File name: paint.net.5.0.13.install.anycpu.web.exe

Full analysis: https://app.any.run/tasks/35f484cc-a8db-4f26-8f68-27f823f4374c
Verdict: Malicious activity
Analysis date: June 29, 2024, 20:55:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9E8C911802A8F387D536A340F39B2636
SHA1: 85074C4E1574DE523596950D33AA10FA27813813
SHA256: 289DF7D7B2F0DA4DE90CF66EE44D60162FDB65E8F36744F724009D5879925D27
SSDEEP: 49152:viacEzBAkqbZ9Mmh/vVmxd5Ms19bF9bT2W+QU1AbusG0A2GKQsAJIa4c773iHbeR:viOQYmh/vkks11TQ1mGKGJIa4oiKZyC7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • paint.net.5.0.13.install.anycpu.web.exe (PID: 2748)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • paint.net.5.0.13.install.anycpu.web.exe (PID: 2748)
    • Executable content was dropped or overwritten

      • paint.net.5.0.13.install.anycpu.web.exe (PID: 2748)
    • Reads the Internet Settings

      • paint.net.5.0.13.install.anycpu.web.exe (PID: 2748)
  • INFO

    • Checks supported languages

      • paint.net.5.0.13.install.anycpu.web.exe (PID: 2748)
      • SetupShim.exe (PID: 2944)
    • Create files in a temporary directory

      • paint.net.5.0.13.install.anycpu.web.exe (PID: 2748)
      • SetupShim.exe (PID: 2944)
    • Reads the computer name

      • paint.net.5.0.13.install.anycpu.web.exe (PID: 2748)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:05 23:29:49+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.4
CodeSize: 536576
InitializedDataSize: 195584
UninitializedDataSize: -
EntryPoint: 0x36d21
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 5.13.8830.42291
ProductVersionNumber: 5.13.8830.42291
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: paint.net Setup
FileVersion: 5.13.8830.42291
InternalName: SetupSfx
LegalCopyright: Copyright © 2024 dotPDN LLC, Rick Brewster, and contributors. All Rights Reserved.
OriginalFileName: SetupSfx.exe
ProductName: paint.net
ProductVersion: 5.13.8830.42291
Total processes: 43
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0


Process information

PID: 2748
CMD: "C:\Users\admin\AppData\Local\Temp\paint.net.5.0.13.install.anycpu.web.exe"
Path: C:\Users\admin\AppData\Local\Temp\paint.net.5.0.13.install.anycpu.web.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: paint.net Setup
Exit code: 1
Version: 5.13.8830.42291
Modules (images):
c:\users\admin\appdata\local\temp\paint.net.5.0.13.install.anycpu.web.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 2944
CMD: "C:\Users\admin\AppData\Local\Temp\7zSCBA793C4\SetupShim.exe" /suppressReboot
Path: C:\Users\admin\AppData\Local\Temp\7zSCBA793C4\SetupShim.exe
Parent process: paint.net.5.0.13.install.anycpu.web.exe
User: admin
Company: dotPDN LLC
Integrity Level: HIGH
Description: paint.net Setup Bootstrapper
Exit code: 1
Version: 5.13.8830.42291
Modules (images):
c:\users\admin\appdata\local\temp\7zscba793c4\setupshim.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll

PID: 3700
CMD: "C:\Users\admin\AppData\Local\Temp\paint.net.5.0.13.install.anycpu.web.exe"
Path: C:\Users\admin\AppData\Local\Temp\paint.net.5.0.13.install.anycpu.web.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: paint.net Setup
Exit code: 3221226540
Version: 5.13.8830.42291
Modules (images):
c:\users\admin\appdata\local\temp\paint.net.5.0.13.install.anycpu.web.exe
c:\windows\system32\ntdll.dll
Total events: 2 931
Read events: 2 923
Write events: 8
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
2748 | paint.net.5.0.13.install.anycpu.web.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
2748 | paint.net.5.0.13.install.anycpu.web.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
2748 | paint.net.5.0.13.install.anycpu.web.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
2748 | paint.net.5.0.13.install.anycpu.web.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
Executable files: 5
Suspicious files: 0
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2748 | paint.net.5.0.13.install.anycpu.web.exe | C:\Users\admin\AppData\Local\Temp\7zSCBA793C4\x64\SetupDownloader\SetupDownloader.Configuration.json | text | 8CA6779446E31E219589A08769448DA2 | 2B23A17E993B7837A89365CDD328541F58DDFD4AB2B45285058284EEE5733613
2748 | paint.net.5.0.13.install.anycpu.web.exe | C:\Users\admin\AppData\Local\Temp\7zSCBA793C4\arm64\SetupDownloader\Newtonsoft.Json.dll | executable | 195FFB7167DB3219B217C4FD439EEDD6 | E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
2748 | paint.net.5.0.13.install.anycpu.web.exe | C:\Users\admin\AppData\Local\Temp\7zSCBA793C4\arm64\SetupDownloader\SetupDownloader.Configuration.json | text | 8CA6779446E31E219589A08769448DA2 | 2B23A17E993B7837A89365CDD328541F58DDFD4AB2B45285058284EEE5733613
2748 | paint.net.5.0.13.install.anycpu.web.exe | C:\Users\admin\AppData\Local\Temp\7zSCBA793C4\x64\SetupDownloader\Newtonsoft.Json.dll | executable | 195FFB7167DB3219B217C4FD439EEDD6 | E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
2748 | paint.net.5.0.13.install.anycpu.web.exe | C:\Users\admin\AppData\Local\Temp\7zSCBA793C4\arm64\SetupDownloader\SetupDownloader.exe | executable | 67662D81CC89357BE411C8FD981F7333 | 46B80D6A0C515274DBE615A86441E93EB656683CFE7C48EF80ACA4ED5AA9C01E
2748 | paint.net.5.0.13.install.anycpu.web.exe | C:\Users\admin\AppData\Local\Temp\7zSCBA793C4\x64\SetupDownloader\SetupDownloader.exe | executable | 67662D81CC89357BE411C8FD981F7333 | 46B80D6A0C515274DBE615A86441E93EB656683CFE7C48EF80ACA4ED5AA9C01E
2748 | paint.net.5.0.13.install.anycpu.web.exe | C:\Users\admin\AppData\Local\Temp\7zSCBA793C4\SetupShim.exe | executable | ED82DA8CE63807986D06E19CE59D7869 | CBAF647F029408FBD79290F6727CE9A3CC4C9BCFAC19C74A09981B4BC849A3DC
2748 | paint.net.5.0.13.install.anycpu.web.exe | C:\Users\admin\AppData\Local\Temp\7zSCBA793C4\x64\SetupDownloader\SetupDownloader.exe.config | xml | 59EFD5B23C940DECA60238B287720310 | 907801FC6262AE2E70F9AD104F903E3580F195BBAB4AD27D79C9E571DA970D86
2748 | paint.net.5.0.13.install.anycpu.web.exe | C:\Users\admin\AppData\Local\Temp\7zSCBA793C4\arm64\SetupDownloader\SetupDownloader.exe.config | xml | 59EFD5B23C940DECA60238B287720310 | 907801FC6262AE2E70F9AD104F903E3580F195BBAB4AD27D79C9E571DA970D86
2944 | SetupShim.exe | C:\Users\admin\AppData\Local\Temp\pdnSetupShim.log | text | 7ED93C28F1428631ABFFB4AF5A76CE3D | 8EAC2C4FF890471C8E2DD066BFE79E4E702D92F3079D99D26A9204B34F9C5B44
HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1372 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2564 | svchost.exe | 239.255.255.250:3702 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

No data

Threats

No threats detected
Process | Message
SetupShim.exe | --- paint.net SetupShim starting, lpCmdLine='/suppressReboot', nCmdShow=1
SetupShim.exe | CoInitializeEx() returned 0
SetupShim.exe | GetNativePlatformID: GetNativeSystemInfo() returned wProcessorArchitecture=0
SetupShim.exe | GetNativePlatformID() returned x86
SetupShim.exe | Checking OS requirement
SetupShim.exe