| Field | Value |
|---|---|
| File name: | dpfsetup.exe |
| Full analysis: | https://app.any.run/tasks/ddb43555-fa9e-4659-8077-e3efb7cd3546 |
| Verdict: | Malicious activity |
| Analysis date: | August 31, 2024, 22:32:29 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 542A1BD90DFC78D09838CAFDA3F3D0DB |
| SHA1: | DC39CFFDC092A82CE89241D4334B1FEB70383C8C |
| SHA256: | 51488AD1B90B26A5D18B9D9D80C8475FDD56A3EBECDE0F403FE2B7A0B6079CA6 |
| SSDEEP: | 49152:qUR0Xr0TdjeSh5mX5bYcvjwpf6wos5sU/4s4Xg/ZPPIAgHNX5/62QBs1hJhtjTZ0:hR0bktevX5Cfxos//4s4uZPPqtXR9uEa |
| Extension | Identification (score) |
|---|---|
| .exe | Inno Setup installer (77.7) |
| .exe | Win32 Executable Delphi generic (10) |
| .dll | Win32 Dynamic Link Library (generic) (4.6) |
| .exe | Win32 Executable (generic) (3.1) |
| .exe | Win16/32 Executable Delphi generic (1.4) |
| Field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 1992:06:19 22:22:17+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 41984 |
| InitializedDataSize: | 17920 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xaad0 |
| OSVersion: | 1 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.7.0.0 |
| ProductVersionNumber: | 1.7.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | Ashisoft |
| FileDescription: | Duplicate Photos Finder Setup |
| FileVersion: | 1.7.0.0 |
| LegalCopyright: | Ashisoft all rights reserved. |
| ProductName: | Duplicate Photos Finder |
| ProductVersion: | 1.7.0.0 |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 508 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4288 --field-trial-handle=2140,i,5250935853554139702,16280460237570728570,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | 0 | 122.0.2365.59 |
| 752 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --mojo-platform-channel-handle=5136 --field-trial-handle=2140,i,5250935853554139702,16280460237570728570,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | | 122.0.2365.59 |
| 1124 | "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6344 --field-trial-handle=2140,i,5250935853554139702,16280460237570728570,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe | — | msedge.exe | admin | Microsoft Corporation | MEDIUM | PWA Identity Proxy Host | 3221226029 | 122.0.2365.59 |
| 1164 | "C:\Program Files (x86)\Duplicate Photo Finder\dpf.exe" | C:\Program Files (x86)\Duplicate Photo Finder\dpf.exe | | dpfsetup.tmp | admin | Ashisoft | MEDIUM | Duplicate Photo Finder | | 1.7.0.0 |
| 1616 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7096 --field-trial-handle=2140,i,5250935853554139702,16280460237570728570,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | 0 | 122.0.2365.59 |
| 1964 | "C:\Users\admin\AppData\Local\Temp\is-RCLG4.tmp\dpfsetup.tmp" /SL5="$503A8,625591,58368,C:\Users\admin\Desktop\dpfsetup.exe" | C:\Users\admin\AppData\Local\Temp\is-RCLG4.tmp\dpfsetup.tmp | — | dpfsetup.exe | admin | | MEDIUM | Setup/Uninstall | 0 | 51.52.0.0 |
| 2092 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5616 --field-trial-handle=2140,i,5250935853554139702,16280460237570728570,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | 0 | 122.0.2365.59 |
| 2128 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5860 --field-trial-handle=2140,i,5250935853554139702,16280460237570728570,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | 0 | 122.0.2365.59 |
| 2128 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6752 --field-trial-handle=2140,i,5250935853554139702,16280460237570728570,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | 0 | 122.0.2365.59 |
| 2268 | "C:\Users\admin\AppData\Local\Temp\is-L07EN.tmp\dpfsetup.tmp" /SL5="$80328,625591,58368,C:\Users\admin\Desktop\dpfsetup.exe" /SPAWNWND=$503A2 /NOTIFYWND=$503A8 | C:\Users\admin\AppData\Local\Temp\is-L07EN.tmp\dpfsetup.tmp | | dpfsetup.exe | admin | | HIGH | Setup/Uninstall | 0 | 51.52.0.0 |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 2268 | dpfsetup.tmp | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | Owner | DC080000F5A8B2B0F5FBDA01 |
| 2268 | dpfsetup.tmp | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | SessionHash | 1DD76B7BA009ED79AC437CEE2A0ECB361DA1FC6DFF07F81F5CD9288F69201FD6 |
| 2268 | dpfsetup.tmp | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | Sequence | 1 |
| 2268 | dpfsetup.tmp | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | RegFiles0000 | C:\Program Files (x86)\Duplicate Photo Finder\dpf.exe |
| 2268 | dpfsetup.tmp | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | RegFilesHash | 2ECAE656E9618E9D4ADE25B0F2CF735294DBC60A2E8593058BB3A7D686145CD7 |
| 2268 | dpfsetup.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{82BAA379-A0B8-4637-8286-0A9AD146453F}}_is1 | Inno Setup: Setup Version | 5.6.1 (a) |
| 2268 | dpfsetup.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{82BAA379-A0B8-4637-8286-0A9AD146453F}}_is1 | Inno Setup: App Path | C:\Program Files (x86)\Duplicate Photo Finder |
