Behavioral Report

Analysis

max time kernel
246s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2023 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

paint.net.5.0.2.install.anycpu.web.exe
Size

1MB
MD5

6a5e8c6eec9ab6ed7088bc35739e52d5
SHA1

be77e05970628d62c65b0bd609ef7ab5bb705c8f
SHA256

9d3edf7ade8ce94aaa6038e894562229e002a86840835e573caf1116e7b928a5
SHA512

e56e5356bee8d6d942f1bee7acd0a31fa03f51a7614df6f7bcdec89ec26cc3e7ea686892325938e7156f23c78814e0a9f04eeff255853939b157004ed6c12ed0
SSDEEP

24576:7rYYYYkWYCzwLhA29pQCo7jIC0BuDgwf0z:7rYYYYkvLhA29piUDjwe

Score

9^/10

coreentity discovery evasion persistence trojan

Malware Config

Signatures

CoreEntity .NET Packer 3 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral2/files/0x0006000000022ff9-1344.dat	coreentity
behavioral2/files/0x0006000000022ff9-1343.dat	coreentity
behavioral2/files/0x0008000000023205-1751.dat	coreentity

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

paint.net.5.0.2.install.anycpu.web.exepaint.net.5.0.2.install.x64.exeSetupFrontEnd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	paint.net.5.0.2.install.anycpu.web.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	paint.net.5.0.2.install.x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	SetupFrontEnd.exe

Executes dropped EXE 7 IoCs

Processes:

SetupShim.exeSetupDownloader.exepaint.net.5.0.2.install.x64.exeSetupShim.exeSetupFrontEnd.exepaintdotnet.exePaintDotNet.exe

pid	process
2636	SetupShim.exe
3852	SetupDownloader.exe
4916	paint.net.5.0.2.install.x64.exe
1236	SetupShim.exe
1676	SetupFrontEnd.exe
1568	paintdotnet.exe
3444	PaintDotNet.exe

Loads dropped DLL 64 IoCs

Processes:

SetupFrontEnd.exepaintdotnet.exe

pid	process
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1676	SetupFrontEnd.exe
1568	paintdotnet.exe
1568	paintdotnet.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

paintdotnet.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ = "C:\\Program Files\\paint.net\\PaintDotNet.ShellExtension.x64.dll"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ThreadingModel = "Apartment"	paintdotnet.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SetupFrontEnd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SetupFrontEnd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SetupFrontEnd.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\paint.net\Bundled\DDSFileTypePlus\DdsFileTypePlus.dll	msiexec.exe
File created	C:\Program Files\paint.net\Bundled\DDSFileTypePlus\License.txt	msiexec.exe
File created	C:\Program Files\paint.net\Microsoft.Win32.Registry.AccessControl.dll	msiexec.exe
File created	C:\Program Files\paint.net\Mono.Cecil.Mdb.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.uk.resources	msiexec.exe
File created	C:\Program Files\paint.net\System.Diagnostics.EventLog.Messages.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Runtime.Numerics.dll	msiexec.exe
File created	C:\Program Files\paint.net\Bundled\AvifFileType\AvifFileType.pdb	msiexec.exe
File created	C:\Program Files\paint.net\Crc32.NET.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.ComponentModel.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Effects.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Net.Ping.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Buffers.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.FileSystem.Watcher.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Net.WebClient.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Windows.Forms.Legacy.dll	msiexec.exe
File created	C:\Program Files\paint.net\WindowsFormsIntegration.dll	msiexec.exe
File created	C:\Program Files\paint.net\PresentationCore.dll	msiexec.exe
File created	C:\Program Files\paint.net\PresentationNative_cor3.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Web.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.JA.resources	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.pl.resources	msiexec.exe
File created	C:\Program Files\paint.net\PdnRepair.exe	msiexec.exe
File created	C:\Program Files\paint.net\System.Collections.Concurrent.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Private.Xml.Linq.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Security.Cryptography.Xml.dll	msiexec.exe
File created	C:\Program Files\paint.net\WindowsBase.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.resources	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Windows.Core.xml	msiexec.exe
File created	C:\Program Files\paint.net\System.Diagnostics.Tools.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.Compression.ZipFile.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Text.Encoding.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Threading.Tasks.Dataflow.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.ObjectModel.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.ObjectModel.xml	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.he.resources	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.sv.resources	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.UI.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Private.CoreLib.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Net.Quic.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Security.Cryptography.ProtectedData.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Threading.AccessControl.dll	msiexec.exe
File created	C:\Program Files\paint.net\Bundled\DDSFileTypePlus\DdsFileTypePlusIO_x64.dll	msiexec.exe
File created	C:\Program Files\paint.net\Mono.Cecil.Rocks.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.be.resources	msiexec.exe
File created	C:\Program Files\paint.net\PresentationFramework-SystemCore.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Reflection.Metadata.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Security.SecureString.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Xml.XDocument.dll	msiexec.exe
File created	C:\Program Files\paint.net\Microsoft.Win32.SystemEvents.dll	msiexec.exe
File created	C:\Program Files\paint.net\msquic.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.UI.pdb	msiexec.exe
File created	C:\Program Files\paint.net\System.Design.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Runtime.Serialization.dll	msiexec.exe
File created	C:\Program Files\paint.net\UIAutomationClientSideProviders.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Core.xml	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.PropertySystem.dll	msiexec.exe
File created	C:\Program Files\paint.net\PresentationFramework.Classic.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Net.HttpListener.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.fa.resources	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Systrace.pdb	msiexec.exe
File created	C:\Program Files\paint.net\System.ComponentModel.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Data.dll	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI118A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{DBC43589-CC32-4502-BBEC-5B931AF4BD2E}\app_icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5B75.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DBC43589-CC32-4502-BBEC-5B931AF4BD2E}	msiexec.exe
File created	C:\Windows\Installer\e58e250.msi	msiexec.exe
File created	C:\Windows\Installer\{DBC43589-CC32-4502-BBEC-5B931AF4BD2E}\app_icon.ico	msiexec.exe
File created	C:\Windows\Installer\e58e24d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58e24d.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000206f4107d723b55a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000206f41070000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900206f4107000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000206f410700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000206f410700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe

Modifies registry class 64 IoCs

Processes:

paintdotnet.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\ShellEx	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.png	paintdotnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.heic\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tga\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\SourceList\PackageName = "PaintDotNet_x64_5.0.2.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider\CurVer	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\shell\edit	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.jfif	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\paint.net.1	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\CurVer	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.avif\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmp\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\CurVer\ = "paint.net.1"	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\PerceivedType = "image"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.bmp	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\ = "paint.net.1"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.pdn	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.heic	paintdotnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\Version = "83886082"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\edit\command\ = "\"C:\\Program Files\\paint.net\\paintdotnet.exe\" \"%1\""	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\print\command	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ = "C:\\Program Files\\paint.net\\PaintDotNet.ShellExtension.x64.dll"	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tga	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\FriendlyTypeName = "paint.net Image"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\PackageCode = "D3ABCFC2DF1E0544DA82015E6088D941"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\shell\edit\command	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider.1\CLSID	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.jpeg	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tga\OpenWithProgids	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tiff\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\open	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\shell\open\command	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gif\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\SourceList\Net\1 = "C:\\Program Files\\paint.net\\Staging\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.wmp	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\ = "URL:paint.net"	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpeg\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\ = "paint.net Thumbnail Provider"	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider\CLSID	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\OpenWithProgids	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.avif	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\edit\command	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\URL Protocol	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider\CurVer\ = "paint.net.ThumbnailProvider.1"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.jpg	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.rle	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmp\OpenWithProgids	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\open\command\ = "\"C:\\Program Files\\paint.net\\paintdotnet.exe\" \"%1\""	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}\ = "{FBF113F1-D7C8-477C-A23A-E600E7937E11}"	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dds\OpenWithProgids	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.tga	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tif\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\Clients = 3a0000000000	msiexec.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

SetupDownloader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	SetupDownloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SetupDownloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SetupDownloader.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

