hxxps://github[.]com/paintdotnet/release/releases/download/v5[.]0[.]3/paint[.]net[.]5[.]0[.]3[.]install[.]anycpu[.]web[.]zip

System Information Discovery

Processes:

paint.net.5.0.3.install.x64.exeSetupFrontEnd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	paint.net.5.0.3.install.x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	SetupFrontEnd.exe

Executes dropped EXE 7 IoCs

Processes:

SetupShim.exeSetupDownloader.exepaint.net.5.0.3.install.x64.exeSetupShim.exeSetupFrontEnd.exepaintdotnet.exePaintDotNet.exe

pid	process
3912	SetupShim.exe
4088	SetupDownloader.exe
3656	paint.net.5.0.3.install.x64.exe
4172	SetupShim.exe
1320	SetupFrontEnd.exe
4020	paintdotnet.exe
1384	PaintDotNet.exe

Loads dropped DLL 64 IoCs

Processes:

SetupFrontEnd.exepaintdotnet.exe

pid	process
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
1320	SetupFrontEnd.exe
4020	paintdotnet.exe
4020	paintdotnet.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

paintdotnet.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ = "C:\\Program Files\\paint.net\\PaintDotNet.ShellExtension.x64.dll"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ThreadingModel = "Apartment"	paintdotnet.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SetupFrontEnd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SetupFrontEnd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SetupFrontEnd.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.he.resources	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.sv.resources	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.ZH-CN.resources	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.SystemLayer.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Reflection.TypeExtensions.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Runtime.InteropServices.JavaScript.dll	msiexec.exe
File created	C:\Program Files\paint.net\D3DCompiler_47_cor3.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Primitives.xml	msiexec.exe
File created	C:\Program Files\paint.net\System.Runtime.Serialization.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Security.Cryptography.Csp.dll	msiexec.exe
File created	C:\Program Files\paint.net\mscordbi.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Diagnostics.Debug.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.Pipes.AccessControl.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Net.ServicePoint.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Private.Xml.Linq.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Reflection.DispatchProxy.dll	msiexec.exe
File created	C:\Program Files\paint.net\clrjit.dll	msiexec.exe
File created	C:\Program Files\paint.net\ilasm.exe	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.ca.resources	msiexec.exe
File created	C:\Program Files\paint.net\System.Collections.Immutable.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.ComponentModel.EventBasedAsync.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Net.NetworkInformation.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Threading.Tasks.dll	msiexec.exe
File created	C:\Program Files\paint.net\createdump.exe	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Data.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Effects.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.sl.resources	msiexec.exe
File created	C:\Program Files\paint.net\System.Resources.ResourceManager.dll	msiexec.exe
File created	C:\Program Files\paint.net\Mono.Cecil.Rocks.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Data.xml	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.PropertySystem.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Text.Encoding.Extensions.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Web.HttpUtility.dll	msiexec.exe
File created	C:\Program Files\paint.net\UIAutomationTypes.dll	msiexec.exe
File created	C:\Program Files\paint.net\Microsoft.VisualBasic.dll	msiexec.exe
File created	C:\Program Files\paint.net\Microsoft.Win32.Registry.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Framework.xml	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Windows.Core.xml	msiexec.exe
File created	C:\Program Files\paint.net\System.Data.DataSetExtensions.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Net.HttpListener.dll	msiexec.exe
File created	C:\Program Files\paint.net\Bundled\WebPFileType\License.txt	msiexec.exe
File created	C:\Program Files\paint.net\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files\paint.net\paintdotnet.deps.json	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.UI.pdb	msiexec.exe
File created	C:\Program Files\paint.net\PresentationFramework.Luna.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Collections.Concurrent.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Diagnostics.PerformanceCounter.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Diagnostics.StackTrace.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Reflection.Extensions.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.nl.resources	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.PT-BR.resources	msiexec.exe
File created	C:\Program Files\paint.net\System.Windows.Input.Manipulations.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Security.Cryptography.Algorithms.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Security.Principal.Windows.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Threading.Tasks.Parallel.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.FileSystem.AccessControl.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Threading.AccessControl.dll	msiexec.exe
File created	C:\Program Files\paint.net\paintdotnet.exe	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.UI.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Windows.Framework.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.MemoryMappedFiles.dll	msiexec.exe
File created	C:\Program Files\paint.net\Bundled\WebPFileType\WebPFileType.pdb	msiexec.exe
File created	C:\Program Files\paint.net\msvcp140_1.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Core.dll	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e581ba1.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D52.tmp	msiexec.exe
File created	C:\Windows\Installer\e581ba4.msi	msiexec.exe
File created	C:\Windows\Installer\{67D72105-13E9-4EB7-8059-28DFC3A2DCA1}\app_icon.ico	msiexec.exe
File created	C:\Windows\Installer\e581ba1.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{67D72105-13E9-4EB7-8059-28DFC3A2DCA1}	msiexec.exe
File opened for modification	C:\Windows\Installer\{67D72105-13E9-4EB7-8059-28DFC3A2DCA1}\app_icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI68B9.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009865abc95f2d4b980000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009865abc90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809009865abc9000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009865abc900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009865abc900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d42e80ebae45d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "234205463"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{B2F6DE5A-6AA0-4776-B9AE-B93D4EC9406C}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31028344"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "234205463"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31028344"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{38CB037C-E06B-11ED-9EF6-DE61172DF127} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "388863640"	iexplore.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 64 IoCs

