Windows Analysis Report
image000000.jpg

Overview

General Information

Sample name: image000000.jpg
Analysis ID: 1544162
MD5: faf29f88755e2eeb1d2b4def3f12c3e9
SHA1: 31dbadffad8a95d98c3360b129b372ab681c84f2
SHA256: 8f52b19ecd7bcacc4ab18f350e62c9380c3626f1ddc2901bf20845e3b2b4ab2f
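A triage check to run alongside a report like this, as an added example that is not part of the sandbox report: it re-computes the sample's MD5/SHA1/SHA256 and compares them with the values listed above, then walks the JPEG marker structure to confirm the file is really a JPEG (not a renamed PE) and that nothing is appended after the End-Of-Image marker, a common way to hide a payload behind an image that a viewer such as mspaint.exe will still open cleanly. The analysed file itself is not available here, so the bytes fed in are a constructed minimal JPEG (labelled as such in the code); their digests therefore do not match the report's, which the hash check reports rather than hides.

```python
"""Triage helpers for a sandbox-analysed image sample (added example,
not part of the sandbox report)."""
import hashlib
import struct

# Digests copied from the report's General Information section.
REPORTED = {
    "md5": "faf29f88755e2eeb1d2b4def3f12c3e9",
    "sha1": "31dbadffad8a95d98c3360b129b372ab681c84f2",
    "sha256": "8f52b19ecd7bcacc4ab18f350e62c9380c3626f1ddc2901bf20845e3b2b4ab2f",
}


def hashes(data: bytes) -> dict:
    """Compute the three digests the report lists, for the given bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORTED}


def matches_report(data: bytes) -> bool:
    """True only if all three digests equal the report's values."""
    return hashes(data) == REPORTED


def inspect_jpeg(data: bytes) -> dict:
    """Walk the JPEG segment chain.

    Returns whether the file starts with SOI, the markers seen in order,
    how many bytes follow the EOI marker (should be 0), and a parse error
    message if the structure is malformed or truncated."""
    result = {"is_jpeg": False, "markers": [], "trailing_bytes": 0, "error": None}
    if data[:3] != b"\xff\xd8\xff":
        head = "PE/MZ header" if data[:2] == b"MZ" else "unknown header"
        result["error"] = f"no SOI marker ({head}); not a JPEG"
        return result
    result["is_jpeg"] = True
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            result["error"] = f"expected marker byte at offset {pos}"
            return result
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte, real marker follows
            pos += 1
            continue
        result["markers"].append(marker)
        pos += 2
        if marker == 0xD9:          # EOI: anything after this is appended data
            result["trailing_bytes"] = n - pos
            return result
        # Standalone markers carry no length field: SOI, RSTn, TEM.
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7 or marker == 0x01:
            continue
        if pos + 2 > n:
            result["error"] = "truncated segment length field"
            return result
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        if seg_len < 2 or pos + seg_len > n:
            result["error"] = f"bad segment length {seg_len} at offset {pos}"
            return result
        pos += seg_len
        if marker == 0xDA:          # SOS: entropy-coded data until next marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                # 0xFF00 is a stuffed byte, 0xFFD0-D7 are restart markers;
                # any other 0xFFxx ends the scan.
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    result["error"] = "no EOI marker (truncated file)"
    return result


def build_sample(trailing: bytes = b"") -> bytes:
    """Constructed minimal JPEG-shaped byte string (NOT the analysed file):
    SOI, a JFIF APP0 segment, a tiny SOS segment with stuffed-byte scan
    data, EOI, then optional appended bytes to simulate smuggled content."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + trailing


def triage(data: bytes) -> dict:
    """Combine the hash comparison and the structural check into one verdict."""
    info = inspect_jpeg(data)
    info["hash_match"] = matches_report(data)
    info["suspicious"] = (not info["is_jpeg"]) or info["trailing_bytes"] > 0 or info["error"] is not None
    return info


if __name__ == "__main__":
    for label, blob in (("clean", build_sample()),
                        ("appended", build_sample(b"MZ" + b"\x00" * 30)),
                        ("renamed PE", b"MZ\x90\x00" + b"\x00" * 60)):
        print(label, triage(blob))
```

A real sample whose digests match the report but whose `trailing_bytes` is non-zero deserves a second look at what follows EOI before accepting a "clean" verdict; the structural walk also catches the opposite case, a PE renamed to .jpg, which a score based on viewer behaviour alone would not.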

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Creates files inside the system directory
Queries the volume information (name, serial number etc) of a device

Classification

Source: classification engine Classification label: clean1.winJPG@1/1@0/0

Behavior

Evidence for the two signatures above (file creation in the system directory; volume information query):

Source: C:\Windows\SysWOW64\mspaint.exe File created: C:\Windows\Debug\WIA
Source: C:\Windows\SysWOW64\mspaint.exe File created: C:\Windows\Debug\WIA\wiatrace.log
Source: C:\Windows\SysWOW64\mspaint.exe Queries volume information: C:\Users\user\Desktop\image000000.jpg VolumeInformation

Other file and registry access:

Source: C:\Windows\SysWOW64\mspaint.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\mspaint.exe File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: C:\Windows\SysWOW64\mspaint.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policies)

Sections loaded by C:\Windows\SysWOW64\mspaint.exe, in load order:

mfc42u.dll, propsys.dll, winmm.dll, uxtheme.dll, msftedit.dll, kernel.appcore.dll, uiribbon.dll, xmllite.dll, windows.storage.dll, wldp.dll, efswrt.dll, mpr.dll, wintypes.dll, twinapi.appcore.dll, sti.dll, wiatrace.dll, atlthunk.dll, dwmapi.dll, windowscodecs.dll, textshaping.dll, oleacc.dll, windows.staterepositoryps.dll, apphelp.dll, photometadatahandler.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll (second load event)

Process and window events:

Source: C:\Windows\SysWOW64\mspaint.exe Process information set: NOOPENFILEERRORBOX (5 events)
Source: C:\Windows\SysWOW64\mspaint.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mspaint.exe Process information queried: ProcessInformation
Source: Window Recorder Window detected: More than 3 window changes detected

Binary or memory strings:

Source: mspaint.exe, 00000000.00000002.2938693247.0000000008008000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qsdMQeMUgNXeLVaHRcKShPXgOWcKSeLVeLVfMWhPXjRZiQYfNVdMRnW\
Source: mspaint.exe, 00000000.00000002.2938693247.0000000008008000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ims]_^GKgPTeNRfOSfPRdONePNgRPfQPdMQeMUjQ[dKU_GOgPTjUTfRMfQOkPYgKXfJWiMZkO\iL[fIXfIXiL\iL\iL\iL\iK^iK^iK^iK^iJ_iJ_iJ_iJ_iJ_iK^iK^iK^iL\iL\iL\iL[iL[iL[iL[iL[iMZiMZiL[iL[iL[iL[iL[iL[iL\iL\iL\iL\iK^iK^iK^iK^iL\iL\iL\iL\iL\iL\iL\iL\iL\iL[iL[iL[iL[iL[iL[iL[gM[gM[gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\gL\fLZfM[iR`
Source: mspaint.exe, 00000000.00000002.2937002798.00000000033AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\VBU~c
Source: mspaint.exe, 00000000.00000002.2938693247.0000000008008000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kfdONdMQeMUgMZiN^cKWvba

Reading these strings: the first, second and fourth are runs of repeating three-character groups, consistent with decoded pixel data sitting in the mspaint.exe heap rather than meaningful text. The third is the volume device-interface path of the sandbox host's VMware virtual SATA CD-ROM, i.e. an artifact of the analysis environment surfaced by the volume enumeration, not something written by the sample.

Network

No contacted IPs.