4008 msiexec.exe
4008 msiexec.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

SetupFrontEnd.exePaintDotNet.exe

pid process

1676 SetupFrontEnd.exe
3444 PaintDotNet.exe

pid	process
4008	msiexec.exe
4008	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SetupDownloader.exeSetupFrontEnd.exevssvc.exemsiexec.exesrtasks.exe

description	pid	process
Token: SeDebugPrivilege	3852	SetupDownloader.exe
Token: SeDebugPrivilege	1676	SetupFrontEnd.exe
Token: SeBackupPrivilege	3868	vssvc.exe
Token: SeRestorePrivilege	3868	vssvc.exe
Token: SeAuditPrivilege	3868	vssvc.exe
Token: SeBackupPrivilege	1676	SetupFrontEnd.exe
Token: SeRestorePrivilege	1676	SetupFrontEnd.exe
Token: SeShutdownPrivilege	1676	SetupFrontEnd.exe
Token: SeIncreaseQuotaPrivilege	1676	SetupFrontEnd.exe
Token: SeSecurityPrivilege	4008	msiexec.exe
Token: SeCreateTokenPrivilege	1676	SetupFrontEnd.exe
Token: SeAssignPrimaryTokenPrivilege	1676	SetupFrontEnd.exe
Token: SeLockMemoryPrivilege	1676	SetupFrontEnd.exe
Token: SeIncreaseQuotaPrivilege	1676	SetupFrontEnd.exe
Token: SeMachineAccountPrivilege	1676	SetupFrontEnd.exe
Token: SeTcbPrivilege	1676	SetupFrontEnd.exe
Token: SeSecurityPrivilege	1676	SetupFrontEnd.exe
Token: SeTakeOwnershipPrivilege	1676	SetupFrontEnd.exe
Token: SeLoadDriverPrivilege	1676	SetupFrontEnd.exe
Token: SeSystemProfilePrivilege	1676	SetupFrontEnd.exe
Token: SeSystemtimePrivilege	1676	SetupFrontEnd.exe
Token: SeProfSingleProcessPrivilege	1676	SetupFrontEnd.exe
Token: SeIncBasePriorityPrivilege	1676	SetupFrontEnd.exe
Token: SeCreatePagefilePrivilege	1676	SetupFrontEnd.exe
Token: SeCreatePermanentPrivilege	1676	SetupFrontEnd.exe
Token: SeBackupPrivilege	1676	SetupFrontEnd.exe
Token: SeRestorePrivilege	1676	SetupFrontEnd.exe
Token: SeShutdownPrivilege	1676	SetupFrontEnd.exe
Token: SeDebugPrivilege	1676	SetupFrontEnd.exe
Token: SeAuditPrivilege	1676	SetupFrontEnd.exe
Token: SeSystemEnvironmentPrivilege	1676	SetupFrontEnd.exe
Token: SeChangeNotifyPrivilege	1676	SetupFrontEnd.exe
Token: SeRemoteShutdownPrivilege	1676	SetupFrontEnd.exe
Token: SeUndockPrivilege	1676	SetupFrontEnd.exe
Token: SeSyncAgentPrivilege	1676	SetupFrontEnd.exe
Token: SeEnableDelegationPrivilege	1676	SetupFrontEnd.exe
Token: SeManageVolumePrivilege	1676	SetupFrontEnd.exe
Token: SeImpersonatePrivilege	1676	SetupFrontEnd.exe
Token: SeCreateGlobalPrivilege	1676	SetupFrontEnd.exe
Token: SeRestorePrivilege	4008	msiexec.exe
Token: SeTakeOwnershipPrivilege	4008	msiexec.exe
Token: SeBackupPrivilege	1132	srtasks.exe
Token: SeRestorePrivilege	1132	srtasks.exe
Token: SeSecurityPrivilege	1132	srtasks.exe
Token: SeTakeOwnershipPrivilege	1132	srtasks.exe
Token: SeRestorePrivilege	4008	msiexec.exe
Token: SeTakeOwnershipPrivilege	4008	msiexec.exe
Token: SeBackupPrivilege	1132	srtasks.exe
Token: SeRestorePrivilege	1132	srtasks.exe
Token: SeSecurityPrivilege	1132	srtasks.exe
Token: SeTakeOwnershipPrivilege	1132	srtasks.exe
Token: SeRestorePrivilege	4008	msiexec.exe
Token: SeTakeOwnershipPrivilege	4008	msiexec.exe
Token: SeRestorePrivilege	4008	msiexec.exe
Token: SeTakeOwnershipPrivilege	4008	msiexec.exe
Token: SeRestorePrivilege	4008	msiexec.exe
Token: SeTakeOwnershipPrivilege	4008	msiexec.exe
Token: SeRestorePrivilege	4008	msiexec.exe
Token: SeTakeOwnershipPrivilege	4008	msiexec.exe
Token: SeRestorePrivilege	4008	msiexec.exe
Token: SeTakeOwnershipPrivilege	4008	msiexec.exe
Token: SeRestorePrivilege	4008	msiexec.exe
Token: SeTakeOwnershipPrivilege	4008	msiexec.exe
Token: SeRestorePrivilege	4008	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

SetupFrontEnd.exePaintDotNet.exe

pid process

1676 SetupFrontEnd.exe
1676 SetupFrontEnd.exe
3444 PaintDotNet.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

SetupShim.exepaint.net.5.0.2.install.x64.exeSetupShim.exeSetupFrontEnd.exePaintDotNet.exe

pid	process
2636	SetupShim.exe
4916	paint.net.5.0.2.install.x64.exe
1236	SetupShim.exe
1676	SetupFrontEnd.exe
3444	PaintDotNet.exe
3444	PaintDotNet.exe
3444	PaintDotNet.exe
3444	PaintDotNet.exe
3444	PaintDotNet.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

paint.net.5.0.2.install.anycpu.web.exeSetupShim.exeSetupDownloader.exepaint.net.5.0.2.install.x64.exeSetupShim.exemsiexec.exeSetupFrontEnd.exe

description	pid	process	target process
PID 3268 wrote to memory of 2636	3268	paint.net.5.0.2.install.anycpu.web.exe	SetupShim.exe
PID 3268 wrote to memory of 2636	3268	paint.net.5.0.2.install.anycpu.web.exe	SetupShim.exe
PID 3268 wrote to memory of 2636	3268	paint.net.5.0.2.install.anycpu.web.exe	SetupShim.exe
PID 2636 wrote to memory of 3852	2636	SetupShim.exe	SetupDownloader.exe
PID 2636 wrote to memory of 3852	2636	SetupShim.exe	SetupDownloader.exe
PID 3852 wrote to memory of 4916	3852	SetupDownloader.exe	paint.net.5.0.2.install.x64.exe
PID 3852 wrote to memory of 4916	3852	SetupDownloader.exe	paint.net.5.0.2.install.x64.exe
PID 3852 wrote to memory of 4916	3852	SetupDownloader.exe	paint.net.5.0.2.install.x64.exe
PID 4916 wrote to memory of 1236	4916	paint.net.5.0.2.install.x64.exe	SetupShim.exe
PID 4916 wrote to memory of 1236	4916	paint.net.5.0.2.install.x64.exe	SetupShim.exe
PID 4916 wrote to memory of 1236	4916	paint.net.5.0.2.install.x64.exe	SetupShim.exe
PID 1236 wrote to memory of 1676	1236	SetupShim.exe	SetupFrontEnd.exe
PID 1236 wrote to memory of 1676	1236	SetupShim.exe	SetupFrontEnd.exe
PID 4008 wrote to memory of 1568	4008	msiexec.exe	paintdotnet.exe
PID 4008 wrote to memory of 1568	4008	msiexec.exe	paintdotnet.exe
PID 1676 wrote to memory of 3444	1676	SetupFrontEnd.exe	PaintDotNet.exe
PID 1676 wrote to memory of 3444	1676	SetupFrontEnd.exe	PaintDotNet.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.2.install.anycpu.web.exe
"C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.2.install.anycpu.web.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3268

