File name: PortablePaintNET-3.36-fr-r02.zip
Full analysis: https://app.any.run/tasks/68305f6e-292d-423e-a985-a636649ac215
Verdict: Malicious activity
Analysis date: January 18, 2024, 22:05:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: CB5B604E62BC45C4E95F7F77F2348BDF
SHA1: 1F0F702BD768FA557CE3907472D76E8D7BFD3568
SHA256: BB5F7828441928B6093D4B70A0772CE23764BD8C087031C2D0E94926BA8A0BDE
SSDEEP: 98304:IDKBOBju2meJI+94rQ/GVDb8rIJYPuTfaP4A+0ijSKQ6LJHxv/dXNwHR8p9ybCo4:muD3oNQIaLln
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2044)
      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2428)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 2044)
    • Executable content was dropped or overwritten

      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2428)
    • Reads the Internet Settings

      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2428)
  • INFO

    • Manual execution by a user

      • PortablePaintNET.exe (PID: 2268)
      • PortablePaintNET.exe (PID: 480)
      • WinRAR.exe (PID: 2480)
      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2444)
      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2428)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2044)
      • WinRAR.exe (PID: 2480)
    • Reads the computer name

      • PortablePaintNET.exe (PID: 2268)
      • PortablePaintNET.exe (PID: 480)
      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2428)
    • Checks supported languages

      • PortablePaintNET.exe (PID: 480)
      • PortablePaintNET.exe (PID: 2268)
      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2428)
      • SetupShim.exe (PID: 664)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2480)
    • Create files in a temporary directory

      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2428)
      • SetupShim.exe (PID: 664)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report.
Note that the only signature rated MALICIOUS is the generic "Drops the executable file immediately after the start" heuristic, and here it fires on WinRAR.exe (PID 2044) unpacking the archive and on the paint.net 5.0.12 web installer (PID 2428); the same heuristic is rated INFO for WinRAR.exe (PID 2480). The report records no HTTP requests, no DNS requests and no network threats. Treat the verdict as a heuristic flag to be confirmed, not as a detection of a known malware family.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2009:02:10 15:06:02
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: PortablePaintNET/BackupFK/
All screenshots are available in the full report
Total processes: 50
Monitored processes: 9
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes in the graph, from the start node:
  • winrar.exe
  • portablepaintnet.exe (no specs)
  • regedit.exe (no specs)
  • portablepaintnet.exe (no specs)
  • regedit.exe (no specs)
  • winrar.exe
  • paint.net.5.0.12.install.anycpu.web.exe (no specs)
  • paint.net.5.0.12.install.anycpu.web.exe
  • setupshim.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process.

PID:
480
CMD:
"C:\Users\admin\Desktop\PortablePaintNET.exe"
Path:
C:\Users\admin\Desktop\PortablePaintNET.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Version:
3, 2, 10, 0
Modules
Images
c:\users\admin\desktop\portablepaintnet.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID:
664
CMD:
"C:\Users\admin\AppData\Local\Temp\7zSC795D35F\SetupShim.exe" /suppressReboot
Path:
C:\Users\admin\AppData\Local\Temp\7zSC795D35F\SetupShim.exe
Parent process:
paint.net.5.0.12.install.anycpu.web.exe
User:
admin
Company:
dotPDN LLC
Integrity Level:
HIGH
Description:
paint.net Setup Bootstrapper
Exit code:
1
Version:
5.12.8735.38135
Modules
Images
c:\users\admin\appdata\local\temp\7zsc795d35f\setupshim.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID:
1504
CMD:
regedit /ea BackupFK\origine.reg HKEY_CURRENT_USER\Software\Paint.NET
Path:
C:\Windows\regedit.exe
Parent process:
PortablePaintNET.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
PID:
2020
CMD:
regedit /ea BackupFK\origine.reg HKEY_CURRENT_USER\Software\Paint.NET
Path:
C:\Windows\regedit.exe
Parent process:
PortablePaintNET.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
PID:
2044
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PortablePaintNET-3.36-fr-r02.zip"
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID:
2268
CMD:
"C:\Users\admin\Desktop\PortablePaintNET.exe"
Path:
C:\Users\admin\Desktop\PortablePaintNET.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Version:
3, 2, 10, 0
Modules
Images
c:\users\admin\desktop\portablepaintnet.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID:
2428
CMD:
"C:\Users\admin\Desktop\paint.net.5.0.12.install.anycpu.web.exe"
Path:
C:\Users\admin\Desktop\paint.net.5.0.12.install.anycpu.web.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
paint.net Setup
Exit code:
1
Version:
5.12.8735.38135
Modules
Images
c:\users\admin\desktop\paint.net.5.0.12.install.anycpu.web.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
2444
CMD:
"C:\Users\admin\Desktop\paint.net.5.0.12.install.anycpu.web.exe"
Path:
C:\Users\admin\Desktop\paint.net.5.0.12.install.anycpu.web.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
paint.net Setup
Exit code:
3221226540
Version:
5.12.8735.38135
Modules
Images
c:\users\admin\desktop\paint.net.5.0.12.install.anycpu.web.exe
c:\windows\system32\ntdll.dll
PID:
2480
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\paint.net.5.0.12.install.anycpu.web.zip"
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
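Three processes in the table above exit with code 3221226540: both regedit.exe instances (PIDs 1504 and 2020) and the first paint.net installer run (PID 2444), all at MEDIUM integrity, each with only ntdll.dll in its module list. In hex that value is 0xC000042C, STATUS_ELEVATION_REQUIRED. PID 2428 is the same installer running again at HIGH integrity, which is the ordinary UAC consent flow for an image with a requireAdministrator manifest; regedit gets no elevated re-run, so the export to BackupFK\origine.reg cannot have completed in this session. The script below is an added example for reading such tables, not ANY.RUN tooling: it decodes unsigned-decimal exit codes as NTSTATUS values (names from ntstatus.h) and pairs each elevation failure with a higher-integrity run of the same image. The process records are transcribed from the table above; the integrity ranking and the small NTSTATUS name table are this example's own.

```python
"""Decode sandbox exit codes as NTSTATUS and spot UAC elevation retries.

Added example for reading this report; not ANY.RUN code. Process records are
transcribed from the "Process information" table; NTSTATUS names are from
ntstatus.h (only a handful a triager meets often are included here).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# NTSTATUS codes that commonly surface as process exit codes in sandbox reports.
NTSTATUS_NAMES = {
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}


def decode_exit_code(code: int) -> str:
    """Render an exit code the way a triager reads it.

    Sandboxes print the DWORD exit status as unsigned decimal, so 0xC000042C
    appears as 3221226540. A value whose top two bits are 11 carries the
    NTSTATUS error severity and is shown in hex with its symbolic name;
    anything else is an ordinary small exit code and is left as-is.
    """
    code &= 0xFFFFFFFF
    if code >> 30 == 0b11:  # STATUS_SEVERITY_ERROR
        name = NTSTATUS_NAMES.get(code, "unknown NTSTATUS")
        return f"0x{code:08X} ({name})"
    return str(code)


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    integrity: str
    exit_code: int
    parent: str


# Transcribed from the process table of this report.
PROCESSES: List[Proc] = [
    Proc(480, "PortablePaintNET.exe", "MEDIUM", 1, "explorer.exe"),
    Proc(664, "SetupShim.exe", "HIGH", 1, "paint.net.5.0.12.install.anycpu.web.exe"),
    Proc(1504, "regedit.exe", "MEDIUM", 3221226540, "PortablePaintNET.exe"),
    Proc(2020, "regedit.exe", "MEDIUM", 3221226540, "PortablePaintNET.exe"),
    Proc(2044, "WinRAR.exe", "MEDIUM", 0, "explorer.exe"),
    Proc(2268, "PortablePaintNET.exe", "MEDIUM", 1, "explorer.exe"),
    Proc(2428, "paint.net.5.0.12.install.anycpu.web.exe", "HIGH", 1, "explorer.exe"),
    Proc(2444, "paint.net.5.0.12.install.anycpu.web.exe", "MEDIUM", 3221226540, "explorer.exe"),
    Proc(2480, "WinRAR.exe", "MEDIUM", 0, "explorer.exe"),
]

# Ordering of Windows integrity levels; this example's own convention.
INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}


def elevation_required(p: Proc) -> bool:
    """True if the process died with STATUS_ELEVATION_REQUIRED."""
    return (p.exit_code & 0xFFFFFFFF) == 0xC000042C


def find_elevation_retries(procs: List[Proc]) -> List[Tuple[int, Optional[int]]]:
    """Pair each STATUS_ELEVATION_REQUIRED exit with a higher-integrity run of
    the same image that did not fail the same way, or None if there is none.

    (MEDIUM fails, HIGH runs) is the normal UAC consent flow for an image with a
    requireAdministrator manifest; a failure with no elevated counterpart means
    that step never executed.
    """
    pairs: List[Tuple[int, Optional[int]]] = []
    for p in procs:
        if not elevation_required(p):
            continue
        retry = next(
            (q.pid for q in procs
             if q.image == p.image
             and INTEGRITY_RANK[q.integrity] > INTEGRITY_RANK[p.integrity]
             and not elevation_required(q)),
            None,
        )
        pairs.append((p.pid, retry))
    return pairs


if __name__ == "__main__":
    for p in PROCESSES:
        print(f"{p.pid:>5} {p.image:<42} {p.integrity:<6} {decode_exit_code(p.exit_code)}")
    print(find_elevation_retries(PROCESSES))
```

For this report the pairing yields (2444, 2428) for the installer and (1504, None), (2020, None) for regedit, which is the quickest way to confirm that the installer did get its UAC prompt while the portable launcher's registry backup did not run.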
Total events: 2 534
Read events: 2 485
Write events: 49
Delete events: 0

Modification events

All recorded writes come from WinRAR.exe (PID 2044). ArcHistory is WinRAR's recent-archive list: the four paths it names are other archives previously opened on this sandbox image and are not written or dropped by the sample.

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 72
Suspicious files: 10
Text files: 40
Unknown types: 0

Dropped files

All ten listed files were written by WinRAR.exe (PID 2044) under its temporary extraction folder Rar$DRa2044.1476, i.e. they are the archive's own contents being unpacked for viewing; this extraction is what the "Drops the executable file immediately after the start" signature on PID 2044 refers to.

PID 2044, WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\Paint.NET\Effects\Feather.dll (executable)
MD5: 7935639DBBF92AB7352B583C81F9ACB7
SHA256: 4914E329AC88C6E107E5896DD8A7C1218C1D0C64806ADDDF03E53A51F040856B

PID 2044, WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\Paint.NET\Effects\Arrows.dll (executable)
MD5: 1D95CBFB3610435D66B641AB07FAB87E
SHA256: D99C85E2DF95003D1D74E4952F09170A48120280EC90A0D1385DF1CB8F4E5661

PID 2044, WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\BackupFK\PaintNETDEL.reg (text)
MD5: 6D40F3B5DEE73DEDD51333A3EC0F561D
SHA256: D19B6EA3D2E9B537E80F67E7082B3CBBFD70D0C5C70126B7032AA5E25E793475

PID 2044, WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\Paint.NET\Effects\Burninate.dll (executable)
MD5: 27E0B9D2D109A0A1C2D7C7251D776375
SHA256: 0554CC98F6FBF79A1F753F1997D0076C5E7C1D4BC055095E64D7647DE115AD7E

PID 2044, WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\Paint.NET\Effects\Color Match.dll (executable)
MD5: F417E473AF7F67EDED7A731FF2C89C82
SHA256: 75BF6E98CECBF1A584CDB4273A3F7409051135270AEDD66B0B96F2FAF8011B72

PID 2044, WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\Paint.NET\Effects\EdHarvey.Effects.dll (executable)
MD5: F01C9A2DC27F751BF8B59A80F26EC7DD
SHA256: 2298F74849CF1B3B15D93668806B87E1D7701AF3384FE605BA34463CBFC852B1

PID 2044, WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\Paint.NET\Effects\Curves+.dll (executable)
MD5: 844D4E03193C6967E73B1F34B8B60C0D
SHA256: 01E4FD82E2546BD85627D1C6B13D39DFE6BAFEA43BAE307FFC20C7E9260CBAAD

PID 2044, WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\Paint.NET\Effects\Flip.dll (executable)
MD5: FB2F6B81D46F69C215A25626712ACFCB
SHA256: 8C3AE50797D4B591307DB0BDFE883ECAEB36CFC752CFFE663F94295007659368

PID 2044, WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\Paint.NET\Effects\Gradient Bars.dll (executable)
MD5: AC36BC6F699B0688710BA15767B7FB24
SHA256: E510586C109B6347C59D7787A072088811A6DB27B432B0BF79C334E48D1F91B8

PID 2044, WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\Paint.NET\Effects\Film.dll (executable)
MD5: 235CFAB0CCC5B678390C8F2A5D91858A
SHA256: 260AABED57AC30C85C77E771C102CC8B3BE90EE0C0A2F23E46F223BCC4AEED43
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation (Domain, ASN and CN are empty for every row).

PID 4, System, 192.168.100.255:137, reputation: whitelisted
PID 4, System, 192.168.100.255:138, reputation: whitelisted
PID 1080, svchost.exe, 224.0.0.252:5355, reputation: unknown

All of the listed connections are local-segment traffic from Windows itself: NetBIOS name and datagram service (UDP 137/138) to the subnet broadcast address, and LLMNR (UDP 5355) to its multicast group 224.0.0.252. None originates from a process in the sample's tree, and no monitored process made an outbound connection.

DNS requests

No data

Threats

No threats detected
Debug output

Process: SetupShim.exe
--- paint.net SetupShim starting, lpCmdLine='/suppressReboot', nCmdShow=1
Checking OS requirement
CoInitializeEx() returned 0
GetNativePlatformID() returned x86
bIsWin10_1809 = false