Windows Analysis Report
FSCaptureSetup107.exe

Overview

General Information

Sample name: FSCaptureSetup107.exe
Analysis ID: 1527895
MD5: 28627a37983f5dc8e00d9c03c7b2dec6
SHA1: dcfdb2464c29de44c6df1c1c0f5cf4a5342cfadb
SHA256: 762463fe496836bc1e6c6a58703f45182575b29494753df3145cd5c563e07f8c

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Compliance

Score: 49
Range: 0 - 100

Signatures

Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Compliance

Source: FSCaptureSetup107.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Window detected: < &BackI &AgreeCancelwww.FastStone.org www.FastStone.orgLicense AgreementPlease review the license terms before installing FastStone Capture 10.7.Press Page Down to see the rest of the agreement.Please read the following terms and conditions carefully before using FastStone Capture. Use of FastStone Capture indicates you accept the terms of this license agreement and warranty.1. Disclaimer of WarrantyFastStone Capture (this software) is provided "as-is" and without warranty of any kind express implied or otherwise including without limitation any warranty of merchantability or fitness for a particular purpose. In no event shall the author of this software be held liable for data loss damages loss of profits or any other kind of loss while using or misusing this software.2. LicenseFastStone Capture is shareware. You may try it free for 30 days. Once this 30-day period has expired you must either purchase a license to use this software or uninstall it from your computer promptly.3. Restrictions on Use FastStone Capture must not be decompiled disassembled reverse engineered or otherwise modified. Copyright (C) 2024 FastStone Corporation. All rights reserved.If you accept the terms of the agreement click I Agree to continue. You must accept the agreement to install FastStone Capture 10.7.
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Program Files (x86)\FastStone Capture\LicenseAgreement.txt
Source: FSCaptureSetup107.exe Static PE information: certificate valid
Source: FSCaptureSetup107.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\hesha\Desktop\FSCPlugin07_V1_035\FastStone.Ocr\obj\Release\FSCPlugin07.pdb source: FSCaptureSetup107.exe, 00000000.00000002.2338865430.00000000026E2000.00000004.00000020.00020000.00000000.sdmp, FSCPlugin07.exe.0.dr
Source: Binary string: C:\Users\hesha\Desktop\FSCPlugin07_V1_035\FastStone.Ocr\obj\Release\FSCPlugin07.pdbxP source: FSCaptureSetup107.exe, 00000000.00000002.2338865430.00000000026E2000.00000004.00000020.00020000.00000000.sdmp, FSCPlugin07.exe.0.dr
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: FSRecorder.exe.0.dr String found in binary or memory: http://avisynth.org
Source: FSCaptureSetup107.exe, FSCrossHair.exe.0.dr, FSCPlugin07.exe.0.dr, FSCPlugin06.exe.0.dr, FSRecorder.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: FSCaptureSetup107.exe, 00000000.00000002.2338865430.00000000026E2000.00000004.00000020.00020000.00000000.sdmp, FSCrossHair.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: FSCaptureSetup107.exe, 00000000.00000002.2338865430.00000000026E2000.00000004.00000020.00020000.00000000.sdmp, FSCrossHair.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: FSCaptureSetup107.exe, FSCPlugin07.exe.0.dr, FSCPlugin06.exe.0.dr, FSRecorder.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: FSCaptureSetup107.exe, FSCrossHair.exe.0.dr, FSCPlugin07.exe.0.dr, FSCPlugin06.exe.0.dr, FSRecorder.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: FSCaptureSetup107.exe, FSCrossHair.exe.0.dr, FSCPlugin07.exe.0.dr, FSCPlugin06.exe.0.dr, FSRecorder.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: FSCaptureSetup107.exe, FSCrossHair.exe.0.dr, FSCPlugin07.exe.0.dr, FSCPlugin06.exe.0.dr, FSRecorder.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: FSCaptureSetup107.exe, 00000000.00000002.2338865430.00000000026E2000.00000004.00000020.00020000.00000000.sdmp, FSCrossHair.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: FSCaptureSetup107.exe, FSCPlugin07.exe.0.dr, FSCPlugin06.exe.0.dr, FSRecorder.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: FSCaptureSetup107.exe, FSCrossHair.exe.0.dr, FSCPlugin07.exe.0.dr, FSCPlugin06.exe.0.dr, FSRecorder.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: FSRecorder.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: FSCaptureSetup107.exe, 00000000.00000002.2338865430.00000000026E2000.00000004.00000020.00020000.00000000.sdmp, FSCrossHair.exe.0.dr String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: FSCaptureSetup107.exe, 00000000.00000002.2338865430.00000000026E2000.00000004.00000020.00020000.00000000.sdmp, FSCrossHair.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: FSCaptureSetup107.exe, FSCPlugin07.exe.0.dr, FSCPlugin06.exe.0.dr, FSRecorder.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: FSCaptureSetup107.exe, 00000000.00000002.2338865430.00000000026E2000.00000004.00000020.00020000.00000000.sdmp, FSCrossHair.exe.0.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: FSCaptureSetup107.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: FSCaptureSetup107.exe, FSCPlugin07.exe.0.dr, FSCPlugin06.exe.0.dr, FSRecorder.