C:\Users\Admin\AppData\Local\Temp\7zS4CC1DCE6\SetupShim.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4CC1DCE6\SetupShim.exe" /suppressReboot
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Local\Temp\7zS4CC1DCE6\x64\SetupDownloader\SetupDownloader.exe
"x64\SetupDownloader\SetupDownloader.exe" /SkipSuccessPrompt "C:\Users\Admin\AppData\Local\Temp\7zS4CC1DCE6\SetupShim.exe" /suppressReboot
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852

C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\9e6a6e8f-9c22-4d08-afd8-fae04cb8caaf\paint.net.5.0.2.install.x64.exe
"C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\9e6a6e8f-9c22-4d08-afd8-fae04cb8caaf\paint.net.5.0.2.install.x64.exe" C:\Users\Admin\AppData\Local\Temp\7zS4CC1DCE6\SetupShim.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Local\Temp\7zS43390A57\SetupShim.exe
"C:\Users\Admin\AppData\Local\Temp\7zS43390A57\SetupShim.exe" /suppressReboot C:\Users\Admin\AppData\Local\Temp\7zS4CC1DCE6\SetupShim.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\SetupFrontEnd.exe
"x64\SetupFrontEnd.exe" "C:\Users\Admin\AppData\Local\Temp\7zS43390A57\SetupShim.exe" /suppressReboot C:\Users\Admin\AppData\Local\Temp\7zS4CC1DCE6\SetupShim.exe
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Program Files\paint.net\PaintDotNet.exe
"C:\Program Files\paint.net\PaintDotNet.exe"
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008

C:\Program Files\paint.net\paintdotnet.exe
"C:\Program Files\paint.net\paintdotnet.exe" /setupActions /install DESKTOPSHORTCUT=1 PDNUPDATING=0 SKIPCLEANUP=0 "PROGRAMSGROUP=" /disablePGO /skipEstablishNVProfile /skipRepairAttempt
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

00:00 00:00

Downloads

C:\Config.Msi\e58e24f.rbs
Filesize
79KB

MD5
4c58c25eeba57c96c66fbd8072b5c37f

SHA1
cee86b3a69bff534d3861fd68ab65e0627a73696

SHA256
b93f5e156d02850437dd50f06e1400ef63aa0b0480da02e7d9bca1eff9184317

SHA512
91c7d489e2b73bb9fdea603b71280e713d23b9cfb106f26a85410c073d5abaf9ec862b2c9c85dd7b8e74e3ee4512a2e377ac5fec906d19f8659b9ee6088376cc

Download Submit
C:\Config.Msi\e58e251.rbs
Filesize
663B

MD5
648bacb4afda673e9489c924b30c6f62

SHA1
5b690344dea998512eab33a9ec04f4d2ee05a21b

SHA256
9cffa4ea52f0034f2282c0e1bf1301f0d0bedaacd2a6ec3d1063bbb50700372c

SHA512
87af0c681145c2151c7f4124a6cbca45b9a6e6125d924714006b9148ef4657cb6f63d1f1693debed707438ad5d02be4d5974556fcd38f3d47b77af2551c6b03f

Download Submit
C:\Program Files\paint.net\mscordaccore_amd64_amd64_7.0.323.6910.dll
Filesize
1MB

MD5
8753cfc25b8785a7204e522d99ad50f2

SHA1
fde44f698b477755aa49cf9717d07ab1fdceadd0

SHA256
b9e9aed9f540350284b5274fbb27be1eaae107a339b8e58c89216fb1adf38e05

SHA512
2757a03a268f66f3cd766edaadab0a4b6d2f9e6d4fddf3c30608a434e1806c34ad4691c690d9105b9298687114bc5f9b4fc0ea4acdb42254ea78db265f94f5c5

Download Submit
C:\Program Files\paint.net\paintdotnet.runtimeconfig.json
Filesize
449B

MD5
5653eeba8fa7fcba355024cf1cdc3030

SHA1
352596de8ee84a1d18d61c2eb74cad8fe3efe92b

SHA256
c3a49dd86d68b783c5bf42d9a03381b68f93e2f7014ec8d2a111078cbc20f03a

SHA512
2151d877d38f738091a41b02013c547906c0e4cbccd3d68f720d9a187de02fdf336df3c2c42af38c93835902cec7d601dc0e825145fe23c8a48a51c463035b0a

Download Submit
C:\Program Files\paint.net\vcruntime140_cor3.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\SetupShim.exe
Filesize
136KB

MD5
db51c903838632898319669eb2271114

SHA1
25fa7935e834e56f7757321da7f84aad8d587eee

SHA256
babcd035c2f920004fcc922aa23c4fc55949b335b5e920bcec215a51c1e036d4

SHA512
a42fd32040317d351f98bf53e0832e1c9dfd7e1b45c5aba44dfbc79f25f88cc19dcb762410840cfa5cd63e8531496dfe25d63937af8758d712d06102e626fdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\SetupShim.exe
Filesize
136KB

MD5
db51c903838632898319669eb2271114

SHA1
25fa7935e834e56f7757321da7f84aad8d587eee

SHA256
babcd035c2f920004fcc922aa23c4fc55949b335b5e920bcec215a51c1e036d4

SHA512
a42fd32040317d351f98bf53e0832e1c9dfd7e1b45c5aba44dfbc79f25f88cc19dcb762410840cfa5cd63e8531496dfe25d63937af8758d712d06102e626fdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\PaintDotNet.Base.dll
Filesize
718KB

MD5
1cf53a29e427572615759900ca36c907

SHA1
0f023f73bed0833154de0282e3a5336879b9ef72

SHA256
23cd2f8a4bf0283833e772d583701b2b806273cd8ed2e8c2ac7fbeaf0ebcba2f

SHA512
fecd8e43b981bf0206a280eb3008f6156c7939b67d507bd892dc1cca63b4178db0490746da5386885256fc118a03875f0900f014741abfc99dd1958fed3c5fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\PaintDotNet.Base.dll
Filesize
718KB

MD5
1cf53a29e427572615759900ca36c907

SHA1
0f023f73bed0833154de0282e3a5336879b9ef72

SHA256
23cd2f8a4bf0283833e772d583701b2b806273cd8ed2e8c2ac7fbeaf0ebcba2f

SHA512
fecd8e43b981bf0206a280eb3008f6156c7939b67d507bd892dc1cca63b4178db0490746da5386885256fc118a03875f0900f014741abfc99dd1958fed3c5fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\PaintDotNet.ComponentModel.dll
Filesize
98KB

MD5
85a011052f83162b31d78e7c515a8d5e

SHA1
be7d91c62ccba4e971bfa0cf82f65d87706d6bc7

SHA256
92a847f24993b6d79a8f88f132dc7579b605de97adbb1824676ee41b0604a90f

SHA512
97e5369cd63d94fad2fe26dd7340230fb61e68e4884c47442716723233abf0f86f0a413b0ed30efba4c58617c5ddca6f379b581ca07984e948a2522aab60afe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\PaintDotNet.ComponentModel.dll
Filesize
98KB

MD5
85a011052f83162b31d78e7c515a8d5e

SHA1
be7d91c62ccba4e971bfa0cf82f65d87706d6bc7

SHA256
92a847f24993b6d79a8f88f132dc7579b605de97adbb1824676ee41b0604a90f

SHA512
97e5369cd63d94fad2fe26dd7340230fb61e68e4884c47442716723233abf0f86f0a413b0ed30efba4c58617c5ddca6f379b581ca07984e948a2522aab60afe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\PaintDotNet.Core.dll
Filesize
2MB

MD5
c8355d166cef6f93f2f47774a0776467

SHA1
3aad0094ba42ddad5b7f09a269666608ff61ea43

SHA256
5b525c55dab076d859b6e295d41f1d11ad72bdd8c4c9f0276d6367b905f0d016

SHA512
20697b959024ee159e5dbdc7e0b070294cd531d27ff7aa911b556c91f22f579bc7f57b412172a92c6593a8015370d4a91fdbc299ad4b0a00516cf743f88defc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\PaintDotNet.Core.dll
Filesize
2MB

