File name: unnamed.jpg

Full analysis: https://app.any.run/tasks/e7888b69-3796-4901-bf58-171d901458e5
Verdict: Malicious activity
Analysis date: March 07, 2018, 14:34:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: image/jpeg
File info: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, Exif Standard: [TIFF image data, little-endian, direntries=2, software=Google], baseline, precision 8, 900x900, frames 3
MD5: 67DCFF907D68B00CEB4BD227667E47D7
SHA1: 3D7413F2BC964C94DF5481321D5F13CF1A64E586
SHA256: 8C95F228E9C58142CED050DBDD5E193EFAF2F9F450C5385758665F1BD9953AA8
SSDEEP: 1536:a3ehzXE3TZLvKudJ4KpAXt2IGmm/kmTz/VHt4dIYLrGahVep2l1yUI:9XhKpAXtBGR3TVHDUZe0l1U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Creates files in the Windows directory

      • rundll32.exe (PID: 2844)
    • Modifies files in the system directory

      • rundll32.exe (PID: 2844)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • WFS.exe (PID: 3096)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.jpg | JFIF-EXIF JPEG Bitmap (38.4)
.jpg | JFIF JPEG bitmap (30.7)
.jpg | JPEG bitmap (23)
.mp3 | MP3 audio (7.6)

EXIF

JFIF

JFIFVersion: 1.01
ResolutionUnit: None
XResolution: 1
YResolution: 1

EXIF

Software: Google
ExifVersion: 0220
UserComment: Screenshot

Composite

ImageSize: 900x900
Megapixels: 0.81
No data.
All screenshots are available in the full report
Total processes: 34
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start: rundll32.exe (no specs), wfs.exe (no specs), fxssvc.exe (no specs)

Process information

PID: 2844
CMD: "C:\Windows\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\AppData\Local\Temp\unnamed.jpg
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\rundll32.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\imagehlp.dll

PID: 3096
CMD: "C:\Windows\System32\WFS.exe" /Delete /Account . /SendTo C:\Users\admin\AppData\Local\Temp\1D3B6217F7EAA.tif
Path: C:\Windows\System32\WFS.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Windows Fax and Scan
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
  • c:\windows\system32\wfs.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

PID: 3904
CMD: C:\Windows\system32\fxssvc.exe
Path: C:\Windows\system32\fxssvc.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Fax Service
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

Total events: 834
Read events: 794
Write events: 40
Delete events: 0

Modification events

(PID) Process: (2844) rundll32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: rundll32.exe

(PID) Process: (2844) rundll32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows Photo Viewer\Slideshow
Operation: write
Name: Shuffle
Value: 0

(PID) Process: (2844) rundll32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows Photo Viewer\Slideshow
Operation: write
Name: Loop
Value: 1

(PID) Process: (2844) rundll32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows Photo Viewer\Slideshow
Operation: write
Name: Mute
Value: 0

(PID) Process: (2844) rundll32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows Photo Viewer\Slideshow
Operation: write
Name: Speed
Value: 1

(PID) Process: (2844) rundll32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithProgids
Operation: write
Name: jpegfile
Value:

(PID) Process: (2844) rundll32.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\Program Files\Windows Photo Viewer\PhotoViewer.dll
Value: Windows Photo Viewer

(PID) Process: (2844) rundll32.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\Windows\system32\mspaint.exe
Value: Paint

(PID) Process: (2844) rundll32.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\Program Files\Opera\Opera.exe
Value: Opera Internet Browser

(PID) Process: (2844) rundll32.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\Windows\eHome\ehshell.exe
Value: Windows Media Center

Executable files: 0
Suspicious files: 0
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2844 | rundll32.exe | C:\Windows\system32\FxsTmp\fxsF276.tmp |
2844 | rundll32.exe | C:\Windows\system32\spool\PRINTERS\00002.SPL |
2844 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\1D3B6217F4301.tif |
2844 | rundll32.exe | C:\Windows\system32\FxsTmp\fxsF837.tmp |
3096 | WFS.exe | C:\Users\admin\Documents\Scanned Documents\Welcome Scan.jpg\:3or4kl4x13tuuug3Byamue2s4b:$DATA |
3096 | WFS.exe | :3or4kl4x13tuuug3Byamue2s4b:$DATA |
3096 | WFS.exe | C: |
2844 | rundll32.exe | C:\Windows\System32\FxsTmp\fxsF826.tmp |
2844 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\1D3B6217F7EAA.tif | image
3096 | WFS.exe | C:\Users\admin\Documents\Fax\Drafts\desktop.ini | ini
    MD5: 049287DAE44828AE84F1F63806E68689
    SHA256: EEF82D186B097ABD1A114E1BD2DB82EDCEB4AE9437DFE7C7E11ED4711A7151D1
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info