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: FSCaptureSetup107.exe, FSCrossHair.exe.0.dr, FSCPlugin07.exe.0.dr, FSCPlugin06.exe.0.dr, FSRecorder.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: FSCaptureSetup107.exe, FSCrossHair.exe.0.dr, FSCPlugin07.exe.0.dr, FSCPlugin06.exe.0.dr, FSRecorder.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: FSCaptureSetup107.exe, 00000000.00000002.2338865430.00000000026E2000.00000004.00000020.00020000.00000000.sdmp, FSCrossHair.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: FSCaptureSetup107.exe, 00000000.00000002.2338865430.00000000026E2000.00000004.00000020.00020000.00000000.sdmp, FSCrossHair.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: FSCaptureSetup107.exe, FSCrossHair.exe.0.dr, FSCPlugin07.exe.0.dr, FSCPlugin06.exe.0.dr, FSRecorder.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: FSRecorder.exe.0.dr String found in binary or memory: http://sourceforge.net/projects/gplmpgdec/
Source: FSRecorder.exe.0.dr String found in binary or memory: http://www.axis.com/techsup/software/amc/index.htm
Source: FSRecorder.exe.0.dr String found in binary or memory: http://www.datastead.com/WMScriptWriter
Source: FSRecorder.exe.0.dr String found in binary or memory: http://www.datastead.com/WMScriptWriterU
Source: FSRecorder.exe.0.dr String found in binary or memory: http://www.datastead.com/_download/WMFDist11.zip
Source: FSCaptureSetup107.exe, FSCrossHair.exe.0.dr, FSCPlugin07.exe.0.dr, FSCPlugin06.exe.0.dr, FSRecorder.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: FSCaptureSetup107.exe, 00000000.00000002.2338865430.00000000026E2000.00000004.00000020.00020000.00000000.sdmp, FSCrossHair.exe.0.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: FSCaptureSetup107.exe, 00000000.00000002.2337132344.00000000004FF000.00000004.00000020.00020000.00000000.sdmp, FSCaptureSetup107.exe, 00000000.00000003.2335936709.00000000004FD000.00000004.00000020.00020000.00000000.sdmp, Website.url.0.dr String found in binary or memory: http://www.faststone.org
Source: FSCapture.exe, 00000004.00000000.2325806470.0000000000711000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.faststone.org/
Source: FSCapture.exe, 00000004.00000000.2325806470.0000000000711000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.faststone.org/FSCTutorial.htm
Source: FSCapture.exe, 00000004.00000000.2325806470.0000000000711000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.faststone.org/FSCTutorial.htmU
Source: FSCapture.exe, 00000004.00000000.2325806470.0000000000711000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.faststone.org/U
Source: FSRecorder.exe.0.dr String found in binary or memory: http://www.matroska.org/
Source: FSCapture.exe, 00000004.00000000.2325806470.0000000000711000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: https://www.faststone.org/order.htm
Source: FSCapture.exe, 00000004.00000000.2325806470.0000000000711000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: https://www.faststone.org/order.htmU
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405809
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: FSCPlugin03.dll.0.dr Static PE information: Number of sections : 11 > 10
Source: FSCPlugin02.dll.0.dr Static PE information: Number of sections : 11 > 10
Source: FSCaptureSetup107.exe, 00000000.00000002.2338865430.00000000026E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameX vs FSCaptureSetup107.exe
Source: FSCaptureSetup107.exe, 00000000.00000002.2338865430.00000000026E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFSCPlugin07.exe8 vs FSCaptureSetup107.exe
Source: FSCaptureSetup107.exe, 00000000.00000002.2338865430.00000000026E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibwebp.dllB vs FSCaptureSetup107.exe
Source: FSCaptureSetup107.exe, 00000000.00000002.2338865430.00000000026E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibsharpyuv.dllB vs FSCaptureSetup107.exe
Source: classification engine Classification label: clean4.winEXE@2/50@0/0
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHAutoComplete,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404AB5
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Program Files (x86)\FastStone Capture
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Users\Public\Desktop\FastStone Capture.lnk
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Mutant created: \Sessions\1\BaseNamedObjects\FSCapture
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Users\user\AppData\Local\Temp\nsf6303.tmp
Source: Yara match File source: C:\Program Files (x86)\FastStone Capture\FSCPlugin06.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\FastStone Capture\FSCPlugin04.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\nsk6323.tmp, type: DROPPED
Source: FSCaptureSetup107.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File read: C:\Users\user\Desktop\FSCaptureSetup107.exe
Source: unknown Process created: C:\Users\user\Desktop\FSCaptureSetup107.exe "C:\Users\user\Desktop\FSCaptureSetup107.exe"
Source: unknown Process created: C:\Program Files (x86)\FastStone Capture\FSCapture.exe "C:\Program Files (x86)\FastStone Capture\FSCapture.exe"