MD5
c8355d166cef6f93f2f47774a0776467

SHA1
3aad0094ba42ddad5b7f09a269666608ff61ea43

SHA256
5b525c55dab076d859b6e295d41f1d11ad72bdd8c4c9f0276d6367b905f0d016

SHA512
20697b959024ee159e5dbdc7e0b070294cd531d27ff7aa911b556c91f22f579bc7f57b412172a92c6593a8015370d4a91fdbc299ad4b0a00516cf743f88defc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\PaintDotNet.Framework.dll
Filesize
1010KB

MD5
f577126db967a0eefbdb78ef4f90234c

SHA1
2913c381e2dc10f35f51fd001e05a5f6d776c43d

SHA256
52d9976c5dc0b39d41a2c8e981c348fd481db7c55c32ff894bfb4d0cc49639d6

SHA512
168a626a5e4bb0bf77a351c27a8f0d250948e3968570546fcb6f8bc657535da883ba4e6dbeb72d06c7326f2b40454f9c595d79ff5996ab64e8d5040fae774266

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\PaintDotNet.Framework.dll
Filesize
1010KB

MD5
f577126db967a0eefbdb78ef4f90234c

SHA1
2913c381e2dc10f35f51fd001e05a5f6d776c43d

SHA256
52d9976c5dc0b39d41a2c8e981c348fd481db7c55c32ff894bfb4d0cc49639d6

SHA512
168a626a5e4bb0bf77a351c27a8f0d250948e3968570546fcb6f8bc657535da883ba4e6dbeb72d06c7326f2b40454f9c595d79ff5996ab64e8d5040fae774266

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\PaintDotNet.ObjectModel.dll
Filesize
182KB

MD5
9ed7ba99bbc0d61dd08352a58055b175

SHA1
675a0adf156c2a88224483b8469c027e7554d71e

SHA256
4118f6e2dea0c8caf0e7b822c52a373af15d8bcdb8038ea8145ac0bd9b25c3c4

SHA512
4d498f2604f3ca43912705eb8a19f95a7e930e8babbd5ac0025a0175cd06b1e49d31d5e126100b9fe2fef89c9486ffad7b40695cbb0133c927a01cf2d81484d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\PaintDotNet.ObjectModel.dll
Filesize
182KB

MD5
9ed7ba99bbc0d61dd08352a58055b175

SHA1
675a0adf156c2a88224483b8469c027e7554d71e

SHA256
4118f6e2dea0c8caf0e7b822c52a373af15d8bcdb8038ea8145ac0bd9b25c3c4

SHA512
4d498f2604f3ca43912705eb8a19f95a7e930e8babbd5ac0025a0175cd06b1e49d31d5e126100b9fe2fef89c9486ffad7b40695cbb0133c927a01cf2d81484d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\PaintDotNet.Strings.3.co.resources
Filesize
176KB

MD5
d52f605089a5909444cd3d00121b9eca

SHA1
4585d03750c24cb46cd0d47b271019fdd8248163

SHA256
85f434ade1a64d4719fa1759446bc2451cac9c81ff063bf4c54eff684625d815

SHA512
37ced0bd1c88c67f2aa6efe7c76566a2f39f3fedae4da245752b844f0cebea0a3e4345e74987bb5102cc461b7b9d1e5a4dc6c1131c01bca485a7790159eb1e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\PaintDotNet.SystemLayer.dll
Filesize
822KB

MD5
493573b8673f0cb870bf13e974aee4bb

SHA1
2eb14acc0752ecbf940bf9a07e818984afde1ef3

SHA256
d42522b8a8f17ea6305fedb896ca9d7b0a3cfdc7b19b73b11fbbae4cd3e8c824

SHA512
ec7609b44f2df92e65489bf1a9fdbfeb3ea9d478541fd095f649d1fbca84de9a6d917dda650aa149e9a53fd0499945ebff7db1eb10aa8a09298ee77f2ce1cf59

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\PaintDotNet.SystemLayer.dll
Filesize
822KB

MD5
493573b8673f0cb870bf13e974aee4bb

SHA1
2eb14acc0752ecbf940bf9a07e818984afde1ef3

SHA256
d42522b8a8f17ea6305fedb896ca9d7b0a3cfdc7b19b73b11fbbae4cd3e8c824

SHA512
ec7609b44f2df92e65489bf1a9fdbfeb3ea9d478541fd095f649d1fbca84de9a6d917dda650aa149e9a53fd0499945ebff7db1eb10aa8a09298ee77f2ce1cf59

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\PaintDotNet.Windows.Framework.dll
Filesize
6MB

MD5
b1153ab797a04e0850abdd40fe5b2380

SHA1
81c1cabd92db044315d27a3885084c0eef34da29

SHA256
cec516bd9b4837f096e19e69f1c7079622319cc4590a8989fe6619a78d42ed4f

SHA512
a5628e51675da65e207d287a5039cf476de31cb5d139a8a7f28d67f3ff2b7d072ac7fc448c4c19df019717a6795fe22eca8998ced298ed8cb1b89daacb3ec3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\PaintDotNet.Windows.dll
Filesize
3MB

MD5
9175025bcbca0f749d6500a842e9f048

SHA1
361941df6e4d3e9a4ec1b340a7a1e06c02e85c45

SHA256
616009e382db7b7d5f7cb9af73cc501f05a879bb9d67045d483fa69e6ac4a0e3

SHA512
4dc770f39cb3489c2c1c1078f35bf50b6e5eec83217863ea57a12d77db70a91d1fc9e5932ec0b32c6de8f54efc8eedcadc3ea18ae383bda95eb59c1c542d18da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\PaintDotNet.Windows.dll
Filesize
3MB

MD5
9175025bcbca0f749d6500a842e9f048

SHA1
361941df6e4d3e9a4ec1b340a7a1e06c02e85c45

SHA256
616009e382db7b7d5f7cb9af73cc501f05a879bb9d67045d483fa69e6ac4a0e3

SHA512
4dc770f39cb3489c2c1c1078f35bf50b6e5eec83217863ea57a12d77db70a91d1fc9e5932ec0b32c6de8f54efc8eedcadc3ea18ae383bda95eb59c1c542d18da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\SetupFrontEnd.deps.json
Filesize
59KB

MD5
28b6e9050c62d0117e97e70a5bac36f4

SHA1
0ba79797c1f1da83353b589a87724c75440df931

SHA256
1db2bb606660cf0de98c5260d44f29b17357466d216e90dc937c2e2bf0a1330f

SHA512
16166b440b1c81c8a1598da8c2fbeddfb9eb271f9467d2f567543f0a452a2d35fccc2ba231b8b0524de0aeecedc509882d5908b4b99c3b9c703849cf2e9e2450

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\SetupFrontEnd.dll
Filesize
210KB

MD5
7661fbc617c62838da8d27fa8fe41e69

SHA1
173c1d28c5bec798dd1ba2a6e077809f6cda2abe

SHA256
9c06869c94371a1754f90fa0475f3987f1177dff0b5e3b88a555b3971ce78b81

SHA512
099165b23c85e0a70e7f337a822d23a9880c7c31f240f0f20bebf186359e17bfc1ccd40d7119f4c16502401e06e8e1a3b7ee5e8cbc4a47160c552a76798044ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\SetupFrontEnd.dll
Filesize
210KB

MD5
7661fbc617c62838da8d27fa8fe41e69

SHA1
173c1d28c5bec798dd1ba2a6e077809f6cda2abe

SHA256
9c06869c94371a1754f90fa0475f3987f1177dff0b5e3b88a555b3971ce78b81

SHA512
099165b23c85e0a70e7f337a822d23a9880c7c31f240f0f20bebf186359e17bfc1ccd40d7119f4c16502401e06e8e1a3b7ee5e8cbc4a47160c552a76798044ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\SetupFrontEnd.exe
Filesize
162KB

