Edit tour

Windows Analysis Report
proxy[1].png

Overview

General Information

Sample name:	proxy[1].png
Analysis ID:	1446063
MD5:	0fbedb10ed339d1b065b66200c5ce802
SHA1:	7b930d85e38fbcf4742565fc4896d8757b43a318
SHA256:	44dc36f4fbd4d55b95dcf49843a2660662213f9e0da23322a57399c8937df033
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Abnormal high CPU Usage

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Classification

Process Tree

System is w10x64_ra

rundll32.exe (PID: 1940 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

PaintStudio.View.exe (PID: 2752 cmdline: "C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" MD5: 7E11B5F9F7A7FE66809577EC83971972)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: PaintStudio.View.exe, 00000016.00000002.2545476210.0000028A20157000.00000004.00000020.00020000.00000000.sdmp, PaintStudio.View.exe, 00000016.00000002.2549513252.0000028A201B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://json-schema.org/draft-04/schema
Source: PaintStudio.View.exe, 00000016.00000002.2511694929.0000028A18F7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.ho
Source: PaintStudio.View.exe, 00000016.00000002.2831965481.0000028A23969000.00000004.00000020.00020000.00000000.sdmp, PaintStudio.View.exe, 00000016.00000002.2543331343.0000028A20124000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/paint3dhelp
Source: PaintStudio.View.exe, 00000016.00000002.2851402839.0000028A23B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.remix3d.com/v3/creations
Source: PaintStudio.View.exe, 00000016.00000002.2836533698.0000028A239CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.remix3d.com/v3/creations/
Source: PaintStudio.View.exe, 00000016.00000002.2831965481.0000028A23969000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://evoke-windowsservices-tas.msedge.net/
Source: PaintStudio.View.exe, 00000016.00000002.2530431480.0000028A2001D000.00000004.00000020.00020000.00000000.sdmp, PaintStudio.View.exe, 00000016.00000002.2831965481.0000028A23969000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://evoke-windowsservices-tas.msedge.net/ab
Source: PaintStudio.View.exe, 00000016.00000002.2831965481.0000028A23969000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://evoke-windowsservices-tas.msedge.net/abC
Source: PaintStudio.View.exe, 00000016.00000003.2166289033.0000028A224E2000.00000004.00000020.00020000.00000000.sdmp, PaintStudio.View.exe, 00000016.00000002.2629112342.0000028A20F4B000.00000004.00000020.00020000.00000000.sdmp, PaintStudio.View.exe, 00000016.00000002.2704854111.0000028A224E2000.00000004.00000020.00020000.00000000.sdmp, PaintStudio.View.exe, 00000016.00000003.2002442810.0000028A224DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubble.officeapps.live.com/mediasvc/api/media/
Source: PaintStudio.View.exe, 00000016.00000002.2629112342.0000028A20F4B000.00000004.00000020.00020000.00000000.sdmp, PaintStudio.View.exe, 00000016.00000003.2002442810.0000028A224DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/
Source: PaintStudio.View.exe, 00000016.00000002.2635389939.0000028A20FD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/;Media=https://hubble.officeapps.live.com/medias
Source: PaintStudio.View.exe, 00000016.00000002.2550570449.0000028A201CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: PaintStudio.View.exe, 00000016.00000002.2552751428.0000028A20224000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.local
Source: PaintStudio.View.exe, 00000016.00000002.2851402839.0000028A23B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.remix3d.com/details/

Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe

Process Stats: CPU usage > 24%

Source: classification engine

Classification label: clean2.winPNG@2/11@0/0

Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe

File created: C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Textures

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe "C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"

Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: telemetryuwp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: sharedmemoryuwp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.system.profile.retailinfo.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.storage.applicationdata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: vcruntime140_1_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.web.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: concrt140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.applicationmodel.datatransfer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.accountscontrol.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.devices.enumeration.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: devdispitemprovider.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.energy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.graphics.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.web.http.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.system.profile.platformdiagnosticsandusagedatasettings.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: wpnapps.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.ui.xaml.phone.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: ninput.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: efswrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: certenroll.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: dsparse.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.system.profile.systemid.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: cryptowinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: windows.system.userprofile.diagnosticssettings.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A66AEDC-93C3-4ACC-BA96-08F5716429F7}\InProcServer32

Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe

Window / User API: threadDelayed 429

Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe TID: 4248	Thread sleep count: 46 > 30			Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe TID: 4248	Thread sleep count: 429 > 30			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: PaintStudio.View.exe, 00000016.00000002.2797046498.0000028A235D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ToolsVMToolsVM0
Source: PaintStudio.View.exe, 00000016.00000002.2741565591.0000028A22CAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ToolsVMTools
Source: PaintStudio.View.exe, 00000016.00000002.2738009366.0000028A22C4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ToolsVMToolsVM
Source: PaintStudio.View.exe, 00000016.00000002.2717526231.0000028A225EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Textures VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Fonts\PaintA.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Fonts\PaintA.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Fonts\PaintA.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Fonts\PaintA.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Fonts\PaintA.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Fonts\BhaiMDL2.2.52.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Fonts\BhaiMDL2.2.52.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Fonts\BhaiMDL2.2.52.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Fonts\BhaiMDL2.2.52.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Fonts\BhaiMDL2.2.52.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\EngineConfigId.bin VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\SceneData.bin VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\Canvas_0.bin VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\Canvas_2.bin VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\Canvas_3.bin VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\Canvas_4.bin VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Rundll32	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
proxy[1].png	0%	ReversingLabs

Source	Detection	Scanner	Label
https://login.windows.local	0%	URL Reputation	safe
https://api.remix3d.com/v3/creations/	0%	Avira URL Cloud	safe
http://ns.adobe.ho	0%	Avira URL Cloud	safe
https://aka.ms/paint3dhelp	0%	Avira URL Cloud	safe
http://json-schema.org/draft-04/schema	0%	Avira URL Cloud	safe
https://api.remix3d.com/v3/creations	0%	Avira URL Cloud	safe
https://www.remix3d.com/details/	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://login.windows.local	PaintStudio.View.exe, 00000016.00000002.2552751428.0000028A20224000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/paint3dhelp	PaintStudio.View.exe, 00000016.00000002.2831965481.0000028A23969000.00000004.00000020.00020000.00000000.sdmp, PaintStudio.View.exe, 00000016.00000002.2543331343.0000028A20124000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.remix3d.com/v3/creations	PaintStudio.View.exe, 00000016.00000002.2851402839.0000028A23B71000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ns.adobe.ho	PaintStudio.View.exe, 00000016.00000002.2511694929.0000028A18F7C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://json-schema.org/draft-04/schema	PaintStudio.View.exe, 00000016.00000002.2545476210.0000028A20157000.00000004.00000020.00020000.00000000.sdmp, PaintStudio.View.exe, 00000016.00000002.2549513252.0000028A201B6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.remix3d.com/v3/creations/	PaintStudio.View.exe, 00000016.00000002.2836533698.0000028A239CC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.remix3d.com/details/	PaintStudio.View.exe, 00000016.00000002.2851402839.0000028A23B71000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446063
Start date and time:	2024-05-22 21:31:59 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	proxy[1].png
Detection:	CLEAN
Classification:	clean2.winPNG@2/11@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, Microsoft.Photos.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 51.104.136.2, 13.107.5.88
Excluded domains from analysis (whitelisted): t1.ssl.ak.tiles.virtualearth.net, evoke-windowsservices-tas-msedge-net.e-0009.e-msedge.net, fs.microsoft.com, slscr.update.microsoft.com, settings-prod-neu-2.northeurope.cloudapp.azure.com, settings-win.data.microsoft.com, e-0009.e-msedge.net, fe3cr.delivery.mp.microsoft.com, t3.ssl.ak.tiles.virtualearth.net, atm-settingsfe-prod-geo2.trafficmanager.net, evoke-windowsservices-tas.msedge.net, t0.ssl.ak.dynamic.tiles.virtualearth.net, t2.ssl.ak.tiles.virtualearth.net, t0.ssl.ak.tiles.virtualearth.net, ecn.dev.virtualearth.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: proxy[1].png

