| Field | Value |
|---|---|
| File name: | dpfsetup.exe |
| Full analysis: | https://app.any.run/tasks/ddb43555-fa9e-4659-8077-e3efb7cd3546 |
| Verdict: | Malicious activity |
| Analysis date: | August 31, 2024, 22:32:29 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 542A1BD90DFC78D09838CAFDA3F3D0DB |
| SHA1: | DC39CFFDC092A82CE89241D4334B1FEB70383C8C |
| SHA256: | 51488AD1B90B26A5D18B9D9D80C8475FDD56A3EBECDE0F403FE2B7A0B6079CA6 |
| SSDEEP: | 49152:qUR0Xr0TdjeSh5mX5bYcvjwpf6wos5sU/4s4Xg/ZPPIAgHNX5/62QBs1hJhtjTZ0:hR0bktevX5Cfxos//4s4uZPPqtXR9uEa |

| Extension | Identification (score) |
|---|---|
| .exe | Inno Setup installer (77.7) |
| .exe | Win32 Executable Delphi generic (10) |
| .dll | Win32 Dynamic Link Library (generic) (4.6) |
| .exe | Win32 Executable (generic) (3.1) |
| .exe | Win16/32 Executable Delphi generic (1.4) |

| Field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 1992:06:19 22:22:17+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 41984 |
| InitializedDataSize: | 17920 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xaad0 |
| OSVersion: | 1 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.7.0.0 |
| ProductVersionNumber: | 1.7.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | Ashisoft |
| FileDescription: | Duplicate Photos Finder Setup |
| FileVersion: | 1.7.0.0 |
| LegalCopyright: | Ashisoft all rights reserved. |
| ProductName: | Duplicate Photos Finder |
| ProductVersion: | 1.7.0.0 |

| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 508 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4288 --field-trial-handle=2140,i,5250935853554139702,16280460237570728570,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Microsoft Edge; Exit code: 0; Version: 122.0.2365.59 |
| 752 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --mojo-platform-channel-handle=5136 --field-trial-handle=2140,i,5250935853554139702,16280460237570728570,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Microsoft Edge; Version: 122.0.2365.59 |
| 1124 | "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6344 --field-trial-handle=2140,i,5250935853554139702,16280460237570728570,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe | — | msedge.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: PWA Identity Proxy Host; Exit code: 3221226029; Version: 122.0.2365.59 |
| 1164 | "C:\Program Files (x86)\Duplicate Photo Finder\dpf.exe" | C:\Program Files (x86)\Duplicate Photo Finder\dpf.exe | | dpfsetup.tmp | User: admin; Company: Ashisoft; Integrity Level: MEDIUM; Description: Duplicate Photo Finder; Version: 1.7.0.0 |
| 1616 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7096 --field-trial-handle=2140,i,5250935853554139702,16280460237570728570,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Microsoft Edge; Exit code: 0; Version: 122.0.2365.59 |
| 1964 | "C:\Users\admin\AppData\Local\Temp\is-RCLG4.tmp\dpfsetup.tmp" /SL5="$503A8,625591,58368,C:\Users\admin\Desktop\dpfsetup.exe" | C:\Users\admin\AppData\Local\Temp\is-RCLG4.tmp\dpfsetup.tmp | — | dpfsetup.exe | User: admin; Integrity Level: MEDIUM; Description: Setup/Uninstall; Exit code: 0; Version: 51.52.0.0 |
| 2092 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5616 --field-trial-handle=2140,i,5250935853554139702,16280460237570728570,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Microsoft Edge; Exit code: 0; Version: 122.0.2365.59 |
| 2128 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5860 --field-trial-handle=2140,i,5250935853554139702,16280460237570728570,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Microsoft Edge; Exit code: 0; Version: 122.0.2365.59 |
| 2128 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6752 --field-trial-handle=2140,i,5250935853554139702,16280460237570728570,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Microsoft Edge; Exit code: 0; Version: 122.0.2365.59 |
| 2268 | "C:\Users\admin\AppData\Local\Temp\is-L07EN.tmp\dpfsetup.tmp" /SL5="$80328,625591,58368,C:\Users\admin\Desktop\dpfsetup.exe" /SPAWNWND=$503A2 /NOTIFYWND=$503A8 | C:\Users\admin\AppData\Local\Temp\is-L07EN.tmp\dpfsetup.tmp | | dpfsetup.exe | User: admin; Integrity Level: HIGH; Description: Setup/Uninstall; Exit code: 0; Version: 51.52.0.0 |

| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 2268 | dpfsetup.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | write | Owner | DC080000F5A8B2B0F5FBDA01 |
| 2268 | dpfsetup.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | write | SessionHash | 1DD76B7BA009ED79AC437CEE2A0ECB361DA1FC6DFF07F81F5CD9288F69201FD6 |
| 2268 | dpfsetup.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | write | Sequence | 1 |
| 2268 | dpfsetup.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | write | RegFiles0000 | C:\Program Files (x86)\Duplicate Photo Finder\dpf.exe |
| 2268 | dpfsetup.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | write | RegFilesHash | 2ECAE656E9618E9D4ADE25B0F2CF735294DBC60A2E8593058BB3A7D686145CD7 |
| 2268 | dpfsetup.tmp | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{82BAA379-A0B8-4637-8286-0A9AD146453F}}_is1 | write | Inno Setup: Setup Version | 5.6.1 (a) |
| 2268 | dpfsetup.tmp | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{82BAA379-A0B8-4637-8286-0A9AD146453F}}_is1 | write | Inno Setup: App Path | C:\Program Files (x86)\Duplicate Photo Finder |
| 2268 | dpfsetup.tmp | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{82BAA379-A0B8-4637-8286-0A9AD146453F}}_is1 | write | InstallLocation | C:\Program Files (x86)\Duplicate Photo Finder\ |
| 2268 | dpfsetup.tmp | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{82BAA379-A0B8-4637-8286-0A9AD146453F}}_is1 | write | Inno Setup: Icon Group | Duplicate Photo Finder |
| 2268 | dpfsetup.tmp | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{82BAA379-A0B8-4637-8286-0A9AD146453F}}_is1 | write | Inno Setup: User | admin |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2268 | dpfsetup.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Duplicate Photo Finder\Duplicate Photo Finder.lnk | binary | 86EC68F2EDAD32732B2ABBCD0719F6CE | B80854909AB0757A087ADFCB2CC495C1709BF4C84A1E63509708B201725F20DD |
| 2268 | dpfsetup.tmp | C:\Users\admin\AppData\Local\Temp\is-03K1I.tmp\_isetup\_setup64.tmp | executable | E4211D6D009757C078A9FAC7FF4F03D4 | 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95 |
| 6824 | dpfsetup.exe | C:\Users\admin\AppData\Local\Temp\is-L07EN.tmp\dpfsetup.tmp | executable | 1AFBD25DB5C9A90FE05309F7C4FBCF09 | 3BB0EE5569FE5453C6B3FA25AA517B925D4F8D1F7BA3475E58FA09C46290658C |
| 2268 | dpfsetup.tmp | C:\Program Files (x86)\Duplicate Photo Finder\unins000.exe | executable | 462C1B57A2FE1366448FA8A906042E51 | 9A16B43F3F302C9E0A7A10BC3329D3137D0113EA2194220A92919156E615C41F |
| 2268 | dpfsetup.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Duplicate Photo Finder\Uninstall Duplicate Photo Finder.lnk | binary | B2AFDE138219BAEC81EC44B0F53DFB6E | 37B0802C14E4FDFB2FF7B562D14B89A6D379D9FC4B870CF469DBBF78B03688D4 |
| 2268 | dpfsetup.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Duplicate Photo Finder\Visit Us.url | text | 98B9F66A6E29072EE924E6BE16109489 | 777A57FE9533440AEDF223AD7FFA91BBFE7F4141053376527B91BA4C0B3A1FD4 |
| 3660 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF13090c.TMP | — | — | — |
| 3660 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old | — | — | — |
| 3660 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF13090c.TMP | — | — | — |
| 3660 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF13091b.TMP | — | — | — |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| — | — | GET | 401 | 13.107.6.158:443 | https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox | unknown | — | — | unknown |
| — | — | GET | 200 | 142.250.185.131:443 | https://fonts.gstatic.com/s/lato/v24/S6uyw4BMUTPHjx4wXg.woff2 | unknown | woff2 | 23.0 Kb | unknown |
| — | — | GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=42&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1 | unknown | binary | 13.1 Kb | unknown |
| — | — | GET | 200 | 89.116.192.181:443 | https://www.ashisoft.com/assets/imgs/facebook.svg | unknown | image | 344 b | unknown |
| — | — | GET | 200 | 89.116.192.181:443 | https://www.ashisoft.com/assets/imgs/logo.png | unknown | image | 761 b | unknown |
| — | — | GET | 200 | 204.79.197.239:443 | https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0 | unknown | binary | 2.22 Kb | unknown |
| — | — | GET | 200 | 89.116.192.181:443 | https://www.ashisoft.com/assets/imgs/twitter.svg | unknown | image | 871 b | unknown |
| — | — | GET | 200 | 89.116.192.181:443 | https://www.ashisoft.com/assets/imgs/pinterest.svg | unknown | image | 2.78 Kb | unknown |
| — | — | GET | 200 | 13.107.246.67:443 | https://edge-mobile-static.azureedge.net/eccp/get?settenant=edge-config&setplatform=win&setmkt=en-US&setchannel=stable | unknown | binary | 13.7 Kb | unknown |
| — | — | GET | 401 | 13.107.6.158:443 | https://business.bing.com/work/api/v2/tenant/my/settingswithflights?&clienttype=edge-omnibox | unknown | binary | 583 b | unknown |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 6160 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| — | — | 192.168.100.255:138 | — | — | — | whitelisted |
| 6244 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
| 6160 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4324 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 6160 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 3660 | msedge.exe | 239.255.255.250:1900 | — | — | — | whitelisted |

| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | | whitelisted |
| google.com | | whitelisted |
| config.edge.skype.com | | whitelisted |
| www.ashisoft.com | | unknown |
| edge.microsoft.com | | whitelisted |
| edge-mobile-static.azureedge.net | | whitelisted |
| api.edgeoffer.microsoft.com | | whitelisted |
| business.bing.com | | whitelisted |
| bzib.nelreports.net | | whitelisted |
| fonts.googleapis.com | | whitelisted |

| PID | Process | Class | Message |
|---|---|---|---|
| 7108 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .to TLD |
| 7108 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .to TLD |
| 7108 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .to TLD |
| 7108 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .to TLD |
| 7108 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .to TLD |
| 7108 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .to TLD |