MD5
ecd1b6c532545defb118d10bb666575e

SHA1
3209041ed6b54c274b0a66e6121955b500fd42c5

SHA256
5610b309cc56efd174fdf45feec265b086ee9ff55efb0d3862fff81348e78fb0

SHA512
dd2522cac5ab3062492851e72892c99a0aa8e2c1d9e056c1fb18fdd882a433dd93a6b1e68f1c49f3de6f4e88f7a684f695a86f82bbd8f3c811ffe0a4b40ee152

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\SetupFrontEnd.exe
Filesize
162KB

MD5
ecd1b6c532545defb118d10bb666575e

SHA1
3209041ed6b54c274b0a66e6121955b500fd42c5

SHA256
5610b309cc56efd174fdf45feec265b086ee9ff55efb0d3862fff81348e78fb0

SHA512
dd2522cac5ab3062492851e72892c99a0aa8e2c1d9e056c1fb18fdd882a433dd93a6b1e68f1c49f3de6f4e88f7a684f695a86f82bbd8f3c811ffe0a4b40ee152

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\SetupFrontEnd.runtimeconfig.json
Filesize
449B

MD5
5653eeba8fa7fcba355024cf1cdc3030

SHA1
352596de8ee84a1d18d61c2eb74cad8fe3efe92b

SHA256
c3a49dd86d68b783c5bf42d9a03381b68f93e2f7014ec8d2a111078cbc20f03a

SHA512
2151d877d38f738091a41b02013c547906c0e4cbccd3d68f720d9a187de02fdf336df3c2c42af38c93835902cec7d601dc0e825145fe23c8a48a51c463035b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\System.Collections.Specialized.dll
Filesize
106KB

MD5
d266ccdac8a4beab6b1df38847c06ee3

SHA1
9ab6aefe5142becb42a24069b2c1df9148d1c9fd

SHA256
12737b63f59707891828a0c5fecd716e34aa35be795bb5b19547185104e22aa3

SHA512
d100df0e44e34d7b466976093a1fb8287203a29381a34a8f315c5931b4b9fc132024935d02534101570b34a40e80b3972d3061ace5be3b8428ea531d65ebe054

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\System.Collections.Specialized.dll
Filesize
106KB

MD5
d266ccdac8a4beab6b1df38847c06ee3

SHA1
9ab6aefe5142becb42a24069b2c1df9148d1c9fd

SHA256
12737b63f59707891828a0c5fecd716e34aa35be795bb5b19547185104e22aa3

SHA512
d100df0e44e34d7b466976093a1fb8287203a29381a34a8f315c5931b4b9fc132024935d02534101570b34a40e80b3972d3061ace5be3b8428ea531d65ebe054

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\System.ComponentModel.Primitives.dll
Filesize
82KB

MD5
facfdafa0ae200ca0633d319a17e0cd1

SHA1
534d0549fa4dd93da4edf6b09a0e4fe64488cfd6

SHA256
8b176b5697c67ffd3f5ad4ec60bf4efd2bd5d0ad902bb96f6b05ef48bea0124c

SHA512
d44cad0fab5d1e150ae806e2e81dbe68caf36d6e64907f43d861c5c7681f93313982a3aa1dd9bb36848d71ee60dfb10548b57f856bd317a9ce70198837fd8e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\System.ComponentModel.Primitives.dll
Filesize
82KB

MD5
facfdafa0ae200ca0633d319a17e0cd1

SHA1
534d0549fa4dd93da4edf6b09a0e4fe64488cfd6

SHA256
8b176b5697c67ffd3f5ad4ec60bf4efd2bd5d0ad902bb96f6b05ef48bea0124c

SHA512
d44cad0fab5d1e150ae806e2e81dbe68caf36d6e64907f43d861c5c7681f93313982a3aa1dd9bb36848d71ee60dfb10548b57f856bd317a9ce70198837fd8e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\System.ComponentModel.dll
Filesize
30KB

MD5
03529f44b676b450990e523c6c50208a

SHA1
4046f0095fa3a01ec771d749961e3aed356efaf8

SHA256
b69c45559d45e199152ed3b558ec9656fd52ecc05cd0456adccecc72e276ae9e

SHA512
ae0610381848bbd5993cb95b2f9c8ba18eace61b496883df7946f8c3509e03fdbd45558e74020045f98dbed95a257743f8a3f055e9b2e519e782b678119c23fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\System.ComponentModel.dll
Filesize
30KB

MD5
03529f44b676b450990e523c6c50208a

SHA1
4046f0095fa3a01ec771d749961e3aed356efaf8

SHA256
b69c45559d45e199152ed3b558ec9656fd52ecc05cd0456adccecc72e276ae9e

SHA512
ae0610381848bbd5993cb95b2f9c8ba18eace61b496883df7946f8c3509e03fdbd45558e74020045f98dbed95a257743f8a3f055e9b2e519e782b678119c23fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\System.Drawing.Primitives.dll
Filesize
134KB

MD5
98fdeb87ea5ea177d59f9696a8ad4037

SHA1
7c9e811e273c73e7f1966feade5185bacdab4bfb

SHA256
6f9f317c606db86f5e708a991c70641a3b7246a14b8f6b4a771b65111b409c91

SHA512
030b179196292a23d9c92c61c0661d00aa2321d91ef6c90e2ffd22d593ded19bce8c22203269e3b6608eb1fa55a1ae9f2102501935299261f30865d073101220

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\System.Drawing.Primitives.dll
Filesize
134KB

MD5
98fdeb87ea5ea177d59f9696a8ad4037

SHA1
7c9e811e273c73e7f1966feade5185bacdab4bfb

SHA256
6f9f317c606db86f5e708a991c70641a3b7246a14b8f6b4a771b65111b409c91

SHA512
030b179196292a23d9c92c61c0661d00aa2321d91ef6c90e2ffd22d593ded19bce8c22203269e3b6608eb1fa55a1ae9f2102501935299261f30865d073101220

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\System.Private.CoreLib.dll
Filesize
11MB

MD5
df68b7a4b26558b45a358e300bfd1fff

SHA1
97172af4477cacc71501e7ad8a7b1c23aa5292ee

SHA256
c3c1f001304c11fc0ec037a8aac9348c82aea824f3b50a308aebdf2c47f579b9

SHA512
e6d895cf2720a1bbb5138db2cad2aad2e4768ba1934406bb812fb2d5ccdbbb341dcf95ace2d7dd3d0209d5ee8aa143c31f195e7a43912c2a12eff1e411198125

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\System.Private.CoreLib.dll
Filesize
11MB

MD5
df68b7a4b26558b45a358e300bfd1fff

SHA1
97172af4477cacc71501e7ad8a7b1c23aa5292ee

SHA256
c3c1f001304c11fc0ec037a8aac9348c82aea824f3b50a308aebdf2c47f579b9

SHA512
e6d895cf2720a1bbb5138db2cad2aad2e4768ba1934406bb812fb2d5ccdbbb341dcf95ace2d7dd3d0209d5ee8aa143c31f195e7a43912c2a12eff1e411198125

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\System.Runtime.InteropServices.dll
Filesize
62KB

MD5
e31b6fb60d050aa48ff3ef07ee328774

SHA1
5a28a778566856b8a9a578ea7e72d32b9edf0c30

SHA256
f218bca40230158afd7d9c3e0c4e604e6c75d8cc089013c6b86b05670c5ead60

SHA512
b5841e4e9e4d26942a68b50d8a4298b636608525a83f2550c5693248ca79c9f221455c35714d958503766f1c571637283b43aac758e36b60873043a301417f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\System.Runtime.InteropServices.dll
Filesize
62KB

MD5
e31b6fb60d050aa48ff3ef07ee328774

SHA1
5a28a778566856b8a9a578ea7e72d32b9edf0c30

SHA256
f218bca40230158afd7d9c3e0c4e604e6c75d8cc089013c6b86b05670c5ead60

SHA512
b5841e4e9e4d26942a68b50d8a4298b636608525a83f2550c5693248ca79c9f221455c35714d958503766f1c571637283b43aac758e36b60873043a301417f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\System.Runtime.dll
Filesize
42KB

