File name:

photo-ai.exe

Full analysis: https://app.any.run/tasks/95c63fd4-40ed-423d-a01e-96c163b34e77
Verdict: Malicious activity
Analysis date: December 15, 2023, 09:25:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

F24D0FC0C8A3F44556380D7ED6DE878A

SHA1:

3CE3194DC068EB33A08FDCAD1342937A96727926

SHA256:

0E7A5CC6A93CF4DA4E301728FF4494511640473724823BBD90DE7DBBF467D1A7

SSDEEP:

98304:Jvn2R9HEEh9J5tjX+Z4/4DexRANNj24C9MkY+YKqhQxGw8vVf9/IDOzspbinpLVZ:1sCNzz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads the Internet Settings

      • photo-ai.exe (PID: 1840)

    • Checks Windows Trust Settings

      • photo-ai.exe (PID: 1840)

    • Reads security settings of Internet Explorer

      • photo-ai.exe (PID: 1840)

    • Reads settings of System Certificates

      • photo-ai.exe (PID: 1840)

    • Checks for external IP

      • photo-ai.exe (PID: 1840)

  • INFO

    • Create files in a temporary directory

      • photo-ai.exe (PID: 1840)

    • Checks supported languages

      • photo-ai.exe (PID: 1840)
      • wmpnscfg.exe (PID: 4060)

    • Reads Environment values

      • photo-ai.exe (PID: 1840)

    • Checks proxy server information

      • photo-ai.exe (PID: 1840)

    • Reads the computer name

      • photo-ai.exe (PID: 1840)
      • wmpnscfg.exe (PID: 4060)

    • Creates files or folders in the user directory

      • photo-ai.exe (PID: 1840)

    • Reads the machine GUID from the registry

      • photo-ai.exe (PID: 1840)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 4060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:24 02:15:43+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 1916928
InitializedDataSize: 446464
UninitializedDataSize: 1372160
EntryPoint: 0x322e00
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 2.7.16.4
ProductVersionNumber: 2.7.16.4
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: HitPaw
FileDescription: HitPaw Photo AI
FileVersion: 2.7.16.4
LegalCopyright: Copyright © 2021-2023 HITPAW CO.,LIMITED All Rights Reserved.
ProductName: 20231124091516
ProductVersion: 2.7.16.4
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start photo-ai.exe wmpnscfg.exe no specs photo-ai.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1840"C:\Users\admin\AppData\Local\Temp\photo-ai.exe" C:\Users\admin\AppData\Local\Temp\photo-ai.exe
explorer.exe
User:
admin
Company:
HitPaw
Integrity Level:
HIGH
Description:
HitPaw Photo AI
Exit code:
0
Version:
2.7.16.4
Modules
Images
c:\users\admin\appdata\local\temp\photo-ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
1864"C:\Users\admin\AppData\Local\Temp\photo-ai.exe" C:\Users\admin\AppData\Local\Temp\photo-ai.exeexplorer.exe
User:
admin
Company:
HitPaw
Integrity Level:
MEDIUM
Description:
HitPaw Photo AI
Exit code:
3221226540
Version:
2.7.16.4
Modules
Images
c:\users\admin\appdata\local\temp\photo-ai.exe
c:\windows\system32\ntdll.dll
4060"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
4 509
Read events
4 485
Write events
24
Delete events
0

Modification events

(PID) Process:(1840) photo-ai.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1840) photo-ai.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000005A010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1840) photo-ai.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1840) photo-ai.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1840) photo-ai.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1840) photo-ai.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1840) photo-ai.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1840) photo-ai.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1840) photo-ai.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
0
Suspicious files
5
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
1840photo-ai.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_FB287BEB63DB9E8D59A799779773B97Cbinary
MD5:31D75FA9E7DA4DBA1405B60D5196162A
SHA256:1D6F50A7D8EA3F4AC6E702E08901E24D8BF4F87B7BDA0AD9FEDCC53389C3308F
1840photo-ai.exeC:\Users\admin\AppData\Local\Temp\hitpawphotoai_hitpaw\galog.jsonbinary
MD5:6624B624AAC7B587D38D57CACEFCF488
SHA256:6D08EB6897A7DB42F0685939C18984E2E35C2876001520362A181763857DE33C
1840photo-ai.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\M17MUZ1C.txttext
MD5:F4624CBA75B4C9D8C590B3F169E48CE0
SHA256:188333A65E7091CA1980560EEA51B8D113818DC22146ADA49C88809A51F4BECF
1840photo-ai.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\SW4TALDC.txttext
MD5:8BF916EB459BC498D88A0C97D24A2246
SHA256:235EC2DF7108E2274BC68162C9D484021F3A7EB076E3EB73B51F96D69D976D20
1840photo-ai.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:EB9F408B42A661F2A12B6758B3CEE69A
SHA256:0331B22E6CC4D7D7F82E13BE72D2404151865A702FF4D2DFB44A64817B130FD4
1840photo-ai.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_FB287BEB63DB9E8D59A799779773B97Cbinary
MD5:F97056AF7E63AB6DE0B4971F3B7C6ED5
SHA256:6CD07664CF85BEEDE92C596FE86D58FCD0C7B36F83CCC8E0FCA530BB05D6DE6C
1840photo-ai.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:1BFE591A4FE3D91B03CDF26EAACD8F89
SHA256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
1840photo-ai.exeC:\Users\admin\AppData\Local\Temp\cloudtext
MD5:FC31B34EB1F36E5FF23BE7F4621AA04E
SHA256:BE7A52D6D1B2E5E2C7A9E338F3AB71B4B2E76797F19CC06D5899AECE2701365B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
12
DNS requests
5
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1840
photo-ai.exe
GET
301
104.18.24.249:80
http://www.tenorshare.com/downloads/service/softwarelog.txt
unknown
html
245 b
unknown
1840
photo-ai.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ef0cb276c6261700
unknown
compressed
4.66 Kb
unknown
1840
photo-ai.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAhflMAthXvozBT%2FU%2B2iPio%3D
unknown
binary
471 b
unknown
1840
photo-ai.exe
GET
200
208.95.112.1:80
http://ip-api.com/csv
unknown
text
172 b
unknown
1080
svchost.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?68f52e492152febd
unknown
compressed
65.2 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
1840
photo-ai.exe
216.239.34.178:443
www.google-analytics.com
GOOGLE
US
unknown
2588
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
1840
photo-ai.exe
104.18.24.249:80
www.tenorshare.com
CLOUDFLARENET
unknown
1840
photo-ai.exe
104.18.24.249:443
www.tenorshare.com
CLOUDFLARENET
unknown
1840
photo-ai.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
1840
photo-ai.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
www.google-analytics.com
  • 216.239.34.178
  • 216.239.38.178
  • 216.239.32.178
  • 216.239.36.178
whitelisted
www.tenorshare.com
  • 104.18.24.249
  • 104.18.25.249
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
ip-api.com
  • 208.95.112.1
shared

Threats

PID
Process
Class
Message
1840
photo-ai.exe
Potential Corporate Privacy Violation
ET POLICY Unsupported/Fake Windows NT Version 5.0
1840
photo-ai.exe
Potential Corporate Privacy Violation
ET POLICY Unsupported/Fake Windows NT Version 5.0
1840
photo-ai.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
1840
photo-ai.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
photo-ai.exe