970064829477d473fdb0c663c8282fb373fee12b4c34fc4d2dda7cf11c9148fc

Analysis

max time kernel
166s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2022 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

paint.net.4.3.12.install.x64.exe
Size

61.4MB
MD5

c355a5829ac1552e152310346918af9f
SHA1

751e2f9b513dc5489912a4d9ab9e64a7d78eeff4
SHA256

fc8d19614f448f5f345219f87f947813e14608b61cdd2812b36a4d1bfc4b2fc0
SHA512

72190d20b98f854c1b2135d045aad4949c19f0211f6bbfd8f824c6369f9841a5d0c13a48606fe63ce4cf6591780fb59db558c3b46b31118398e380da006980eb
SSDEEP

1572864:E1tiSf6SCXKvQK5G4ULJgJsFN82imwmf93lz/iExUI+OM:0t3Qy4MQi6RlcK

Score

10^/10

coreentity discovery evasion persistence trojan

Malware Config

Signatures

CoreEntity .NET Packer 2 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\paintdotnet.dll	coreentity
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\paintdotnet.dll	coreentity

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

66 3868 msiexec.exe
68 3868 msiexec.exe
70 3868 msiexec.exe
Executes dropped EXE 5 IoCs

Processes:

SetupShim.exeSetupDownloader.exeSetupFrontEnd.exepaintdotnet.exePaintDotNet.exe

pid process

2652 SetupShim.exe
4880 SetupDownloader.exe
3348 SetupFrontEnd.exe
464 paintdotnet.exe
4212 PaintDotNet.exe

flow	pid	process
66	3868	msiexec.exe
68	3868	msiexec.exe
70	3868	msiexec.exe

pid	process
2652	SetupShim.exe
4880	SetupDownloader.exe
3348	SetupFrontEnd.exe
464	paintdotnet.exe
4212	PaintDotNet.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

paintdotnet.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ = "C:\\Program Files\\paint.net\\PaintDotNet.ShellExtension.x64.dll"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ThreadingModel = "Apartment"	paintdotnet.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

paint.net.4.3.12.install.x64.exeSetupFrontEnd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	paint.net.4.3.12.install.x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SetupFrontEnd.exe

Loads dropped DLL 64 IoCs

Processes:

SetupFrontEnd.exepaintdotnet.exe

pid	process
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
3348	SetupFrontEnd.exe
464	paintdotnet.exe
464	paintdotnet.exe
464	paintdotnet.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SetupFrontEnd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SetupFrontEnd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SetupFrontEnd.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exeSetupFrontEnd.exe

description	ioc	process
File created	C:\Program Files\paint.net\Microsoft.DiaSymReader.Native.amd64.dll	msiexec.exe
File created	C:\Program Files\paint.net\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Program Files\paint.net\paintdotnet.ico	msiexec.exe
File created	C:\Program Files\paint.net\PresentationFramework-SystemXml.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.ComponentModel.TypeConverter.dll	msiexec.exe
File created	C:\Program Files\paint.net\api-ms-win-crt-locale-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\paint.net\api-ms-win-crt-stdio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\paint.net\api-ms-win-crt-time-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Net.HttpListener.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Net.WebHeaderCollection.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Resources.Reader.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.Compression.Native.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.MemoryMappedFiles.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.Pipes.AccessControl.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Security.Principal.Windows.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Text.Encoding.CodePages.dll	msiexec.exe
File created	C:\Program Files\paint.net\Bundled\AvifFileType\License.txt	msiexec.exe
File created	C:\Program Files\paint.net\api-ms-win-core-synch-l1-2-0.dll	msiexec.exe
File created	C:\Program Files\paint.net\PresentationNative_cor3.dll	msiexec.exe
File created	C:\Program Files\paint.net\PresentationFramework-SystemXmlLinq.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Diagnostics.Debug.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Net.Requests.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Numerics.Vectors.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Runtime.CompilerServices.Unsafe.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.ShellExtension.x64.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.fa.resources	msiexec.exe
File created	C:\Program Files\paint.net\PresentationFramework-SystemDrawing.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Transactions.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Reflection.Emit.ILGeneration.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Runtime.InteropServices.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Security.Cryptography.Cng.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Threading.AccessControl.dll	msiexec.exe
File created	C:\Program Files\paint.net\api-ms-win-core-fibers-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Framework.pdb	msiexec.exe
File created	C:\Program Files\paint.net\System.CodeDom.dll	msiexec.exe
File created	C:\Program Files\paint.net\DirectWriteForwarder.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.DE.resources	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.JA.resources	msiexec.exe
File created	C:\Program Files\paint.net\System.Globalization.Extensions.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Text.Encoding.dll	msiexec.exe
File opened for modification	C:\Program Files\paint.net\Staging\PaintDotNet_x64_2091372874.msi	SetupFrontEnd.exe
File created	C:\Program Files\paint.net\api-ms-win-core-profile-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\paint.net\dbgshim.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Data.pdb	msiexec.exe
File created	C:\Program Files\paint.net\System.Buffers.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Data.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.FileSystem.Watcher.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Security.Cryptography.Primitives.dll	msiexec.exe
File created	C:\Program Files\paint.net\Resources\fr\Images.PayPalDonate.gif	msiexec.exe
File created	C:\Program Files\paint.net\License.txt	msiexec.exe
File created	C:\Program Files\paint.net\Mono.Cecil.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Net.Quic.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Security.Cryptography.Xml.dll	msiexec.exe
File created	C:\Program Files\paint.net\Bundled\DDSFileTypePlus\DdsFileTypePlusIO_x64.dll	msiexec.exe
File created	C:\Program Files\paint.net\Accessibility.dll	msiexec.exe
File created	C:\Program Files\paint.net\api-ms-win-core-file-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\paint.net\vcruntime140_cor3.dll	msiexec.exe
File created	C:\Program Files\paint.net\msvcp140.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.he.resources	msiexec.exe
File created	C:\Program Files\paint.net\System.Net.Security.dll	msiexec.exe
File created	C:\Program Files\paint.net\api-ms-win-core-rtlsupport-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\paint.net\paintdotnet.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.ValueTuple.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Security.Cryptography.OpenSsl.dll	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI61A8.tmp	msiexec.exe
File created	C:\Windows\Installer\e573e64.msi	msiexec.exe
File created	C:\Windows\Installer\{E91052A0-E7C9-4462-B7B5-2C7279F7203B}\app_icon.ico	msiexec.exe
File created	C:\Windows\Installer\e573e61.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E91052A0-E7C9-4462-B7B5-2C7279F7203B}	msiexec.exe
File opened for modification	C:\Windows\Installer\e573e61.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{E91052A0-E7C9-4462-B7B5-2C7279F7203B}\app_icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A01.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe

Modifies registry class 64 IoCs

Processes:

paintdotnet.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\open\command	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider\CurVer\ = "paint.net.ThumbnailProvider.1"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dds\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.jfif	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\04F04A40702A84B4EA7DA65A234E2357\0A25019E9C7E26447B5BC227977F02B3	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\PerceivedType = "image"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gif\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tga\OpenWithProgids\paint.net.1	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0A25019E9C7E26447B5BC227977F02B3	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.png\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A25019E9C7E26447B5BC227977F02B3\SourceList\PackageName = "PaintDotNet_x64_2091372874.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\open\command\ = "\"C:\\Program Files\\paint.net\\paintdotnet.exe\" \"%1\""	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jfif\OpenWithProgids\paint.net.1	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tga\OpenWithProgids	paintdotnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A25019E9C7E26447B5BC227977F02B3\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rle\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.jpg	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rle\OpenWithProgids	paintdotnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A25019E9C7E26447B5BC227977F02B3\Version = "67305484"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dib\OpenWithProgids\paint.net.1	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider	paintdotnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A25019E9C7E26447B5BC227977F02B3\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\print	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A25019E9C7E26447B5BC227977F02B3\SourceList\Net\1 = "C:\\Program Files\\paint.net\\Staging\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\edit	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider\CLSID	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.dib	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpeg\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0A25019E9C7E26447B5BC227977F02B3\DefaultFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A25019E9C7E26447B5BC227977F02B3	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpg\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpe\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ = "C:\\Program Files\\paint.net\\PaintDotNet.ShellExtension.x64.dll"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.heic\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tif\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.wdp	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A25019E9C7E26447B5BC227977F02B3\ProductIcon = "C:\\Windows\\Installer\\{E91052A0-E7C9-4462-B7B5-2C7279F7203B}\\app_icon.ico"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A25019E9C7E26447B5BC227977F02B3\SourceList\LastUsedSource = "n;1;C:\\Program Files\\paint.net\\Staging\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\shell\open\command\ = "\"C:\\Program Files\\paint.net\\paintdotnet.exe\" %1"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.tiff	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A25019E9C7E26447B5BC227977F02B3\ProductName = "paint.net"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A25019E9C7E26447B5BC227977F02B3\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider.1\CLSID\ = "{FBF113F1-D7C8-477C-A23A-E600E7937E11}"	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes	paintdotnet.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A25019E9C7E26447B5BC227977F02B3\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\OpenWithProgids	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\shell	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\FriendlyAppName = "paint.net"	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\edit\command	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\open	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\FriendlyTypeName = "paint.net Image"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\DefaultIcon\ = "C:\\Program Files\\paint.net\\paintdotnet.exe,0"	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\shell\open	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}\ = "{FBF113F1-D7C8-477C-A23A-E600E7937E11}"	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\shell\edit	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\ = "paint.net.1"	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A25019E9C7E26447B5BC227977F02B3\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

3868 msiexec.exe
3868 msiexec.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

SetupFrontEnd.exePaintDotNet.exe

pid process

3348 SetupFrontEnd.exe
4212 PaintDotNet.exe

pid	process
3868	msiexec.exe
3868	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SetupFrontEnd.exevssvc.exemsiexec.exesrtasks.exe

description	pid	process
Token: SeDebugPrivilege	3348	SetupFrontEnd.exe
Token: SeBackupPrivilege	1212	vssvc.exe
Token: SeRestorePrivilege	1212	vssvc.exe
Token: SeAuditPrivilege	1212	vssvc.exe
Token: SeBackupPrivilege	3348	SetupFrontEnd.exe
Token: SeRestorePrivilege	3348	SetupFrontEnd.exe
Token: SeShutdownPrivilege	3348	SetupFrontEnd.exe
Token: SeIncreaseQuotaPrivilege	3348	SetupFrontEnd.exe
Token: SeSecurityPrivilege	3868	msiexec.exe
Token: SeCreateTokenPrivilege	3348	SetupFrontEnd.exe
Token: SeAssignPrimaryTokenPrivilege	3348	SetupFrontEnd.exe
Token: SeLockMemoryPrivilege	3348	SetupFrontEnd.exe
Token: SeIncreaseQuotaPrivilege	3348	SetupFrontEnd.exe
Token: SeMachineAccountPrivilege	3348	SetupFrontEnd.exe
Token: SeTcbPrivilege	3348	SetupFrontEnd.exe
Token: SeSecurityPrivilege	3348	SetupFrontEnd.exe
Token: SeTakeOwnershipPrivilege	3348	SetupFrontEnd.exe
Token: SeLoadDriverPrivilege	3348	SetupFrontEnd.exe
Token: SeSystemProfilePrivilege	3348	SetupFrontEnd.exe
Token: SeSystemtimePrivilege	3348	SetupFrontEnd.exe
Token: SeProfSingleProcessPrivilege	3348	SetupFrontEnd.exe
Token: SeIncBasePriorityPrivilege	3348	SetupFrontEnd.exe
Token: SeCreatePagefilePrivilege	3348	SetupFrontEnd.exe
Token: SeCreatePermanentPrivilege	3348	SetupFrontEnd.exe
Token: SeBackupPrivilege	3348	SetupFrontEnd.exe
Token: SeRestorePrivilege	3348	SetupFrontEnd.exe
Token: SeShutdownPrivilege	3348	SetupFrontEnd.exe
Token: SeDebugPrivilege	3348	SetupFrontEnd.exe
Token: SeAuditPrivilege	3348	SetupFrontEnd.exe
Token: SeSystemEnvironmentPrivilege	3348	SetupFrontEnd.exe
Token: SeChangeNotifyPrivilege	3348	SetupFrontEnd.exe
Token: SeRemoteShutdownPrivilege	3348	SetupFrontEnd.exe
Token: SeUndockPrivilege	3348	SetupFrontEnd.exe
Token: SeSyncAgentPrivilege	3348	SetupFrontEnd.exe
Token: SeEnableDelegationPrivilege	3348	SetupFrontEnd.exe
Token: SeManageVolumePrivilege	3348	SetupFrontEnd.exe
Token: SeImpersonatePrivilege	3348	SetupFrontEnd.exe
Token: SeCreateGlobalPrivilege	3348	SetupFrontEnd.exe
Token: SeRestorePrivilege	3868	msiexec.exe
Token: SeTakeOwnershipPrivilege	3868	msiexec.exe
Token: SeBackupPrivilege	4392	srtasks.exe
Token: SeRestorePrivilege	4392	srtasks.exe
Token: SeSecurityPrivilege	4392	srtasks.exe
Token: SeTakeOwnershipPrivilege	4392	srtasks.exe
Token: SeRestorePrivilege	3868	msiexec.exe
Token: SeTakeOwnershipPrivilege	3868	msiexec.exe
Token: SeBackupPrivilege	4392	srtasks.exe
Token: SeRestorePrivilege	4392	srtasks.exe
Token: SeSecurityPrivilege	4392	srtasks.exe
Token: SeTakeOwnershipPrivilege	4392	srtasks.exe
Token: SeRestorePrivilege	3868	msiexec.exe
Token: SeTakeOwnershipPrivilege	3868	msiexec.exe
Token: SeRestorePrivilege	3868	msiexec.exe
Token: SeTakeOwnershipPrivilege	3868	msiexec.exe
Token: SeRestorePrivilege	3868	msiexec.exe
Token: SeTakeOwnershipPrivilege	3868	msiexec.exe
Token: SeRestorePrivilege	3868	msiexec.exe
Token: SeTakeOwnershipPrivilege	3868	msiexec.exe
Token: SeRestorePrivilege	3868	msiexec.exe
Token: SeTakeOwnershipPrivilege	3868	msiexec.exe
Token: SeRestorePrivilege	3868	msiexec.exe
Token: SeTakeOwnershipPrivilege	3868	msiexec.exe
Token: SeRestorePrivilege	3868	msiexec.exe
Token: SeTakeOwnershipPrivilege	3868	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