MD5
ed234e38f8a495d72bc9a09c994586bf

SHA1
f705cb25476684043e53e218cff38d25c2a39485

SHA256
3b3334e456862d406be6d07438c91fd74f5c1eb75d7f2a4a634b2e4c9d1d8da9

SHA512
a67ec1cba68870e16b151578c49fb05c0b35c763fa59cf8c791ce2793bea2af402d4e43f155c23ce3aeba1e1004fd5968ebf59ec273c61aea7b6a5a07ecbbf6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\System.Threading.dll
Filesize
86KB

MD5
b5ef5c13ff2ebb10956c4c88dde9291d

SHA1
696f9a370d5484e18929aef6e2852c9a1648bd6b

SHA256
cd6858a7ffb8cbf1b76100d3aa16968c9ed2dd4e7baa877e804a899920c9b1e5

SHA512
a69bd968c8cf54606d8753d77692460687de71c722546780ab468d3df11422a9b9b1cea2a11aea34ee58feb9072773b011659f86feaed3743d53eda6406bd9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\System.Threading.dll
Filesize
86KB

MD5
b5ef5c13ff2ebb10956c4c88dde9291d

SHA1
696f9a370d5484e18929aef6e2852c9a1648bd6b

SHA256
cd6858a7ffb8cbf1b76100d3aa16968c9ed2dd4e7baa877e804a899920c9b1e5

SHA512
a69bd968c8cf54606d8753d77692460687de71c722546780ab468d3df11422a9b9b1cea2a11aea34ee58feb9072773b011659f86feaed3743d53eda6406bd9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\System.Windows.Forms.Primitives.dll
Filesize
938KB

MD5
2c4e345796dad80b1a759e870a8a3ad9

SHA1
f2070511c877aa75c33d81a9e389b0b304561b29

SHA256
7d8d937eb21dec9b14d7c9850ab4e4ed35371c81951064a52e5dd35d08f258b1

SHA512
b73ee44081a86897ea65301a44c1226e11118800ebe5b40dbe524ea6dab89590341768662395175d0faa85956cb80cdc9a9178d9d044ebd30fab08a56fbd37da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\System.Windows.Forms.Primitives.dll
Filesize
938KB

MD5
2c4e345796dad80b1a759e870a8a3ad9

SHA1
f2070511c877aa75c33d81a9e389b0b304561b29

SHA256
7d8d937eb21dec9b14d7c9850ab4e4ed35371c81951064a52e5dd35d08f258b1

SHA512
b73ee44081a86897ea65301a44c1226e11118800ebe5b40dbe524ea6dab89590341768662395175d0faa85956cb80cdc9a9178d9d044ebd30fab08a56fbd37da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\System.Windows.Forms.dll
Filesize
12MB

MD5
868c8f0294d962d59e42cd99f84df7db

SHA1
4000ed87508a8ae6c2f5734c88b36f63aad7cf7e

SHA256
0f011e8a2c0e8012460d2d3f8c4f8770479114a7a82190f2cee0d549d0464f3a

SHA512
72fb85ba781b5ccda918d1f3935df81ff03ce0db48652647db1242a5c0fccdbeb245489115bc245f0e1f1aad5f1245f4f96f8ed0ff692ff3838adaf4179cb7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\System.Windows.Forms.dll
Filesize
12MB

MD5
868c8f0294d962d59e42cd99f84df7db

SHA1
4000ed87508a8ae6c2f5734c88b36f63aad7cf7e

SHA256
0f011e8a2c0e8012460d2d3f8c4f8770479114a7a82190f2cee0d549d0464f3a

SHA512
72fb85ba781b5ccda918d1f3935df81ff03ce0db48652647db1242a5c0fccdbeb245489115bc245f0e1f1aad5f1245f4f96f8ed0ff692ff3838adaf4179cb7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\TerraFX.Interop.Windows.dll
Filesize
874KB

MD5
02e0e4acaf12073066b467486d0358af

SHA1
3e7f37711fc8e8219aa1f99cb6b6aa8a6d78e476

SHA256
8e8844e26f2f9b50b5b2d2990e56c5dbd2ee90f613977ed469b5c16db253d80d

SHA512
7ef5bf3ff33c89cd8d39c25d365db047bac628282f74ac6a6b4b54602faddb50aafcb638498147be13b78d2241194967ed4779e402e4c174e78060625cf32c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\TerraFX.Interop.Windows.dll
Filesize
874KB

MD5
02e0e4acaf12073066b467486d0358af

SHA1
3e7f37711fc8e8219aa1f99cb6b6aa8a6d78e476

SHA256
8e8844e26f2f9b50b5b2d2990e56c5dbd2ee90f613977ed469b5c16db253d80d

SHA512
7ef5bf3ff33c89cd8d39c25d365db047bac628282f74ac6a6b4b54602faddb50aafcb638498147be13b78d2241194967ed4779e402e4c174e78060625cf32c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\clrjit.dll
Filesize
1MB

MD5
ece00d3324e879add5c7928dbbb9338c

SHA1
68e9fe01016c6d0dce5d0e29111b49e60330867b

SHA256
6f86ee8b4b17306ab623a2f4310151fec97d98abd774316ce10d40cdb8507a2f

SHA512
50b2ef7df03c920b103bfb17363b27d46d953f99217790c9acaa12357940a97fc8b5872e6e1665b88303db6c2bb55ca4175fd3c78c942ad9dd7c72c3c9c66315

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\clrjit.dll
Filesize
1MB

MD5
ece00d3324e879add5c7928dbbb9338c

SHA1
68e9fe01016c6d0dce5d0e29111b49e60330867b

SHA256
6f86ee8b4b17306ab623a2f4310151fec97d98abd774316ce10d40cdb8507a2f

SHA512
50b2ef7df03c920b103bfb17363b27d46d953f99217790c9acaa12357940a97fc8b5872e6e1665b88303db6c2bb55ca4175fd3c78c942ad9dd7c72c3c9c66315

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\coreclr.dll
Filesize
4MB

MD5
d221f609769e83ea77fd159f3ae009cd

SHA1
a0117b8f30085ee22de5756eb758af8efbd64080

SHA256
8f12e8464a0e8009f60e6d30beef4ce2f03e6f890580c567174d48f199e2fe61

SHA512
d3624a1b404cfc07632abf69002c4f2131012925f9af5c1d45729b98ab532951dea3f336107746318c6f77f0165914f5acefcceeb60b6658414ab7b3beef8bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\coreclr.dll
Filesize
4MB

MD5
d221f609769e83ea77fd159f3ae009cd

SHA1
a0117b8f30085ee22de5756eb758af8efbd64080

SHA256
8f12e8464a0e8009f60e6d30beef4ce2f03e6f890580c567174d48f199e2fe61

SHA512
d3624a1b404cfc07632abf69002c4f2131012925f9af5c1d45729b98ab532951dea3f336107746318c6f77f0165914f5acefcceeb60b6658414ab7b3beef8bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\hostfxr.dll
Filesize
373KB

MD5
07292fe45226d0860160e191476bd1e7

SHA1
d347d1b1f9356fe2d59b1a7c1c32b6799c527b30

SHA256
0ee83d7180cc7a716f5d8089bf2bfbed6a3a88d92f2a5519e8ff507ed35b72de

SHA512
42c7366b09f87780c8e1153ad556d904d98abb3f6800319893f75d644b0fd350149df64591b72b3f3ebdc51effa7e6c2c15ad0885513e81bd7c6613423ebe3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\hostfxr.dll
Filesize
373KB

MD5
07292fe45226d0860160e191476bd1e7

SHA1
d347d1b1f9356fe2d59b1a7c1c32b6799c527b30

SHA256
0ee83d7180cc7a716f5d8089bf2bfbed6a3a88d92f2a5519e8ff507ed35b72de

SHA512
42c7366b09f87780c8e1153ad556d904d98abb3f6800319893f75d644b0fd350149df64591b72b3f3ebdc51effa7e6c2c15ad0885513e81bd7c6613423ebe3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\hostpolicy.dll
Filesize
382KB