Process:	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	242
Entropy (8bit):	5.189865564667958
Encrypted:	false
SSDEEP:	6:rpahDh2KN4+l1gsj4y80RwupEJj1cydLjAHa:rSDZN4+lRRJpgj1fdLs6
MD5:	A94D10C05E2ABBF0E6B5C5F5B19EA3B2
SHA1:	D00BB251C50661AF46CD6621D2FBF7262411C3CA
SHA-256:	12186A6E2A521350B71537866989BA04DFEA3F5828E243D23B7DA0DE423805B7
SHA-512:	D3A005E54CC78A132A60F57E73438C6BFE311583C6AE80949512A4691AF73C2ECF241C8E31C011B5D6111405FAD6EF86A2173010F24D259680D1A14679463E66
Malicious:	false
Reputation:	low
Preview:	[{"Id":"{a5fcbcd1-fda7-4c50-8188-cd8ea4fe002f}","SourceId":"","Name":"proxy[1].png","URI":"","DateTime":1.3360887049901898E+17,"Path":"Projects\\WorkingFolder","SourceFilePath":"","Version":0.21,"IsRecovered":false,"IsPreviouslySaved":false}]

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json.~tmp

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	242
Entropy (8bit):	5.189865564667958
Encrypted:	false
SSDEEP:	6:rpahDh2KN4+l1gsj4y80RwupEJj1cydLjAHa:rSDZN4+lRRJpgj1fdLs6
MD5:	A94D10C05E2ABBF0E6B5C5F5B19EA3B2
SHA1:	D00BB251C50661AF46CD6621D2FBF7262411C3CA
SHA-256:	12186A6E2A521350B71537866989BA04DFEA3F5828E243D23B7DA0DE423805B7
SHA-512:	D3A005E54CC78A132A60F57E73438C6BFE311583C6AE80949512A4691AF73C2ECF241C8E31C011B5D6111405FAD6EF86A2173010F24D259680D1A14679463E66
Malicious:	false
Reputation:	low
Preview:	[{"Id":"{a5fcbcd1-fda7-4c50-8188-cd8ea4fe002f}","SourceId":"","Name":"proxy[1].png","URI":"","DateTime":1.3360887049901898E+17,"Path":"Projects\\WorkingFolder","SourceFilePath":"","Version":0.21,"IsRecovered":false,"IsPreviouslySaved":false}]

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\Canvas_0.bin

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
File Type:	Matlab v4 mat-file (little endian) v\033, text, rows 11, columns 1230, imaginary
Category:	dropped
Size (bytes):	7054
Entropy (8bit):	7.903038674226112
Encrypted:	false
SSDEEP:	192:/vWFEQeCKCg61VcKaGz+S9eNmVqWI9LNqu:/z8gkOHGvaSu
MD5:	AA7789D13C424F82A52B3B3C57E0E1A3
SHA1:	7FB3C4BE67D762002E7EF86170F34F1E01A2B9C9
SHA-256:	7FDA032FE43662CC612E79CDAFBC448B57185BEDE7DFF775787275771619E856
SHA-512:	09A5F219E20C586393CC7F443C89EAAC52CF51C2D917C7EAB8F3C2AA399B62F2464A57E1EF7872D75B6D4D029202D1E547DB754F851F835FFF152D59B1C3FCD4
Malicious:	false
Reputation:	low
Preview:	....................v....PNG........IHDR....................sRGB.........gAMA......a.... IDATx^...5UY.....bihx.3.E$L.I..T......D-O..`` ..d(b...`.JH.X.h...T...<.)e.)=..=.....{..Zs.....\{...~.o.;k..}..z.^{.v.i...Oc..q.0f.8..3a....0N.Vs}...[J..n!...S."..PZ.j....KW..5..>7...dL.8... .5.n...K?$u..K.X.H.B2&+S..7..'.G.G..44...?....1I.J...tW.!......`E.....K2........%....}S.O...%V..H..f.....H.H........WH.....)..%./KO....z..Q......1..{..a...3$2...c.H.K.....k..^z.t..I{...8C:Y.2?0f..........n..L.....'J^...g,..=.A._.)$.r......J...Q..;I..svgR@.2.sfwf..9[...o........wK.;..2......K?;.39......J....t.Z..).E.cgw.K>&Q5..1.-....p~..a..B..%..f..a......s%.....$../.I.)....?....JT7~Z2..;..KC.fwfH.Q.P.....L:S"...;%NJS...;J.%}G2..3........3Lx..%..(...x..Mb.G.".%.....J.!......)........~W......r\|D.$....J..e.!.....iG.{n.........Ho.~\|v.......\|.....\_..$.e.lK.MpZ.}.iI.+..}T.=ivg...s...../..H.w.....x.o,....a..A..%.'..]..X......pTx.."oC..6m.5....~..A...........iI......0l..

