File name: | CapturePlus_v3.0.0.0.exe |
Full analysis: | https://app.any.run/tasks/5a664201-c9b7-448b-a058-7532699a6a86 |
Verdict: | Malicious activity |
Analysis date: | March 31, 2020, 04:50:26 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | C614FCE50829FC441F0D09F18AA82A51 |
SHA1: | 7443E4975F457765992B4E83AA1A76783ABC789E |
SHA256: | 9CE4AD239A47ADE3D3287C90584F8A102B2849658D7B642C4F013BECD3807A11 |
SSDEEP: | 98304:4IjQiBlA3E1pLgnWpzJvY46EkE7Byot+ay2NDwAY41Q:+ijioRJA4627BhtYN/41Q |
.exe | | | Win32 EXE PECompact compressed (generic) (62.6) |
---|---|---|
.exe | | | Win32 Executable Delphi generic (21.3) |
.exe | | | Win32 Executable (generic) (6.7) |
.exe | | | Win16/32 Executable Delphi generic (3.1) |
.exe | | | Generic Win/DOS Executable (3) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2018:03:20 07:00:21+01:00 |
PEType: | PE32 |
LinkerVersion: | 2.25 |
CodeSize: | 93696 |
InitializedDataSize: | 148992 |
UninitializedDataSize: | - |
EntryPoint: | 0x177f4 |
OSVersion: | 5 |
ImageVersion: | 6 |
SubsystemVersion: | 5 |
Subsystem: | Windows GUI |
FileVersionNumber: | 3.0.0.0 |
ProductVersionNumber: | 3.0.0.0 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Neutral |
CharacterSet: | Unicode |
Comments: | This installation was built with Inno Setup. |
CompanyName: | http://captureplus.net/ |
FileDescription: | CapturePlus Setup |
FileVersion: | 3.0.0.0 |
LegalCopyright: | |
ProductName: | CapturePlus |
ProductVersion: | 3.0.0.0 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 20-Mar-2018 06:00:21 |
Detected languages: |
|
Comments: | This installation was built with Inno Setup. |
CompanyName: | http://captureplus.net/ |
FileDescription: | CapturePlus Setup |
FileVersion: | 3.0.0.0 |
LegalCopyright: | - |
ProductName: | CapturePlus |
ProductVersion: | 3.0.0.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 8 |
Time date stamp: | 20-Mar-2018 06:00:21 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00015DB4 | 0x00015E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.31479 |
.itext | 0x00017000 | 0x00000F7C | 0x00001000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.82423 |
.data | 0x00018000 | 0x00000F1C | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.75532 |
.bss | 0x00019000 | 0x0000579C | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x0001F000 | 0x00000F3E | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.86171 |
.tls | 0x00020000 | 0x00000008 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x00021000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.170146 |
.rsrc | 0x00022000 | 0x000223C0 | 0x00022400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.64007 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.13965 | 1580 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 4.69584 | 16936 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 5.16891 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 5.19401 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 5.60548 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
4091 | 2.77471 | 156 | Latin 1 / Western European | UNKNOWN | RT_STRING |
4092 | 3.27116 | 204 | Latin 1 / Western European | UNKNOWN | RT_STRING |
4093 | 3.32381 | 176 | Latin 1 / Western European | UNKNOWN | RT_STRING |
4094 | 3.34866 | 628 | Latin 1 / Western European | UNKNOWN | RT_STRING |
4095 | 3.346 | 860 | Latin 1 / Western European | UNKNOWN | RT_STRING |
advapi32.dll |
comctl32.dll |
kernel32.dll |
oleaut32.dll |