MD5
7d7edb04eef25cc94ccde47f45169ec7

SHA1
e155a20bdf4de0487493d44ccd167e36cbfd4af6

SHA256
402a29f533cdb6f945fd52c03bafd0330e2a57613f2d6b42b45aa7d929196958

SHA512
e3cb1e3bbf31aa9d0ca87e05254b9fe6a9b3e201fe58bf23c9e5ce2a1b6f81fc93f9a51cb65f3ff7575bbfc9a73ef32ac8f9b7195bb2b87bf50e37f64f2f6afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\hostpolicy.dll
Filesize
382KB

MD5
7d7edb04eef25cc94ccde47f45169ec7

SHA1
e155a20bdf4de0487493d44ccd167e36cbfd4af6

SHA256
402a29f533cdb6f945fd52c03bafd0330e2a57613f2d6b42b45aa7d929196958

SHA512
e3cb1e3bbf31aa9d0ca87e05254b9fe6a9b3e201fe58bf23c9e5ce2a1b6f81fc93f9a51cb65f3ff7575bbfc9a73ef32ac8f9b7195bb2b87bf50e37f64f2f6afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\paintdotnet.dll
Filesize
7MB

MD5
3534b6402463fba5d76c2913f7b088ca

SHA1
f0f3690651d28708107082834126852d024978c9

SHA256
e069c6bd90a91218910cd6a0776eac74c5bc32772659c410362213cfbc779371

SHA512
cb4bba8050c4cd5a2044a26bd4ae3bf55e98cbc26e445d6cb19e88de91c8be2419bdef5cf57df63d25fef64aff58e63cf6fd3bea565b222acd749117832e60d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43390A57\x64\paintdotnet.dll
Filesize
7MB

MD5
3534b6402463fba5d76c2913f7b088ca

SHA1
f0f3690651d28708107082834126852d024978c9

SHA256
e069c6bd90a91218910cd6a0776eac74c5bc32772659c410362213cfbc779371

SHA512
cb4bba8050c4cd5a2044a26bd4ae3bf55e98cbc26e445d6cb19e88de91c8be2419bdef5cf57df63d25fef64aff58e63cf6fd3bea565b222acd749117832e60d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4CC1DCE6\SetupShim.exe
Filesize
136KB

MD5
db51c903838632898319669eb2271114

SHA1
25fa7935e834e56f7757321da7f84aad8d587eee

SHA256
babcd035c2f920004fcc922aa23c4fc55949b335b5e920bcec215a51c1e036d4

SHA512
a42fd32040317d351f98bf53e0832e1c9dfd7e1b45c5aba44dfbc79f25f88cc19dcb762410840cfa5cd63e8531496dfe25d63937af8758d712d06102e626fdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4CC1DCE6\SetupShim.exe
Filesize
136KB

MD5
db51c903838632898319669eb2271114

SHA1
25fa7935e834e56f7757321da7f84aad8d587eee

SHA256
babcd035c2f920004fcc922aa23c4fc55949b335b5e920bcec215a51c1e036d4

SHA512
a42fd32040317d351f98bf53e0832e1c9dfd7e1b45c5aba44dfbc79f25f88cc19dcb762410840cfa5cd63e8531496dfe25d63937af8758d712d06102e626fdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4CC1DCE6\SetupShim.exe
Filesize
136KB

MD5
db51c903838632898319669eb2271114

SHA1
25fa7935e834e56f7757321da7f84aad8d587eee

SHA256
babcd035c2f920004fcc922aa23c4fc55949b335b5e920bcec215a51c1e036d4

SHA512
a42fd32040317d351f98bf53e0832e1c9dfd7e1b45c5aba44dfbc79f25f88cc19dcb762410840cfa5cd63e8531496dfe25d63937af8758d712d06102e626fdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4CC1DCE6\x64\SetupDownloader\Newtonsoft.Json.dll
Filesize
695KB

MD5
715a1fbee4665e99e859eda667fe8034

SHA1
e13c6e4210043c4976dcdc447ea2b32854f70cc6

SHA256
c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e

SHA512
bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4CC1DCE6\x64\SetupDownloader\SetupDownloader.Configuration.json
Filesize
135B

MD5
8ca6779446e31e219589a08769448da2

SHA1
efc2d9e4b0f99daf0333406610d8031a5a8aed2f

SHA256
2b23a17e993b7837a89365cdd328541f58ddfd4ab2b45285058284eee5733613

SHA512
a6a863880835dcca879534ec8a353e2d7fef9c4410edfe41b59bac561492cc6084330c7aad1d2e8a9590b2a3d7551a0b8b6d45ced4d235f01b596d69b593bbf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4CC1DCE6\x64\SetupDownloader\SetupDownloader.exe
Filesize
263KB

MD5
bf4f4864bcecd94eefa400a6ae55edbf

SHA1
eb106dbbe2c4d659cdd225229f9b82001152295a

SHA256
fb50d98597661e5f8386f0ea44f036031547f4e1c806d8aa38717337ed4fea95

SHA512
9bc97bbabb8023adb2544f59107a2e56346f787ed4f8ef042210601ad92cba54898d2e099946f87e11d5e72f0f1d637df11f7c028ff4e5ccaab7d265b307fb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4CC1DCE6\x64\SetupDownloader\SetupDownloader.exe
Filesize
263KB

MD5
bf4f4864bcecd94eefa400a6ae55edbf

SHA1
eb106dbbe2c4d659cdd225229f9b82001152295a

SHA256
fb50d98597661e5f8386f0ea44f036031547f4e1c806d8aa38717337ed4fea95

SHA512
9bc97bbabb8023adb2544f59107a2e56346f787ed4f8ef042210601ad92cba54898d2e099946f87e11d5e72f0f1d637df11f7c028ff4e5ccaab7d265b307fb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4CC1DCE6\x64\SetupDownloader\SetupDownloader.exe
Filesize
263KB

MD5
bf4f4864bcecd94eefa400a6ae55edbf

SHA1
eb106dbbe2c4d659cdd225229f9b82001152295a

SHA256
fb50d98597661e5f8386f0ea44f036031547f4e1c806d8aa38717337ed4fea95

SHA512
9bc97bbabb8023adb2544f59107a2e56346f787ed4f8ef042210601ad92cba54898d2e099946f87e11d5e72f0f1d637df11f7c028ff4e5ccaab7d265b307fb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4CC1DCE6\x64\SetupDownloader\SetupDownloader.exe.config
Filesize
218B

MD5
8f692dcbf1e68398b5dac3eba59872b0

SHA1
18011f5291790b0f49561385731ec5c6ad855415

SHA256
8c422938a58df86d88f29c61ff27006f0b3c9bb4742b11486bc5a01a6344129b

SHA512
e4bab07f4b9a9f725865e0e9f11fa31a4a1841399044f5976818782739b13d6c2012edf98199c5823ee9ecb3da40e7f3e2f88ab1394547801afa8b5b9dad9e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\9e6a6e8f-9c22-4d08-afd8-fae04cb8caaf\paint.net.5.0.2.install.x64.exe
Filesize
61MB

MD5
ea9d42d85a902d06cac5a296ad274489

SHA1
169daa55bbe24114a3bf73553041fed22119a8f6

SHA256
3a93fa5e111285d1704884a325680ced7730d679949d9269794100a931dfee7c

SHA512
2d887582f0f407259c24545b0777a744258dae855594f46e0414dd2c23041be2b45ad04d477a6c2e84342c35f5df33b1efc744c620e275a8fea571defd0de9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\9e6a6e8f-9c22-4d08-afd8-fae04cb8caaf\paint.net.5.0.2.install.x64.exe
Filesize
61MB

