File name:

FSCaptureSetup97.exe

Full analysis: https://app.any.run/tasks/ca482042-1dfa-45e3-a366-9f07639c594c
Verdict: Malicious activity
Analysis date: December 20, 2023, 23:40:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

E90E3FA5F43BA1E4B5864BE39F023307

SHA1:

7BF6570B5AD79502EEE5EF70C6C7845C3A984119

SHA256:

4447348C4323B21A4F35945083EEA282E69DD2E7447070D8C6DDDDBFE0F139CF

SSDEEP:

98304:/vt0lfPZcRWJOfL4WOy1bf9FJTRjXXQFVuDJJyzVTBcXvq1h7HdYnCr5gpeWMCWy:9ct+T/A8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • FSCaptureSetup97.exe (PID: 2268)

  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • FSCaptureSetup97.exe (PID: 2268)

    • The process creates files with name similar to system file names

      • FSCaptureSetup97.exe (PID: 2268)

  • INFO

    • Checks supported languages

      • FSCaptureSetup97.exe (PID: 2268)
      • FSCapture.exe (PID: 1864)

    • Creates files in the program directory

      • FSCaptureSetup97.exe (PID: 2268)

    • Create files in a temporary directory

      • FSCaptureSetup97.exe (PID: 2268)

    • Reads the computer name

      • FSCaptureSetup97.exe (PID: 2268)
      • FSCapture.exe (PID: 1864)

    • Reads the machine GUID from the registry

      • FSCaptureSetup97.exe (PID: 2268)

    • Manual execution by a user

      • FSCapture.exe (PID: 1864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:08:01 04:44:18+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26112
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x35d8
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 9.7.0.0
ProductVersionNumber: 9.7.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: FastStone Capture 9.7
CompanyName: FastStone Corporation
FileDescription: FastStone Capture 9.7 Setup
FileVersion: 9.7.0.0
LegalCopyright: Copyright (C) 2021 by FastStone Corporation
LegalTrademarks: -
ProductName: FastStone Capture
ProductVersion: 9.7
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start fscapturesetup97.exe fscapture.exe no specs fscapturesetup97.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1864"C:\Program Files\FastStone Capture\FSCapture.exe" C:\Program Files\FastStone Capture\FSCapture.exeexplorer.exe
User:
admin
Company:
FastStone Corporation
Integrity Level:
MEDIUM
Description:
FastStone Capture
Exit code:
0
Version:
9.7.0.0
Modules
Images
c:\program files\faststone capture\fscapture.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2044"C:\Users\admin\AppData\Local\Temp\FSCaptureSetup97.exe" C:\Users\admin\AppData\Local\Temp\FSCaptureSetup97.exeexplorer.exe
User:
admin
Company:
FastStone Corporation
Integrity Level:
MEDIUM
Description:
FastStone Capture 9.7 Setup
Exit code:
3221226540
Version:
9.7.0.0
Modules
Images
c:\users\admin\appdata\local\temp\fscapturesetup97.exe
c:\windows\system32\ntdll.dll
2268"C:\Users\admin\AppData\Local\Temp\FSCaptureSetup97.exe" C:\Users\admin\AppData\Local\Temp\FSCaptureSetup97.exe
explorer.exe
User:
admin
Company:
FastStone Corporation
Integrity Level:
HIGH
Description:
FastStone Capture 9.7 Setup
Exit code:
0
Version:
9.7.0.0
Modules
Images
c:\users\admin\appdata\local\temp\fscapturesetup97.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
Total events
959
Read events
959
Write events
0
Delete events
0

Modification events

No data
Executable files
11
Suspicious files
20
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
2268FSCaptureSetup97.exeC:\Users\admin\AppData\Local\Temp\nseFA60.tmp\modern-wizard.bmpimage
MD5:CBE40FD2B1EC96DAEDC65DA172D90022
SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
2268FSCaptureSetup97.exeC:\Program Files\FastStone Capture\FSCapture.exeexecutable
MD5:63ABEABDC23DBDE398CF12C2B8A9BEFF
SHA256:BFEBC8A35E1718C37138CB84FBC942697A61DCE7D8004EA419C094A11702568E
2268FSCaptureSetup97.exeC:\Users\admin\AppData\Local\Temp\nseFA60.tmp\InstallOptions.dllexecutable
MD5:0A9FB96A7579B685EC36B17FC354E6A3
SHA256:B34FB342F21D690AAC024B6F48A597E78D15791EF480AC55159CD585D0F64AF7
2268FSCaptureSetup97.exeC:\Users\admin\AppData\Local\Temp\nseFA60.tmp\ioSpecial.initext
MD5:E2D5070BC28DB1AC745613689FF86067
SHA256:D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0
2268FSCaptureSetup97.exeC:\Program Files\FastStone Capture\FSRecorder.exeexecutable
MD5:C7585E5EE822A84D866F5C42432BC973
SHA256:7DEC285575CA1EEC98AD55C881D26D7E7C04E9F96FC5B33E1F1DEFA87C6289FD
2268FSCaptureSetup97.exeC:\Program Files\FastStone Capture\FSLogo.pngimage
MD5:D03A70C659C1B548EE2076D3E937CEE6
SHA256:15DA9D859193790BC08AAA1C88CB61E318FC8E90D8D37D72A5884A028887A898
2268FSCaptureSetup97.exeC:\Program Files\FastStone Capture\FSCPlugin01.dllexecutable
MD5:F421919DA3CB7C44B086210D4D797D7A
SHA256:CF66F927D6D3EBC77D93567C25C9577803E5FB64201755D7773257C4C3ED5D2B
2268FSCaptureSetup97.exeC:\Program Files\FastStone Capture\LicenseAgreement.txttext
MD5:E802003F3A375DF1F1342BA0B5AE7E66
SHA256:E49E33EFF610C948362FBF7B383EFA95F585B99D19519B59BDE6870B9C4F02DB
2268FSCaptureSetup97.exeC:\Program Files\FastStone Capture\FSCIcon.dbexecutable
MD5:E4DD6134F0DA16B24F9DF1BBA0969F55
SHA256:3CC8478F1DE6BA82347702F74A0A413105189C26238123C6DE21635D751FFD80
2268FSCaptureSetup97.exeC:\Program Files\FastStone Capture\Languages\FSC02.fslangbinary
MD5:242B406A92A85F536DB64DD49E046886
SHA256:7FF49D83B8080D27860CF5AC71E96F8E82B43F62F719ACE0E903B66F0E38E894
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
Process
Message
FSCaptureSetup97.exe
ExecShellAsUser: elevated process detected
FSCaptureSetup97.exe
ExecShellAsUser: got desktop
FSCaptureSetup97.exe
ExecShellAsUser: DLL_PROCESS_DETACH
FSCaptureSetup97.exe
ExecShellAsUser: thread finished
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
FSCaptureSetup97.exe