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\Canvas_1.bin

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
File Type:	Matlab v4 mat-file (little endian) \202\002, text, rows 11, columns 1230, imaginary
Category:	dropped
Size (bytes):	666
Entropy (8bit):	2.851816467757008
Encrypted:	false
SSDEEP:	3:vlll3lS82onv//thPktlVR3ujVLts7CX9/xWxbxYHZeklhAIK9Rp:vtTvv/lhPktPkjVR/CJxslhAIKnp
MD5:	3A4D99A1600049410A5036D24E858962
SHA1:	3022619CDB4D01ABE98268768DE735384812C1FC
SHA-256:	9A0AF1C22E233A8A37FEC6A52DEB58862AF735B716C074B27E586A74F6ACEC2A
SHA-512:	CCCB616AECD23EC565AF874EACBF825B90D2BD7415FDD7E4982A4317ADE4801E43FC77CD7C5D10E8E8E5F5A9ED878681FCB9527B109426D0067333FF71964082
Malicious:	false
Reputation:	low
Preview:	.........................PNG........IHDR....................sRGB.........gAMA......a....,IDATx^..1.. ........E...zvw..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................d.<...]/.l.....IEND.B`.

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\Canvas_2.bin

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
File Type:	Matlab v4 mat-file (little endian) \202\002, text, rows 11, columns 1230, imaginary
Category:	dropped
Size (bytes):	666
Entropy (8bit):	2.851816467757008
Encrypted:	false
SSDEEP:	3:vlll3lS82onv//thPktlVR3ujVLts7CX9/xWxbxYHZeklhAIK9Rp:vtTvv/lhPktPkjVR/CJxslhAIKnp
MD5:	3A4D99A1600049410A5036D24E858962
SHA1:	3022619CDB4D01ABE98268768DE735384812C1FC
SHA-256:	9A0AF1C22E233A8A37FEC6A52DEB58862AF735B716C074B27E586A74F6ACEC2A
SHA-512:	CCCB616AECD23EC565AF874EACBF825B90D2BD7415FDD7E4982A4317ADE4801E43FC77CD7C5D10E8E8E5F5A9ED878681FCB9527B109426D0067333FF71964082
Malicious:	false
Reputation:	low
Preview:	.........................PNG........IHDR....................sRGB.........gAMA......a....,IDATx^..1.. ........E...zvw..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................d.<...]/.l.....IEND.B`.