MD5
ea9d42d85a902d06cac5a296ad274489

SHA1
169daa55bbe24114a3bf73553041fed22119a8f6

SHA256
3a93fa5e111285d1704884a325680ced7730d679949d9269794100a931dfee7c

SHA512
2d887582f0f407259c24545b0777a744258dae855594f46e0414dd2c23041be2b45ad04d477a6c2e84342c35f5df33b1efc744c620e275a8fea571defd0de9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log
Filesize
135B

MD5
0b7bb0dcac58a3eecadccd4db6f697a1

SHA1
84c1d87fd923a78319a72b666fa59a9ec9885c03

SHA256
5056c5021c6f532fbcd6c2f03e4eca6be532bd9dcd3687d37d60d2fcc7885747

SHA512
30ef326237b287e66274fb6005322fb48ac442faa382218ce2bf182edbdd7820d607e65f77234ab1ff1eac8e90b1d39cc70d14e4423c524d13a1c5a53329b6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log
Filesize
932B

MD5
ac23dfd58db49b714d535146d1d050f1

SHA1
0e43df4acd2ec2c3f4a346f4cac07a8bd3b6354d

SHA256
a1180aaecf016b85b19a0a464825482b24ce4e81ee1ed5b32cee094b1434793e

SHA512
75c12fc72ffd73ae0fb6d28e20356b31964201907d5973fa969eb91c8b8295de17b369c51472078daa32e30067f8f804b28b3634cc56ec55f691cec0c50674ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log
Filesize
775B

MD5
2b7f35e7f0429641f201b343a11b1a5f

SHA1
96791e904947f4637bc83fae430053ab47802e64

SHA256
f252627d6309e91e07cec1a84b3d768940072fdf17c00564aacbd468fa4ed53d

SHA512
27b8ba66344f48f6d0e2c84ba73f81ab7571502eac031ad360347292dc7ddf80354abe2975d148058175ecf0bb7a24dec08f9a30711d2f055012dd01d555ecea

Download Submit
C:\Users\Admin\AppData\Local\paint.net\SessionData\1339633224\1843685841.ch.lz4
Filesize
1KB

MD5
47ba5b5472dee820a2e35c9034551120

SHA1
d0042539533979dde93c1160ce06e9ea94f07e5b

SHA256
897e4ebf3037906685011a77ccbb24444cefe1d201db28de22bc02bd1abee3f9

SHA512
59b0523131bb5837f26d8fcac902b86da76608b0d91bb60d00ee18bc0c757fa13278285f50be45568c27f62f991510f7fccbd47523920ed8245bdecba389cea0

Download Submit
C:\Users\Admin\AppData\Local\paint.net\SessionData\1339633224\3716457.ch.lz4
Filesize
1KB

MD5
2640e1dc1b6d9436ec00d7067a6caa7b

SHA1
6afad2c2b214cefde4bb21f087816b9cdf0bd205

SHA256
9bd8576e74b5129cdcdb8878b75fcafac18c1aa0603ad90f10c3288ddf86b802

SHA512
256efc2e267794cba0bf5584ccb2e872ef2cf08b121ce141eace444bf28d6b5ffa6d57a817c4b2de2c5e7ef7e6640dea748b7600a73ee6c2288ff0abd2c2b308

Download Submit
C:\Users\Admin\AppData\Local\paint.net\SessionData\1339633224\531152418.ch.lz4
Filesize
554B

MD5
ecf803b59c44f420324f2c6734933ae7

SHA1
42b221b4416870e9dfd75c7365f9da7d4ce8a2f8

SHA256
2875312283fa8f35b745755510ae34b05ba5f10a28f2406089f51c8723fe4ca8

SHA512
f61a385670d892563f76a0207ed9199990050d6e126cb2be41c9ffc6c3953751d993990b62ca87869ee37fe6defea283f19645d90606896fb541ce0c87f48026

Download Submit
C:\Users\Admin\AppData\Local\paint.net\SessionData\1339633224\725891575.ch.lz4
Filesize
1KB

MD5
569ff12347f65da99090862df4d756bf

SHA1
8d4043aafb9ed8369f01a4bc568acfc549144b6b

SHA256
e2ffa17d5fdb5fd5421153b8cbfcaed188a96c21016fd9749dcaa3522726e3e1

SHA512
545af345605fc8ce6baf1c0546586de5285d40045fe93dfb7a61c76843ed350ef643dd8ead4a358098ab7fdba79f511046989400900a8238d62e78d51370dd28

Download Submit
C:\Users\Admin\AppData\Local\paint.net\SessionData\1339633224\774963854.ch.lz4
Filesize
1KB

MD5
48a4470cbb018094866c1b8fa733af73

SHA1
07e9851e014f9d276a72e613cf06bb34d83faca4

SHA256
3a3f16e3f8d4f69b306a89a4d9a7c54789f27618165091b00d4c399f484bb03e

SHA512
9ed2679159a303af740edff94a2a1f69cc3d3b647121ea6a49d5801a01e12110273b0ad72c2dbdcab36980f5fbf43c6b018c625b6f4951e8501cb2642d686319

Download Submit
C:\Windows\Installer\e58e24d.msi
Filesize
204MB

MD5
de6a045f5ef68a96f1fb0549ec958be9

SHA1
d50e72ee01dabf72691895efd5722f448dd28bde

SHA256
14fb04493868d2cc676fac34c249691e82fe828b444e98f8cb223cc76d793487

SHA512
712f0146a1de0e291f15637dc099c4bf277d96becdec070dc69796398c8961287e88b43fc95caea4bab71563d3e5a11efb2507c68cbd7d8e0275a77ceb2b1055

Download Submit
C:\Windows\Installer\{DBC43589-CC32-4502-BBEC-5B931AF4BD2E}\app_icon.ico
Filesize
75KB

MD5
d47d5e7a8a90d00db1644a40555d14c2

SHA1
652eae27caf68d1903616910f46bcca27f6623b0

SHA256
9c6063ea5b8a118f1aeab0c201f5bc7fa5d630dcfd80d0c8bf3efe67bfde6953

SHA512
ecf923b823e246416ad4f010647a14c764325ff83752d542313ccd74143f800c1d37f14952e02ed78813f0417c94a0e5eccb02daecabf242444cd5d6a635ec8a

Download Submit
memory/3444-2256-0x00000244F0D70000-0x00000244F0D80000-memory.dmp

Filesize
64KB

Download
memory/3444-2231-0x00000244ECE50000-0x00000244ECE60000-memory.dmp

Filesize
64KB

Download
memory/3444-2259-0x00000244F1640000-0x00000244F1644000-memory.dmp

Filesize
16KB

Download
memory/3444-2246-0x00000244F0D80000-0x00000244F0D84000-memory.dmp

Filesize
16KB

Download
memory/3444-2232-0x00000244ECE90000-0x00000244ECE94000-memory.dmp

Filesize
16KB

Download
memory/3852-191-0x00000200F9CF0000-0x00000200F9D00000-memory.dmp

Filesize
64KB

Download
memory/3852-195-0x00000200F9F30000-0x00000200F9F42000-memory.dmp

Filesize
72KB

Download
memory/3852-192-0x00000200F9CF0000-0x00000200F9D00000-memory.dmp

Filesize
64KB

Download
memory/3852-185-0x00000200FB770000-0x00000200FB822000-memory.dmp

Filesize
712KB

Download
memory/3852-193-0x00000200F9CF0000-0x00000200F9D00000-memory.dmp

Filesize
64KB

Download
memory/3852-190-0x00000200F9CF0000-0x00000200F9D00000-memory.dmp

Filesize
64KB

Download
memory/3852-189-0x00000200F9CF0000-0x00000200F9D00000-memory.dmp

Filesize
64KB

Download
memory/3852-183-0x00000200F9940000-0x00000200F9986000-memory.dmp

Filesize
280KB

Download
memory/3852-188-0x00000200F9CF0000-0x00000200F9D00000-memory.dmp

Filesize
64KB

Download
memory/3852-187-0x00000200F9D30000-0x00000200F9D52000-memory.dmp

Filesize
136KB

Download