Windows Analysis Report
IMG_5822.jpg

Overview

General Information

Sample name: IMG_5822.jpg
Analysis ID: 1500444
MD5: cc54a889dadf31dab3f86e18cba4c7af
SHA1: c55f5491a8a0f0b4be19324a67fca09946124760
SHA256: 16b847b5c89e8b7a2255e6b328205537699dd5abb0760ae84ba1c4716d210667

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Creates files inside the system directory
Queries the volume information (name, serial number, etc.) of a device

Classification

Source: Binary string: cZVXOKE<8<0.PDBrfd source: mspaint.exe, 00000000.00000003.1747970077.000000000A920000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ?31YMKocacWUdXVNB@ZNLA53C75;/-B64<0.PDBVJHocauigymkwkiTHFcWUnb`NB@:.,-! source: mspaint.exe, 00000000.00000003.1747970077.000000000A920000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: [OM<0.PDBNB@H;99,*- source: mspaint.exe, 00000000.00000003.1746231254.0000000007C30000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 2)&:1.PDBVMJ[OMqheH?<3*'6-*D;8ULIypmmdaKB?F?<NGDVMJQHENEBLC@D;8:1.;/-@42=1/4(&3*'5,)/&#1(%<30B962)&/&#/&#0'$& source: mspaint.exe, 00000000.00000003.1746231254.0000000007C30000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ofc<0.PDBKB?QHE<306-*D;8qheC:7sjg source: mspaint.exe, 00000000.00000003.1747970077.000000000BD20000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 2)&5)'<0.pdb source: mspaint.exe, 00000000.00000003.1747970077.000000000A920000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: iVSE64=0.PDBJA>YPMofcwlhwlhPEANC?NC?YNJSJF\SOja]ulhwnjkb^UOJmgb~xsysn source: mspaint.exe, 00000000.00000003.1746231254.0000000007C30000.00000004.00000800.00020000.00000000.sdmp
Source: mspaint.exe, 00000000.00000002.2923453735.0000000007B40000.00000004.00000020.00020000.00000000.sdmp, IMG_5822.jpg String found in binary or memory: http://ns.apple.com/faceinfo/1.0/
Source: mspaint.exe, 00000000.00000002.2923453735.0000000007B30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.apple.com/faceinfo/1.0/V
Source: mspaint.exe, 00000000.00000002.2923453735.0000000007B40000.00000004.00000020.00020000.00000000.sdmp, IMG_5822.jpg String found in binary or memory: http://www.metadataworkinggroup.com/schemas/regions/
Source: mspaint.exe, 00000000.00000002.2921316363.0000000002A7D000.00000004.00000020.00020000.00000000.sdmp, mspaint.exe, 00000000.00000003.2604596747.0000000002AC2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.metadataworkinggroup.com/schemas/regions/%
Source: mspaint.exe, 00000000.00000002.2923453735.0000000007B30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.metadataworkinggroup.com/schemas/regions/2
Source: C:\Windows\SysWOW64\mspaint.exe File created: C:\Windows\Debug\WIA
Source: C:\Windows\SysWOW64\mspaint.exe File created: C:\Windows\Debug\WIA\wiatrace.log
Source: classification engine Classification label: clean1.winJPG@1/1@0/0
Source: C:\Windows\SysWOW64\mspaint.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\mspaint.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: msftedit.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: uiribbon.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: efswrt.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: sti.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: wiatrace.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: atlthunk.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: oleacc.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: windowscodecsext.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: photometadatahandler.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mspaint.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mspaint.exe File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: IMG_5822.jpg Static file information: File size 3545942 > 1048576