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: version.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: avifil32.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: msacm32.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: libwebp.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: libsharpyuv.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: mscms.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: coloradapterclient.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: icm32.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: d3d11.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: dcomp.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: dxgi.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Visit www.FastStone.org.lnk.0.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\FastStone Capture\Website.url
Source: Uninstall FastStone Capture.lnk.0.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\FastStone Capture\uninst.exe
Source: FastStone Capture.lnk.0.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\FastStone Capture\FSCapture.exe
Source: FastStone Capture.lnk0.0.dr LNK file: ..\..\..\Program Files (x86)\FastStone Capture\FSCapture.exe
Source: FastStone Capture Help.lnk.0.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\FastStone Capture\FSCaptureHelp.chm
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File written: C:\Users\user\AppData\Local\Temp\nsf6353.tmp\ioSpecial.ini
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Automated click: Next >
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Automated click: I Agree
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: FSCaptureSetup107.exe Static PE information: certificate valid
Source: FSCaptureSetup107.exe Static file information: File size 9173144 > 1048576
Source: FSCaptureSetup107.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\hesha\Desktop\FSCPlugin07_V1_035\FastStone.Ocr\obj\Release\FSCPlugin07.pdb source: FSCaptureSetup107.exe, 00000000.00000002.2338865430.00000000026E2000.00000004.00000020.00020000.00000000.sdmp, FSCPlugin07.exe.0.dr
Source: Binary string: C:\Users\hesha\Desktop\FSCPlugin07_V1_035\FastStone.Ocr\obj\Release\FSCPlugin07.pdbxP source: FSCaptureSetup107.exe, 00000000.00000002.2338865430.00000000026E2000.00000004.00000020.00020000.00000000.sdmp, FSCPlugin07.exe.0.dr
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Code function: 4_2_077D9915 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 4_2_077D9915
Source: FSCPlugin01.dll.0.dr Static PE information: real checksum: 0x5a4c2 should be: 0x540ce
Source: System.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x3d68
Source: FSCIcon.db.0.dr Static PE information: real checksum: 0x0 should be: 0xf25e
Source: InstallOptions.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x7de9
Source: FSCPlugin02.dll.0.dr Static PE information: section name: .didata
Source: FSCPlugin03.dll.0.dr Static PE information: section name: .didata
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Code function: 4_2_077D5091 push ecx; ret 4_2_077D50A4
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Code function: 4_2_1005CDC5 push ecx; ret 4_2_1005CDD8
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Code function: 4_2_0076C300 push 0076C32Ch; ret 4_2_0076C324
Source: libsharpyuv.dll.0.dr Static PE information: section name: .text entropy: 6.81310369329101
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Users\user\AppData\Local\Temp\nsf6353.tmp\InstallOptions.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Program Files (x86)\FastStone Capture\FSCrossHair.exe
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Program Files (x86)\FastStone Capture\libwebp.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Program Files (x86)\FastStone Capture\FSCPlugin06.exe
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Program Files (x86)\FastStone Capture\FSCPlugin04.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Program Files (x86)\FastStone Capture\FSRecorder.exe
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Program Files (x86)\FastStone Capture\libsharpyuv.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Program Files (x86)\FastStone Capture\FSFocus.exe
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Program Files (x86)\FastStone Capture\FSCPlugin02.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Users\user\AppData\Local\Temp\nsf6353.tmp\ShellExecAsUser.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Program Files (x86)\FastStone Capture\FSCPlugin07.exe
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Program Files (x86)\FastStone Capture\FSCPlugin01.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Program Files (x86)\FastStone Capture\FSCapture.exe
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Users\user\AppData\Local\Temp\nsf6353.tmp\System.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Program Files (x86)\FastStone Capture\uninst.exe
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Program Files (x86)\FastStone Capture\FSCIcon.db
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Program Files (x86)\FastStone Capture\FSCPlugin05.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Program Files (x86)\FastStone Capture\FSCPlugin03.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\Program Files (x86)\FastStone Capture\LicenseAgreement.txt