SetupFrontEnd.exePaintDotNet.exe

pid process

3348 SetupFrontEnd.exe
4212 PaintDotNet.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

SetupShim.exeSetupFrontEnd.exePaintDotNet.exe

pid process

2652 SetupShim.exe
3348 SetupFrontEnd.exe
4212 PaintDotNet.exe
4212 PaintDotNet.exe

pid	process
2652	SetupShim.exe
3348	SetupFrontEnd.exe
4212	PaintDotNet.exe
4212	PaintDotNet.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

paint.net.4.3.12.install.x64.exeSetupShim.exemsiexec.exeSetupFrontEnd.exe

description	pid	process	target process
PID 4924 wrote to memory of 2652	4924	paint.net.4.3.12.install.x64.exe	SetupShim.exe
PID 4924 wrote to memory of 2652	4924	paint.net.4.3.12.install.x64.exe	SetupShim.exe
PID 4924 wrote to memory of 2652	4924	paint.net.4.3.12.install.x64.exe	SetupShim.exe
PID 2652 wrote to memory of 4880	2652	SetupShim.exe	SetupDownloader.exe
PID 2652 wrote to memory of 4880	2652	SetupShim.exe	SetupDownloader.exe
PID 2652 wrote to memory of 3348	2652	SetupShim.exe	SetupFrontEnd.exe
PID 2652 wrote to memory of 3348	2652	SetupShim.exe	SetupFrontEnd.exe
PID 3868 wrote to memory of 464	3868	msiexec.exe	paintdotnet.exe
PID 3868 wrote to memory of 464	3868	msiexec.exe	paintdotnet.exe
PID 3348 wrote to memory of 4212	3348	SetupFrontEnd.exe	PaintDotNet.exe
PID 3348 wrote to memory of 4212	3348	SetupFrontEnd.exe	PaintDotNet.exe

C:\Users\Admin\AppData\Local\Temp\paint.net.4.3.12.install.x64.exe
"C:\Users\Admin\AppData\Local\Temp\paint.net.4.3.12.install.x64.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4924

C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\SetupShim.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\SetupShim.exe" /suppressReboot
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652

C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\SetupDownloader\SetupDownloader.exe
"x64\SetupDownloader\SetupDownloader.exe" /SkipSuccessPrompt "C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\SetupShim.exe" /suppressReboot
3⤵
- Executes dropped EXE
PID:4880

C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\SetupFrontEnd.exe
"x64\SetupFrontEnd.exe" "C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\SetupShim.exe" /suppressReboot
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3348

C:\Program Files\paint.net\PaintDotNet.exe
"C:\Program Files\paint.net\PaintDotNet.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3868

C:\Program Files\paint.net\paintdotnet.exe
"C:\Program Files\paint.net\paintdotnet.exe" /setupActions /install DESKTOPSHORTCUT=1 PDNUPDATING=0 SKIPCLEANUP=0 "PROGRAMSGROUP=" /disablePGO /skipEstablishNVProfile /skipRepairAttempt
2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\SetupShim.exe
Filesize
136KB

MD5
2c662cbb7fcd4bcc2f9dab3637f77a97

SHA1
3a627070f1d9249a7e864eb45913c93eca573ecf

SHA256
4c4acdc57c4e55cfb4215e8f5fe7bd3df685139402d7098a4d331ca76b6fd517

SHA512
9452b522f576ba0918b734c870d5cbba6d3b1b8fff06fc8422181389a8a60b009d8d4c79e98f6766cad1f67389e15a39af12ea95d591b8e69202cb7097d63f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\SetupShim.exe
Filesize
136KB

MD5
2c662cbb7fcd4bcc2f9dab3637f77a97

SHA1
3a627070f1d9249a7e864eb45913c93eca573ecf

SHA256
4c4acdc57c4e55cfb4215e8f5fe7bd3df685139402d7098a4d331ca76b6fd517

SHA512
9452b522f576ba0918b734c870d5cbba6d3b1b8fff06fc8422181389a8a60b009d8d4c79e98f6766cad1f67389e15a39af12ea95d591b8e69202cb7097d63f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\PaintDotNet.Base.dll
Filesize
5.0MB

MD5
a224699b3631264d59c8e4caa33c9a59

SHA1
5ac71e507c36d32d02229aadf1d8dd8d3f49b867

SHA256
f25d11643d243a545a3563bb13ccd31094c41cb56999ddafc03e8afaa9153cc8

SHA512
9e139089582ba983dfe248c6fb759523e8be3d829ef7561e31decb9af779371a7a343dcc629fa9c328cbc5b69ff50bfceb0084787d5e937a076438080dd9da65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\PaintDotNet.Base.dll
Filesize
5.0MB

MD5
a224699b3631264d59c8e4caa33c9a59

SHA1
5ac71e507c36d32d02229aadf1d8dd8d3f49b867

SHA256
f25d11643d243a545a3563bb13ccd31094c41cb56999ddafc03e8afaa9153cc8

SHA512
9e139089582ba983dfe248c6fb759523e8be3d829ef7561e31decb9af779371a7a343dcc629fa9c328cbc5b69ff50bfceb0084787d5e937a076438080dd9da65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\PaintDotNet.Core.dll
Filesize
5.5MB