Processes:

paintdotnet.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\shell	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\shell\edit\command\ = "\"C:\\Program Files\\paint.net\\paintdotnet.exe\" \"%1\""	paintdotnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\OpenWithProgids	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bmp\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dds\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.jpe	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tif\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\SourceList\Net\1 = "C:\\Program Files\\paint.net\\Staging\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\shell\open\command	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\FriendlyAppName = "paint.net"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\PerceivedType = "image"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.avif	paintdotnet.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\DefaultIcon\ = "C:\\Program Files\\paint.net\\paintdotnet.exe,0"	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\50127D769E317BE4089582FD3C2ACD1A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.wdp	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\shell\open	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ = "C:\\Program Files\\paint.net\\PaintDotNet.ShellExtension.x64.dll"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.heic\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\Version = "83886083"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\CurVer\ = "paint.net.1"	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\DefaultIcon	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmp\OpenWithProgids	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}\ = "{FBF113F1-D7C8-477C-A23A-E600E7937E11}"	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\shell	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.heic\OpenWithProgids	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpg\OpenWithProgids\paint.net.1	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\shell\edit	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.bmp	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rle\OpenWithProgids\paint.net.1	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider\CurVer	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\shell\edit\command	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jfif\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tga\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.webp	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\ShellEx	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.jxr	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.tga	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\PackageCode = "E6C4A3919FD404F45A92D4D8D93DA042"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpe\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpeg\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.avif\OpenWithProgids\paint.net.1	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\edit\command	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}\ = "{FBF113F1-D7C8-477C-A23A-E600E7937E11}"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.tif	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wdp\OpenWithProgids\paint.net.1	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.wmp	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider\CLSID	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.gif	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.rle	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\paint.net.1	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\CurVer	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\open\command	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ThreadingModel = "Apartment"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\ProductIcon = "C:\\Windows\\Installer\\{67D72105-13E9-4EB7-8059-28DFC3A2DCA1}\\app_icon.ico"	msiexec.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

SetupDownloader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	SetupDownloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SetupDownloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SetupDownloader.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2224 msiexec.exe
2224 msiexec.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

SetupFrontEnd.exePaintDotNet.exe

pid process

1320 SetupFrontEnd.exe
1384 PaintDotNet.exe

pid	process
2224	msiexec.exe
2224	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SetupDownloader.exeSetupFrontEnd.exevssvc.exemsiexec.exesrtasks.exe