user32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3148 | "C:\Users\admin\AppData\Local\Temp\CapturePlus_v3.0.0.0.exe" | C:\Users\admin\AppData\Local\Temp\CapturePlus_v3.0.0.0.exe | explorer.exe | |
User: admin Company: http://captureplus.net/ Integrity Level: MEDIUM Description: CapturePlus Setup Exit code: 0 Version: 3.0.0.0 | ||||
2484 | "C:\Users\admin\AppData\Local\Temp\is-ICD3V.tmp\CapturePlus_v3.0.0.0.tmp" /SL5="$90140,3549761,243712,C:\Users\admin\AppData\Local\Temp\CapturePlus_v3.0.0.0.exe" | C:\Users\admin\AppData\Local\Temp\is-ICD3V.tmp\CapturePlus_v3.0.0.0.tmp | — | CapturePlus_v3.0.0.0.exe |
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 | ||||
1780 | "C:\Users\admin\AppData\Local\Temp\CapturePlus_v3.0.0.0.exe" /SPAWNWND=$601CA /NOTIFYWND=$90140 | C:\Users\admin\AppData\Local\Temp\CapturePlus_v3.0.0.0.exe | CapturePlus_v3.0.0.0.tmp | |
User: admin Company: http://captureplus.net/ Integrity Level: HIGH Description: CapturePlus Setup Exit code: 0 Version: 3.0.0.0 | ||||
2696 | "C:\Users\admin\AppData\Local\Temp\is-H1IGN.tmp\CapturePlus_v3.0.0.0.tmp" /SL5="$C0122,3549761,243712,C:\Users\admin\AppData\Local\Temp\CapturePlus_v3.0.0.0.exe" /SPAWNWND=$601CA /NOTIFYWND=$90140 | C:\Users\admin\AppData\Local\Temp\is-H1IGN.tmp\CapturePlus_v3.0.0.0.tmp | CapturePlus_v3.0.0.0.exe | |
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 | ||||
1828 | "C:\Program Files\Internet Explorer\iexplore.exe" http://captureplus.net/php/link.php?lang=ko&product=captureplus&page=install | C:\Program Files\Internet Explorer\iexplore.exe | CapturePlus_v3.0.0.0.tmp | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
2288 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1828 CREDAT:275457 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3408 | "C:\Program Files\CapturePlus\CapturePlus.exe" | C:\Program Files\CapturePlus\CapturePlus.exe | CapturePlus_v3.0.0.0.tmp | |
User: admin Company: CapturePlus.net Integrity Level: HIGH Description: CapturePlus - Screen Capture App Exit code: 0 Version: 3.0.0.0 | ||||
3196 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1536 | "C:\Program Files\CapturePlus\CapturePlus.exe" | C:\Program Files\CapturePlus\CapturePlus.exe | explorer.exe | |
User: admin Company: CapturePlus.net Integrity Level: MEDIUM Description: CapturePlus - Screen Capture App Exit code: 0 Version: 3.0.0.0 | ||||
4044 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2696 | CapturePlus_v3.0.0.0.tmp | C:\Program Files\CapturePlus\is-NDPOK.tmp | — | |
MD5:— | SHA256:— | |||
2696 | CapturePlus_v3.0.0.0.tmp | C:\Program Files\CapturePlus\is-T6F61.tmp | — | |
MD5:— | SHA256:— | |||
2696 | CapturePlus_v3.0.0.0.tmp | C:\Program Files\CapturePlus\LibSSL\is-4INTC.tmp | — | |
MD5:— | SHA256:— | |||
2696 | CapturePlus_v3.0.0.0.tmp | C:\Program Files\CapturePlus\LibSSL\is-K0VNB.tmp | — | |
MD5:— | SHA256:— | |||
2696 | CapturePlus_v3.0.0.0.tmp | C:\Program Files\CapturePlus\language\is-B9RJC.tmp | — | |
MD5:— | SHA256:— | |||
2696 | CapturePlus_v3.0.0.0.tmp | C:\Program Files\CapturePlus\language\is-50N2O.tmp | — | |
MD5:— | SHA256:— | |||
2696 | CapturePlus_v3.0.0.0.tmp | C:\Program Files\CapturePlus\language\is-7IOVT.tmp | — | |
MD5:— | SHA256:— | |||
2696 | CapturePlus_v3.0.0.0.tmp | C:\Program Files\CapturePlus\language\is-B4530.tmp | — | |
MD5:— | SHA256:— | |||
2696 | CapturePlus_v3.0.0.0.tmp | C:\Program Files\CapturePlus\language\is-M7M8K.tmp | — | |
MD5:— | SHA256:— | |||