MD5
a65a2da44464af76b9d0de5fadfabdbe

SHA1
c121cab964ecf6d23a7a05b53260d6188c81e9a9

SHA256
9c3b08d5cf746c74a6f3ae468daae0c04f77dec7a8d8c18e1d77b69ee4c45e97

SHA512
04bb375e8b8615c403eb4d8ec24dd8456966a421c030547540c73f6b31d89535e301e00e756b3a44cc6a109ea51c2eb3d04a412bfdc168381c19e79c7c2ecb97

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\PaintDotNet.Core.dll
Filesize
5.5MB

MD5
a65a2da44464af76b9d0de5fadfabdbe

SHA1
c121cab964ecf6d23a7a05b53260d6188c81e9a9

SHA256
9c3b08d5cf746c74a6f3ae468daae0c04f77dec7a8d8c18e1d77b69ee4c45e97

SHA512
04bb375e8b8615c403eb4d8ec24dd8456966a421c030547540c73f6b31d89535e301e00e756b3a44cc6a109ea51c2eb3d04a412bfdc168381c19e79c7c2ecb97

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\PaintDotNet.Framework.dll
Filesize
3.5MB

MD5
47c514c29b6b187f2f1a8c8a9bd97902

SHA1
39ed6897dcec2d2eec2ec688c0673c72d5622f65

SHA256
62fd89e7cc163c1803fe63c8fdf2c8aacfb8927c997eeb19d9c64853b71556f7

SHA512
7daa003cef89a35cfb135f39609984b98f868f4d4717ed8b43a25e4f491131eaa5a079e8731d065d89f3bce32f7f0d119a2331bc103e8339f0dfe4427343d173

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\PaintDotNet.Framework.dll
Filesize
3.5MB

MD5
47c514c29b6b187f2f1a8c8a9bd97902

SHA1
39ed6897dcec2d2eec2ec688c0673c72d5622f65

SHA256
62fd89e7cc163c1803fe63c8fdf2c8aacfb8927c997eeb19d9c64853b71556f7

SHA512
7daa003cef89a35cfb135f39609984b98f868f4d4717ed8b43a25e4f491131eaa5a079e8731d065d89f3bce32f7f0d119a2331bc103e8339f0dfe4427343d173

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\PaintDotNet.Resources.dll
Filesize
1.3MB

MD5
5f6cb01bbdce33b89b4dcedc2044c96c

SHA1
df418afd33ecaeb1490844754ef929cdb37ec965

SHA256
63c400dca83c270b4dfb8251d9443c2eadcfb9bbe7edbd005ded917c87a269fd

SHA512
8302a475de0c46c74748325ee3ee074e185bbed32506bac9abca3f29bdd0fa28cbe97f1687901596c65d1932b797353385ac68b33e60bc6d9990e5fb0fa337c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\PaintDotNet.Resources.dll
Filesize
1.3MB

MD5
5f6cb01bbdce33b89b4dcedc2044c96c

SHA1
df418afd33ecaeb1490844754ef929cdb37ec965

SHA256
63c400dca83c270b4dfb8251d9443c2eadcfb9bbe7edbd005ded917c87a269fd

SHA512
8302a475de0c46c74748325ee3ee074e185bbed32506bac9abca3f29bdd0fa28cbe97f1687901596c65d1932b797353385ac68b33e60bc6d9990e5fb0fa337c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\PaintDotNet.SystemLayer.dll
Filesize
1.9MB

MD5
7b5b3af75616214e601935a04fbfcf43

SHA1
698afc69db4b6b9c5ae312c2e67622dbb03fa44d

SHA256
a83a715b732aa0e026657f9248455c0c855ff713727ac44fb5788eafe0d6d131

SHA512
2c85a9ef62ca1d473a340eb7b7a25168add88745a5ab086ed309faad0ceb5a74c75af6cd56874421eaa7ababc1e0b89c5d78dca5fa16adb0cbee0fe86e338e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\PaintDotNet.SystemLayer.dll
Filesize
1.9MB

MD5
7b5b3af75616214e601935a04fbfcf43

SHA1
698afc69db4b6b9c5ae312c2e67622dbb03fa44d

SHA256
a83a715b732aa0e026657f9248455c0c855ff713727ac44fb5788eafe0d6d131

SHA512
2c85a9ef62ca1d473a340eb7b7a25168add88745a5ab086ed309faad0ceb5a74c75af6cd56874421eaa7ababc1e0b89c5d78dca5fa16adb0cbee0fe86e338e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\SetupDownloader\AsyncBridge.dll
Filesize
23KB

MD5
46a3b9624ee066c56d2173019dbf48ac

SHA1
5f270fcb98cf07a291ba06ff50bdda8f8b961820

SHA256
588b5c20b690b6756f0f2a65146d02fec66058db698a96694c061c10a33a7c9d

SHA512
20f6d76605094ba16e460697194c21a7f0cbb49b4074330d7a8698c0fd2a03d0255839870723ba79cb5055ac07ce8c713f3ccf02a7a8b8beb11cb246a7ccb338

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\SetupDownloader\Newtonsoft.Json.dll
Filesize
495KB

MD5
283544d7f0173e6b5bfbfbc23d1c2fb0

SHA1
3e33b2ef50dac60b7411a84779d61bdb0ed9d673

SHA256
9165e595b3a0de91ac91a38e742597e12ebb2a5a8fa53058d964a06ceaef7735

SHA512
150b45cd43dc5cf191c85524c15dea09fbb48766ad802851270eaacfd73f3d097fef8dcf0ea042184220e7bc71413677d88a206d8bbe60374986e4789054040b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\SetupDownloader\SetupDownloader.Configuration.json
Filesize
136B

MD5
2baf5f08f0f9dae45b6b35fb51c507e0

SHA1
6570a08aa237acfdfa0d7605a9e29367661ea31e

SHA256
4d65d0c09cc8e9a31fad0da411184f15affc3bfffe5d030a5c4e16e09edf4642

SHA512
cdc74e907458b66d0833933b4e4fd2f3d00ee449eefc0570d04fa49b9a3be54dc44856a7925465b7ccb2ac28022aee70cba5143636802bd95582976448a3c7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\SetupDownloader\SetupDownloader.exe
Filesize
271KB