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\Canvas_3.bin

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
File Type:	Matlab v4 mat-file (little endian) \202\002, text, rows 11, columns 1230, imaginary
Category:	dropped
Size (bytes):	666
Entropy (8bit):	2.851816467757008
Encrypted:	false
SSDEEP:	3:vlll3lS82onv//thPktlVR3ujVLts7CX9/xWxbxYHZeklhAIK9Rp:vtTvv/lhPktPkjVR/CJxslhAIKnp
MD5:	3A4D99A1600049410A5036D24E858962
SHA1:	3022619CDB4D01ABE98268768DE735384812C1FC
SHA-256:	9A0AF1C22E233A8A37FEC6A52DEB58862AF735B716C074B27E586A74F6ACEC2A
SHA-512:	CCCB616AECD23EC565AF874EACBF825B90D2BD7415FDD7E4982A4317ADE4801E43FC77CD7C5D10E8E8E5F5A9ED878681FCB9527B109426D0067333FF71964082
Malicious:	false
Reputation:	low
Preview:	.........................PNG........IHDR....................sRGB.........gAMA......a....,IDATx^..1.. ........E...zvw..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................d.<...]/.l.....IEND.B`.

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\Canvas_4.bin

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
File Type:	Matlab v4 mat-file (little endian) C\002, text, rows 11, columns 1230, imaginary
Category:	dropped
Size (bytes):	603
Entropy (8bit):	5.160194055413447
Encrypted:	false
SSDEEP:	12:vtfSv/7I9/XqQNAw+w+w+w+w+w+w+w+w+w+w+w+w+w+w+w+w+w+w+w+w+e3Ghz:vtfY+3e
MD5:	BE621CEE0FB8AE6035DD226E57F5D52D
SHA1:	9061BED5C2C4D952D52040B854BA310E5C651DDF
SHA-256:	D756807968C6507332F8DE3DF40990CDE7B0994F5CC4DA446E41870FCF7195BF
SHA-512:	1CF585F6BC1E80B027278E1D9BE5C097FAB258920B692870EBD878C9A89C39C3E82E8676E08DDFBE820EA14FFA1E06B10072E770E9804A1972D24ABE3060813F
Malicious:	false
Reputation:	low
Preview:	....................C....PNG........IHDR.............G7Qu....sRGB.........gAMA......a.....IDATx^..1............z'O.....n...q 0....8.....@`.....q 0....8.....@`.....q 0....8.....@`.....q 0....8.....@`.....q 0....8.....@`.....q 0....8.....@`.....q 0....8.....@`.....q 0....8.....@`.....q 0....8.....@`.....q 0....8.....@`.....q 0....8.....@`.....q 0....8.....@`.....q 0....8.....@`.....q 0....8.....@`.....q 0....8.....@`.....q 0....8.....@`.....q 0....8.....@`.....q 0....8.....@`.....q 0....8.....@`.....q 0....8.....@`.....q 0....8.....@`.....q 0....8............]........IEND.B`.

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\EngineConfigId.bin

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
File Type:	data
Category:	dropped
Size (bytes):	88
Entropy (8bit):	2.9160161239667026
Encrypted:	false
SSDEEP:	3:vlllhelqbSiFqhzIGCSOdTh6:vtIlViFXG/OdTh6
MD5:	2CB0D4339341E6189CD737B364CDCD82
SHA1:	52CB91F3D2F92C50D60630507182BB442F4AD6BD
SHA-256:	54332C4C577158182D35F4C8DCF1ACA73FF880B053F03B8E6E85E2BAB8C40938
SHA-512:	282D0047DB4C0B8A4BFF0935F8308CBDBC83DBE4AAF5CF77D193A697D77E4AD8EBE7D157FF89CFA65F6BCF445CE421E29D245082B2783E5DF8CA9000C2E97002
Malicious:	false
Reputation:	low
Preview:	........&...{.A.9.2.A.5.9.C.6.-.7.2.7.8.-.4.6.D.D.-.9.9.F.2.-.1.C.7.B.F.7.1.E.1.1.5.B.}.

