3bcfcd54895c4705b8cab8118731e1c871c7177cc5d60262a624f644ca3770f8

Resubmissions

10-07-2021 18:41

210710-epgrxwjdts 10

10-07-2021 18:20

210710-aqkx8q14hs 7

Analysis

max time kernel
117s
max time network
115s
platform
windows10_x64
resource
win10v20210410
submitted
10-07-2021 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

capa.exe
Size

17.0MB
MD5

4051dc738e3292a31ff4529009af59d0
SHA1

7058f538887a0b87a3b749f55fb36cf4be2cfdf8
SHA256

83e2c4e92c50812a4abe6eb1c586a0db0eac88ad700a0d85cc389205c6849616
SHA512

087fbb2ce4849472dcee6756d37e2eca2c181b6d18c1280c7fde20f576dbe90cad47b0b36d299a0d9c2b2bb9af545695fb5bd3f2b69b34c3ae275b1efae7025e

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 4336 created 2148	4336	WerFault.exe	PaintStudio.View.exe
PID 4808 created 4608	4808	WerFault.exe	PaintStudio.View.exe
PID 5084 created 4900	5084	WerFault.exe	PaintStudio.View.exe
PID 4160 created 4320	4160	WerFault.exe	PaintStudio.View.exe

Loads dropped DLL 15 IoCs

Processes:

capa.exe

pid	process
932	capa.exe
932	capa.exe
932	capa.exe
932	capa.exe
932	capa.exe
932	capa.exe
932	capa.exe
932	capa.exe
932	capa.exe
932	capa.exe
932	capa.exe
932	capa.exe
932	capa.exe
932	capa.exe
932	capa.exe

Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4336	2148	WerFault.exe	PaintStudio.View.exe
4808	4608	WerFault.exe	PaintStudio.View.exe
5084	4900	WerFault.exe	PaintStudio.View.exe
4160	4320	WerFault.exe	PaintStudio.View.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies registry class 21 IoCs

Processes:

PaintStudio.View.exePaintStudio.View.exePaintStudio.View.exePaintStudio.View.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	PaintStudio.View.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

PaintStudio.View.exePaintStudio.View.exePaintStudio.View.exePaintStudio.View.exe

pid process

2148 PaintStudio.View.exe
4608 PaintStudio.View.exe
4900 PaintStudio.View.exe
4320 PaintStudio.View.exe

pid	process
2148	PaintStudio.View.exe
4608	PaintStudio.View.exe
4900	PaintStudio.View.exe
4320	PaintStudio.View.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

mspaint.exePaintStudio.View.exeWerFault.exemspaint.exePaintStudio.View.exeWerFault.exe

pid	process
2032	mspaint.exe
2032	mspaint.exe
2148	PaintStudio.View.exe
2148	PaintStudio.View.exe
2148	PaintStudio.View.exe
2148	PaintStudio.View.exe
2148	PaintStudio.View.exe
2148	PaintStudio.View.exe
2148	PaintStudio.View.exe
2148	PaintStudio.View.exe
2148	PaintStudio.View.exe
2148	PaintStudio.View.exe
2148	PaintStudio.View.exe
2148	PaintStudio.View.exe
2148	PaintStudio.View.exe
2148	PaintStudio.View.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
2148	PaintStudio.View.exe
2148	PaintStudio.View.exe
2148	PaintStudio.View.exe
4564	mspaint.exe
4564	mspaint.exe
4608	PaintStudio.View.exe
4608	PaintStudio.View.exe
4608	PaintStudio.View.exe
4608	PaintStudio.View.exe
4608	PaintStudio.View.exe
4608	PaintStudio.View.exe
4608	PaintStudio.View.exe
4608	PaintStudio.View.exe
4608	PaintStudio.View.exe
4608	PaintStudio.View.exe
4608	PaintStudio.View.exe
4808	WerFault.exe
4808	WerFault.exe
4808	WerFault.exe
4808	WerFault.exe
4808	WerFault.exe
4808	WerFault.exe
4808	WerFault.exe
4808	WerFault.exe
4808	WerFault.exe
4808	WerFault.exe
4808	WerFault.exe
4808	WerFault.exe
4808	WerFault.exe
4808	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exemspaint.exe

pid process

1044 7zFM.exe
4544 mspaint.exe

pid	process
1044	7zFM.exe
4544	mspaint.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

