt\MyencryptC.exe | executable
MD5: 917AF402CDC343CE37DC34D557AACB08
SHA256: 31FCC16AE3598FAA053E4FAB656AF77D39F50B557D5D82FE7B7E7CAD35DBCFA0
316 | McryptSetup.exe | C:\Users\admin\AppData\Roaming\Myencrypt\Myencrypt_x86.dll | executable
MD5: 25C0196091A5F4B436CCA629D6EF8664
SHA256: DB5496983E58DD3F3C13637CFA56FC6010B2B12EA5FE4D9019A5E2607342F1FD
316 | McryptSetup.exe | C:\Users\admin\AppData\Roaming\Myencrypt\MyencryptFix.exe | executable
MD5: A82AEEC37F00FD8CC821D3BACEC63035
SHA256: B38BB0E7C0254CA2EBE60CAD5EADA662EC28684DE4A44173736D8351FF558911
316 | McryptSetup.exe | C:\Users\admin\AppData\Roaming\Myencrypt\MetroFramework.Fonts.dll | executable
MD5: 65EF4B23060128743CEF937A43B82AA3
SHA256: C843869AACA5135C2D47296985F35C71CA8AF4431288D04D481C4E46CC93EE26
316 | McryptSetup.exe | C:\Users\admin\AppData\Roaming\Myencrypt\MetroFramework.Design.dll | executable
MD5: AB4C3529694FC8D2427434825F71B2B8
SHA256: 0A4A96082E25767E4697033649B16C76A652E120757A2CECAB8092AD0D716B65
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 38
TCP/UDP connections: 72
DNS requests: 70
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1120 | 한캡쳐 플러스_hancapture-plus.exe | GET | 200 | 183.110.214.137:80 | http://downsoftware.dreamwiz.com/images/dreamwiz.ico | KR | image | 9.07 Kb | unknown
1120 | 한캡쳐 플러스_hancapture-plus.exe | GET | 200 | 183.110.214.137:80 | http://downsoftware.dreamwiz.com/api/dl/request/hancapture-plus | KR | binary | 61 b | unknown
2508 | hancapture-plus.tmp | POST | 200 | 183.110.214.166:80 | http://www.hantools.co.kr/_counter/ins_v2.asp?type=8&mode=I&version=1.0.0.15&guid={1C0EDBDF-DAC6-4028-A548-72509BA5A0DC}&partnerid=1 | KR | - | - | unknown
2508 | hancapture-plus.tmp | GET | 200 | 183.110.214.185:80 | http://download.hantools.co.kr/addon/HanCaptureplus_ko_KR.ini | KR | text | 3.40 Kb | unknown
1868 | HanCapturePlus.exe | GET | 200 | 183.110.214.185:80 | http://download.hantools.co.kr/extention/toast.dat | KR | text | 20 b | unknown
1868 | HanCapturePlus.exe | GET | 200 | 183.110.214.166:80 | http://www.hantools.co.kr/_counter/ins_v2.asp?type=8&mode=E&version=1.0.0.15&guid={1C0EDBDF-DAC6-4028-A548-72509BA5A0DC}&partnerid=HanCapturePlus | KR | - | - | unknown
1868 | HanCapturePlus.exe | GET | 200 | 183.110.214.185:80 | http://download.hantools.co.kr/extention/Toast.dll | KR | executable | 5.83 Mb | unknown
2400 | rundll32.exe | GET | 200 | 183.110.214.150:80 | http://apppixel.mmnneo.com/settings?ncid=%7B5D73AE9D%2DCFB4%2D46EA%2D956A%2D019021D58EEE%7D&app=&dummy=1715234792 | KR | text | 1.92 Kb | unknown
2400 | rundll32.exe | GET | 200 | 183.110.214.185:80 | http://open.hantools.co.kr/v2/KeywordVariable.asp?ver=$&cddtc=$pt$&dummy=1715234794 | KR | text | 758 b | unknown
1868 | HanCapturePlus.exe | GET | 200 | 183.110.214.166:80 | http://www.hantools.co.kr/update/hancaptureplus/?version=1.0.0.15 | KR | text | 229 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
1120 | 한캡쳐 플러스_hancapture-plus.exe | 112.175.69.174:443 | www.noform.co.kr | Korea Telecom | KR | unknown
1652 | MyencryptFix.exe | 112.175.69.181:443 | www.networkbence.co.kr | Korea Telecom | KR | unknown
1652 | MyencryptFix.exe | 112.175.69.174:443 | www.noform.co.kr | Korea Telecom | KR | unknown
1788 | WebToPdfEx.exe | 112.175.69.181:443 | www.networkbence.co.kr | Korea Telecom | KR | unknown
1120 | 한캡쳐 플러스_hancapture-plus.exe | 183.110.214.137:80 | downsoftware.dreamwiz.com | Korea Telecom | KR | unknown
1120 | 한캡쳐 플러스_hancapture-plus.exe | 183.110.214.137:443 | downsoftware.dreamwiz.com | Korea Telecom | KR | unknown
1120 | 한캡쳐 플러스_hancapture-plus.exe | 121.160.102.14:443 | dl-cdn.bomul.com | Korea Telecom | KR | unknown

DNS requests

Domain | IP | Reputation
www.noform.co.kr | 112.175.69.174 | unknown
www.networkbence.co.kr | 112.175.69.181 | unknown
downsoftware.dreamwiz.com | 183.110.214.137 | unknown
software.dreamwiz.com | 183.110.214.137 | unknown
dl-cdn.bomul.com | 121.160.102.14 | unknown
www.google-analytics.com | 142.250.186.110 | whitelisted
www.hantools.co.kr | 183.110.214.166 | unknown
download.hantools.co.kr | 183.110.214.185 | unknown
apppixel.mmnneo.com | 183.110.214.150 | unknown
open.hantools.co.kr | 183.110.214.185 | unknown

Threats

PID | Process | Class | Message
- | - | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
- | - | Misc activity | ET INFO WinHttpRequest Downloading EXE
- | - | A Network Trojan was detected | ET MALWARE Likely Evil EXE download from WinHttpRequest non-exe extension
1 ETPRO signatures available at the full report
Debug output strings

Process | Message
WebToPdf.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Google\Chrome\User Data directory exists )