MD5
27a7a27129de6f3989cdf68e17bb94da

SHA1
e00af46a1719a924dbfbff9b612f5d203f036e89

SHA256
2697f8e203bb29a30f75efd51ea2967f88bb9167dcfe214da177fa0899bbdd78

SHA512
19724354eb9a41210473b1d9c09ddceb49cd63ff203485e02f86463690a5d807fe8184cb2cbd08e7dd6ea00166a8d3c1248cfa20ed0afea5feff955bc232b4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\SetupDownloader\SetupDownloader.exe
Filesize
271KB

MD5
27a7a27129de6f3989cdf68e17bb94da

SHA1
e00af46a1719a924dbfbff9b612f5d203f036e89

SHA256
2697f8e203bb29a30f75efd51ea2967f88bb9167dcfe214da177fa0899bbdd78

SHA512
19724354eb9a41210473b1d9c09ddceb49cd63ff203485e02f86463690a5d807fe8184cb2cbd08e7dd6ea00166a8d3c1248cfa20ed0afea5feff955bc232b4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\SetupDownloader\SetupDownloader.exe.config
Filesize
523B

MD5
10feb20cbb33b60ba67c343584ff3385

SHA1
5cd23737e5f5aff246efb613b73568a10d146888

SHA256
3ddc67ffba50bad291526c9bae9bb45d12a70d6abe87bda4ac357cd73aa5420a

SHA512
89e72a5ab80a72d8344af5d3c2bc06e10da60be33ab043cae73cbdb039c6e6da80450f4c92dc07690281eb5a7505fdd39500d03597b5dd393683c9aee635f920

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\SetupDownloader\System.Threading.dll
Filesize
130KB

MD5
a99d956fe2e32a78930c8e9bcea3fbe4

SHA1
edce5bb617263c87e6ef496afaaaaaa61a7f756e

SHA256
ef1e1cbcadd43bdf347ddfe10cf62973b9f20be569dd45f5e6ff1cdd0dd1bd81

SHA512
1a6f238259b174e27ac1949d27296022511aea3821b7b14c7b4a667114040c99bfa74ce9aaa31013f39a68140de8963bf4c9d4643c51871b780610cb5efb790d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\SetupFrontEnd.deps.json
Filesize
52KB

MD5
43ecf415925850d6cf2ee2ad50bf225a

SHA1
64d13c3bab9fbfe77d5e5fb0da5333160d1e9b89

SHA256
e4ad1586a07814ede0b23a619ec570cef3de3fc9eda2bcd2efcd1833250d3a58

SHA512
3cf80b46bdf26b979d1970b6e79ad687d8aaecf155a2189cf6c512fe5575feab10f1be3d787dc8635eba6afe50bee16f0b403dd9b6fc12d055554fd914ce44a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\SetupFrontEnd.dll
Filesize
386KB

MD5
d3f48fd1890da30ea9af60f00146f1ba

SHA1
0f19978ee36e406050fa820b441a0a617bc3bf1f

SHA256
ac6dd422245ceb44a0785cb019ec60cf1f6af8b0391893bc6086211beedfcc49

SHA512
c0b7e0821e1e8cf8bb2c169f12f41e2d038e382d1583cb8036fe9c78ad27d82f4df69eb5e60048b0baad2de6030fe5e5e97764662250f2cde14f969e682af1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\SetupFrontEnd.dll
Filesize
386KB

MD5
d3f48fd1890da30ea9af60f00146f1ba

SHA1
0f19978ee36e406050fa820b441a0a617bc3bf1f

SHA256
ac6dd422245ceb44a0785cb019ec60cf1f6af8b0391893bc6086211beedfcc49

SHA512
c0b7e0821e1e8cf8bb2c169f12f41e2d038e382d1583cb8036fe9c78ad27d82f4df69eb5e60048b0baad2de6030fe5e5e97764662250f2cde14f969e682af1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\SetupFrontEnd.exe
Filesize
155KB

MD5
68840a439842e9a7a0378678b42a2a37

SHA1
d3c3ba6eadb73a9f71d11c926f84d2124ad17708

SHA256
ce87869e36be2d7efc95201ca73ede1ee89b20df395f4db5679a59ee2facb2ae

SHA512
c5811bbeafb6e7d773c9307a20eae28c202b8e3c1da0477163230bff60d2bae2f57988b6b92a45e3f7ff04ac99d5048b24e28d0778ae22a14df18dab3cfe5c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\SetupFrontEnd.exe
Filesize
155KB

MD5
68840a439842e9a7a0378678b42a2a37

SHA1
d3c3ba6eadb73a9f71d11c926f84d2124ad17708

SHA256
ce87869e36be2d7efc95201ca73ede1ee89b20df395f4db5679a59ee2facb2ae

SHA512
c5811bbeafb6e7d773c9307a20eae28c202b8e3c1da0477163230bff60d2bae2f57988b6b92a45e3f7ff04ac99d5048b24e28d0778ae22a14df18dab3cfe5c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\SetupFrontEnd.runtimeconfig.json
Filesize
449B

MD5
58e1a67d6e01d347c66b186e041f55cf

SHA1
5170e99e1e90d1a4a7f443e31f1db90d07e26d09

SHA256
bfd9f53f97959a852a97125a4422c559ae3e1c450af4b6de9d8c931547a85224

SHA512
fc28e55c661570469cce2d8eac503841ce9bf98866def75bfa865f046d58a0886ac14c2d2c25d16abb914606ab2015ba9bb295d27d435c92ec58b9079a1f7c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.Collections.Specialized.dll
Filesize
93KB

MD5
e03229e528019f707f87fe02f3a855cd

SHA1
5c93a51af93de8b982d52b6f166f594c6e4ff979

SHA256
000ae98457e4ebaa5e8f803a1a63a7643bce6f67754c9fffcf764a6e68f6480d

SHA512
8cc3a49f90cd892088701e7596487bcf5d3ded5ebc6f16013eba90d16207adcd5d25dfe7d30b1387063cf4c18e8e9cbf0e2b1efc0a89b8b3c2a28ec3fb71ddca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.Collections.Specialized.dll
Filesize
93KB

MD5
e03229e528019f707f87fe02f3a855cd

SHA1
5c93a51af93de8b982d52b6f166f594c6e4ff979

SHA256
000ae98457e4ebaa5e8f803a1a63a7643bce6f67754c9fffcf764a6e68f6480d

SHA512
8cc3a49f90cd892088701e7596487bcf5d3ded5ebc6f16013eba90d16207adcd5d25dfe7d30b1387063cf4c18e8e9cbf0e2b1efc0a89b8b3c2a28ec3fb71ddca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.ComponentModel.Primitives.dll
Filesize
73KB