7zFM.exesvchost.exe7zG.exePaintStudio.View.exeWerFault.exePaintStudio.View.exeWerFault.exePaintStudio.View.exeWerFault.exePaintStudio.View.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	1044	7zFM.exe
Token: 35	1044	7zFM.exe
Token: SeSecurityPrivilege	1044	7zFM.exe
Token: SeSecurityPrivilege	1044	7zFM.exe
Token: SeTcbPrivilege	3404	svchost.exe
Token: SeRestorePrivilege	3404	svchost.exe
Token: SeRestorePrivilege	644	7zG.exe
Token: 35	644	7zG.exe
Token: SeDebugPrivilege	2148	PaintStudio.View.exe
Token: SeDebugPrivilege	2148	PaintStudio.View.exe
Token: SeDebugPrivilege	2148	PaintStudio.View.exe
Token: SeDebugPrivilege	4336	WerFault.exe
Token: SeDebugPrivilege	4608	PaintStudio.View.exe
Token: SeDebugPrivilege	4608	PaintStudio.View.exe
Token: SeDebugPrivilege	4808	WerFault.exe
Token: SeDebugPrivilege	4900	PaintStudio.View.exe
Token: SeDebugPrivilege	4900	PaintStudio.View.exe
Token: SeDebugPrivilege	5084	WerFault.exe
Token: SeDebugPrivilege	4320	PaintStudio.View.exe
Token: SeDebugPrivilege	4320	PaintStudio.View.exe
Token: SeDebugPrivilege	4160	WerFault.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

7zFM.exe

pid process

1044 7zFM.exe
1044 7zFM.exe
1044 7zFM.exe
1044 7zFM.exe

pid	process
1044	7zFM.exe
1044	7zFM.exe
1044	7zFM.exe
1044	7zFM.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

mspaint.exePaintStudio.View.exemspaint.exePaintStudio.View.exemspaint.exePaintStudio.View.exemspaint.exePaintStudio.View.exemspaint.exe

pid	process
2032	mspaint.exe
2148	PaintStudio.View.exe
4564	mspaint.exe
4608	PaintStudio.View.exe
4860	mspaint.exe
4900	PaintStudio.View.exe
628	mspaint.exe
4320	PaintStudio.View.exe
4544	mspaint.exe
4544	mspaint.exe
4544	mspaint.exe
4544	mspaint.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

capa.exesvchost.exe

description	pid	process	target process
PID 3724 wrote to memory of 932	3724	capa.exe	capa.exe
PID 3724 wrote to memory of 932	3724	capa.exe	capa.exe
PID 3404 wrote to memory of 2676	3404	svchost.exe	dashost.exe
PID 3404 wrote to memory of 2676	3404	svchost.exe	dashost.exe

C:\Users\Admin\AppData\Local\Temp\capa.exe
"C:\Users\Admin\AppData\Local\Temp\capa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Users\Admin\AppData\Local\Temp\capa.exe
"C:\Users\Admin\AppData\Local\Temp\capa.exe"
2⤵
- Loads dropped DLL
PID:932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1548

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Activision.cfg"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1044

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\system32\dashost.exe
dashost.exe {1acaa498-b2bb-4689-896577d6f3a36690}
2⤵
PID:2676

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap4465:82:7zEvent5943 -ad -saa -- "C:\Users\Admin\AppData\Local\Temp\1"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\1.jpg" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2148

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2148 -s 3768
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\1.jpg" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4564

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4608 -s 3720
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\1.jpg" /ForceBootstrapPaint3D
1⤵
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4900

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4900 -s 3672
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\1.jpg" /ForceBootstrapPaint3D
1⤵
- Suspicious use of SetWindowsHookEx
PID:628

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4320 -s 3652
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\1.jpg"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
MD5
0c5631a720043265fae6066b9d3ce25d

SHA1
0cd9d2c75a80a5fb55ebd8ec77087aeb01caf6a2

SHA256
a31daf391f9fbf5e5d0c6c9e06126d236d5ac5c198aa6fa52c3d1830ef3a690b

SHA512
1acad89642418b90909112851ed08e9cda1e5c52233809c90e2f8268c45c0de9b1bbae8d591f38af4586c0388ac42b158d5db50e63b28c1c078b6eab0bb5d21e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
MD5
b7557afc47dd7fba248c500ded4e0ecf

