File name: paint.net.5.0.13.install.anycpu.web.exe

Full analysis: https://app.any.run/tasks/78061502-1899-4556-9e6a-f4a017af5f71
Verdict: Malicious activity
Analysis date: May 10, 2024, 12:43:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9E8C911802A8F387D536A340F39B2636
SHA1: 85074C4E1574DE523596950D33AA10FA27813813
SHA256: 289DF7D7B2F0DA4DE90CF66EE44D60162FDB65E8F36744F724009D5879925D27
SSDEEP: 49152:viacEzBAkqbZ9Mmh/vVmxd5Ms19bF9bT2W+QU1AbusG0A2GKQsAJIa4c773iHbeR:viOQYmh/vkks11TQ1mGKGJIa4oiKZyC7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • paint.net.5.0.13.install.anycpu.web.exe (PID: 4088)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • paint.net.5.0.13.install.anycpu.web.exe (PID: 4088)
    • Executable content was dropped or overwritten
      • paint.net.5.0.13.install.anycpu.web.exe (PID: 4088)
    • Reads the Internet Settings
      • paint.net.5.0.13.install.anycpu.web.exe (PID: 4088)
  • INFO
    • Checks supported languages
      • paint.net.5.0.13.install.anycpu.web.exe (PID: 4088)
      • SetupShim.exe (PID: 1120)
    • Reads the computer name
      • paint.net.5.0.13.install.anycpu.web.exe (PID: 4088)
    • Creates files in a temporary directory
      • SetupShim.exe (PID: 1120)
      • paint.net.5.0.13.install.anycpu.web.exe (PID: 4088)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:05 23:29:49+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.4
CodeSize: 536576
InitializedDataSize: 195584
UninitializedDataSize: -
EntryPoint: 0x36d21
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 5.13.8830.42291
ProductVersionNumber: 5.13.8830.42291
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: paint.net Setup
FileVersion: 5.13.8830.42291
InternalName: SetupSfx
LegalCopyright: Copyright © 2024 dotPDN LLC, Rick Brewster, and contributors. All Rights Reserved.
OriginalFileName: SetupSfx.exe
ProductName: paint.net
ProductVersion: 5.13.8830.42291
All screenshots are available in the full report
Total processes: 37
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes (interactive in the full report): start, paint.net.5.0.13.install.anycpu.web.exe, setupshim.exe, paint.net.5.0.13.install.anycpu.web.exe (no specs)

Process information

PID 1120
  CMD: "C:\Users\admin\AppData\Local\Temp\7zS8FF51200\SetupShim.exe" /suppressReboot
  Path: C:\Users\admin\AppData\Local\Temp\7zS8FF51200\SetupShim.exe
  Parent process: paint.net.5.0.13.install.anycpu.web.exe
  User: admin
  Company: dotPDN LLC
  Integrity Level: HIGH
  Description: paint.net Setup Bootstrapper
  Version: 5.13.8830.42291
  Modules (Images):
    c:\users\admin\appdata\local\temp\7zs8ff51200\setupshim.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\ole32.dll
    c:\windows\system32\gdi32.dll

PID 3976
  CMD: "C:\Users\admin\AppData\Local\Temp\paint.net.5.0.13.install.anycpu.web.exe"
  Path: C:\Users\admin\AppData\Local\Temp\paint.net.5.0.13.install.anycpu.web.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Description: paint.net Setup
  Exit code: 3221226540
  Version: 5.13.8830.42291
  Modules (Images):
    c:\users\admin\appdata\local\temp\paint.net.5.0.13.install.anycpu.web.exe
    c:\windows\system32\ntdll.dll

PID 4088
  CMD: "C:\Users\admin\AppData\Local\Temp\paint.net.5.0.13.install.anycpu.web.exe"
  Path: C:\Users\admin\AppData\Local\Temp\paint.net.5.0.13.install.anycpu.web.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: HIGH
  Description: paint.net Setup
  Version: 5.13.8830.42291
  Modules (Images):
    c:\users\admin\appdata\local\temp\paint.net.5.0.13.install.anycpu.web.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
Total events: 2 932
Read events: 2 924
Write events: 8
Delete events: 0

Modification events

(PID) Process: (4088) paint.net.5.0.13.install.anycpu.web.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write   Name: ProxyBypass   Value: 1

(PID) Process: (4088) paint.net.5.0.13.install.anycpu.web.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write   Name: IntranetName   Value: 1

(PID) Process: (4088) paint.net.5.0.13.install.anycpu.web.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write   Name: UNCAsIntranet   Value: 1

(PID) Process: (4088) paint.net.5.0.13.install.anycpu.web.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write   Name: AutoDetect   Value: 0
Executable files: 4
Suspicious files: 0
Text files: 5
Unknown types: 0