description	pid	process
Token: SeDebugPrivilege	4088	SetupDownloader.exe
Token: SeDebugPrivilege	1320	SetupFrontEnd.exe
Token: SeBackupPrivilege	1624	vssvc.exe
Token: SeRestorePrivilege	1624	vssvc.exe
Token: SeAuditPrivilege	1624	vssvc.exe
Token: SeBackupPrivilege	1320	SetupFrontEnd.exe
Token: SeRestorePrivilege	1320	SetupFrontEnd.exe
Token: SeShutdownPrivilege	1320	SetupFrontEnd.exe
Token: SeIncreaseQuotaPrivilege	1320	SetupFrontEnd.exe
Token: SeSecurityPrivilege	2224	msiexec.exe
Token: SeCreateTokenPrivilege	1320	SetupFrontEnd.exe
Token: SeAssignPrimaryTokenPrivilege	1320	SetupFrontEnd.exe
Token: SeLockMemoryPrivilege	1320	SetupFrontEnd.exe
Token: SeIncreaseQuotaPrivilege	1320	SetupFrontEnd.exe
Token: SeMachineAccountPrivilege	1320	SetupFrontEnd.exe
Token: SeTcbPrivilege	1320	SetupFrontEnd.exe
Token: SeSecurityPrivilege	1320	SetupFrontEnd.exe
Token: SeTakeOwnershipPrivilege	1320	SetupFrontEnd.exe
Token: SeLoadDriverPrivilege	1320	SetupFrontEnd.exe
Token: SeSystemProfilePrivilege	1320	SetupFrontEnd.exe
Token: SeSystemtimePrivilege	1320	SetupFrontEnd.exe
Token: SeProfSingleProcessPrivilege	1320	SetupFrontEnd.exe
Token: SeIncBasePriorityPrivilege	1320	SetupFrontEnd.exe
Token: SeCreatePagefilePrivilege	1320	SetupFrontEnd.exe
Token: SeCreatePermanentPrivilege	1320	SetupFrontEnd.exe
Token: SeBackupPrivilege	1320	SetupFrontEnd.exe
Token: SeRestorePrivilege	1320	SetupFrontEnd.exe
Token: SeShutdownPrivilege	1320	SetupFrontEnd.exe
Token: SeDebugPrivilege	1320	SetupFrontEnd.exe
Token: SeAuditPrivilege	1320	SetupFrontEnd.exe
Token: SeSystemEnvironmentPrivilege	1320	SetupFrontEnd.exe
Token: SeChangeNotifyPrivilege	1320	SetupFrontEnd.exe
Token: SeRemoteShutdownPrivilege	1320	SetupFrontEnd.exe
Token: SeUndockPrivilege	1320	SetupFrontEnd.exe
Token: SeSyncAgentPrivilege	1320	SetupFrontEnd.exe
Token: SeEnableDelegationPrivilege	1320	SetupFrontEnd.exe
Token: SeManageVolumePrivilege	1320	SetupFrontEnd.exe
Token: SeImpersonatePrivilege	1320	SetupFrontEnd.exe
Token: SeCreateGlobalPrivilege	1320	SetupFrontEnd.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeBackupPrivilege	5040	srtasks.exe
Token: SeRestorePrivilege	5040	srtasks.exe
Token: SeSecurityPrivilege	5040	srtasks.exe
Token: SeTakeOwnershipPrivilege	5040	srtasks.exe
Token: SeBackupPrivilege	5040	srtasks.exe
Token: SeRestorePrivilege	5040	srtasks.exe
Token: SeSecurityPrivilege	5040	srtasks.exe
Token: SeTakeOwnershipPrivilege	5040	srtasks.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2224	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeSetupFrontEnd.exePaintDotNet.exe

pid process

4988 iexplore.exe
4988 iexplore.exe
1320 SetupFrontEnd.exe
1384 PaintDotNet.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

iexplore.exeIEXPLORE.EXEpaint.net.5.0.3.install.anycpu.web.exeSetupShim.exepaint.net.5.0.3.install.x64.exeSetupShim.exeSetupFrontEnd.exePaintDotNet.exe

pid	process
4988	iexplore.exe
4988	iexplore.exe
1984	IEXPLORE.EXE
1984	IEXPLORE.EXE
3980	paint.net.5.0.3.install.anycpu.web.exe
3912	SetupShim.exe
3656	paint.net.5.0.3.install.x64.exe
4172	SetupShim.exe
1320	SetupFrontEnd.exe
1384	PaintDotNet.exe
1384	PaintDotNet.exe
1384	PaintDotNet.exe
1384	PaintDotNet.exe
1384	PaintDotNet.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

iexplore.exepaint.net.5.0.3.install.anycpu.web.exeSetupShim.exeSetupDownloader.exepaint.net.5.0.3.install.x64.exeSetupShim.exemsiexec.exeSetupFrontEnd.exe