SHA1
61942f86c03fcd96742355ce71f9df9140ccb759

SHA256
65cf3bb1bbaf0f06b97877a638791439f1fc25b04e748aa154061f58507c90a8

SHA512
e0054fc56a262767bc30e4139f8109d24dc762601ccd6a282157cb23b14d2f49ee38ce9a85c97d9fa2ee20d0320d3e4823b6d868e9d25f70c2037b35d409a6fc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
MD5
6ad8967a600ebced92af70ce7a134c84

SHA1
593d25eb48c690ceb90eb93f55a929c6030846c7

SHA256
3136eba16c7ea1f98cf273b4a487095643ecb3c90b4e2dd9e37f690822ec7ca9

SHA512
4e70cfae6465f0666e6f0d26a75e54f2ba7be1544d0b7f74abd6c0122fc5a85d7364665045b1f37606e917f482d2ccf22837f78c077f8ff9d34941baa86832d0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
MD5
404a3ec24e3ebf45be65e77f75990825

SHA1
1e05647cf0a74cedfdeabfa3e8ee33b919780a61

SHA256
cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

SHA512
a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
MD5
404a3ec24e3ebf45be65e77f75990825

SHA1
1e05647cf0a74cedfdeabfa3e8ee33b919780a61

SHA256
cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

SHA512
a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
MD5
404a3ec24e3ebf45be65e77f75990825

SHA1
1e05647cf0a74cedfdeabfa3e8ee33b919780a61

SHA256
cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

SHA512
a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.jpg
MD5
e2bb769547bd440ce9b0a8ecae7fad86

SHA1
b3a0cdcc03d06ec0332e916788cab9bcc92b54e4

SHA256
9d7a9565ddc43390f735e3e78b69623119be5a35f17b7a5a14e86ca454ab992e

SHA512
d4c6cfbdac21a00a8315f6e8f4df08fa29a11c36e59ed3b47f0a99dcb81d16d4c80c3fa6f2a7248a8c730b577851e901a0bac541f525b1f9c88a8096bf7cfdc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\VCRUNTIME140.dll
MD5
ade7aac069131f54e4294f722c17a412

SHA1
fede04724bdd280dae2c3ce04db0fe5f6e54988d

SHA256
92d50f7c4055718812cd3d823aa2821d6718eb55d2ab2bac55c2e47260c25a76

SHA512
76a810a41eb739fba2b4c437ed72eda400e71e3089f24c79bdabcb8aab0148d80bd6823849e5392140f423addb7613f0fc83895b9c01e85888d774e0596fc048

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\_bz2.pyd
MD5
0083b7118baca26c44df117a40b8e974

SHA1
218176d616a57fd2057a34c98f510ac8b7d0f550

SHA256
e1f791a3f5e277880d56f21006cec8e0b93ca50cd4464b2b4c6e88ab3ca5234d

SHA512
e093937e4f1c8e3c321e2059a3dda703f0d3df88deba2b15656bca87a258a9cd4dc677859cb1879157d4e60e10efb4d35c402135960ef2afddfef9c388077b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\_ctypes.pyd
MD5
9755d3747e407ca70a4855bc9e98cfb9

SHA1
5a1871716715ba7f898afaae8c182bd8199ed60a

SHA256
213937a90b1b91a31d3d4b240129e30f36108f46589ba68cd07920ce18c572c2

SHA512
fb2d709b4a8f718c1ab33a1b65ac990052e3a5a0d8dd57f415b4b12bce95189397bfddb5fb3a7fc1776c191eb92fd28e3aaebbebdf1024ecd99e412376ca4467

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\_hashlib.pyd
MD5
f6f10f79867e33929e8c3263beaee423

SHA1
91ed04e12da5e5bed607f1957ede5057d78c275f

SHA256
c66d0a524a9d6c7f110273ffb14fb0ead440bf42f7a3957554f8b053331a7c3c

SHA512
30004621f7ee267e18987922b3e4243da6080cc7fcff8caa9cc8fdf795ba156ffba8c163a621959c2696cea6835398b046ff3175c0d02154532a93395391124b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\_lzma.pyd
MD5
e63bf80e04ae950ef22d8fc100d6495f