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FastStone Capture
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FastStone Capture\FastStone Capture.lnk
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FastStone Capture\FastStone Capture Help.lnk
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FastStone Capture\Visit www.FastStone.org.lnk
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FastStone Capture\Uninstall FastStone Capture.lnk
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Dropped PE file which has not been started: C:\Program Files (x86)\FastStone Capture\FSCrossHair.exe
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf6353.tmp\InstallOptions.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Dropped PE file which has not been started: C:\Program Files (x86)\FastStone Capture\FSCPlugin06.exe
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Dropped PE file which has not been started: C:\Program Files (x86)\FastStone Capture\FSRecorder.exe
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Dropped PE file which has not been started: C:\Program Files (x86)\FastStone Capture\FSCPlugin04.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Dropped PE file which has not been started: C:\Program Files (x86)\FastStone Capture\FSFocus.exe
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Dropped PE file which has not been started: C:\Program Files (x86)\FastStone Capture\FSCPlugin02.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf6353.tmp\ShellExecAsUser.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Dropped PE file which has not been started: C:\Program Files (x86)\FastStone Capture\FSCPlugin07.exe
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Dropped PE file which has not been started: C:\Program Files (x86)\FastStone Capture\FSCPlugin01.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Dropped PE file which has not been started: C:\Program Files (x86)\FastStone Capture\uninst.exe
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf6353.tmp\System.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Dropped PE file which has not been started: C:\Program Files (x86)\FastStone Capture\FSCIcon.db
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Dropped PE file which has not been started: C:\Program Files (x86)\FastStone Capture\FSCPlugin05.dll
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Dropped PE file which has not been started: C:\Program Files (x86)\FastStone Capture\FSCPlugin03.dll
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe API coverage: 0.3 %
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe File Volume queried: C:\Program Files (x86) FullSizeInformation
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Code function: 4_2_077D92A5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_077D92A5
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Code function: 4_2_077D8DEF _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_077D8DEF
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Code function: 4_2_077DCDAA __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_077DCDAA
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Code function: 4_2_1005D0E5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_1005D0E5
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Code function: 4_2_10059BFE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_10059BFE
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Code function: 4_2_10065C74 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind, 4_2_10065C74
Source: FSCapture.exe, 00000004.00000000.2325806470.0000000000711000.00000020.00000001.01000000.0000000B.sdmp Binary or memory string: TrayNotifyWndShell_TrayWndU
Source: FSCapture.exe, 00000004.00000000.2325806470.0000000000711000.00000020.00000001.01000000.0000000B.sdmp, FSCrossHair.exe.0.dr, FSRecorder.exe.0.dr Binary or memory string: Shell_TrayWnd
Source: FSCapture.exe, 00000004.00000000.2325806470.0000000000711000.00000020.00000001.01000000.0000000B.sdmp, FSRecorder.exe.0.dr Binary or memory string: SHELL_TRAYWND
Source: FSCapture.exe, 00000004.00000000.2325806470.0000000000711000.00000020.00000001.01000000.0000000B.sdmp Binary or memory string: Shell_TrayWndtooltips_class32SV
Source: FSCapture.exe, 00000004.00000000.2325806470.0000000000711000.00000020.00000001.01000000.0000000B.sdmp, FSCrossHair.exe.0.dr, FSRecorder.exe.0.dr Binary or memory string: Shell_TrayWndU
Source: FSCapture.exe, 00000004.00000000.2325806470.0000000000711000.00000020.00000001.01000000.0000000B.sdmp, FSRecorder.exe.0.dr Binary or memory string: PROGMAN
Source: FSCapture.exe, 00000004.00000000.2325806470.0000000000711000.00000020.00000001.01000000.0000000B.sdmp, FSRecorder.exe.0.dr Binary or memory string: SHELL_TRAYWNDU
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Code function: GetLocaleInfoA, 4_2_077DF93C
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Code function: GetLocaleInfoA, 4_2_100664E8
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Code function: 4_2_077D8CDB GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 4_2_077D8CDB
Source: C:\Users\user\Desktop\FSCaptureSetup107.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
No contacted IP infos