File name: PortablePaintNET-3.36-fr-r02.zip

Full analysis: https://app.any.run/tasks/68305f6e-292d-423e-a985-a636649ac215
Verdict: Malicious activity
Analysis date: January 18, 2024, 22:05:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: CB5B604E62BC45C4E95F7F77F2348BDF
SHA1: 1F0F702BD768FA557CE3907472D76E8D7BFD3568
SHA256: BB5F7828441928B6093D4B70A0772CE23764BD8C087031C2D0E94926BA8A0BDE
SSDEEP: 98304:IDKBOBju2meJI+94rQ/GVDb8rIJYPuTfaP4A+0ijSKQ6LJHxv/dXNwHR8p9ybCo4:muD3oNQIaLln

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2428)
      • WinRAR.exe (PID: 2044)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 2044)
    • Executable content was dropped or overwritten

      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2428)
    • Reads the Internet Settings

      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2428)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2044)
      • WinRAR.exe (PID: 2480)
    • Checks supported languages

      • PortablePaintNET.exe (PID: 2268)
      • PortablePaintNET.exe (PID: 480)
      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2428)
      • SetupShim.exe (PID: 664)
    • Reads the computer name

      • PortablePaintNET.exe (PID: 2268)
      • PortablePaintNET.exe (PID: 480)
      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2428)
    • Manual execution by a user

      • PortablePaintNET.exe (PID: 2268)
      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2444)
      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2428)
      • PortablePaintNET.exe (PID: 480)
      • WinRAR.exe (PID: 2480)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2480)
    • Create files in a temporary directory

      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2428)
      • SetupShim.exe (PID: 664)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2009:02:10 15:06:02
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: PortablePaintNET/BackupFK/
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 9
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process chain (graph nodes in order; "no specs" marks processes without detailed monitoring): start -> winrar.exe -> portablepaintnet.exe (no specs) -> regedit.exe (no specs) -> portablepaintnet.exe (no specs) -> regedit.exe (no specs) -> winrar.exe -> paint.net.5.0.12.install.anycpu.web.exe (no specs) -> paint.net.5.0.12.install.anycpu.web.exe -> setupshim.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process

PID: 480
CMD: "C:\Users\admin\Desktop\PortablePaintNET.exe"
Path: C:\Users\admin\Desktop\PortablePaintNET.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Version: 3, 2, 10, 0
Modules (images):
c:\users\admin\desktop\portablepaintnet.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 664
CMD: "C:\Users\admin\AppData\Local\Temp\7zSC795D35F\SetupShim.exe" /suppressReboot
Path: C:\Users\admin\AppData\Local\Temp\7zSC795D35F\SetupShim.exe
Parent process: paint.net.5.0.12.install.anycpu.web.exe
User: admin
Company: dotPDN LLC
Integrity Level: HIGH
Description: paint.net Setup Bootstrapper
Exit code: 1
Version: 5.12.8735.38135
Modules (images):
c:\users\admin\appdata\local\temp\7zsc795d35f\setupshim.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 1504
CMD: regedit /ea BackupFK\origine.reg HKEY_CURRENT_USER\Software\Paint.NET
Path: C:\Windows\regedit.exe
Parent process: PortablePaintNET.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launcher could not start regedit without elevation)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
PID: 2020
CMD: regedit /ea BackupFK\origine.reg HKEY_CURRENT_USER\Software\Paint.NET
Path: C:\Windows\regedit.exe
Parent process: PortablePaintNET.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
PID: 2044
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PortablePaintNET-3.36-fr-r02.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2268
CMD: "C:\Users\admin\Desktop\PortablePaintNET.exe"
Path: C:\Users\admin\Desktop\PortablePaintNET.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Version: 3, 2, 10, 0
Modules (images):
c:\users\admin\desktop\portablepaintnet.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 2428
CMD: "C:\Users\admin\Desktop\paint.net.5.0.12.install.anycpu.web.exe"
Path: C:\Users\admin\Desktop\paint.net.5.0.12.install.anycpu.web.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: paint.net Setup
Exit code: 1
Version: 5.12.8735.38135
Modules (images):
c:\users\admin\desktop\paint.net.5.0.12.install.anycpu.web.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2444
CMD: "C:\Users\admin\Desktop\paint.net.5.0.12.install.anycpu.web.exe"
Path: C:\Users\admin\Desktop\paint.net.5.0.12.install.anycpu.web.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: paint.net Setup
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; the installer was then re-launched elevated as PID 2428)
Version: 5.12.8735.38135
Modules (images):
c:\users\admin\desktop\paint.net.5.0.12.install.anycpu.web.exe
c:\windows\system32\ntdll.dll
PID: 2480
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\paint.net.5.0.12.install.anycpu.web.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 2 534
Read events: 2 485
Write events: 49
Delete events: 0

Modification events

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 72
Suspicious files: 10
Text files: 40
Unknown types: 0

Dropped files

PID | Process | Filename | Type

2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\Paint.NET\Effects\ColorBalance.dll | executable
MD5: 83B0ECDBC4A0BB37E6E0CD30864A1640
SHA256: BC3B0DE05BCD125E51DACC4C64DD408D5860B962AEEA445AF6842FB00F0CA61B

2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\Paint.NET\Effects\EdHarvey.Effects.dll | executable
MD5: F01C9A2DC27F751BF8B59A80F26EC7DD
SHA256: 2298F74849CF1B3B15D93668806B87E1D7701AF3384FE605BA34463CBFC852B1

2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\Paint.NET\Effects\Gradient Bars.dll | executable
MD5: AC36BC6F699B0688710BA15767B7FB24
SHA256: E510586C109B6347C59D7787A072088811A6DB27B432B0BF79C334E48D1F91B8

2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\Paint.NET\Effects\Curves+.dll | executable
MD5: 844D4E03193C6967E73B1F34B8B60C0D
SHA256: 01E4FD82E2546BD85627D1C6B13D39DFE6BAFEA43BAE307FFC20C7E9260CBAAD

2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\Paint.NET\Effects\Feather.dll | executable
MD5: 7935639DBBF92AB7352B583C81F9ACB7
SHA256: 4914E329AC88C6E107E5896DD8A7C1218C1D0C64806ADDDF03E53A51F040856B

2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\Paint.NET\Effects\Burninate.dll | executable
MD5: 27E0B9D2D109A0A1C2D7C7251D776375
SHA256: 0554CC98F6FBF79A1F753F1997D0076C5E7C1D4BC055095E64D7647DE115AD7E

2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\BackupFK\PaintNETDEL.reg | text
MD5: 6D40F3B5DEE73DEDD51333A3EC0F561D
SHA256: D19B6EA3D2E9B537E80F67E7082B3CBBFD70D0C5C70126B7032AA5E25E793475

2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\Paint.NET\Effects\Film.dll | executable
MD5: 235CFAB0CCC5B678390C8F2A5D91858A
SHA256: 260AABED57AC30C85C77E771C102CC8B3BE90EE0C0A2F23E46F223BCC4AEED43

2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\Paint.NET\Effects\Jitter.dll | executable
MD5: C50B5A4CB238E50D619FAD203DEDBF4D
SHA256: 6B71AE5B3AB4B41F8FE234FB6BD3DBC8335FBF84853909FBF98ADD67E21B3E38

2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.1476\PortablePaintNET\Paint.NET\Effects\Arrows.dll | executable
MD5: 1D95CBFB3610435D66B641AB07FAB87E
SHA256: D99C85E2DF95003D1D74E4952F09170A48120280EC90A0D1385DF1CB8F4E5661
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
Process | Message
SetupShim.exe | --- paint.net SetupShim starting, lpCmdLine='/suppressReboot', nCmdShow=1
SetupShim.exe | Checking OS requirement
SetupShim.exe | CoInitializeEx() returned 0
SetupShim.exe | GetNativePlatformID() returned x86
SetupShim.exe | bIsWin10_1809 = false