SHA1
f2340ecaa46cb1737abcb19dbab6de9e3cbc51d7

SHA256
f4016a1a8eb34aaf4f20d6c2fdbb02992cc5125f5c32f0335c6dfbeedb9add5c

SHA512
cd70c7c99e5fb131567aa2213abd5f811e2a271ac12a2210be6a04728c696c407814e4535e7ca19ca86a2d3311d822cc6985864a2e178e1b36faf6bc828e621f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\_ruamel_yaml.cp38-win_amd64.pyd
MD5
1bf012c76a3288d6ef6586b1dc270f19

SHA1
8ec29f8b7627918b9c12e9873d314abb3171fbe4

SHA256
8ab5bbe2f26ed3e48918b9b2ee3e0cefd01a6b678819a92108cf5c566a0a435e

SHA512
4c00245d0b50b5ed9fae1be19c47ffaec076843fc0ff6031d6619c01b2c37310b2b7f8ddf569badd94f844cb2b8b4e57e7a3d69c9c1a70269df14bacbf7e16c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\_socket.pyd
MD5
ee5c9250e766a02aa745a0d1493a387c

SHA1
0e6e86b7cda5f99e719dab8bdcae21558e7def10

SHA256
28b23ef979ff75b3cc44fce358b7ed087488105e3186249163504cd719567ccf

SHA512
ba4ad7d081b307f220212a9fbf982f925ac742eec64b3c9ed2bdbf3d06a589b1acc992d9585dec077de3b7f9e814a7115470a89307123491a3aff0ac3d795419

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\base_library.zip
MD5
f93f8a27e57799857afe17f6ad872bc0

SHA1
7e485a0b3f2331b6a7ff7f933f42a1db22a2af60

SHA256
29a52735bb173445604132b18e7e8390c2b1b3a131a6082fdfd0d3b569b05154

SHA512
641ec102ad9b6e019b454d9fbd45746e4c3caf2284693d4046af33184afe5aed2b461f7bfc04257c5f82999b9a33fdc56052407006b062f611915107d6a7aa5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\libcrypto-1_1.dll
MD5
89511df61678befa2f62f5025c8c8448

SHA1
df3961f833b4964f70fcf1c002d9fd7309f53ef8

SHA256
296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf

SHA512
9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\libffi-7.dll
MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\pyexpat.pyd
MD5
a9e03036e55c680004576490efa6a792

SHA1
8a1948f1ba8b4bb9e34f29eade786fc85949d74c

SHA256
70fe25f01eafbf730deb95fd101b220149bb2eeea690b24b20f6f4bcdb0f04ed

SHA512
fa664233ceaa848901d19091f01cbd3ada8dd1a30de352dca693c4394e243941405edb0fe09fc9fb404fe18a5455c78aa8ce64f7037e63ac9574c2aec5ee4267

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\python38.dll
MD5
c381edf39a0c3ed74f1df4a44fbab4ba

SHA1
688af6616d5f2f67ff9f49dc6790583825fb82ab

SHA256
f8c622753feb3cec062a535f2a285b17f6d118fee0bf8ed5a2f3d06ca53e729d

SHA512
88abc4ef225593e176050a6526b4873c08aca3b464616b502e64e7995368e82ec413cdf9e0bc8902994b2be25aa0aaf2e5135977599e57a0e8e1809f2b67eeec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\select.pyd
MD5
6e3e3565f98e23bee501c54a4b8833db

SHA1
a4c9ecbd00c774e210eb9216e03d7945b3406c2c

SHA256
71a2198c2f9c8cb117f3ea41dc96b9ae9899f64f21392778d1516986f72d434b

SHA512
359aac4a443a013f06295e1a370f89d4452ea75fd2d11776f4eccf605b59caf529baffdcc3cef3eeb59e44a42beaf927bed908b507ac479cccc870768a620fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\ucrtbase.dll
MD5
bb0e3819e308a153c99fa6bccf2f4e77

SHA1
d96dc06cb9f441869c5088aaee4e55a81fa14387

SHA256
83e7252e6af0e63bd80bc996eed6cb687c36b94f20a55a16145d5e68076b1587

SHA512
7eb23a895bc4fac0cda16b1ab8cdcdacac7ade76519b5d9e14d2917025f3cdd7fc4bd16d22df59a8dfe7b110eb8a8ce98a50355aa32d8c49bcab3596bd0a01ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\unicodedata.pyd
MD5
0a22c143ab1dbd20e6ed6a4cb5fe1e43