| 2268 | dpfsetup.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{82BAA379-A0B8-4637-8286-0A9AD146453F}}_is1 | InstallLocation | C:\Program Files (x86)\Duplicate Photo Finder\ |
| 2268 | dpfsetup.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{82BAA379-A0B8-4637-8286-0A9AD146453F}}_is1 | Inno Setup: Icon Group | Duplicate Photo Finder |
| 2268 | dpfsetup.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{82BAA379-A0B8-4637-8286-0A9AD146453F}}_is1 | Inno Setup: User | admin |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3244 | dpfsetup.exe | C:\Users\admin\AppData\Local\Temp\is-RCLG4.tmp\dpfsetup.tmp | executable | 1AFBD25DB5C9A90FE05309F7C4FBCF09 | 3BB0EE5569FE5453C6B3FA25AA517B925D4F8D1F7BA3475E58FA09C46290658C |
| 2268 | dpfsetup.tmp | C:\Users\admin\AppData\Local\Temp\is-03K1I.tmp\isxdl.dll | executable | 48AD1A1C893CE7BF456277A0A085ED01 | B0CC4697B2FD1B4163FDDCA2050FC62A9E7D221864F1BD11E739144C90B685B3 |
| 2268 | dpfsetup.tmp | C:\Program Files (x86)\Duplicate Photo Finder\unins000.dat | binary | 85B694983C1D85B9E684E520AD1717B8 | 15ED7033D1C3F39646D4E2C9EEEC29987A3F5785D6155D48D873118E439789AB |
| 3660 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\2dc3472b-b093-4d6d-b955-81c068f384fb.tmp | binary | 3AB7BCFD0FDCFE014CEFDC6619914743 | FC770EA6AE3B17E974905BFADAB4FABFCBECEC04DD3E08EA54441992872CF635 |
| 2268 | dpfsetup.tmp | C:\Program Files (x86)\Duplicate Photo Finder\dpf.exe | executable | 12FBC1B5E3C2E9A4F022C6C4B426B46E | 40D77317D0E775BE43933176A19D814616823EC53A935FC2AD830462B19CD5B6 |
| 2268 | dpfsetup.tmp | C:\Program Files (x86)\Duplicate Photo Finder\is-AOCEN.tmp | executable | 462C1B57A2FE1366448FA8A906042E51 | 9A16B43F3F302C9E0A7A10BC3329D3137D0113EA2194220A92919156E615C41F |
| 3660 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF13090c.TMP | — | — | — |
| 3660 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old | — | — | — |
| 3660 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF13090c.TMP | — | — | — |
| 3660 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF13091b.TMP | — | — | — |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 401 | 13.107.6.158:443 | https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox | unknown | — | — | — |
— | — | GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=42&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1 | unknown | binary | 13.1 Kb | — |
— | — | GET | 200 | 89.116.192.181:443 | https://www.ashisoft.com/delete-duplicate-photos.html | unknown | html | 11.0 Kb | — |
— | — | GET | 200 | 94.245.104.56:443 | https://api.edgeoffer.microsoft.com/edgeoffer/pb/experiments?appId=edge-extensions&country=US | unknown | binary | 59 b | — |
— | — | GET | 401 | 13.107.6.158:443 | https://business.bing.com/work/api/v2/tenant/my/settingswithflights?&clienttype=edge-omnibox | unknown | binary | 583 b | — |
— | — | GET | 200 | 204.79.197.239:443 | https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0 | unknown | binary | 2.22 Kb | — |
— | — | GET | 200 | 13.107.246.67:443 | https://edge-mobile-static.azureedge.net/eccp/get?settenant=edge-config&setplatform=win&setmkt=en-US&setchannel=stable | unknown | binary | 13.7 Kb | — |
— | — | GET | 200 | 89.116.192.181:443 | https://www.ashisoft.com/assets/custom.css | unknown | text | 14.6 Kb | — |
— | — | GET | 200 | 89.116.192.181:443 | https://www.ashisoft.com/assets/imgs/logo.png | unknown | image | 761 b | — |
| — | — | GET | 200 | 142.250.185.234:443 | https://fonts.googleapis.com/css?family=Lato\|Open+Sans\|Montserrat&display=swap | unknown | text | 8.47 Kb | — |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
6160 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 192.168.100.255:138 | — | — | — | whitelisted |
6244 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
6160 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4324 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6160 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3660 | msedge.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | | whitelisted |
| google.com | | whitelisted |
| config.edge.skype.com | | whitelisted |
| www.ashisoft.com | | unknown |
| edge.microsoft.com | | whitelisted |
| edge-mobile-static.azureedge.net | | whitelisted |
| api.edgeoffer.microsoft.com | | whitelisted |
| business.bing.com | | whitelisted |
| bzib.nelreports.net | | whitelisted |
| fonts.googleapis.com | | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
7108 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .to TLD |
7108 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .to TLD |
7108 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .to TLD |
7108 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .to TLD |
7108 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .to TLD |
7108 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .to TLD |