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\SceneData.bin

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
File Type:	data
Category:	dropped
Size (bytes):	22
Entropy (8bit):	1.6729330318733675
Encrypted:	false
SSDEEP:	3:vlllZhldG:vtZhlM
MD5:	DCF8BE4FA8C3A466400AD0DCD428C9D0
SHA1:	3C28C788831A74D78AF450409B77085A83293E65
SHA-256:	372232B0C6A3FA3A2332CB94DDE7ED9DA846A64942D006E93F0D531E2A70B1BE
SHA-512:	DEC50D7999E81822074A3E42F7B8626BDF7084EF6361F8BDA1FD1A7C9FCC43511DE3B6A612446A5F47D55AD0C5CC3624A9D34CF8DCACD249C7B90B58D218D7F1
Malicious:	false
Reputation:	low
Preview:	......................

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json (copy)

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2559
Entropy (8bit):	5.440474440107185
Encrypted:	false
SSDEEP:	48:Y2O2M1MKtr7vQD1sN+J2sG91OMJMRUgFgQkXMJMK2+R/9VUXc4m6YAZnL:H27vQ266OGooGt9M
MD5:	F4E4A03EBD0AB3A953C56A300D61D223
SHA1:	97A9ACF22C3BDD6989D7C120C21077C4D5A9A80E
SHA-256:	52BFB22AA2D7B0CE083D312FB8FA8DCDA3063207186F99FC259AEBD9064CBEDC
SHA-512:	12AA71EEA45720A4D7D057DA0B662635671E4CD165AD2E0D30A3D2A43950B47DD60C26C1BBBE049418F815850E571B8D93E4C8B8CBBD686ABC3CF7926BA719C2
Malicious:	false
Reputation:	low
Preview:	{"APP.COMMUNITY.CLIENTTYPE":"Microsoft.Paint3D","APP.COMMUNITY.GLTF.EXPORT.ENABLED":"True","APP.COMMUNITY.GLTF.IMPORT.ENABLED":"True","APP.FILEOPERATIONS.FORMAT.FBX.EXPORT.ENABLED":"True","APP.FILEOPERATIONS.FORMAT.FBX.IMPORT.ENABLED":"True","TOOLS.EDITINFREEVIEW.ENABLED":"True","APP.COMMUNITY.HUBBLE.ENVIRONMENT":"PROD","APP.COMMUNITY.HUBBLE.REQUEST1PHOST":"True","APP.COMMUNITY.HUBBLE.USEWEBVIEW":"False","APP.COMMUNITY.ENABLEDFORLOCALE":"True","APP.FILEOPERATIONS.IMPORT.SEPARATEOBJECTS.ENABLED":"True","APP.TEXTURES.CANVAS3D.DUALLAYER.ENABLED":"True","APP.CMS.CONFIGENDPOINT":"http://go.microsoft.com/fwlink/?LinkId=828137","APP.CMS.KILLSWITCHTURNEDON":"False","APP.CMS.MINIMUMAPPVERSION":"3.1710.30028.0","APP.COMMUNITY.ANONYMOUSBROWSE.ENABLED":"True","APP.COMMUNITY.ENABLEDFORLANGUAGE":"True","APP.COMMUNITY.ENDPOINTCONFIGJSON":"{\"EnvironmentOverrides\": { \"PREVIEW\": { \"TokenScope\": \"service::remix3d.com::MBI_SSL\", \"BrowseUri\": \"https://www.preview.remix3d.com/\", \"ProfileUri\":