MD5
fe59bf684a15645c85c23696f42cdd3f

SHA1
aa5e1bb46f85ab31018008fffce7d1929b743657

SHA256
8dce9e2e75a7c5e7165d8ceddcdabf393117bce0dc27a213bbdfd9f9e5e9bbbb

SHA512
61104c6282cf6890facdde2df708ceeb8c4a5a6a77b0a556031cb9bb9480b8d30ca9119c7b3bfd2a8a6c1a8f7a2f56cb1785bf5deebd2e92720bc4e69b0fad88

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.ComponentModel.Primitives.dll
Filesize
73KB

MD5
fe59bf684a15645c85c23696f42cdd3f

SHA1
aa5e1bb46f85ab31018008fffce7d1929b743657

SHA256
8dce9e2e75a7c5e7165d8ceddcdabf393117bce0dc27a213bbdfd9f9e5e9bbbb

SHA512
61104c6282cf6890facdde2df708ceeb8c4a5a6a77b0a556031cb9bb9480b8d30ca9119c7b3bfd2a8a6c1a8f7a2f56cb1785bf5deebd2e92720bc4e69b0fad88

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.ComponentModel.TypeConverter.dll
Filesize
727KB

MD5
1283b9a47ec6090b0846d3b0b2a5a3f2

SHA1
e6ca832fc47e7cf8b268f6baf168c3c88c4a4d83

SHA256
454310dae946189b96fc7e373fa08640c54dd236abd4008939524881a0840f92

SHA512
106b205a75ab0c281d04af28b7a1e1a1392cc4d8008b43b2b7509c34b47a02a23bf2262bd1213f9a7f2fa489f7bcd0b99bb8daf073ced77887b2d7e690407068

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.ComponentModel.TypeConverter.dll
Filesize
727KB

MD5
1283b9a47ec6090b0846d3b0b2a5a3f2

SHA1
e6ca832fc47e7cf8b268f6baf168c3c88c4a4d83

SHA256
454310dae946189b96fc7e373fa08640c54dd236abd4008939524881a0840f92

SHA512
106b205a75ab0c281d04af28b7a1e1a1392cc4d8008b43b2b7509c34b47a02a23bf2262bd1213f9a7f2fa489f7bcd0b99bb8daf073ced77887b2d7e690407068

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.ComponentModel.dll
Filesize
18KB

MD5
ba41dfcc279c81a17974cd65d3a6bd91

SHA1
0bba7c6aabc3be220a1d9918278dcd2c51fdbe8b

SHA256
c9e1d661fe5152805703f663358a60ac0038c329392588a66aaa9ffb1665a5a5

SHA512
fb26e0801217dbfa45093cb0fd50a632ae12f11cb15ba6f1a3cba170e824b02e62e8415f0a00dc6260e9fc8f8c85ed353b61c466e3b9cfa6b10b665cf29c69b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.ComponentModel.dll
Filesize
18KB

MD5
ba41dfcc279c81a17974cd65d3a6bd91

SHA1
0bba7c6aabc3be220a1d9918278dcd2c51fdbe8b

SHA256
c9e1d661fe5152805703f663358a60ac0038c329392588a66aaa9ffb1665a5a5

SHA512
fb26e0801217dbfa45093cb0fd50a632ae12f11cb15ba6f1a3cba170e824b02e62e8415f0a00dc6260e9fc8f8c85ed353b61c466e3b9cfa6b10b665cf29c69b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.Drawing.Primitives.dll
Filesize
127KB

MD5
22e282badae79b051d8eea43a4ef7a01

SHA1
9ddf1c97a06d686c76f2bf3a759f8582deeaa2c8

SHA256
581960d48b9e91c802d77bb87996f2722acb4f4230170f6d7638c21ff7635ef1

SHA512
8f2a91cd4a5d832b5d48c82a953fed8d204518269d15cdf482cb1570bffcd83228dca6b82eb35301b2d882e45d39296ab6a6a93288c170cb3bbd5df576233c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.Drawing.Primitives.dll
Filesize
127KB

MD5
22e282badae79b051d8eea43a4ef7a01

SHA1
9ddf1c97a06d686c76f2bf3a759f8582deeaa2c8

SHA256
581960d48b9e91c802d77bb87996f2722acb4f4230170f6d7638c21ff7635ef1

SHA512
8f2a91cd4a5d832b5d48c82a953fed8d204518269d15cdf482cb1570bffcd83228dca6b82eb35301b2d882e45d39296ab6a6a93288c170cb3bbd5df576233c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.Private.CoreLib.dll
Filesize
10.1MB

MD5
1af8685bb8e67c6841b1f2150b0aec4c

SHA1
3b15c45109cbb61b1600bafede5275f1947934c5

SHA256
30a3a396ea1edd01ddbef642decf688def749c685880f4037c037d94aa7f0269

SHA512
404cdc52176cd34336c876fff884db6035b888da5d7ea102609317b4feca18a0d9ee882cf45cf317cbc3e8f1de339762bf03bd8a946fd04e23c21964e7a43686

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.Private.CoreLib.dll
Filesize
10.1MB

MD5
1af8685bb8e67c6841b1f2150b0aec4c

SHA1
3b15c45109cbb61b1600bafede5275f1947934c5

SHA256
30a3a396ea1edd01ddbef642decf688def749c685880f4037c037d94aa7f0269

SHA512
404cdc52176cd34336c876fff884db6035b888da5d7ea102609317b4feca18a0d9ee882cf45cf317cbc3e8f1de339762bf03bd8a946fd04e23c21964e7a43686

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.Runtime.InteropServices.RuntimeInformation.dll
Filesize
31KB

MD5
82fa6a3f535ba77b450a6e9b56606fc4

SHA1
34a7400c869ca5bc3d7c18692bd0df11904918a8

SHA256
8afa2512e935e2b6b3ebdb720493b0f0fce1bcd932b3d89423f46d527e3dd872

SHA512
10b8f9802cf4626a13e05a367248f70f6caaa205d1d72e19d2c919c404570a9e23e6315f86a402fadc4a6da8769ee223f95e43ef8c12e11bf673d4c1a1605d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.Runtime.InteropServices.RuntimeInformation.dll
Filesize
31KB

MD5
82fa6a3f535ba77b450a6e9b56606fc4

SHA1
34a7400c869ca5bc3d7c18692bd0df11904918a8

SHA256
8afa2512e935e2b6b3ebdb720493b0f0fce1bcd932b3d89423f46d527e3dd872

SHA512
10b8f9802cf4626a13e05a367248f70f6caaa205d1d72e19d2c919c404570a9e23e6315f86a402fadc4a6da8769ee223f95e43ef8c12e11bf673d4c1a1605d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.Runtime.InteropServices.dll
Filesize
50KB

MD5
a5e599717ffcb8d6b863ee0d4810d3f4

SHA1
b620005c738214756aaca04157f122b68e7b33e2

SHA256
16cb844698cfda630ebc9b22a598cd44cf6920ce88d1caac9d7042ed1e09b88f

SHA512
0a4690c7c13a23f814c5658bc9beae32e33448c7c7b109dc4684904e0021c86be1557d1bbe6a09f60b4d6620ba833bc301618ddd99cc0be8c08baabd4d6b901a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.Runtime.InteropServices.dll
Filesize
50KB

MD5
a5e599717ffcb8d6b863ee0d4810d3f4

SHA1
b620005c738214756aaca04157f122b68e7b33e2

SHA256
16cb844698cfda630ebc9b22a598cd44cf6920ce88d1caac9d7042ed1e09b88f

SHA512
0a4690c7c13a23f814c5658bc9beae32e33448c7c7b109dc4684904e0021c86be1557d1bbe6a09f60b4d6620ba833bc301618ddd99cc0be8c08baabd4d6b901a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.Runtime.dll
Filesize
41KB

MD5
83e4f7a918fa3ee8e573423fbd18acf2

SHA1
fa1cc21b687c239b2d4ba276c538d6c33bde6045

SHA256
301cd1655c519d9b528eaf52b950f321b2462f6cc35a9ef8a0f91ce19eb5834d

SHA512
40b88c17eeaace6e5eb1bd86fb8d84b6d4e0d284bb749e7f9655d4949de8c0fb7a9aaedbeba6da5becdc92f687cec2c2a39da7cb162ec36322de70889b662dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.Windows.Forms.Primitives.dll
Filesize
773KB

MD5
f81d47776866cd6684e3bb9dfb46cd8c

SHA1
0544e8ec595c6f635e31fbc79574f5096ecba917

SHA256
d548181fae0c45f56ec23dcf99500a1beb53edcff855bc5504105876c6a9b7a1

SHA512
881bf7d2c0a9822f24ec729974dfb5741f9ed1956d8246f95b6de3fb03278df434a036a8d972509e6615e02808f0cd4cfdd439034e9a88634f2902fe3fa3beda

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.Windows.Forms.Primitives.dll
Filesize
773KB

MD5
f81d47776866cd6684e3bb9dfb46cd8c

SHA1
0544e8ec595c6f635e31fbc79574f5096ecba917

SHA256
d548181fae0c45f56ec23dcf99500a1beb53edcff855bc5504105876c6a9b7a1

SHA512
881bf7d2c0a9822f24ec729974dfb5741f9ed1956d8246f95b6de3fb03278df434a036a8d972509e6615e02808f0cd4cfdd439034e9a88634f2902fe3fa3beda

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.Windows.Forms.dll
Filesize
12.7MB

MD5
331a01207e2b972622fc12685efc7ebe

SHA1
0c8afee47474fab643966e371eb7a8d308952006

SHA256
b4af3c451d5c10a32769bd4c3d98d9f1d4f9fbf53439b3c2dbae8cab9aba6cf5

SHA512
d918a696a9a452e55bc2170c66d93fdce1a044ed7994258cfa004b41de43bf8c6996d7c7431312f03783c2060bd8eeed0fd9daee07d22dd491edd7c67bd81177

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.Windows.Forms.dll
Filesize
12.7MB

MD5
331a01207e2b972622fc12685efc7ebe

SHA1
0c8afee47474fab643966e371eb7a8d308952006

SHA256
b4af3c451d5c10a32769bd4c3d98d9f1d4f9fbf53439b3c2dbae8cab9aba6cf5

SHA512
d918a696a9a452e55bc2170c66d93fdce1a044ed7994258cfa004b41de43bf8c6996d7c7431312f03783c2060bd8eeed0fd9daee07d22dd491edd7c67bd81177

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\System.Windows.Forms.dll
Filesize
12.7MB

MD5
331a01207e2b972622fc12685efc7ebe

SHA1
0c8afee47474fab643966e371eb7a8d308952006

SHA256
b4af3c451d5c10a32769bd4c3d98d9f1d4f9fbf53439b3c2dbae8cab9aba6cf5

SHA512
d918a696a9a452e55bc2170c66d93fdce1a044ed7994258cfa004b41de43bf8c6996d7c7431312f03783c2060bd8eeed0fd9daee07d22dd491edd7c67bd81177

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\TerraFX.Interop.Windows.dll
Filesize
256KB

MD5
ca58f9b7883a12b7cd4aef658059d2ca

SHA1
52d928e0216a3f6119bc8a4fb6eadd73f55d32b7

SHA256
add3d9e235b8ee562a5e298a78651e29ded93df72848efe781d1c67ddae2aa9a

SHA512
83f777cdf59c04a678f05de9386f189daf002ab46296476434ac5fb02f62dd62450828fd83df0cf851f83dd278009d7e8c5e6380da2021821300e3d2b30bd51d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\TerraFX.Interop.Windows.dll
Filesize
256KB

MD5
ca58f9b7883a12b7cd4aef658059d2ca

SHA1
52d928e0216a3f6119bc8a4fb6eadd73f55d32b7

SHA256
add3d9e235b8ee562a5e298a78651e29ded93df72848efe781d1c67ddae2aa9a

SHA512
83f777cdf59c04a678f05de9386f189daf002ab46296476434ac5fb02f62dd62450828fd83df0cf851f83dd278009d7e8c5e6380da2021821300e3d2b30bd51d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\clrjit.dll
Filesize
1.4MB

MD5
1972eb629b743754e28318ecf7e04628

SHA1
783f6b6f1de5168cb21b3fb7d929ad6899524d06

SHA256
e0d30abf7dde33dfe2165f8e9e63220ff9f2738ea81570275e7f1fdceabdebaf

SHA512
db2fcc3b5b0426b22fe776b0edf78c23c0ab4706217c5dbf6d0823427ecb7e3225d8bf112f25b2e81edc8fec39805335c2e4331b0ce9217de8e5ca87069a0c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\clrjit.dll
Filesize
1.4MB

MD5
1972eb629b743754e28318ecf7e04628

SHA1
783f6b6f1de5168cb21b3fb7d929ad6899524d06

SHA256
e0d30abf7dde33dfe2165f8e9e63220ff9f2738ea81570275e7f1fdceabdebaf

SHA512
db2fcc3b5b0426b22fe776b0edf78c23c0ab4706217c5dbf6d0823427ecb7e3225d8bf112f25b2e81edc8fec39805335c2e4331b0ce9217de8e5ca87069a0c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\coreclr.dll
Filesize
4.9MB

