photo.exe

Photo

Soft

The application photo.exe, "Open photo", has been detected as a potentially unwanted program by 37 anti-malware scanners. The program is a setup application built on the InstallCore installer, and the file is not signed with an Authenticode signature from a trusted source. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the value name 'Find'. The InstallCore engine may bundle additional software offers, including toolbars and browser extensions.
Publisher:
Soft

Product:
Photo

Description:
Open photo

Version:
1.1.0.7

MD5:
1def0cfcc69681b050979f34d0ecb3a2

SHA-1:
3e3df2b9197a7331b2ff6776e8bfdf8de9f485cc

SHA-256:
0d9bb40ffa68819db9994a775ff5d8eabdae23da151d219400add6c14349201e

Scanner detections:
37 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software, which may include browser extensions such as DealPly and various toolbars.

Description:
This is an installer that may bundle legitimate applications with offers for additional third-party applications that the user may not want. While the installer contains an 'opt-out' feature, it is not selected by default and is usually overlooked.

Analysis date:
5/8/2024 2:17:30 PM UTC

Scan engine                     Detection                                    Engine version
Lavasoft Ad-Aware               Gen:Variant.Zusy.11948                       368
Agnitum Outpost                 Trojan.DL.Esaprof                            7.1.1
AhnLab V3 Security              Downloader/Win32.Agent                       2015.09.26
Avira AntiVirus                 TR/Dldr.Esaprof.A.29                         8.3.2.2
Arcabit                         Trojan.Zusy.D2EAC                            1.0.0.567
avast!                          Win32:Trojan-gen                             2014.9-160201
AVG                             Luhe.Fiha.A                                  2017.0.2846
Baidu Antivirus                 Trojan.SWF.Agent                             4.0.3.1621
Bitdefender                     Gen:Variant.Zusy.11948                       1.0.20.160
Bkav FE                         W32.WisdwslD.Trojan                          1.3.0.7237
Clam AntiVirus                  Win.Trojan.Agent-208752                      0.98/21511
Comodo Security                 TrojWare.Win32.Genome.CHS                    23298
Dr.Web                          Trojan.Siggen4.10036                         9.0.1.032
Emsisoft Anti-Malware           Gen:Variant.Zusy.11948                       8.16.02.01.05
ESET NOD32                      SWF/TrojanDownloader.Agent.NDH               10.12296
Fortinet FortiGate              SWF/Agent.NDH!tr.dldr                        2/1/2016
F-Prot                          W32/Downldr2.IYLZ                            v6.4.7.1.166
F-Secure                        Gen:Variant.Zusy.11948                       11.2016-01-02_2
G Data                          Gen:Variant.Zusy.11948                       16.2.25
IKARUS anti.virus               Trojan-Dropper.Agent                         t3scan.1.9.5.0
K7 AntiVirus                    Trojan                                       13.210.17333
Kaspersky                       Worm.Win32.Agent                             14.0.0.726
Malwarebytes                    Trojan.Downloader                            v2016.02.01.05
McAfee                          Dropper-FCV!1DEF0CFCC696                     5600.6502
Microsoft Security Essentials   TrojanDownloader:Win32/Esaprof.A             1.1.12101.0
MicroWorld eScan                Gen:Variant.Zusy.11948                       17.0.0.96
NANO AntiVirus                  Trojan.Win32.Siggen4.zdeic                   0.30.26.3725
Panda Antivirus                 Trj/CI.A                                     16.02.01.05
Qihoo 360 Security              HEUR/Malware.QVM01.Gen                       1.0.0.1015
Quick Heal                      TrojanDownloader.Esaprof.A4                  2.16.14.00
Reason Heuristics               PUP.InstallCore.Bundler (M)                  16.2.1.17
Sophos                          Troj/DwnLdr-KUR                              4.98
Trend Micro                     TROJ_GEN.R047C0CFR15                         10.465.01
Vba32 AntiVirus                 Worm.Palevo.2191                             3.12.26.4
VIPRE Antivirus                 Trojan.Win32.Generic                         44044
ViRobot                         Trojan.Win32.A.Downloader.4792615[h]         2014.3.20.0
Zillya! Antivirus               Trojan.Black.Win32.37598                     2.0.0.2413

File size:
4.6 MB (4,792,615 bytes)

Product version:
1.1.0.7

Copyright:
Soft inc.

Trademarks:
Copyright 2012

Original file name:
Photo

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore

Common path:
C:\users\{user}\appdata\roaming\microsoft\windows\start menu\programs\photo.exe

File PE Metadata
Compilation timestamp:
4/10/2011 3:29:22 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

CTPH (ssdeep):
98304:m+CV0/lWn4FCHWZU5pHuZ9CBkvZcUf1aphMoRdKuI3CwF:mr6/44FpUOZ9CBhQ1ghVRd83C0

Entry address:
0x35CF40

Entry point:
60, BE, 00, 30, 57, 00, 8D, BE, 00, E0, E8, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, EF, 75, 09, 8B, 1E, 83, EE, FC, 11, DB, 73, E4, 31, C9, 83, E8, 03, 72, 0D, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 74, 89, C5, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 75, 20, 41, 01, DB, 75...

Packer / compiler:
UPX 2.90 (LZMA)

Code size:
1.9 MB (2,011,136 bytes)
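The packer line above can be confirmed independently of any scanner signature: a UPX-packed 32-bit PE normally carries sections named UPX0/UPX1, and its entry point begins with the stub that the bytes listed under "Entry point" show (pushad; mov esi, src; lea edi, [esi+delta]; push edi; or ebp, -1; jmp short). The following PowerShell function is an added example written for this page, not code from Reason Core Security; the stub mask is taken from the listed entry-point bytes with the image-specific operands wildcarded, and the sample path at the bottom is a placeholder.

```powershell
# Added example: confirm UPX packing by parsing the PE header directly.
# Two independent signals are checked: UPX-style section names and the
# entry-point stub  60 BE xx xx xx xx 8D BE xx xx xx xx 57 83 CD FF EB.
# Some UPX builds rename sections, so the stub check matters on its own.
function Test-UpxPacked {
    param([Parameter(Mandatory)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "Not an MZ file: $Path" }

    $pe = [BitConverter]::ToInt32($b, 0x3C)                          # e_lfanew
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "No PE signature: $Path" }

    $numSections   = [BitConverter]::ToUInt16($b, $pe + 6)           # IMAGE_FILE_HEADER.NumberOfSections
    $optHeaderSize = [BitConverter]::ToUInt16($b, $pe + 20)          # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    $optHeader     = $pe + 24
    $entryRva      = [BitConverter]::ToUInt32($b, $optHeader + 16)   # AddressOfEntryPoint (same offset for PE32/PE32+)
    $sectionTable  = $optHeader + $optHeaderSize

    # Walk the section table: 40-byte entries; Name at +0, VirtualSize at +8,
    # VirtualAddress at +12, SizeOfRawData at +16, PointerToRawData at +20.
    $names = @()
    $entryOffset = $null
    for ($i = 0; $i -lt $numSections; $i++) {
        $s    = $sectionTable + 40 * $i
        $name = [Text.Encoding]::ASCII.GetString($b, $s, 8).TrimEnd([char]0)
        $vsz  = [BitConverter]::ToUInt32($b, $s + 8)
        $va   = [BitConverter]::ToUInt32($b, $s + 12)
        $raw  = [BitConverter]::ToUInt32($b, $s + 16)
        $ptr  = [BitConverter]::ToUInt32($b, $s + 20)
        $names += $name
        # Map the entry RVA to a file offset through the section that contains it.
        if ($entryRva -ge $va -and $entryRva -lt ($va + [Math]::Max($vsz, $raw))) {
            $entryOffset = $ptr + ($entryRva - $va)
        }
    }

    # Compare the first 17 bytes at the entry point against the UPX stub mask;
    # $null entries are wildcards for the two 32-bit operands.
    $mask = @(0x60,0xBE,$null,$null,$null,$null,0x8D,0xBE,$null,$null,$null,$null,0x57,0x83,0xCD,0xFF,0xEB)
    $stubMatch = $false
    if ($null -ne $entryOffset -and (($entryOffset + $mask.Length) -le $b.Length)) {
        $stubMatch = $true
        for ($j = 0; $j -lt $mask.Length; $j++) {
            if ($null -ne $mask[$j] -and $b[$entryOffset + $j] -ne $mask[$j]) { $stubMatch = $false; break }
        }
    }

    $upxNames = [bool]($names -match '^UPX[0-9]$')
    [pscustomobject]@{
        Sections        = ($names -join ',')
        UpxSectionNames = $upxNames
        EntryRva        = ('0x{0:X}' -f $entryRva)
        UpxEntryStub    = $stubMatch
        LikelyUpx       = ($stubMatch -or $upxNames)
    }
}

# Placeholder path; point it at the sample you are examining.
Test-UpxPacked -Path 'C:\samples\photo.exe'
```

A positive result means static string or import inspection of the file on disk will mostly see the decompressor, not the program; unpack first (or inspect the process memory after it starts) before drawing conclusions from the 1.9 MB code section.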

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Find

Command:
C:\users\{user}\appdata\roaming\microsoft\windows\start menu\programs\photo.exe
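The persistence mechanism listed here (and in the overview paragraph at the top) is a plain HKCU Run value, so a host can be triaged and cleaned from an ordinary user session. The PowerShell below is an added example for this page, not a tool from Reason Core Security: it reads the 'Find' value, resolves the executable it points at, identifies the file by SHA-256 against the hash listed above rather than by its generic name, checks the Authenticode state the page describes as missing, and previews removal with -WhatIf. The value name, Start Menu path and hash are taken from this page; everything else is an assumption about how the check is run.

```powershell
# Added example: triage and remove the HKCU Run persistence described on this page.
# Run as the affected user; drop -WhatIf on the last two lines to actually remediate.
$RunKey      = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName   = 'Find'                                                # value name from the page
$KnownSha256 = '0d9bb40ffa68819db9994a775ff5d8eabdae23da151d219400add6c14349201e'

# 1. Read the autorun command registered under the listed value name.
$cmd = (Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if (-not $cmd) { Write-Host "No '$ValueName' value under $RunKey"; return }

# Strip surrounding quotes and any arguments to recover the executable path.
$exe = ($cmd -replace '^"([^"]+)".*$', '$1').Trim()
if (-not (Test-Path -LiteralPath $exe)) {
    # A dangling Run value is still worth removing: it shows something was here.
    Write-Host "Run value '$ValueName' points at a missing file: $exe"
    Remove-ItemProperty -Path $RunKey -Name $ValueName -WhatIf
    return
}

# 2. Identify the file by hash; 'photo.exe' is too generic a name to trust.
$hash        = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash.ToLower()
$knownSample = ($hash -eq $KnownSha256)

# 3. Check the Authenticode signature the page reports as absent.
#    Anything other than 'Valid' (NotSigned, HashMismatch, UnknownError) is suspect.
$sig = Get-AuthenticodeSignature -LiteralPath $exe

# 4. A binary living under Start Menu\Programs is an unusual drop location for
#    a real application; this matches the "Common path" listed on the page.
$inStartMenu = $exe -like "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\*"

[pscustomobject]@{
    RunValue       = $ValueName
    Path           = $exe
    SHA256         = $hash
    MatchesListed  = $knownSample
    SignatureState = $sig.Status
    Signer         = $sig.SignerCertificate.Subject
    InStartMenu    = $inStartMenu
} | Format-List

# 5. Remediate only on evidence: either the known hash, or unsigned plus the odd path.
if ($knownSample -or (($sig.Status -ne 'Valid') -and $inStartMenu)) {
    Remove-ItemProperty -Path $RunKey -Name $ValueName -WhatIf
    Remove-Item -LiteralPath $exe -Force -WhatIf
}
```

Removing the Run value stops the relaunch at next logon but does not undo anything the InstallCore offers already installed; check browser extensions and Programs and Features separately, and hash any other recently written executables under the same profile.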


Remove photo.exe - Powered by Reason Core Security