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json.~tmp

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2559
Entropy (8bit):	5.440474440107185
Encrypted:	false
SSDEEP:	48:Y2O2M1MKtr7vQD1sN+J2sG91OMJMRUgFgQkXMJMK2+R/9VUXc4m6YAZnL:H27vQ266OGooGt9M
MD5:	F4E4A03EBD0AB3A953C56A300D61D223
SHA1:	97A9ACF22C3BDD6989D7C120C21077C4D5A9A80E
SHA-256:	52BFB22AA2D7B0CE083D312FB8FA8DCDA3063207186F99FC259AEBD9064CBEDC
SHA-512:	12AA71EEA45720A4D7D057DA0B662635671E4CD165AD2E0D30A3D2A43950B47DD60C26C1BBBE049418F815850E571B8D93E4C8B8CBBD686ABC3CF7926BA719C2
Malicious:	false
Preview:	{"APP.COMMUNITY.CLIENTTYPE":"Microsoft.Paint3D","APP.COMMUNITY.GLTF.EXPORT.ENABLED":"True","APP.COMMUNITY.GLTF.IMPORT.ENABLED":"True","APP.FILEOPERATIONS.FORMAT.FBX.EXPORT.ENABLED":"True","APP.FILEOPERATIONS.FORMAT.FBX.IMPORT.ENABLED":"True","TOOLS.EDITINFREEVIEW.ENABLED":"True","APP.COMMUNITY.HUBBLE.ENVIRONMENT":"PROD","APP.COMMUNITY.HUBBLE.REQUEST1PHOST":"True","APP.COMMUNITY.HUBBLE.USEWEBVIEW":"False","APP.COMMUNITY.ENABLEDFORLOCALE":"True","APP.FILEOPERATIONS.IMPORT.SEPARATEOBJECTS.ENABLED":"True","APP.TEXTURES.CANVAS3D.DUALLAYER.ENABLED":"True","APP.CMS.CONFIGENDPOINT":"http://go.microsoft.com/fwlink/?LinkId=828137","APP.CMS.KILLSWITCHTURNEDON":"False","APP.CMS.MINIMUMAPPVERSION":"3.1710.30028.0","APP.COMMUNITY.ANONYMOUSBROWSE.ENABLED":"True","APP.COMMUNITY.ENABLEDFORLANGUAGE":"True","APP.COMMUNITY.ENDPOINTCONFIGJSON":"{\"EnvironmentOverrides\": { \"PREVIEW\": { \"TokenScope\": \"service::remix3d.com::MBI_SSL\", \"BrowseUri\": \"https://www.preview.remix3d.com/\", \"ProfileUri\":

Static File Info

General

File type:	PNG image data, 1230 x 176, 8-bit/color RGBA, non-interlaced
Entropy (8bit):	7.655059424186753
TrID:	Portable Network Graphics (16016/1) 100.00%
File name:	proxy[1].png
File size:	8'809 bytes
MD5:	0fbedb10ed339d1b065b66200c5ce802
SHA1:	7b930d85e38fbcf4742565fc4896d8757b43a318
SHA256:	44dc36f4fbd4d55b95dcf49843a2660662213f9e0da23322a57399c8937df033
SHA512:	f04ea7f3ffa5b583babe717ea46507a6f60e48f40bfc28e87613e94bd87fe300d6a9462c4694748d2257766d9c9f3acb8057162753e27e27fe9650196312ed18
SSDEEP:	192:D5aTKIaW2bfiTH7RnjOFpmaXl0aq3M8k5Tkdm+JyHgM2mKDdzuWT:9aTKIa1ziTNnjOnmaXlBq3MP5TToyAM2
TLSH:	DB02AFC2EA4149E0C7362B7A8CE78A5F9D9140E1E1E02E7349D5D527CEF7250E04D7D2
File Content Preview:	.PNG........IHDR...............".....tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27

File Icon


Icon Hash:	74f0f0e4c6d6e0e4

Target ID:	16
Start time:	15:33:09
Start date:	22/05/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:	0x7ff6418e0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	15:33:42
Start date:	22/05/2024
Path:	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"
Imagebase:	0x7ff703880000
File size:	3'378'176 bytes
MD5 hash:	7E11B5F9F7A7FE66809577EC83971972
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report proxy[1].png

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json (copy)

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json.~tmp

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\Canvas_0.bin

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\Canvas_1.bin

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\Canvas_2.bin

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\Canvas_3.bin

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\Canvas_4.bin

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\EngineConfigId.bin

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\SceneData.bin

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json (copy)

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json.~tmp

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: rundll32.exePID: 1940, Parent PID: 804

General

Chronological Activities

Analysis Process: PaintStudio.View.exePID: 2752, Parent PID: 3800

General

Chronological Activities

Disassembly

Windows Analysis Report
proxy[1].png