Dropped files

PID 4088, paint.net.5.0.13.install.anycpu.web.exe
  Filename: C:\Users\admin\AppData\Local\Temp\7zS8FF51200\x64\SetupDownloader\SetupDownloader.exe
  Type: -
  MD5: -
  SHA256: -

PID 4088, paint.net.5.0.13.install.anycpu.web.exe
  Filename: C:\Users\admin\AppData\Local\Temp\7zS8FF51200\x64\SetupDownloader\SetupDownloader.Configuration.json
  Type: text
  MD5: 8CA6779446E31E219589A08769448DA2
  SHA256: 2B23A17E993B7837A89365CDD328541F58DDFD4AB2B45285058284EEE5733613

PID 4088, paint.net.5.0.13.install.anycpu.web.exe
  Filename: C:\Users\admin\AppData\Local\Temp\7zS8FF51200\arm64\SetupDownloader\SetupDownloader.Configuration.json
  Type: text
  MD5: 8CA6779446E31E219589A08769448DA2
  SHA256: 2B23A17E993B7837A89365CDD328541F58DDFD4AB2B45285058284EEE5733613

PID 1120, SetupShim.exe
  Filename: C:\Users\admin\AppData\Local\Temp\pdnSetupShim.log
  Type: text
  MD5: 7ED93C28F1428631ABFFB4AF5A76CE3D
  SHA256: 8EAC2C4FF890471C8E2DD066BFE79E4E702D92F3079D99D26A9204B34F9C5B44

PID 4088, paint.net.5.0.13.install.anycpu.web.exe
  Filename: C:\Users\admin\AppData\Local\Temp\7zS8FF51200\SetupShim.exe
  Type: executable
  MD5: ED82DA8CE63807986D06E19CE59D7869
  SHA256: CBAF647F029408FBD79290F6727CE9A3CC4C9BCFAC19C74A09981B4BC849A3DC

PID 4088, paint.net.5.0.13.install.anycpu.web.exe
  Filename: C:\Users\admin\AppData\Local\Temp\7zS8FF51200\x64\SetupDownloader\Newtonsoft.Json.dll
  Type: executable
  MD5: 195FFB7167DB3219B217C4FD439EEDD6
  SHA256: E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D

PID 4088, paint.net.5.0.13.install.anycpu.web.exe
  Filename: C:\Users\admin\AppData\Local\Temp\7zS8FF51200\arm64\SetupDownloader\Newtonsoft.Json.dll
  Type: executable
  MD5: 195FFB7167DB3219B217C4FD439EEDD6
  SHA256: E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D

PID 4088, paint.net.5.0.13.install.anycpu.web.exe
  Filename: C:\Users\admin\AppData\Local\Temp\7zS8FF51200\x64\SetupDownloader\SetupDownloader.exe.config
  Type: xml
  MD5: 59EFD5B23C940DECA60238B287720310
  SHA256: 907801FC6262AE2E70F9AD104F903E3580F195BBAB4AD27D79C9E571DA970D86

PID 4088, paint.net.5.0.13.install.anycpu.web.exe
  Filename: C:\Users\admin\AppData\Local\Temp\7zS8FF51200\arm64\SetupDownloader\SetupDownloader.exe.config
  Type: xml
  MD5: 59EFD5B23C940DECA60238B287720310
  SHA256: 907801FC6262AE2E70F9AD104F903E3580F195BBAB4AD27D79C9E571DA970D86

PID 4088, paint.net.5.0.13.install.anycpu.web.exe
  Filename: C:\Users\admin\AppData\Local\Temp\7zS8FF51200\arm64\SetupDownloader\SetupDownloader.exe
  Type: executable
  MD5: 67662D81CC89357BE411C8FD981F7333
  SHA256: 46B80D6A0C515274DBE615A86441E93EB656683CFE7C48EF80ACA4ED5AA9C01E
Download PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP                    Domain  ASN  CN  Reputation
4     System       192.168.100.255:137   -       -    -   whitelisted
4     System       192.168.100.255:138   -       -    -   whitelisted
1088  svchost.exe  224.0.0.252:5355      -       -    -   unknown

DNS requests

No data

Threats

No threats detected
Debug output

Process: Message
SetupShim.exe: --- paint.net SetupShim starting, lpCmdLine='/suppressReboot', nCmdShow=1
SetupShim.exe: Checking OS requirement
SetupShim.exe:
SetupShim.exe:
SetupShim.exe: GetNativePlatformID() returned x86
SetupShim.exe: GetNativePlatformID: GetNativeSystemInfo() returned wProcessorArchitecture=0
SetupShim.exe: CoInitializeEx() returned 0
SetupShim.exe:
SetupShim.exe:
SetupShim.exe: