Malware analysis paint.net.5.1.8.install.anycpu.web 2.exe Malicious activity

Add for printing

File name:	paint.net.5.1.8.install.anycpu.web 2.exe
Full analysis:	https://app.any.run/tasks/2dfd2848-4860-48ef-83f1-16b764b2023a
Verdict:	Malicious activity
Analysis date:	May 27, 2025, 10:29:38
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:	B0C2D9996620CC2D485AB22DBC70EFB6
SHA1:	EB1CE3D78DB8AE688AAAF6D1B010511FCFA03470
SHA256:	4F359EE85A4ABC9592D5A7BD941A83FCE2A572748341244E85F480410D19D91E
SSDEEP:	24576:cdZBjcyLkXmh/vVmxi7VMs19bF9bT2W+QU1AbusG0A2GKQsAJT4VXkoFb9fvo9Ey:cdDjcyLkmh/vVmxyMs19bF9bT2W+QU1h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executable content was dropped or overwritten
  - paint.net.5.1.8.install.anycpu.web 2.exe (PID: 6404)
  - paint.net.5.1.8.install.x64.exe (PID: 7536)
- Reads security settings of Internet Explorer
  - paint.net.5.1.8.install.anycpu.web 2.exe (PID: 6404)
  - SetupDownloader.exe (PID: 6640)
  - paint.net.5.1.8.install.x64.exe (PID: 7536)
- Reads the date of Windows installation
  - paint.net.5.1.8.install.anycpu.web 2.exe (PID: 6404)
  - paint.net.5.1.8.install.x64.exe (PID: 7536)
- Adds/modifies Windows certificates
  - SetupDownloader.exe (PID: 6640)
- Process drops legitimate windows executable
  - paint.net.5.1.8.install.x64.exe (PID: 7536)
  - msiexec.exe (PID: 4628)
- The process creates files with name similar to system file names
  - paint.net.5.1.8.install.x64.exe (PID: 7536)
- The process drops C-runtime libraries
  - paint.net.5.1.8.install.x64.exe (PID: 7536)
  - msiexec.exe (PID: 4628)
- Executes as Windows Service
  - VSSVC.exe (PID: 8020)
- Searches for installed software
  - SetupFrontEnd.exe (PID: 7900)
  - dllhost.exe (PID: 8156)
INFO
- The sample compiled with english language support
  - paint.net.5.1.8.install.anycpu.web 2.exe (PID: 6404)
  - paint.net.5.1.8.install.anycpu.web 2.exe (PID: 6404)
  - paint.net.5.1.8.install.x64.exe (PID: 7536)
  - msiexec.exe (PID: 4628)
- Reads the computer name
  - paint.net.5.1.8.install.anycpu.web 2.exe (PID: 6404)
  - SetupShim.exe (PID: 1660)
  - SetupDownloader.exe (PID: 6640)
  - paint.net.5.1.8.install.x64.exe (PID: 7536)
  - SetupShim.exe (PID: 7868)
  - SetupFrontEnd.exe (PID: 7900)
- Create files in a temporary directory
  - paint.net.5.1.8.install.anycpu.web 2.exe (PID: 6404)
  - SetupShim.exe (PID: 1660)
  - paint.net.5.1.8.install.x64.exe (PID: 7536)
  - SetupDownloader.exe (PID: 6640)
  - SetupShim.exe (PID: 7868)
- Checks supported languages
  - paint.net.5.1.8.install.anycpu.web 2.exe (PID: 6404)
  - SetupShim.exe (PID: 1660)
  - SetupDownloader.exe (PID: 6640)
  - paint.net.5.1.8.install.x64.exe (PID: 7536)
  - SetupFrontEnd.exe (PID: 7900)
  - SetupShim.exe (PID: 7868)
- Process checks computer location settings
  - paint.net.5.1.8.install.anycpu.web 2.exe (PID: 6404)
  - paint.net.5.1.8.install.x64.exe (PID: 7536)
- Reads the machine GUID from the registry
  - SetupDownloader.exe (PID: 6640)
- Creates files or folders in the user directory
  - SetupDownloader.exe (PID: 6640)
  - SetupFrontEnd.exe (PID: 7900)
- Checks proxy server information
  - SetupDownloader.exe (PID: 6640)
- Reads Environment values
  - SetupDownloader.exe (PID: 6640)
- Disables trace logs
  - SetupDownloader.exe (PID: 6640)
- Reads the software policy settings
  - SetupDownloader.exe (PID: 6640)
- Manages system restore points
  - SrTasks.exe (PID: 5956)
- Creates files in the program directory
  - SetupFrontEnd.exe (PID: 7900)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 4628)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2025:05:19 22:53:17+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.44
CodeSize:	211968
InitializedDataSize:	190976
UninitializedDataSize:	-
EntryPoint:	0x24000
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	5.108.9270.41195
ProductVersionNumber:	5.108.9270.41195
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	paint.net Setup
FileVersion:	5.108.9270.41195
InternalName:	SetupSfx
LegalCopyright:	Copyright © 2025 dotPDN LLC, Rick Brewster, and contributors. All Rights Reserved.
OriginalFileName:	SetupSfx.exe
ProductName:	paint.net
ProductVersion:	5.108.9270.41195

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

157

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1660

"C:\Users\admin\AppData\Local\Temp\7zS4096D1F0\SetupShim.exe" /suppressReboot

C:\Users\admin\AppData\Local\Temp\7zS4096D1F0\SetupShim.exe

—

paint.net.5.1.8.install.anycpu.web 2.exe

User:

admin

Company:

dotPDN LLC

Integrity Level:

HIGH

Description:

paint.net Setup Bootstrapper

Exit code:

Version:

5.108.9270.41195

Modules

Images
c:\users\admin\appdata\local\temp\7zs4096d1f0\setupshim.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

4068

"C:\Program Files\Paint.NET\paintdotnet.exe" /setupActions /install DESKTOPSHORTCUT=1 PDNUPDATING=0 SKIPCLEANUP=0 "PROGRAMSGROUP=" /disablePGO /skipEstablishNVProfile /skipRepairAttempt

C:\Program Files\Paint.NET\paintdotnet.exe

—

msiexec.exe

User:

admin

Company:

dotPDN LLC

Integrity Level:

HIGH

Description:

Paint.NET

Exit code:

Version:

5.108.9270.41195

Modules

Images
c:\program files\paint.net\paintdotnet.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

4628

C:\WINDOWS\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

5236

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

5956

C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:12

C:\Windows\System32\SrTasks.exe

—

dllhost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft® Windows System Protection background tasks.

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

5960

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SrTasks.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6404

"C:\Users\admin\AppData\Local\Temp\paint.net.5.1.8.install.anycpu.web 2.exe"

C:\Users\admin\AppData\Local\Temp\paint.net.5.1.8.install.anycpu.web 2.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

paint.net Setup

Exit code:

3221226540

Version:

5.108.9270.41195

Modules

Images
c:\users\admin\appdata\local\temp\paint.net.5.1.8.install.anycpu.web 2.exe
c:\windows\system32\ntdll.dll

6404

"C:\Users\admin\AppData\Local\Temp\paint.net.5.1.8.install.anycpu.web 2.exe"

C:\Users\admin\AppData\Local\Temp\paint.net.5.1.8.install.anycpu.web 2.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

paint.net Setup

Exit code:

Version:

5.108.9270.41195

Modules

Images
c:\users\admin\appdata\local\temp\paint.net.5.1.8.install.anycpu.web 2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

6640

"x64\SetupDownloader\SetupDownloader.exe" /SkipSuccessPrompt "C:\Users\admin\AppData\Local\Temp\7zS4096D1F0\SetupShim.exe" /suppressReboot

C:\Users\admin\AppData\Local\Temp\7zS4096D1F0\x64\SetupDownloader\SetupDownloader.exe

