File name:

PlayCap-0.1.1-win32.exe

Full analysis: https://app.any.run/tasks/62c52787-22e5-4b73-8fa7-0b16632b3271
Verdict: Malicious activity
Analysis date: October 20, 2023, 17:40:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

ED94C5BF820AC5CDD1F627D8330970B4

SHA1:

5E1D6FBBFD495DB68FF70B07E4055DD158083E9D

SHA256:

5BD66F2B0A5C017063D9F1D2F424181163A02D95651009C373DC7708B4B81C17

SSDEEP:

49152:tGFjR3xH8XdyhFO3/w/pEVVcBOSxWbrYlqbttnNUjm2gOQz1lWLIzpseywKcus6z:tG7BH4F/wuVVcB7sQcbttnNUjpQz1fW9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • PlayCap-0.1.1-win32.exe (PID: 2888)
      • WinPcap_4_1_1.exe (PID: 792)
      • playcap.exe (PID: 3184)
    • Drops the executable file immediately after the start

      • PlayCap-0.1.1-win32.exe (PID: 2888)
      • WinPcap_4_1_1.exe (PID: 792)
    • Application was dropped or rewritten from another process

      • WinPcap_4_1_1.exe (PID: 792)
      • PlayCap-0.1.1-win32.exe (PID: 2888)
      • PlayCap-0.1.1-win32.exe (PID: 1396)
      • playcap.exe (PID: 3184)
    • Starts NET.EXE for service management

      • net.exe (PID: 1240)
      • WinPcap_4_1_1.exe (PID: 792)
    • Creates a writable file in the system directory

      • WinPcap_4_1_1.exe (PID: 792)
  • SUSPICIOUS

    • Reads the Internet Settings

      • WinPcap_4_1_1.exe (PID: 792)
    • Reads Microsoft Outlook installation path

      • WinPcap_4_1_1.exe (PID: 792)
    • Creates files in the driver directory

      • WinPcap_4_1_1.exe (PID: 792)
    • The process creates files with name similar to system file names

      • WinPcap_4_1_1.exe (PID: 792)
    • Drops a system driver (possible attempt to evade defenses)

      • WinPcap_4_1_1.exe (PID: 792)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • WinPcap_4_1_1.exe (PID: 792)
    • Creates or modifies Windows services

      • WinPcap_4_1_1.exe (PID: 792)
    • Reads Internet Explorer settings

      • WinPcap_4_1_1.exe (PID: 792)
  • INFO

    • Reads the computer name

      • PlayCap-0.1.1-win32.exe (PID: 2888)
      • WinPcap_4_1_1.exe (PID: 792)
      • playcap.exe (PID: 3184)
    • Checks supported languages

      • PlayCap-0.1.1-win32.exe (PID: 2888)
      • WinPcap_4_1_1.exe (PID: 792)
      • playcap.exe (PID: 3184)
    • Create files in a temporary directory

      • PlayCap-0.1.1-win32.exe (PID: 2888)
      • WinPcap_4_1_1.exe (PID: 792)
    • Reads Environment values

      • WinPcap_4_1_1.exe (PID: 792)
    • Checks proxy server information

      • WinPcap_4_1_1.exe (PID: 792)
    • Creates files in the program directory

      • PlayCap-0.1.1-win32.exe (PID: 2888)
      • WinPcap_4_1_1.exe (PID: 792)
    • Reads the machine GUID from the registry

      • WinPcap_4_1_1.exe (PID: 792)
      • playcap.exe (PID: 3184)
    • Manual execution by a user

      • explorer.exe (PID: 3936)
      • playcap.exe (PID: 3184)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:12:05 23:50:41+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 23040
InitializedDataSize: 119808
UninitializedDataSize: 1024
EntryPoint: 0x30cb
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
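The EXIF block above is exiftool's reading of the PE headers, and the TRiD line rests on the Nullsoft signature in the overlay. The Python example below is added here and is not part of the ANY.RUN report: it builds a constructed stand-in image carrying only the header values shown on this page (no code, no sections, a fake overlay with the NSIS first-header magic), then walks those headers back out with the same labels exiftool uses. Two points it makes visible: the TimeDateStamp is stored as UTC seconds and exiftool printed it in the sandbox's local zone, hence 23:50:41+01:00; and because makensis copies a precompiled stub, an NSIS installer's timestamp dates the NSIS toolchain, not the moment PlayCap was packaged. Everything else about the image (image base, alignments, sizes of image and headers) is an assumption chosen only to make the headers well-formed.

```python
"""Walk the PE32 headers that exiftool summarises in the report (added example)."""
import struct
from datetime import datetime, timedelta, timezone

# IMAGE_FILE_HEADER.Characteristics bits, labelled the way exiftool prints them
CHARACTERISTICS = {
    0x0001: "No relocs",        # IMAGE_FILE_RELOCS_STRIPPED
    0x0002: "Executable",       # IMAGE_FILE_EXECUTABLE_IMAGE
    0x0004: "No line numbers",  # IMAGE_FILE_LINE_NUMS_STRIPPED
    0x0008: "No symbols",       # IMAGE_FILE_LOCAL_SYMS_STRIPPED
    0x0100: "32-bit",           # IMAGE_FILE_32BIT_MACHINE
    0x2000: "DLL",              # IMAGE_FILE_DLL
}
MACHINES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows command line"}
OPT_FMT = "<HBBIIIIIIIIIHHHHHHIIIIH"  # PE32 optional header up to and including Subsystem (70 bytes)
NSIS_SIG = b"\xef\xbe\xad\xdeNullsoftInst"  # NSIS first-header magic: 0xDEADBEEF + "NullsoftInst"


def build_sample_pe() -> bytes:
    """Constructed stand-in: DOS stub + COFF + optional header with the values from this report,
    then a fake NSIS overlay. It is not the real sample; image base, alignments and sizes are assumed."""
    # exiftool printed the stamp in the sandbox's local zone (+01:00); the field itself is UTC seconds
    ts = int(datetime(2009, 12, 5, 23, 50, 41, tzinfo=timezone(timedelta(hours=1))).timestamp())
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE signature right after the DOS header
    # machine, sections, stamp, symbol table ptr, symbol count, optional header size, characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 0, ts, 0, 0, 224, 0x010F)
    opt = struct.pack(OPT_FMT,
                      0x10B, 6, 0,                   # PE32 magic, linker 6.0
                      23040, 119808, 1024,           # code / initialised / uninitialised sizes
                      0x30CB, 0x1000, 0x7000,        # entry point, base of code, base of data
                      0x400000, 0x1000, 0x200,       # image base, section alignment, file alignment
                      4, 0, 6, 0, 4, 0,              # OS, image and subsystem versions (major, minor)
                      0, 0x1B000, 0x400, 0,          # Win32 version, size of image, size of headers, checksum
                      2).ljust(224, b"\0")           # IMAGE_SUBSYSTEM_WINDOWS_GUI, padded to the PE32 size
    return bytes(dos) + b"PE\0\0" + coff + opt + NSIS_SIG


def parse_pe_header(data: bytes) -> dict:
    """Return the fields exiftool labels, decoded from the raw headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    (magic, lmaj, lmin, code, idata, udata, entry, _, _, _, _, _,
     osmaj, osmin, imaj, imin, smaj, smin, _, _, _, _, subsys) = struct.unpack_from(OPT_FMT, data, pe + 24)
    return {
        "MachineType": MACHINES.get(machine, hex(machine)),
        "TimeStamp": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "ImageFileCharacteristics": ", ".join(n for bit, n in CHARACTERISTICS.items() if chars & bit),
        "PEType": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "LinkerVersion": f"{lmaj}.{lmin}",
        "CodeSize": code, "InitializedDataSize": idata, "UninitializedDataSize": udata,
        "EntryPoint": hex(entry),
        "OSVersion": f"{osmaj}.{osmin}", "ImageVersion": f"{imaj}.{imin}",
        "SubsystemVersion": f"{smaj}.{smin}",
        "Subsystem": SUBSYSTEMS.get(subsys, str(subsys)),
    }


def looks_like_nsis(data: bytes) -> bool:
    """TRiD's 'NSIS' call rests on the Nullsoft first-header signature that sits in the overlay."""
    return NSIS_SIG in data


if __name__ == "__main__":
    sample = build_sample_pe()
    for k, v in parse_pe_header(sample).items():
        print(f"{k}: {v}")
    print("NSIS overlay:", looks_like_nsis(sample))
```

Run against a real file, `parse_pe_header(open(path, "rb").read())` gives the same dictionary; the characteristics value 0x010F and linker 6.0 are what the NSIS 2.x stub carries, so they identify the packaging tool rather than anything about the PlayCap payload.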
All screenshots are available in the full report
Total processes
50
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Edge labels: "drop and start", "start"
Nodes: playcap-0.1.1-win32.exe; winpcap_4_1_1.exe (no specs); net.exe (no specs); net1.exe (no specs); explorer.exe (no specs); playcap.exe (no specs); playcap-0.1.1-win32.exe (no specs)
Per-process details are in the full report.

Process information

PID: 792
CMD: "C:\Program Files\PlayCap 0.1.1\WinPcap_4_1_1.exe"
Path: C:\Program Files\PlayCap 0.1.1\WinPcap_4_1_1.exe
Parent process: PlayCap-0.1.1-win32.exe
User:
admin
Company:
CACE Technologies, Inc.
Integrity Level:
HIGH
Description:
WinPcap 4.1.1 installer
Exit code:
0
Version:
4.1.0.1753
Modules
Images
c:\program files\playcap 0.1.1\winpcap_4_1_1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
PID: 1240
CMD: net start npf
Path: C:\Windows\System32\net.exe
Parent process: WinPcap_4_1_1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\samcli.dll
PID: 1396
CMD: "C:\Users\admin\Desktop\PlayCap-0.1.1-win32.exe"
Path: C:\Users\admin\Desktop\PlayCap-0.1.1-win32.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the image requires elevation, so this medium-integrity launch, which loaded only ntdll.dll, was aborted; the elevated run is PID 2888)
Modules
Images
c:\users\admin\desktop\playcap-0.1.1-win32.exe
c:\windows\system32\ntdll.dll
PID: 2484
CMD: C:\Windows\system32\net1 start npf
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
PID: 2888
CMD: "C:\Users\admin\Desktop\PlayCap-0.1.1-win32.exe"
Path: C:\Users\admin\Desktop\PlayCap-0.1.1-win32.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\playcap-0.1.1-win32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 3184
CMD: "C:\Program Files\PlayCap 0.1.1\bin\playcap.exe"
Path: C:\Program Files\PlayCap 0.1.1\bin\playcap.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\program files\playcap 0.1.1\bin\playcap.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 3936
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
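The process table names each parent by image rather than by PID, so both PlayCap-0.1.1-win32.exe rows (1396 at MEDIUM, 2888 at HIGH) are candidates for WinPcap_4_1_1.exe's parent, and the exit code of PID 1396 is an NTSTATUS shown as an unsigned decimal. The Python example below is added here and is not part of the ANY.RUN report: it transcribes the table, decodes that exit code, locates the single UAC boundary crossing of the run (a child above every monitored process that could be its parent) and pulls the service name out of the net.exe / net1.exe command lines. The NTSTATUS names and integrity ranks are the standard Windows values; the rows are copied from the table above.

```python
"""Triage of the sandbox process table: exit codes, UAC crossings, service starts (added example)."""
from dataclasses import dataclass

NTSTATUS = {  # exit codes >= 0xC0000000 are NTSTATUS values; the sandbox shows them as unsigned decimals
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
}
LEVEL = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}


@dataclass
class Proc:
    pid: int
    image: str
    cmd: str
    parent: str      # parent image name, as the report gives it (no parent PID)
    integrity: str
    exit_code: int


PROCS = [  # transcribed from the Process information table on this page
    Proc(792, "WinPcap_4_1_1.exe", r'"C:\Program Files\PlayCap 0.1.1\WinPcap_4_1_1.exe"', "PlayCap-0.1.1-win32.exe", "HIGH", 0),
    Proc(1240, "net.exe", "net start npf", "WinPcap_4_1_1.exe", "HIGH", 0),
    Proc(1396, "PlayCap-0.1.1-win32.exe", r'"C:\Users\admin\Desktop\PlayCap-0.1.1-win32.exe"', "explorer.exe", "MEDIUM", 3221226540),
    Proc(2484, "net1.exe", r"C:\Windows\system32\net1 start npf", "net.exe", "HIGH", 0),
    Proc(2888, "PlayCap-0.1.1-win32.exe", r'"C:\Users\admin\Desktop\PlayCap-0.1.1-win32.exe"', "explorer.exe", "HIGH", 0),
    Proc(3184, "playcap.exe", r'"C:\Program Files\PlayCap 0.1.1\bin\playcap.exe"', "explorer.exe", "MEDIUM", 0),
    Proc(3936, "explorer.exe", r'"C:\Windows\explorer.exe"', "explorer.exe", "MEDIUM", 1),
]


def decode_exit(code: int) -> str:
    """Name an NTSTATUS-style exit code; ordinary process return values are echoed as-is."""
    if code >= 0xC0000000:
        return NTSTATUS.get(code, f"NTSTATUS {code:#010x}")
    return str(code)


def children_by_parent(procs):
    """Group PIDs under the parent image name the report gives (a name, not a PID)."""
    tree = {}
    for p in procs:
        tree.setdefault(p.parent, []).append(p.pid)
    return tree


def uac_crossings(procs):
    """PIDs running above every monitored process that could be their parent.
    A parent name with both a MEDIUM and a HIGH candidate (WinPcap's parent here) is not
    counted: the HIGH candidate explains the child's level without another UAC prompt."""
    out = []
    for p in procs:
        cands = [q for q in procs if q.image == p.parent and q.pid != p.pid]
        if cands and all(LEVEL[q.integrity] < LEVEL[p.integrity] for q in cands):
            out.append(p.pid)
    return out


def service_starts(procs):
    """Map PID -> service for 'net start <svc>', 'net1 start <svc>' and 'sc start <svc>' command lines."""
    found = {}
    for p in procs:
        tokens = p.cmd.replace('"', "").split()
        if len(tokens) < 3:
            continue
        exe = tokens[0].rsplit("\\", 1)[-1].lower()
        if exe in ("net", "net.exe", "net1", "net1.exe", "sc", "sc.exe") and tokens[1].lower() == "start":
            found[p.pid] = tokens[2].lower()
    return found


if __name__ == "__main__":
    for p in PROCS:
        print(f"{p.pid:>5} {p.integrity:<6} exit={decode_exit(p.exit_code):<26} {p.image} <- {p.parent}")
    print("UAC crossings:", uac_crossings(PROCS))
    print("Service starts:", service_starts(PROCS))
```

The output shows one crossing, PID 2888, which is the elevated re-launch of the installer after PID 1396 died with STATUS_ELEVATION_REQUIRED; the net.exe pair started the service named npf, the NPF packet-capture driver that WinPcap installs. The "Starts NET.EXE for service management" indicator above is this chain.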
Total events
5 465
Read events
5 432
Write events
32
Delete events
1

Modification events

PID 792 WinPcap_4_1_1.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write   Name: ProxyBypass
Value: 1

PID 792 WinPcap_4_1_1.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write   Name: IntranetName
Value: 1

PID 792 WinPcap_4_1_1.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write   Name: UNCAsIntranet
Value: 1

PID 792 WinPcap_4_1_1.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write   Name: AutoDetect
Value: 0

PID 792 WinPcap_4_1_1.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write   Name: CachePrefix
Value: Cookie:

PID 792 WinPcap_4_1_1.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write   Name: CachePrefix
Value: Visited:

PID 792 WinPcap_4_1_1.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NPF
Operation: write   Name: Start
Value: 3

PID 3184 playcap.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write   Name: NodeSlots
Value: 020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202

PID 3184 playcap.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write   Name: MRUListEx
Value: 01000000020000000000000007000000060000000C0000000B0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF

PID 3184 playcap.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\201\Shell
Operation: write   Name: SniffedFolderType
Value: Generic
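ANY.RUN's text export runs each registry event together onto four lines ("Process:(792) WinPcap_4_1_1.exeKey:HKEY_...", "Operation:writeName:Start", "Value:", the value). The Python example below is added here and is not part of the report: it parses that layout back into records and annotates the three kinds of write seen above. The NPF write sets the driver's service Start value, and 3 is SERVICE_DEMAND_START, which is why the installer then has to run net start npf itself; the ZoneMap and Cache keys are the per-user WinINet/urlmon URL-zone and cache settings, worth a look because ProxyBypass and intranet-zone membership change how URLs are trusted; the BagMRU/Bags writes by playcap.exe are shellbags, the folder-view state that a common file dialog leaves behind when the user browses (playcap.exe loads comdlg32.dll). The three events in the constructed copy are taken from the list above; the Start-value names are the SCM constants from winnt.h.

```python
"""Parse and annotate ANY.RUN registry modification events (added example)."""
import re

# Three of the events listed above, in the exact run-together layout of the text export (constructed copy)
RAW_EVENTS = r"""(PID) Process:(792) WinPcap_4_1_1.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(792) WinPcap_4_1_1.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NPF
Operation:writeName:Start
Value:
3
(PID) Process:(3184) playcap.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:MRUListEx
Value:
01000000020000000000000007000000060000000C0000000B0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF
"""

HEAD = re.compile(r"^\(PID\) Process:\((\d+)\) (.+?)Key:(.+)$")
OP = re.compile(r"^Operation:(\w+)Name:(.+)$")   # \w+ backtracks to 'write' so that 'Name:' can match
SERVICE_KEY = re.compile(r"\\services\\([^\\]+)$", re.IGNORECASE)
START_VALUES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
                3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}


def parse_events(text: str):
    """Yield one dict per 4-line record: header, operation/name, 'Value:' marker, value."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for i in range(0, len(lines) - 3, 4):
        head, op, marker, value = lines[i:i + 4]
        m, o = HEAD.match(head), OP.match(op)
        if not (m and o and marker == "Value:"):
            raise ValueError(f"unexpected record at line {i}: {head!r}")
        yield {"pid": int(m.group(1)), "process": m.group(2), "key": m.group(3),
               "op": o.group(1), "name": o.group(2), "value": value}


def annotate(ev: dict) -> dict:
    """Attach a category, a severity and a one-line reading to an event."""
    key, name, value = ev["key"], ev["name"], ev["value"]
    svc = SERVICE_KEY.search(key)
    if svc and key.upper().startswith("HKEY_LOCAL_MACHINE\\SYSTEM\\"):
        note = f"service {svc.group(1)}: {name}={value}"
        if name == "Start" and value.isdigit():
            note += f" ({START_VALUES.get(int(value), 'unknown')})"
        cat, sev = "service-config", "review"
    elif "\\Internet Settings\\ZoneMap" in key:
        cat, sev = "wininet-zonemap", "review"
        note = f"URL security zone setting {name}={value} (affects intranet/proxy-bypass trust)"
    elif "\\Internet Settings\\5.0\\Cache\\" in key:
        cat, sev = "wininet-cache", "info"
        note = "WinINet cache container initialisation"
    elif "\\Shell\\BagMRU" in key or "\\Shell\\Bags\\" in key:
        cat, sev = "shellbags", "info"
        note = "Explorer folder-view state; records folders browsed (e.g. via a file dialog)"
    else:
        cat, sev, note = "other", "info", f"{name}={value}"
    return {**ev, "category": cat, "severity": sev, "note": note}


def triage(text: str):
    return [annotate(ev) for ev in parse_events(text)]


if __name__ == "__main__":
    for ev in triage(RAW_EVENTS):
        print(f"[{ev['severity']:<6}] PID {ev['pid']} {ev['process']}: {ev['note']}")
```

Feeding the full event list gives one "review" line for the NPF service and four for the zone map, and "info" for the cache and shellbag writes; the shellbag entries are also the forensic trace of which folders the user opened from inside playcap.exe.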
Executable files
24
Suspicious files
4
Text files
9
Unknown types
0

Dropped files

PID 2888 PlayCap-0.1.1-win32.exe
File: C:\Users\admin\AppData\Local\Temp\nsuBDC1.tmp\UserInfo.dll (executable)
MD5: 7579ADE7AE1747A31960A228CE02E666
SHA256: 564C80DEC62D76C53497C40094DB360FF8A36E0DC1BDA8383D0F9583138997F5

PID 792 WinPcap_4_1_1.exe
File: C:\Users\admin\AppData\Local\Temp\nsoE1E3.tmp\ioSpecial.ini (text)
MD5: E2D5070BC28DB1AC745613689FF86067
SHA256: D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0

PID 2888 PlayCap-0.1.1-win32.exe
File: C:\Program Files\PlayCap 0.1.1\WinPcap_4_1_1.exe (executable)
MD5: 2CAA5498171B21388168C13AD4F4A157
SHA256: 8E57D910173FB471F4A02911D652A4A65C1632CACB67F759472B1D7EC9995F87

PID 2888 PlayCap-0.1.1-win32.exe
File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PlayCap\PlayCap.lnk (binary)
MD5: D7EC98B3B8A3DD0A8FB7EFCD4E892B38
SHA256: 0D90609DD83C1BD656FDBD3B24ED2F54766873E36E4CD89993827C4F92F7111A

PID 2888 PlayCap-0.1.1-win32.exe
File: C:\Program Files\PlayCap 0.1.1\bin\playcap.exe (executable)
MD5: 562D436F89937E0892BD5850F4BC420F
SHA256: D172DEEB0D9AC16C6C18C2A92EB482B642D90F1D98C145932B55469B5F18FCD9

PID 2888 PlayCap-0.1.1-win32.exe
File: C:\Program Files\PlayCap 0.1.1\bin\pthreadVC2.dll (executable)
MD5: 5EEBA1AFEB9A050ACB0EF64A4EC6C736
SHA256: 20230A540850E454B4CD0DD11B34D66D6826DE1F839A5AC72B96BD32F76CCCC3

PID 2888 PlayCap-0.1.1-win32.exe
File: C:\Users\admin\AppData\Local\Temp\nsuBDC1.tmp\StartMenu.dll (executable)
MD5: A4173B381625F9F12AADB4E1CDAEFDB8
SHA256: 7755FF2707CA19344D489A5ACEC02D9E310425FA6E100D2F13025761676B875B

PID 2888 PlayCap-0.1.1-win32.exe
File: C:\Program Files\PlayCap 0.1.1\bin\libpng13.dll (executable)
MD5: 04865CBF31FF163A422D44C39747F011
SHA256: BCC18FAEE81A2362B2BEBC58208FF23E8A9641DD5843DD6692C19F942E0259BC

PID 2888 PlayCap-0.1.1-win32.exe
File: C:\Program Files\PlayCap 0.1.1\Uninstall.exe (executable)
MD5: 45D394860066EA4B66E91688D999EE75
SHA256: 3CB387842ED5CF346D5BC4797E998337D9FE527ECCB13240967BE8A8B6C512E1

PID 2888 PlayCap-0.1.1-win32.exe
File: C:\Program Files\PlayCap 0.1.1\bin\zlib1.dll (executable)
MD5: 80E41408F6D641DC1C0F5353A0CC8125
SHA256: B09537250201236472CCD3CAFF5C0C12A5FAD262E1E951350E9E5ED2A81D9DDE
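The dropped-file rows in the text export run PID, process, path and type together ("2888PlayCap-0.1.1-win32.exeC:\...\UserInfo.dllexecutable"). The Python example below is added here and is not the report's own output: it splits a constructed copy of four of those rows back apart, classifies each drop by where it landed, and builds an indicator list that leaves out the files unpacked under %TEMP%\ns*.tmp. UserInfo.dll and StartMenu.dll there are stock NSIS plug-ins that ship with every NSIS build, so their hashes match countless benign installers and are poor indicators of this particular sample; the files written under Program Files are the ones specific to it. Rows and hashes are copied from the list above; only the row selection is the example's.

```python
"""Reparse ANY.RUN dropped-file rows and pick IOC-quality hashes (added example)."""
import re

# Four rows copied from the dropped-files list above, in the run-together text layout (constructed copy)
RAW_DROPS = r"""2888PlayCap-0.1.1-win32.exeC:\Users\admin\AppData\Local\Temp\nsuBDC1.tmp\UserInfo.dllexecutable
MD5:7579ADE7AE1747A31960A228CE02E666
SHA256:564C80DEC62D76C53497C40094DB360FF8A36E0DC1BDA8383D0F9583138997F5
792WinPcap_4_1_1.exeC:\Users\admin\AppData\Local\Temp\nsoE1E3.tmp\ioSpecial.initext
MD5:E2D5070BC28DB1AC745613689FF86067
SHA256:D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0
2888PlayCap-0.1.1-win32.exeC:\Program Files\PlayCap 0.1.1\WinPcap_4_1_1.exeexecutable
MD5:2CAA5498171B21388168C13AD4F4A157
SHA256:8E57D910173FB471F4A02911D652A4A65C1632CACB67F759472B1D7EC9995F87
2888PlayCap-0.1.1-win32.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\PlayCap\PlayCap.lnkbinary
MD5:D7EC98B3B8A3DD0A8FB7EFCD4E892B38
SHA256:0D90609DD83C1BD656FDBD3B24ED2F54766873E36E4CD89993827C4F92F7111A
"""

# PID, then the shortest process name ending in .exe, then a drive-rooted path, then the type word at the end
ROW = re.compile(r"^(\d+)(.+?\.exe)([A-Za-z]:\\.+?)(executable|text|binary)$")
NSIS_TEMP = re.compile(r"\\AppData\\Local\\Temp\\ns[^\\]+\.tmp\\", re.IGNORECASE)


def parse_drops(text: str):
    """Yield one dict per 3-line record: fused row, MD5 line, SHA256 line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for i in range(0, len(lines) - 2, 3):
        m = ROW.match(lines[i])
        if not (m and lines[i + 1].startswith("MD5:") and lines[i + 2].startswith("SHA256:")):
            raise ValueError(f"unexpected row at line {i}: {lines[i]!r}")
        yield {"pid": int(m.group(1)), "process": m.group(2), "path": m.group(3),
               "type": m.group(4), "md5": lines[i + 1][4:], "sha256": lines[i + 2][7:]}


def location(path: str) -> str:
    """Where the drop landed, which says more about intent than the file name does."""
    low = path.lower()
    if NSIS_TEMP.search(path):
        return "nsis-plugin-temp"          # %TEMP%\nsXXXX.tmp: NSIS unpacks its own plug-ins here
    if "\\windows\\system32\\drivers\\" in low:
        return "driver-dir"
    if low.startswith("c:\\windows\\"):
        return "system-dir"
    if low.startswith("c:\\program files"):
        return "install-dir"
    if "\\start menu\\" in low:
        return "start-menu"
    return "other"


def indicators(records):
    """SHA-256 of dropped executables, minus the NSIS plug-in drops that would only cause false positives."""
    return [r["sha256"] for r in records
            if r["type"] == "executable" and location(r["path"]) != "nsis-plugin-temp"]


if __name__ == "__main__":
    recs = list(parse_drops(RAW_DROPS))
    for r in recs:
        print(f"PID {r['pid']:>4} {location(r['path']):<17} {r['type']:<10} {r['path']}")
    print("IOC sha256:", indicators(recs))
```

On the full list above this keeps the WinPcap installer, playcap.exe, Uninstall.exe and the three bundled DLLs under Program Files, and drops UserInfo.dll and StartMenu.dll; a "driver-dir" hit would correspond to the "Creates files in the driver directory" indicator, which the report attributes to WinPcap_4_1_1.exe but whose rows are not among the ten shown here.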
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 2656
Process: svchost.exe
IP: 239.255.255.250:1900
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

The Domain, ASN and CN columns are empty for all three rows.
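None of the three connections belongs to a monitored process: PID 4 is the System process and 2656 is a svchost.exe outside the seven monitored PIDs, and every destination is either the subnet broadcast address on the NetBIOS ports or the SSDP multicast group. The Python example below is added here and is not part of the report; it makes that attribution check explicit and separates "the sample reached the Internet" from OS discovery chatter. The /24 mask is an assumption read off the 192.168.100.255 address, and the 8.8.8.8:53 row is a constructed control case that the report never recorded.

```python
"""Attribute sandbox connections to the sample or to OS background chatter (added example)."""
import ipaddress

LAN = ipaddress.ip_network("192.168.100.0/24")   # assumption: the sandbox LAN is a /24
SAMPLE_PIDS = {792, 1240, 1396, 2484, 2888, 3184, 3936}  # monitored PIDs from the process table
DISCOVERY_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram", 1900: "SSDP",
                   5353: "mDNS", 5355: "LLMNR"}

CONNECTIONS = [  # (pid, process, endpoint): first three copied from the table, the last one constructed
    (4, "System", "192.168.100.255:137"),
    (2656, "svchost.exe", "239.255.255.250:1900"),
    (4, "System", "192.168.100.255:138"),
    (2888, "PlayCap-0.1.1-win32.exe", "8.8.8.8:53"),
]


def scope_of(ip: ipaddress.IPv4Address) -> str:
    """multicast / broadcast / local / external, checked in that order so 192.168.x.255 is broadcast."""
    if ip.is_multicast:
        return "multicast"
    if ip == LAN.broadcast_address or ip == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "local"
    return "external"


def classify(pid: int, process: str, endpoint: str) -> dict:
    host, port = endpoint.rsplit(":", 1)
    ip, port = ipaddress.ip_address(host), int(port)
    scope = scope_of(ip)
    attributable = pid in SAMPLE_PIDS
    if attributable and scope == "external":
        verdict = "sample reached the Internet: review"
    elif attributable:
        verdict = "sample talked on the LAN: review"
    elif scope == "external":
        verdict = "unmonitored host process reached the Internet: check"
    else:
        verdict = "OS discovery chatter, not the sample"
    return {"pid": pid, "process": process, "endpoint": endpoint, "scope": scope,
            "service": DISCOVERY_PORTS.get(port, f"port {port}"),
            "attributable": attributable, "verdict": verdict}


def sample_external(conns):
    """Endpoints the monitored processes reached outside local, broadcast and multicast ranges."""
    return [c["endpoint"] for c in (classify(*x) for x in conns)
            if c["attributable"] and c["scope"] == "external"]


if __name__ == "__main__":
    for x in CONNECTIONS:
        c = classify(*x)
        print(f"PID {c['pid']:>5} {c['process']:<24} {c['endpoint']:<22} {c['scope']:<9} "
              f"{c['service']:<20} {c['verdict']}")
    print("Sample -> Internet:", sample_external(CONNECTIONS))
```

With only the three recorded rows the external list is empty, which matches the zero HTTP requests and zero DNS requests below: whatever the "Reads Internet Settings" and "Checks proxy server information" indicators reflect, the installer did not go out to the network during this run.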

DNS requests

No data

Threats

No threats detected
No debug info