MD5
136ae18a33f456a70463a396474f3600

SHA1
276a61e8222a3d77c238a22795268fcf27d9f1ac

SHA256
35ec15d344f99d4c076c2ca47751cb7aa9d0cf75227cc5e354ae7d7c00c0bf37

SHA512
a31f7d8196cbf9980c3bdfbe0443d455767392c9ff83c7e527f410e35ec14e563e19bceef74faf71b55ea987be66bafd4073dade56fe5afeede8a500bc61cf53

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\coreclr.dll
Filesize
4.9MB

MD5
136ae18a33f456a70463a396474f3600

SHA1
276a61e8222a3d77c238a22795268fcf27d9f1ac

SHA256
35ec15d344f99d4c076c2ca47751cb7aa9d0cf75227cc5e354ae7d7c00c0bf37

SHA512
a31f7d8196cbf9980c3bdfbe0443d455767392c9ff83c7e527f410e35ec14e563e19bceef74faf71b55ea987be66bafd4073dade56fe5afeede8a500bc61cf53

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\hostfxr.dll
Filesize
366KB

MD5
4fc4fb4d77a7ef49ee5133b5b6a194ed

SHA1
8c63016cd28a0c3896ccb5f98d5aaa08a9e281d8

SHA256
cc39ab9baa38b4cf39dbc34dcc920202c69570baf67f4f947c02b8fdf0e61fc5

SHA512
5c647ce6a15a61d9bb10660aa29eafe5f2509cc63408efb3659b5036a21d268b9ffe825a4bf67d9c8e78005e7a414cc782a20538a135b9a8b0ed6329702c9fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\hostfxr.dll
Filesize
366KB

MD5
4fc4fb4d77a7ef49ee5133b5b6a194ed

SHA1
8c63016cd28a0c3896ccb5f98d5aaa08a9e281d8

SHA256
cc39ab9baa38b4cf39dbc34dcc920202c69570baf67f4f947c02b8fdf0e61fc5

SHA512
5c647ce6a15a61d9bb10660aa29eafe5f2509cc63408efb3659b5036a21d268b9ffe825a4bf67d9c8e78005e7a414cc782a20538a135b9a8b0ed6329702c9fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\hostpolicy.dll
Filesize
383KB

MD5
8920df1b3ab0660090b204d2881fbb4e

SHA1
ec8ec146c4226aece015d3b00439d0b505083dd1

SHA256
5b72566804a8cb4ac2d5d28438a6d197456e29299758dae57140b1c5ab84bbb4

SHA512
3ef742965369ca788e2ac229bf3f19648cc145f0a12f36c64f3e617039f32bccc0f24bc9736519ef7c12cd4e18831678d021d0268801bed4b593cdea1ee35ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\hostpolicy.dll
Filesize
383KB

MD5
8920df1b3ab0660090b204d2881fbb4e

SHA1
ec8ec146c4226aece015d3b00439d0b505083dd1

SHA256
5b72566804a8cb4ac2d5d28438a6d197456e29299758dae57140b1c5ab84bbb4

SHA512
3ef742965369ca788e2ac229bf3f19648cc145f0a12f36c64f3e617039f32bccc0f24bc9736519ef7c12cd4e18831678d021d0268801bed4b593cdea1ee35ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\mscorrc.dll
Filesize
143KB

MD5
3f623a087ed2fd714c2763a8f7954583

SHA1
d7fe83ad5997619594daf1c88ef63281ecd19ecf

SHA256
5aa6b0f0a2b220053b2663b97ec91200c850bc207bb56a7bfb18fcb2ad9bdb6b

SHA512
0c08d799ebb7dff1979644be48fa66100977c50e86c092f42a8743c8e4530765b8f6bc6b9d89daaa34296d1ef9f281fab52fdd45bec51bf524c811154282d069

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\paintdotnet.dll
Filesize
13.1MB

MD5
9cdd9d1f74973ebc04c756081cee5de2

SHA1
63a50d7740feb5f4aafa1ccc0df92c59ff41fdf8

SHA256
40a07b59fb930f77fdf0d85025e827a4063c77d7677147f5f6dd6cc9f3aa0332

SHA512
9a78cf5c9b311692272c8769920ec9de277158d41c05cd3b0f96fa6b14c805ec384e99ca8adffdd142c2612611e67c35dc6bb2f7bdf0ad519c5462577e1cbc24

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\paintdotnet.dll
Filesize
13.1MB

MD5
9cdd9d1f74973ebc04c756081cee5de2

SHA1
63a50d7740feb5f4aafa1ccc0df92c59ff41fdf8

SHA256
40a07b59fb930f77fdf0d85025e827a4063c77d7677147f5f6dd6cc9f3aa0332

SHA512
9a78cf5c9b311692272c8769920ec9de277158d41c05cd3b0f96fa6b14c805ec384e99ca8adffdd142c2612611e67c35dc6bb2f7bdf0ad519c5462577e1cbc24

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\vcruntime140.dll
Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\vcruntime140.dll
Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\vcruntime140_1.dll
Filesize
37KB

MD5
75e78e4bf561031d39f86143753400ff

SHA1
324c2a99e39f8992459495182677e91656a05206

SHA256
1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e

SHA512
ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC33D81A6\x64\vcruntime140_1.dll
Filesize
37KB

MD5
75e78e4bf561031d39f86143753400ff

SHA1
324c2a99e39f8992459495182677e91656a05206

SHA256
1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e

SHA512
ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

Download Submit
memory/464-204-0x0000000000000000-mapping.dmp

Download
memory/2652-132-0x0000000000000000-mapping.dmp

Download
memory/3348-148-0x0000000000000000-mapping.dmp

Download
memory/4212-205-0x0000000000000000-mapping.dmp

Download
memory/4880-146-0x000001F26C540000-0x000001F26C54C000-memory.dmp

Filesize
48KB

Download
memory/4880-147-0x00007FFC86440000-0x00007FFC86F01000-memory.dmp

Filesize
10.8MB

Download
memory/4880-143-0x000001F26C480000-0x000001F26C500000-memory.dmp

Filesize
512KB

Download
memory/4880-141-0x000001F26BA70000-0x000001F26BA98000-memory.dmp

Filesize
160KB

Download
memory/4880-139-0x000001F269DE0000-0x000001F269E28000-memory.dmp

Filesize
288KB

Download
memory/4880-135-0x0000000000000000-mapping.dmp

Download