SetupShim.exe

User:

admin

Company:

dotPDN LLC

Integrity Level:

HIGH

Description:

Paint.NET Setup Downloader

Exit code:

1610612736

Version:

5.108.9270.41195

Modules

Images
c:\users\admin\appdata\local\temp\7zs4096d1f0\x64\setupdownloader\setupdownloader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

7320

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

Add for printing

Total events

16 584

Read events

15 688

Write events

855

Delete events

Modification events


(PID) Process:	(6640) SetupDownloader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SetupDownloader_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6640) SetupDownloader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SetupDownloader_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6640) SetupDownloader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SetupDownloader_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6640) SetupDownloader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SetupDownloader_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6640) SetupDownloader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SetupDownloader_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(6640) SetupDownloader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SetupDownloader_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(6640) SetupDownloader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SetupDownloader_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(6640) SetupDownloader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SetupDownloader_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6640) SetupDownloader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SetupDownloader_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6640) SetupDownloader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SetupDownloader_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

Add for printing

Executable files

623

Suspicious files

184

Text files

213

Unknown types

Dropped files

PID	Process	Filename		Type
6640	SetupDownloader.exe	C:\Users\admin\AppData\Local\Temp\PdnSetupDownloader\1485fee6-b0ea-47c3-9364-69b094f7710f\paint.net.install.zip		—
		MD5:—	SHA256:—
6640	SetupDownloader.exe	C:\Users\admin\AppData\Local\Temp\PdnSetupDownloader\1485fee6-b0ea-47c3-9364-69b094f7710f\paint.net.5.1.8.install.x64.exe		—
		MD5:—	SHA256:—
6404	paint.net.5.1.8.install.anycpu.web 2.exe	C:\Users\admin\AppData\Local\Temp\7zS4096D1F0\SetupShim.exe		executable
		MD5:6F01674E8F2048A4E5C625C526E20523	SHA256:1350E75CA26CE27F8345A6A216537B20AC642EADAC72E5285B0412C66451CB4D
6640	SetupDownloader.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BD96F9183ADE69B6DF458457F594566C_A8E93B875B1AF8C8DD911384F8886B6B		binary
		MD5:6FE9A4BBEC09806D4FDE62AC04C7921A	SHA256:FB4780FF1AAAADEF7E2039E293CBF2305231D0E30473BB14166C050C25EE4E7E
1660	SetupShim.exe	C:\Users\admin\AppData\Local\Temp\pdnSetupShim.log		text
		MD5:85E05B91B2D2C7A01FF444599CE89CDD	SHA256:EA517594225F3B909FC5312E271EB5470C4C294B4406086E9232089188AEB299
6404	paint.net.5.1.8.install.anycpu.web 2.exe	C:\Users\admin\AppData\Local\Temp\7zS4096D1F0\arm64\SetupDownloader\SetupDownloader.exe.config		xml
		MD5:59EFD5B23C940DECA60238B287720310	SHA256:907801FC6262AE2E70F9AD104F903E3580F195BBAB4AD27D79C9E571DA970D86
6404	paint.net.5.1.8.install.anycpu.web 2.exe	C:\Users\admin\AppData\Local\Temp\7zS4096D1F0\x64\SetupDownloader\Newtonsoft.Json.dll		executable
		MD5:195FFB7167DB3219B217C4FD439EEDD6	SHA256:E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
6404	paint.net.5.1.8.install.anycpu.web 2.exe	C:\Users\admin\AppData\Local\Temp\7zS4096D1F0\x64\SetupDownloader\SetupDownloader.Configuration.json		text
		MD5:6DF7F325B73C57F0D0EDFDE0CB3F709A	SHA256:9BBA7887079E90C9CF59E75D9DB75B5A57CE456E50E7C8057C06879E2E60645A
6404	paint.net.5.1.8.install.anycpu.web 2.exe	C:\Users\admin\AppData\Local\Temp\7zS4096D1F0\arm64\SetupDownloader\SetupDownloader.exe		executable