description	pid	process	target process
PID 4988 wrote to memory of 1984	4988	iexplore.exe	IEXPLORE.EXE
PID 4988 wrote to memory of 1984	4988	iexplore.exe	IEXPLORE.EXE
PID 4988 wrote to memory of 1984	4988	iexplore.exe	IEXPLORE.EXE
PID 3980 wrote to memory of 3912	3980	paint.net.5.0.3.install.anycpu.web.exe	SetupShim.exe
PID 3980 wrote to memory of 3912	3980	paint.net.5.0.3.install.anycpu.web.exe	SetupShim.exe
PID 3980 wrote to memory of 3912	3980	paint.net.5.0.3.install.anycpu.web.exe	SetupShim.exe
PID 3912 wrote to memory of 4088	3912	SetupShim.exe	SetupDownloader.exe
PID 3912 wrote to memory of 4088	3912	SetupShim.exe	SetupDownloader.exe
PID 4088 wrote to memory of 3656	4088	SetupDownloader.exe	paint.net.5.0.3.install.x64.exe
PID 4088 wrote to memory of 3656	4088	SetupDownloader.exe	paint.net.5.0.3.install.x64.exe
PID 4088 wrote to memory of 3656	4088	SetupDownloader.exe	paint.net.5.0.3.install.x64.exe
PID 3656 wrote to memory of 4172	3656	paint.net.5.0.3.install.x64.exe	SetupShim.exe
PID 3656 wrote to memory of 4172	3656	paint.net.5.0.3.install.x64.exe	SetupShim.exe
PID 3656 wrote to memory of 4172	3656	paint.net.5.0.3.install.x64.exe	SetupShim.exe
PID 4172 wrote to memory of 1320	4172	SetupShim.exe	SetupFrontEnd.exe
PID 4172 wrote to memory of 1320	4172	SetupShim.exe	SetupFrontEnd.exe
PID 2224 wrote to memory of 4020	2224	msiexec.exe	paintdotnet.exe
PID 2224 wrote to memory of 4020	2224	msiexec.exe	paintdotnet.exe
PID 1320 wrote to memory of 1384	1320	SetupFrontEnd.exe	PaintDotNet.exe
PID 1320 wrote to memory of 1384	1320	SetupFrontEnd.exe	PaintDotNet.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/paintdotnet/release/releases/download/v5.0.3/paint.net.5.0.3.install.anycpu.web.zip
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4988

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4988 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\Temp1_paint.net.5.0.3.install.anycpu.web.zip\paint.net.5.0.3.install.anycpu.web.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_paint.net.5.0.3.install.anycpu.web.zip\paint.net.5.0.3.install.anycpu.web.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\7zSC8F3A6F6\SetupShim.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC8F3A6F6\SetupShim.exe" /suppressReboot
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3912

C:\Users\Admin\AppData\Local\Temp\7zSC8F3A6F6\x64\SetupDownloader\SetupDownloader.exe
"x64\SetupDownloader\SetupDownloader.exe" /SkipSuccessPrompt "C:\Users\Admin\AppData\Local\Temp\7zSC8F3A6F6\SetupShim.exe" /suppressReboot
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088

C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\012fe196-9800-4d04-a949-7cb74b92e52d\paint.net.5.0.3.install.x64.exe
"C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\012fe196-9800-4d04-a949-7cb74b92e52d\paint.net.5.0.3.install.x64.exe" C:\Users\Admin\AppData\Local\Temp\7zSC8F3A6F6\SetupShim.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3656

C:\Users\Admin\AppData\Local\Temp\7zS84EBD077\SetupShim.exe
"C:\Users\Admin\AppData\Local\Temp\7zS84EBD077\SetupShim.exe" /suppressReboot C:\Users\Admin\AppData\Local\Temp\7zSC8F3A6F6\SetupShim.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4172

C:\Users\Admin\AppData\Local\Temp\7zS84EBD077\x64\SetupFrontEnd.exe
"x64\SetupFrontEnd.exe" "C:\Users\Admin\AppData\Local\Temp\7zS84EBD077\SetupShim.exe" /suppressReboot C:\Users\Admin\AppData\Local\Temp\7zSC8F3A6F6\SetupShim.exe
6⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1320

C:\Program Files\paint.net\PaintDotNet.exe
"C:\Program Files\paint.net\PaintDotNet.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Program Files\paint.net\paintdotnet.exe
"C:\Program Files\paint.net\paintdotnet.exe" /setupActions /install DESKTOPSHORTCUT=1 PDNUPDATING=0 SKIPCLEANUP=0 "PROGRAMSGROUP=" /disablePGO /skipEstablishNVProfile /skipRepairAttempt
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:4020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

System Information Discovery