File name:

Photo 018.exe

Full analysis: https://app.any.run/tasks/cbf8552f-33c7-41ab-8550-c761b28099d5
Verdict: Malicious activity
Analysis date: March 22, 2024, 09:23:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 7254BC46F8C6EF326A56B2B9CE745D7E
SHA1: 6DC2B9DFF4EE9DDAE1A0DE72D8052EF355D8357B
SHA256: 0FE8C87EDCD0880ADB34D1686514FA286D029B4EB87590F86F34C8C3F2DF9FDE
SSDEEP: 12288:HsRC0dvzZjLLZ72OVjbiRIEUdLL1D1l14KAIFJADnRte6U8C0RecxvVGAyrW:MRC0dvzZjnZ7BNbiRIE831D1l1jAgqDD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Photo 018.exe (PID: 3956)
      • InstallFramework.exe (PID: 2672)
    • Changes appearance of the Explorer extensions

      • Systeme.exe (PID: 1496)
      • Photo 018.exe (PID: 3956)
    • Changes the autorun value in the registry

      • Photo 018.exe (PID: 3956)
  • SUSPICIOUS

    • Reads the Internet Settings

      • Photo 018.exe (PID: 3956)
      • Systeme.exe (PID: 1496)
    • Connects to unusual port

      • Photo 018.exe (PID: 3956)
      • Systeme.exe (PID: 1496)
    • Starts itself from another location

      • Photo 018.exe (PID: 3956)
    • Executable content was dropped or overwritten

      • Photo 018.exe (PID: 3956)
      • InstallFramework.exe (PID: 2672)
    • Connects to FTP

      • Photo 018.exe (PID: 3956)
    • Reads security settings of Internet Explorer

      • Photo 018.exe (PID: 3956)
  • INFO

    • Reads the computer name

      • Photo 018.exe (PID: 3956)
      • Systeme.exe (PID: 1496)
    • Checks supported languages

      • Photo 018.exe (PID: 3956)
      • InstallFramework.exe (PID: 2672)
      • Systeme.exe (PID: 1496)
    • Checks proxy server information

      • Photo 018.exe (PID: 3956)
      • Systeme.exe (PID: 1496)
    • Create files in a temporary directory

      • Photo 018.exe (PID: 3956)
      • InstallFramework.exe (PID: 2672)
    • Creates files or folders in the user directory

      • Photo 018.exe (PID: 3956)
    • Reads the machine GUID from the registry

      • Systeme.exe (PID: 1496)
      • Photo 018.exe (PID: 3956)
    • Creates files in the program directory

      • Photo 018.exe (PID: 3956)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (46.3)
.exe | Win64 Executable (generic) (41)
.exe | Win32 Executable (generic) (6.6)
.exe | Generic Win/DOS Executable (2.9)
.exe | DOS Executable Generic (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:22 08:39:05+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 7.1
CodeSize: 73728
InitializedDataSize: 188416
UninitializedDataSize: -
EntryPoint: 0x1222e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.16
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: French
CharacterSet: Unicode
CompanyName: -
FileDescription: -
FileVersion: 1.00Qb
Version: 1.00Qb
LegalCopyright: -
WDVersion: 16
ProductName: Acad
ProductVersion: 1.00Qb
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process tree (reconstructed from the parent-process entries in the process information below):
  • explorer.exe
    • Photo 018.exe (PID 3956)
      • InstallFramework.exe (PID 2672)
      • Systeme.exe (PID 1496)

Process information

PID 1496
CMD: C:\ProgramData\Systeme\Systeme.exe
Path: C:\ProgramData\Systeme\Systeme.exe
Parent process: Photo 018.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00Qb
Modules (images):
c:\programdata\systeme\systeme.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll

PID 2672
CMD: "C:\Users\admin\AppData\Local\Temp\InstallFramework.exe" /REP="C:\Users\admin\AppData\Local\Temp\" /SILENT
Path: C:\Users\admin\AppData\Local\Temp\InstallFramework.exe
Parent process: Photo 018.exe
User: admin
Company: PC SOFT
Description: PC SOFT - Executable auto-extractible (self-extracting executable)
Integrity Level: MEDIUM
Exit code: 0
Version: 15.00Aa
Modules (images):
c:\users\admin\appdata\local\temp\installframework.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll

PID 3956
CMD: "C:\Users\admin\AppData\Local\Temp\Photo 018.exe"
Path: C:\Users\admin\AppData\Local\Temp\Photo 018.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 4294967295 (0xFFFFFFFF, i.e. -1 as a signed value)
Version: 1.00Qb
Modules (images):
c:\users\admin\appdata\local\temp\photo 018.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll

Note: Systeme.exe carries the same version string (1.00Qb) as Photo 018.exe and loads the same set of modules, which is consistent with the "Starts itself from another location" indicator: the sample appears to have copied itself to C:\ProgramData\Systeme\ and relaunched from there. All three processes run at MEDIUM integrity as the analysis user; no elevation is recorded.
Total events: 3 273
Read events: 3 235
Write events: 28
Delete events: 10

Modification events (this extract lists only part of the 28 write and 10 delete events)

(PID 3956) Photo 018.exe
Key: HKEY_CURRENT_USER\Software\PC SOFT\WinDev\16.0\APPLI\Photo 018
Operation: write | Name: LAST_FRAMEWORK | Value: 160057k

(PID 3956) Photo 018.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write | Name: ProxyEnable | Value: 0

(PID 3956) Photo 018.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value | Name: ProxyServer

(PID 3956) Photo 018.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value | Name: ProxyOverride

(PID 3956) Photo 018.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value | Name: AutoConfigURL

(PID 3956) Photo 018.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value | Name: AutoDetect

(PID 3956) Photo 018.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write | Name: SavedLegacySettings
Value (REG_BINARY, hex):
460000005C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID 3956) Photo 018.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write | Name: WpadDecisionReason | Value: 1

(PID 3956) Photo 018.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write | Name: WpadDecisionTime | Value (FILETIME, hex): E2DFC7AB3A7CDA01

(PID 3956) Photo 018.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write | Name: WpadDecision | Value: 0

Note: the LAST_FRAMEWORK value 160057k matches the name of the cached download InstallFramework_160057k[1].exe in the dropped-files list, so the sample records which WinDev 16 framework build it fetched. The Internet Settings writes (ProxyEnable=0, the proxy and PAC values deleted, the Wpad\{GUID} decision values) are WinINet's connection-settings state as touched during the download and are not a persistence mechanism; the autorun value behind the "Changes the autorun value in the registry" indicator is not among the events included in this extract and must be taken from the full report.
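The two binary values above can be decoded offline. The following Python is an added example for this report, not part of ANY.RUN's output or of the sample: it converts the WpadDecisionTime FILETIME to a UTC timestamp and parses the documented header of the SavedLegacySettings blob (version, change counter, proxy-type flags, then the three length-prefixed strings for proxy server, bypass list and auto-config URL). The hex strings are transcribed from the events above; the SavedLegacySettings input is cut to its first 64 bytes because the rest of the recorded value is zero padding. The flag-bit constants are the WinINet/WinHTTP proxy-type values; whatever follows the three strings (auto-detect state) is returned raw because its layout is not documented, and the parser makes no claim about it.

```python
"""Decode the WpadDecisionTime and SavedLegacySettings values from the report."""
import struct
from datetime import datetime, timedelta, timezone

# Constructed input: hex exactly as rendered in the "Modification events" section.
WPAD_DECISION_TIME_HEX = "E2DFC7AB3A7CDA01"
# First 64 bytes of SavedLegacySettings as shown above; the remainder of the
# recorded value is zero padding and is omitted here.
SAVED_LEGACY_SETTINGS_HEX = (
    "460000005C010000090000000000000000000000000000000400000000000000"
    "C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B"
)

# WinINet/WinHTTP proxy-type flag bits stored in the flags DWORD.
PROXY_TYPE_DIRECT = 0x1
PROXY_TYPE_PROXY = 0x2
PROXY_TYPE_AUTO_PROXY_URL = 0x4
PROXY_TYPE_AUTO_DETECT = 0x8

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_from_hex(hex_value: str) -> datetime:
    """Little-endian 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    (ticks,) = struct.unpack("<Q", bytes.fromhex(hex_value))
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_saved_legacy_settings(hex_value: str) -> dict:
    """Parse the documented header of a SavedLegacySettings / DefaultConnectionSettings blob:
    DWORD version, DWORD change counter, DWORD proxy-type flags, then three
    length-prefixed strings (proxy server, bypass list, auto-config URL).
    Whatever follows the strings (auto-detect state) is returned raw as hex."""
    data = bytes.fromhex(hex_value)
    version, counter, flags = struct.unpack_from("<III", data, 0)
    offset = 12
    fields = []
    for _ in range(3):
        (length,) = struct.unpack_from("<I", data, offset)
        offset += 4
        fields.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    proxy_server, bypass_list, autoconfig_url = fields
    return {
        "version": version,
        "counter": counter,
        "flags": flags,
        "direct": bool(flags & PROXY_TYPE_DIRECT),
        "manual_proxy": bool(flags & PROXY_TYPE_PROXY),
        "pac_url": bool(flags & PROXY_TYPE_AUTO_PROXY_URL),
        "auto_detect": bool(flags & PROXY_TYPE_AUTO_DETECT),
        "proxy_server": proxy_server,
        "bypass_list": bypass_list,
        "autoconfig_url": autoconfig_url,
        "tail": data[offset:].hex(),
    }


def summarize() -> dict:
    """Decode both report values and return the fields an analyst would pivot on."""
    settings = parse_saved_legacy_settings(SAVED_LEGACY_SETTINGS_HEX)
    return {
        "wpad_decision_time_utc": filetime_from_hex(WPAD_DECISION_TIME_HEX).isoformat(),
        "proxy_flags": settings["flags"],
        "direct": settings["direct"],
        "auto_detect": settings["auto_detect"],
        "proxy_server": settings["proxy_server"],
        "autoconfig_url": settings["autoconfig_url"],
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Decoded, WpadDecisionTime is 2024-03-22 09:23:59 UTC, which lines up with the report's analysis date (09:23:15) to within a minute, and the flags DWORD is 0x9 (direct + auto-detect) with all three strings empty, matching the ProxyEnable=0 write and the deleted ProxyServer/AutoConfigURL values. The same two functions apply to any HKCU Internet Settings export, which makes them useful for timelining proxy changes on a host under investigation.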
Executable files: 47
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files (only the entries included in this extract are listed; the report counts 47 executable files in total)

PID 3956, Photo 018.exe
  C:\Users\admin\AppData\Local\Temp\InstallFramework.exe (executable)
  MD5: 4152937F33475D31249CE919C323AFA3
  SHA256: BE986D474F493ED6098760AAA958E86499F495E352242CE022FFF81B434F930F

PID 2672, InstallFramework.exe
  C:\Users\admin\AppData\Local\Temp\wd160agt.dll (executable)
  MD5: CE48B94ECFBE8C34B29D559B4CF3FC73
  SHA256: 4A0B0B2EA41044CC9062A1DC076B3149A6C3EA2ED11653F131F4CBB2139DB3DC

PID 3956, Photo 018.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\InstallFramework_160057k[1].exe (executable)
  MD5: 4152937F33475D31249CE919C323AFA3
  SHA256: BE986D474F493ED6098760AAA958E86499F495E352242CE022FFF81B434F930F

PID 2672, InstallFramework.exe
  C:\Users\admin\AppData\Local\Temp\wd160etat.dll (executable)
  MD5: 68BBACFC966C59E7DF74EF90003BB836
  SHA256: 83A82ED17E0DB8B537AD9C45967E8D28B22533C0AC7B2B3819386465BE28F43B

PID 2672, InstallFramework.exe
  C:\Users\admin\AppData\Local\Temp\wd160cpl.dll (executable)
  MD5: E963C9984D3B2DBD75940BF47A6C4B9F
  SHA256: 60D5778E349EFDE5C2E8B87491B39B78CCAB495BCD502022698251CC81A59B22

PID 2672, InstallFramework.exe
  C:\Users\admin\AppData\Local\Temp\wd160db.dll (executable)
  MD5: FF71B65D39FCB54CF5BDEC1E38833BC4
  SHA256: E22E591167FC5FFC4D5D18C1ADCD08F78B234FE5D906C78FA8583A8C5DADACD7

PID 2672, InstallFramework.exe
  C:\Users\admin\AppData\Local\Temp\wd160ce.dll (executable)
  MD5: 2DDF6672A67C7E33F2B215AF8CFAE4BC
  SHA256: 445225C9BD489BCC17B39FD3A5AC35FDB0B2F1149CB682CAB712C6018F5C6D4D

PID 2672, InstallFramework.exe
  C:\Users\admin\AppData\Local\Temp\wd160com.dll (executable)
  MD5: 4D225127B75B51B44B830859560A9EF6
  SHA256: 8DE8B4FEB26470463F13BFB48AAAD601702B9963DCB36354A056763570E7B9F3

PID 2672, InstallFramework.exe
  C:\Users\admin\AppData\Local\Temp\wd160gpu.dll (executable)
  MD5: E03380FDFEA5121AF207174414CAB5A9
  SHA256: 475DF80DD8C2E7094E553B7753AA95A1E8294B0C12C322397329AB56A87B74D3

PID 2672, InstallFramework.exe
  C:\Users\admin\AppData\Local\Temp\wd160grf.dll (executable)
  MD5: 225462D5A1B347E3C66A7B8A59554513
  SHA256: A310A5259D371F7EF38BDD97E7CD9F116D0C9FD08F4BC9F2B0FD4CD6E054E5AC

Note: the Temporary Internet Files copy InstallFramework_160057k[1].exe and C:\Users\admin\AppData\Local\Temp\InstallFramework.exe have identical MD5 and SHA256 values; they are one download, cached under Content.IE5 by WinINet (which caches FTP as well as HTTP content) and then written to Temp before being run with /SILENT. The wd160*.dll files it extracts are the PC SOFT WinDev 16 runtime libraries, consistent with the InstallFramework.exe description and the HKCU\Software\PC SOFT\WinDev\16.0 key. Hash these DLLs and the installer separately from the sample when building detections: the framework is a third-party runtime, and matching on it alone will also flag legitimate WinDev applications.
HTTP(S) requests: 1
TCP/UDP connections: 9
DNS requests: 2
Threats: 2

HTTP requests

PID 1496, Systeme.exe: GET http://www.monip.org/ → HTTP 200 from 212.129.20.209:80 (CN: unknown; type: html; size: 376 b; reputation: unknown)

Connections

PID 4, System → 192.168.100.255:137 (reputation: whitelisted)
(PID/process not recorded in this extract) → 224.0.0.252:5355 (reputation: unknown)
PID 4, System → 192.168.100.255:138 (reputation: whitelisted)
PID 1080, svchost.exe → 224.0.0.252:5355 (reputation: unknown)
PID 3956, Photo 018.exe → 141.94.100.106:21, framework.pcsoft.fr (ASN: OVH SAS; CN: FR; reputation: unknown)
PID 3956, Photo 018.exe → 141.94.100.106:50759, framework.pcsoft.fr (ASN: OVH SAS; CN: FR; reputation: unknown)
PID 3956, Photo 018.exe → 141.94.100.106:50295, framework.pcsoft.fr (ASN: OVH SAS; CN: FR; reputation: unknown)
PID 1496, Systeme.exe → 41.137.2.6:4900, no domain recorded (ASN: MAROCCONNECT; CN: MA; reputation: unknown)
PID 1496, Systeme.exe → 212.129.20.209:80, www.monip.org (ASN: Online S.a.s.; CN: FR; reputation: unknown)

Note: the 137/138 broadcasts (NetBIOS name and datagram service) and the 224.0.0.252:5355 multicasts (LLMNR) come from the System process and svchost.exe, not from the sample; they are normal Windows background traffic in the sandbox. Photo 018.exe opens an FTP control connection to framework.pcsoft.fr on port 21 and then two more connections to the same address on high ports, which is the shape of passive-mode FTP data transfers and is what the "Connects to unusual port" indicator is reacting to for that process. Systeme.exe is different: the connection to 41.137.2.6:4900 has no DNS query behind it (the report records only two lookups, framework.pcsoft.fr and www.monip.org), so the address was not obtained through a DNS query captured here, and the GET to www.monip.org immediately around it is a public-IP lookup. That port 4900 session is the one to pull from the PCAP first.
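The pattern in the Photo 018.exe rows (one port 21 connection, then high-port connections to the same host) is common enough that it is worth separating from genuinely unexplained traffic before spending time in the PCAP. The following Python is an added example, not part of ANY.RUN's report or its signature set: it applies that heuristic to the connection list transcribed above, labels the probable passive-FTP data channels, and returns whatever remains on a non-standard port. The connection tuples are constructed from the table above; the port labels and the 1024 threshold are this example's choices.

```python
"""Classify the sandbox's per-process connections and flag the ones FTP does not explain."""
from collections import defaultdict

# Constructed input: transcribed from the "Connections" section of the report
# (pid, process, remote ip, remote port, domain or "" when none was recorded).
CONNECTIONS = [
    (3956, "Photo 018.exe", "141.94.100.106", 21, "framework.pcsoft.fr"),
    (3956, "Photo 018.exe", "141.94.100.106", 50759, "framework.pcsoft.fr"),
    (3956, "Photo 018.exe", "141.94.100.106", 50295, "framework.pcsoft.fr"),
    (1496, "Systeme.exe", "41.137.2.6", 4900, ""),
    (1496, "Systeme.exe", "212.129.20.209", 80, "www.monip.org"),
]

# Services the report's indicators and ET signatures already account for.
WELL_KNOWN_PORTS = {21: "ftp-control", 80: "http", 443: "https"}


def classify(connections):
    """Map (pid, process) -> [(ip, port, label)].

    Heuristic (ours, not an ANY.RUN signature): once a process has opened an
    FTP control connection (port 21) to a host, further connections from the
    same process to that host on a port >= 1024 are labelled as probable
    passive-mode FTP data channels. Anything else on an unlisted port is left
    as "non-standard port" for manual follow-up in the PCAP.
    """
    ftp_hosts = defaultdict(set)
    for pid, proc, ip, port, _domain in connections:
        if port == 21:
            ftp_hosts[(pid, proc)].add(ip)

    labelled = defaultdict(list)
    for pid, proc, ip, port, _domain in connections:
        if port in WELL_KNOWN_PORTS:
            label = WELL_KNOWN_PORTS[port]
        elif ip in ftp_hosts[(pid, proc)] and port >= 1024:
            label = "ftp-data (passive, inferred)"
        else:
            label = "non-standard port"
        labelled[(pid, proc)].append((ip, port, label))
    return dict(labelled)


def unexplained(connections):
    """Connections that neither a well-known service nor an FTP session accounts for."""
    return [
        (pid, proc, ip, port)
        for (pid, proc), rows in classify(connections).items()
        for ip, port, label in rows
        if label == "non-standard port"
    ]


if __name__ == "__main__":
    for (pid, proc), rows in classify(CONNECTIONS).items():
        for ip, port, label in rows:
            print(f"{pid:>5} {proc:<16} {ip}:{port:<6} {label}")
    print("to investigate:", unexplained(CONNECTIONS))
```

Run against the report's data this leaves exactly one item to investigate, Systeme.exe to 41.137.2.6:4900. The inference is only a triage aid: the heuristic ignores timing, so confirm it in the PCAP by finding the server's 227 "Entering Passive Mode" reply on the port 21 stream and checking that the advertised port matches the data connection, which is also where the "ET HUNTING PE EXE Download over raw TCP" hit will be.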

DNS requests

framework.pcsoft.fr → 141.94.100.106, 135.125.5.38, 51.89.20.151, 151.80.29.133 (reputation: unknown)
www.monip.org → 212.129.20.209 (reputation: unknown)

Threats

(PID/process column empty in this extract) | Class: Misc activity | Message: ET INFO .exe File requested over FTP
PID 3956, Photo 018.exe | Class: Misc activity | Message: ET HUNTING PE EXE Download over raw TCP
No debug info