		MD5:2502DE1C20B16224AFD3DCD523081FA3	SHA256:6B1D61DFC0D938D8564363793A76BEE8ED7457360A1E84C9A11F6870BB1411C0
6404	paint.net.5.1.8.install.anycpu.web 2.exe	C:\Users\admin\AppData\Local\Temp\7zS4096D1F0\arm64\SetupDownloader\SetupDownloader.Configuration.json		text
		MD5:6DF7F325B73C57F0D0EDFDE0CB3F709A	SHA256:9BBA7887079E90C9CF59E75D9DB75B5A57CE456E50E7C8057C06879E2E60645A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6640	SetupDownloader.exe	GET	200	131.253.33.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTDHsfuqfubd3pihvq4mgQVWgHWNwQUyH7SaoUqG8oZmAQHJ89QEE9oqKICEzMAAAAHh6M0o3uljhwAAAAAAAc%3D	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5796	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6640	SetupDownloader.exe	GET	200	131.253.33.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTOQYLFSE5GO%2FpaRVfYu7d9gZEbQAQU2UEpsA8PY2zvadf1zSmepEhqMOYCEzMAAAAF%2B3pcMhNh310AAAAAAAU%3D	unknown	—	—	whitelisted
6640	SetupDownloader.exe	GET	200	131.253.33.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTh4QXD3xfHaxna9yfH20h%2Ft5LfbQQUZZ9RzoVofy%2BKRYiq3acxux4NAF4CEzMAAu%2FwPw3N%2FoiAf4EAAAAC7%2FA%3D	unknown	—	—	whitelisted
6640	SetupDownloader.exe	GET	200	131.253.33.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTh4QXD3xfHaxna9yfH20h%2Ft5LfbQQUZZ9RzoVofy%2BKRYiq3acxux4NAF4CEzMAAu%2FwPw3N%2FoiAf4EAAAAC7%2FA%3D	unknown	—	—	whitelisted
6640	SetupDownloader.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ID%20Verified%20CS%20EOC%20CA%2002.crl	unknown	—	—	whitelisted
6640	SetupDownloader.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Identity%20Verification%20Root%20Certificate%20Authority%202020.crl	unknown	—	—	whitelisted
6640	SetupDownloader.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Public%20RSA%20Timestamping%20CA%202020.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
5496	MoUsoCoreWorker.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
5796	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
7000	RUXIMICS.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5496	MoUsoCoreWorker.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
5796	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6640	SetupDownloader.exe	50.87.184.106:443	www.getpaint.net	UNIFIEDLAYER-AS-1	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.186.78	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.28	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
www.getpaint.net	50.87.184.106	whitelisted
github.com	140.82.121.4	whitelisted
objects.githubusercontent.com	185.199.109.133 185.199.108.133 185.199.111.133 185.199.110.133	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
oneocsp.microsoft.com	131.253.33.203	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

paint.net.5.1.8.install.anycpu.web 2.exe

B0C2D9996620CC2D485AB22DBC70EFB6

EB1CE3D78DB8AE688AAAF6D1B010511FCFA03470

4F359EE85A4ABC9592D5A7BD941A83FCE2A572748341244E85F480410D19D91E

24576:cdZBjcyLkXmh/vVmxi7VMs19bF9bT2W+QU1AbusG0A2GKQsAJT4VXkoFb9fvo9Ey:cdDjcyLkmh/vVmxyMs19bF9bT2W+QU1h

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the date of Windows installation

Adds/modifies Windows certificates

Process drops legitimate windows executable

The process creates files with name similar to system file names

The process drops C-runtime libraries

Executes as Windows Service

Searches for installed software

INFO

The sample compiled with english language support

Reads the computer name

Create files in a temporary directory

Checks supported languages

Process checks computer location settings

Reads the machine GUID from the registry

Creates files or folders in the user directory

Checks proxy server information

Reads Environment values

Disables trace logs

Reads the software policy settings

Manages system restore points

Creates files in the program directory

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings