File name: paint.net.5.0.12.install.anycpu.web.exe

Full analysis: https://app.any.run/tasks/880f647e-306b-4474-b2b6-f11f3e8c50c9
Verdict: Malicious activity
Analysis date: December 19, 2023, 10:37:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: D870D65F6B7985C4508C33A69DD15FCF
SHA1: 7916DF66F4B1F3248E72D3BD9759104EDE952BC9
SHA256: C8BDE770326574ADB8164E682C3C83AAB337544AE83685008666ACA77DF474C7
SSDEEP: 49152:P/cTzK+BLgaTNF6Ymh/vVmx0cMs19bF9bT2W+QU1AbusG0A2GKQsAJEcwE7MFtvS:PZ+BF55mh/vkis11TQ1mGKGJEdFBDZU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2268)
  • SUSPICIOUS
    • Reads the Internet Settings
      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2268)
  • INFO
    • Create files in a temporary directory
      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2268)
      • SetupShim.exe (PID: 1380)
    • Checks supported languages
      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2268)
      • SetupShim.exe (PID: 1380)
    • Reads the computer name
      • paint.net.5.0.12.install.anycpu.web.exe (PID: 2268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:12:01 22:11:14+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.38
CodeSize: 537088
InitializedDataSize: 195584
UninitializedDataSize: -
EntryPoint: 0x36f81
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 5.12.8735.38135
ProductVersionNumber: 5.12.8735.38135
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: paint.net Setup
FileVersion: 5.12.8735.38135
InternalName: SetupSfx
LegalCopyright: Copyright © 2023 dotPDN LLC, Rick Brewster, and contributors. All Rights Reserved.
OriginalFileName: SetupSfx.exe
ProductName: paint.net
ProductVersion: 5.12.8735.38135
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Interactive graph not reproduced here; nodes shown: start, paint.net.5.0.12.install.anycpu.web.exe, setupshim.exe, paint.net.5.0.12.install.anycpu.web.exe (no specs)

Process information

PID: 1380
CMD: "C:\Users\admin\AppData\Local\Temp\7zSCD88853E\SetupShim.exe" /suppressReboot
Path: C:\Users\admin\AppData\Local\Temp\7zSCD88853E\SetupShim.exe
Parent process: paint.net.5.0.12.install.anycpu.web.exe
User: admin
Company: dotPDN LLC
Integrity Level: HIGH
Description: paint.net Setup Bootstrapper
Exit code: 1
Version: 5.12.8735.38135
Modules (images):
c:\users\admin\appdata\local\temp\7zscd88853e\setupshim.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll

PID: 2044
CMD: "C:\Users\admin\AppData\Local\Temp\paint.net.5.0.12.install.anycpu.web.exe"
Path: C:\Users\admin\AppData\Local\Temp\paint.net.5.0.12.install.anycpu.web.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: paint.net Setup
Exit code: 3221226540
Version: 5.12.8735.38135
Modules (images):
c:\users\admin\appdata\local\temp\paint.net.5.0.12.install.anycpu.web.exe
c:\windows\system32\ntdll.dll

PID: 2268
CMD: "C:\Users\admin\AppData\Local\Temp\paint.net.5.0.12.install.anycpu.web.exe"
Path: C:\Users\admin\AppData\Local\Temp\paint.net.5.0.12.install.anycpu.web.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: paint.net Setup
Exit code: 1
Version: 5.12.8735.38135
Modules (images):
c:\users\admin\appdata\local\temp\paint.net.5.0.12.install.anycpu.web.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 739
Read events: 731
Write events: 8
Delete events: 0

Modification events

(PID) Process: (2268) paint.net.5.0.12.install.anycpu.web.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2268) paint.net.5.0.12.install.anycpu.web.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2268) paint.net.5.0.12.install.anycpu.web.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2268) paint.net.5.0.12.install.anycpu.web.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files: 5
Suspicious files: 0
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type