2696 | CapturePlus_v3.0.0.0.tmp | C:\Program Files\CapturePlus\language\is-RMRK1.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2288 | iexplore.exe | GET | 302 | 45.56.90.99:80 | http://captureplus.net/php/link.php?lang=ko&product=captureplus&page=install | US | — | — | malicious |
2288 | iexplore.exe | GET | 302 | 45.56.90.99:80 | http://captureplus.net/ | US | — | — | malicious |
3408 | CapturePlus.exe | GET | 200 | 45.56.90.99:80 | http://captureplus.net/php/update.php?program=Y2FwdHVyZXBsdXNfZW4%3D&q=QTVCQjQyNjczOEMyRkNBRENFMkQzM0JGQzI2QjRGNEM%3D&hkey=ODYyMDc5YjI4ZDZjNDIyNGM3ZjcxOTdkN2U2N2RjMDk%3D&v=U3RhbmRhcmQrVkdBK0dyYXBoaWNzK0FkYXB0ZXI%3D&o=TWljcm9zb2Z0K1dpbmRvd3MrNytQcm9mZXNzaW9uYWwrJTdDMzIlN0MxMDMz&ver=MjAxODEyMjgwMQ%3D%3D | US | text | 94 b | malicious |
2288 | iexplore.exe | GET | 200 | 216.58.207.35:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDfMYPZCGzPzwgAAAAAMgoG | US | der | 472 b | whitelisted |
2288 | iexplore.exe | GET | 200 | 216.58.207.35:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCBvB0n5ktWhAgAAAAAMgsn | US | der | 472 b | whitelisted |
2288 | iexplore.exe | GET | 200 | 216.58.207.35:80 | http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCECiNXDcMFIfFAgAAAABcZ1E%3D | US | der | 471 b | whitelisted |
2288 | iexplore.exe | GET | 200 | 216.58.207.35:80 | http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCECiNXDcMFIfFAgAAAABcZ1E%3D | US | der | 471 b | whitelisted |
2288 | iexplore.exe | GET | 200 | 216.58.207.35:80 | http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCECiNXDcMFIfFAgAAAABcZ1E%3D | US | der | 471 b | whitelisted |
2288 | iexplore.exe | GET | 200 | 216.58.207.35:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCBvB0n5ktWhAgAAAAAMgsn | US | der | 472 b | whitelisted |
2288 | iexplore.exe | GET | 200 | 216.58.207.35:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDL%2FQslYWVuogIAAAAAXGdc | US | der | 472 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2288 | iexplore.exe | 172.217.21.226:443 | adservice.google.com | Google Inc. | US | whitelisted |
2288 | iexplore.exe | 172.217.16.162:443 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted |
2288 | iexplore.exe | 45.56.90.99:80 | captureplus.net | Linode, LLC | US | malicious |
2288 | iexplore.exe | 104.18.20.226:80 | ocsp.globalsign.com | Cloudflare Inc | US | shared |
2288 | iexplore.exe | 45.56.90.99:443 | captureplus.net | Linode, LLC | US | malicious |
1828 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2288 | iexplore.exe | 104.18.21.226:80 | ocsp.globalsign.com | Cloudflare Inc | US | shared |
2288 | iexplore.exe | 172.217.23.98:443 | googleads.g.doubleclick.net | Google Inc. | US | whitelisted |
2288 | iexplore.exe | 216.58.207.35:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
3408 | CapturePlus.exe | 45.56.90.99:80 | captureplus.net | Linode, LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
captureplus.net |
| malicious |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.globalsign.com |
| whitelisted |
ocsp2.globalsign.com |
| whitelisted |
pagead2.googlesyndication.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
adservice.google.ie |
| whitelisted |
adservice.google.com |
| whitelisted |
googleads.g.doubleclick.net |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3408 | CapturePlus.exe | Potentially Bad Traffic | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) |
1536 | CapturePlus.exe | Potentially Bad Traffic | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) |