Source: C:\Windows\SysWOW64\mspaint.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mspaint.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mspaint.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mspaint.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mspaint.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mspaint.exe Process information set: NOOPENFILEERRORBOX
Source: mspaint.exe, 00000000.00000003.1746231254.0000000009030000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Y`yU\uW^wU\uPWpRXoPVmNTkNTkPVmRXoQWnPVmCI`>D[7?V6>U:BYCKbLTkS\pYcuT^pS]oDN`?I[<FX>HZBL^=GY<FX9CU>HZ=GY9CUAK]GQcBJ[FN_EM^=EVHQ_OXfGN]RYhahwcjyX_nGN]>ET7>M38G27F69H58G47F47F69H9<K<?N=@O:=L9<K7:I69H69H25D25D7:I58G47F47F8;J8;J9<K:=L=@O<?N=@O:=L47F58G:=L;>M8;J+-?-1C48J7;M48J37I48J26H48J26H.2D-1C15G59K48J15G18I.6G/6G.6G/6G/7H4;N9@S9@S4;N5<O8?R5<O29L5<O8?R5<P29M29M3:N18L29M4;O5<P29M3:N5<P6=Q6=Q4;O3:N18L4:Q19P-5L-5L.4K,2I-3J+1H.4K.4K*0G%+B!)@"*A%-D+3J09M2=Q8CY<F^<Gb=Hc=Ie=Ie9Gc:Hd;Ie8Fb7Dd=JjDPrBQrHWxFWxFWxHYzL]~Qb
Source: mspaint.exe, 00000000.00000003.1747970077.000000000BD20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qPwhGn_MsgNthHpdIqeMujOwlV
Source: mspaint.exe, 00000000.00000003.1746231254.0000000009030000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: hcd`[]f_dd]df]ge\f[R\\T[d\cwovmci\UZQGMTMRTKN]VYYRUPKLUPQ|wx
Source: mspaint.exe, 00000000.00000003.1747970077.000000000BD20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: z^pc\pc[obXoaXoaUn`Yrd`zl_yk\yja~o_~oWvgQpaKi\@aSBfVJn^Lp`MqaTwiWzlSwiOseKrcKrcIqeMuiItgDobDobBm`DrfEsgHviJxkIwjIwjIwjGuhEsfDreFscHueHueFscFqbHsdR}nT
Source: mspaint.exe, 00000000.00000003.1747970077.000000000BD20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: xf{sdxsaupctpevrarn_pl\ngYkd[mfZleWja^qh`pibrkgxol}tizqctkctkfwnctkari`og_nf_nf`oganf`kcdpdgqemujrxmw}r
Source: mspaint.exe, 00000000.00000003.1746231254.0000000009030000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: P[vNYtDMhHRjEOgITjFQgCNdS]uT^vPWpNUnBJa?G^<D[2:Q/6J4;O18L29M6<O=CV=CV28K*0C+1D,2E)/B.4G5;N8>Q?EXGM`CI\:@S:@SAF[@EZ=BW7<Q<AVCH]@EZ<AV5:O5:O7<Q6;P27L16K6;P>CX5:O8=R:?T;@U,1F',A-4H3:N.5I,3G-6J4=Q8AU8AU7@T5>R6>U8@W:BY;CZ4<S8@W9AX5=T4;T18Q29R5<U4;T6=V@G`IPiOUlHNe@F]FLc@F]BH_?E\AG^JPgPVmCI`FLc9?VEKbFLcNTkBIb8?X.5N18QMTmX_x\c|DKdJQjDKdELeNUnTYrSXqTYrY^wsy
Source: mspaint.exe, 00000000.00000003.1747970077.0000000009F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: W_|^e~HOhHOhU\uY`yT[tQXqY`yRYrFMfGLeOTmOTmJOhJOhKPiIOfDJaNTkZ`wPVmCI`GMdQWnQWnMSjNTkTZqSYpSYpV\sMSjQVoUZsX]v[`yX\uX\ucg
Source: mspaint.exe, 00000000.00000003.1747970077.000000000A920000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: }VMCI@7C:1;2)5)#."
Source: mspaint.exe, 00000000.00000003.1746231254.0000000009030000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: &=#+B'.G%0F'.G)4J.5N,6N.8P3=U3=U4>V<F^AKc>H`=G_<F^1;S6@X;E]6@X=G_EOg@Ka@H_JSgMVjHQeJQeNUiQXkRYlQWjPViPWhNUfMQcKOaPUdV[jPWfZap_fwbizcgyaewW]pDJ]BH[LRePWkGNbEL`CJ^HQeMUlS]uPZrPZrMWoGRmLWrQ\wOZuDOjKXrQ^xIVpHSoT_{Xc
Source: mspaint.exe, 00000000.00000003.1747970077.000000000BD20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tKviIqeMuiJpdQwkPvjTznX~rSymJpdFl`Dj^?fW;bS;bSJqbW
Source: mspaint.exe, 00000000.00000003.1747970077.000000000BD20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: wRwgJo_MrbGl\BgWEl\El\El\Gn^HqbJsdKteMvgIteJufIvfGtdFscFscFscDqa@k^ItgKsgEmaIqeMuiKsgLthNvjQymRznOwkLthIqeGocGoc?hY?hY<eV;dUAj[Cl]@k\Cn_@l[=iX8dS4`O5aP;gV@jY@jYBiYCjZFm]Dk[Fk[Gl\EjZEjZEi[Ptf_
Source: C:\Windows\SysWOW64\mspaint.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\mspaint.exe Queries volume information: C:\Users\user\Desktop\IMG_5822.jpg VolumeInformation
No contacted IP infos