SHA1
2eb837eb204d7467caad4a82e7b9932553cc9011

SHA256
d0b8deabc7bc531c0c45f17ffc75c55b1ac9ff71347b74753096050eec6235db

SHA512
8a48246bbf1dfbae63aafca8bb9ae5c14c9dbb60dcc43a1030d7ea11033cba8d6e780ab9620eeadf303f5a3a9167bddec4b2fa23dbe526b95db5c297c9f688d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\yaml\_yaml.cp38-win_amd64.pyd
MD5
4ed0e37e4973bcdfe85bbc7583642bbe

SHA1
5beb50ecc8b6451e2633064f4061bb79f32ef6b4

SHA256
0d1feb559ee20ba187e80154a9fed1495772ab4157a29584fb7fbd1c3b9e57e8

SHA512
9162e7ade5830c22c3e2bc55bce9b3bc83d919f42e9559554fd7aea6c4d17ae5429bdf13116fe3cfa826655278675198ee5033720e6043b2ed9ba00b99d47669

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI37242\VCRUNTIME140.dll
MD5
ade7aac069131f54e4294f722c17a412

SHA1
fede04724bdd280dae2c3ce04db0fe5f6e54988d

SHA256
92d50f7c4055718812cd3d823aa2821d6718eb55d2ab2bac55c2e47260c25a76

SHA512
76a810a41eb739fba2b4c437ed72eda400e71e3089f24c79bdabcb8aab0148d80bd6823849e5392140f423addb7613f0fc83895b9c01e85888d774e0596fc048

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI37242\_bz2.pyd
MD5
0083b7118baca26c44df117a40b8e974

SHA1
218176d616a57fd2057a34c98f510ac8b7d0f550

SHA256
e1f791a3f5e277880d56f21006cec8e0b93ca50cd4464b2b4c6e88ab3ca5234d

SHA512
e093937e4f1c8e3c321e2059a3dda703f0d3df88deba2b15656bca87a258a9cd4dc677859cb1879157d4e60e10efb4d35c402135960ef2afddfef9c388077b85

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI37242\_ctypes.pyd
MD5
9755d3747e407ca70a4855bc9e98cfb9

SHA1
5a1871716715ba7f898afaae8c182bd8199ed60a

SHA256
213937a90b1b91a31d3d4b240129e30f36108f46589ba68cd07920ce18c572c2

SHA512
fb2d709b4a8f718c1ab33a1b65ac990052e3a5a0d8dd57f415b4b12bce95189397bfddb5fb3a7fc1776c191eb92fd28e3aaebbebdf1024ecd99e412376ca4467

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI37242\_hashlib.pyd
MD5
f6f10f79867e33929e8c3263beaee423

SHA1
91ed04e12da5e5bed607f1957ede5057d78c275f

SHA256
c66d0a524a9d6c7f110273ffb14fb0ead440bf42f7a3957554f8b053331a7c3c

SHA512
30004621f7ee267e18987922b3e4243da6080cc7fcff8caa9cc8fdf795ba156ffba8c163a621959c2696cea6835398b046ff3175c0d02154532a93395391124b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI37242\_lzma.pyd
MD5
e63bf80e04ae950ef22d8fc100d6495f

SHA1
f2340ecaa46cb1737abcb19dbab6de9e3cbc51d7

SHA256
f4016a1a8eb34aaf4f20d6c2fdbb02992cc5125f5c32f0335c6dfbeedb9add5c

SHA512
cd70c7c99e5fb131567aa2213abd5f811e2a271ac12a2210be6a04728c696c407814e4535e7ca19ca86a2d3311d822cc6985864a2e178e1b36faf6bc828e621f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI37242\_ruamel_yaml.cp38-win_amd64.pyd
MD5
1bf012c76a3288d6ef6586b1dc270f19

SHA1
8ec29f8b7627918b9c12e9873d314abb3171fbe4

SHA256
8ab5bbe2f26ed3e48918b9b2ee3e0cefd01a6b678819a92108cf5c566a0a435e

SHA512
4c00245d0b50b5ed9fae1be19c47ffaec076843fc0ff6031d6619c01b2c37310b2b7f8ddf569badd94f844cb2b8b4e57e7a3d69c9c1a70269df14bacbf7e16c8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI37242\_socket.pyd
MD5
ee5c9250e766a02aa745a0d1493a387c

SHA1
0e6e86b7cda5f99e719dab8bdcae21558e7def10

SHA256
28b23ef979ff75b3cc44fce358b7ed087488105e3186249163504cd719567ccf

SHA512
ba4ad7d081b307f220212a9fbf982f925ac742eec64b3c9ed2bdbf3d06a589b1acc992d9585dec077de3b7f9e814a7115470a89307123491a3aff0ac3d795419

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI37242\libcrypto-1_1.dll
MD5
89511df61678befa2f62f5025c8c8448

SHA1
df3961f833b4964f70fcf1c002d9fd7309f53ef8

SHA256
296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf

SHA512
9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI37242\libffi-7.dll
MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI37242\pyexpat.pyd
MD5
a9e03036e55c680004576490efa6a792

SHA1
8a1948f1ba8b4bb9e34f29eade786fc85949d74c

SHA256
70fe25f01eafbf730deb95fd101b220149bb2eeea690b24b20f6f4bcdb0f04ed

SHA512
fa664233ceaa848901d19091f01cbd3ada8dd1a30de352dca693c4394e243941405edb0fe09fc9fb404fe18a5455c78aa8ce64f7037e63ac9574c2aec5ee4267

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI37242\python38.dll
MD5
c381edf39a0c3ed74f1df4a44fbab4ba

SHA1
688af6616d5f2f67ff9f49dc6790583825fb82ab

SHA256
f8c622753feb3cec062a535f2a285b17f6d118fee0bf8ed5a2f3d06ca53e729d

SHA512
88abc4ef225593e176050a6526b4873c08aca3b464616b502e64e7995368e82ec413cdf9e0bc8902994b2be25aa0aaf2e5135977599e57a0e8e1809f2b67eeec

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI37242\select.pyd
MD5
6e3e3565f98e23bee501c54a4b8833db

SHA1
a4c9ecbd00c774e210eb9216e03d7945b3406c2c

SHA256
71a2198c2f9c8cb117f3ea41dc96b9ae9899f64f21392778d1516986f72d434b

SHA512
359aac4a443a013f06295e1a370f89d4452ea75fd2d11776f4eccf605b59caf529baffdcc3cef3eeb59e44a42beaf927bed908b507ac479cccc870768a620fed

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI37242\ucrtbase.dll
MD5
bb0e3819e308a153c99fa6bccf2f4e77

SHA1
d96dc06cb9f441869c5088aaee4e55a81fa14387

SHA256
83e7252e6af0e63bd80bc996eed6cb687c36b94f20a55a16145d5e68076b1587

SHA512
7eb23a895bc4fac0cda16b1ab8cdcdacac7ade76519b5d9e14d2917025f3cdd7fc4bd16d22df59a8dfe7b110eb8a8ce98a50355aa32d8c49bcab3596bd0a01ed

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI37242\unicodedata.pyd
MD5
0a22c143ab1dbd20e6ed6a4cb5fe1e43

SHA1
2eb837eb204d7467caad4a82e7b9932553cc9011

SHA256
d0b8deabc7bc531c0c45f17ffc75c55b1ac9ff71347b74753096050eec6235db

SHA512
8a48246bbf1dfbae63aafca8bb9ae5c14c9dbb60dcc43a1030d7ea11033cba8d6e780ab9620eeadf303f5a3a9167bddec4b2fa23dbe526b95db5c297c9f688d8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI37242\yaml\_yaml.cp38-win_amd64.pyd
MD5
4ed0e37e4973bcdfe85bbc7583642bbe

SHA1
5beb50ecc8b6451e2633064f4061bb79f32ef6b4

SHA256
0d1feb559ee20ba187e80154a9fed1495772ab4157a29584fb7fbd1c3b9e57e8

SHA512
9162e7ade5830c22c3e2bc55bce9b3bc83d919f42e9559554fd7aea6c4d17ae5429bdf13116fe3cfa826655278675198ee5033720e6043b2ed9ba00b99d47669

Download Submit
memory/932-114-0x0000000000000000-mapping.dmp

Download
memory/2676-146-0x0000000000000000-mapping.dmp

Download