2268 | paint.net.5.0.12.install.anycpu.web.exe | C:\Users\admin\AppData\Local\Temp\7zSCD88853E\arm64\SetupDownloader\SetupDownloader.Configuration.json | text
MD5: 8CA6779446E31E219589A08769448DA2
SHA256: 2B23A17E993B7837A89365CDD328541F58DDFD4AB2B45285058284EEE5733613

2268 | paint.net.5.0.12.install.anycpu.web.exe | C:\Users\admin\AppData\Local\Temp\7zSCD88853E\x64\SetupDownloader\SetupDownloader.Configuration.json | text
MD5: 8CA6779446E31E219589A08769448DA2
SHA256: 2B23A17E993B7837A89365CDD328541F58DDFD4AB2B45285058284EEE5733613

2268 | paint.net.5.0.12.install.anycpu.web.exe | C:\Users\admin\AppData\Local\Temp\7zSCD88853E\SetupShim.exe | executable
MD5: B14D53B26F1E5048DB079DE3A9E9A395
SHA256: 16E98A0597F0CD49AEF25136E300226538A700F54F9CF4B4DAE6E17ADBB51587

2268 | paint.net.5.0.12.install.anycpu.web.exe | C:\Users\admin\AppData\Local\Temp\7zSCD88853E\arm64\SetupDownloader\Newtonsoft.Json.dll | executable
MD5: 195FFB7167DB3219B217C4FD439EEDD6
SHA256: E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D

2268 | paint.net.5.0.12.install.anycpu.web.exe | C:\Users\admin\AppData\Local\Temp\7zSCD88853E\x64\SetupDownloader\Newtonsoft.Json.dll | executable
MD5: 195FFB7167DB3219B217C4FD439EEDD6
SHA256: E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D

2268 | paint.net.5.0.12.install.anycpu.web.exe | C:\Users\admin\AppData\Local\Temp\7zSCD88853E\arm64\SetupDownloader\SetupDownloader.exe | executable
MD5: 1D716801430FAEAB98CF0F02DAF09505
SHA256: 23835C9ACD3D622D1A88F437226A33CB7BE34054C4B7747CC98CB4C765B11D47

2268 | paint.net.5.0.12.install.anycpu.web.exe | C:\Users\admin\AppData\Local\Temp\7zSCD88853E\x64\SetupDownloader\SetupDownloader.exe | executable
MD5: 1D716801430FAEAB98CF0F02DAF09505
SHA256: 23835C9ACD3D622D1A88F437226A33CB7BE34054C4B7747CC98CB4C765B11D47

2268 | paint.net.5.0.12.install.anycpu.web.exe | C:\Users\admin\AppData\Local\Temp\7zSCD88853E\arm64\SetupDownloader\SetupDownloader.exe.config | xml
MD5: 59EFD5B23C940DECA60238B287720310
SHA256: 907801FC6262AE2E70F9AD104F903E3580F195BBAB4AD27D79C9E571DA970D86

2268 | paint.net.5.0.12.install.anycpu.web.exe | C:\Users\admin\AppData\Local\Temp\7zSCD88853E\x64\SetupDownloader\SetupDownloader.exe.config | xml
MD5: 59EFD5B23C940DECA60238B287720310
SHA256: 907801FC6262AE2E70F9AD104F903E3580F195BBAB4AD27D79C9E571DA970D86

1380 | SetupShim.exe | C:\Users\admin\AppData\Local\Temp\pdnSetupShim.log | text
MD5: 7ED93C28F1428631ABFFB4AF5A76CE3D
SHA256: 8EAC2C4FF890471C8E2DD066BFE79E4E702D92F3079D99D26A9204B34F9C5B44
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

No data

Threats

No threats detected
Process | Message
SetupShim.exe | GetNativePlatformID() returned x86
SetupShim.exe | --- paint.net SetupShim starting, lpCmdLine='/suppressReboot', nCmdShow=1
SetupShim.exe | bIsWin10_1809 = false
SetupShim.exe |
SetupShim.exe |
SetupShim.exe | Checking OS requirement
SetupShim.exe |
SetupShim.exe |
SetupShim.exe |
SetupShim.exe | GetNativePlatformID: GetNativeSystemInfo() returned wProcessorArchitecture=0