9100841237455418412447da8ddaa2bbb810577de6bb18179f2384cccd6ff614

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2023, 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

paint.net.5.0.3.install.anycpu.web.exe
Size

1.1MB
MD5

7e736accc204ce002fcec6b5dc6214dd
SHA1

420464ab383313994b5534c72f7f2c0f7d509462
SHA256

ae41189fec1996afe1d193c606ddc228f0d24640ea01df77a626db75b2c29cb8
SHA512

5d838d7063f54a21584c3e379b59053731f5dcf0b6b03e5cd09498c613dfdd38d4257799d265bd4fad608efba67988e846fcab70adff066768fc4ac4cdcd2bfb
SSDEEP

24576:nLYYYYkv0+qcSSu29odPoagtIC0BuDgtYiY+kM7p1kz6I:nLYYYYkvSSu29oQiDjMMV1e

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	paint.net.5.0.3.install.anycpu.web.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	paint.net.5.0.3.install.x64.exe

Executes dropped EXE 5 IoCs

pid	Process
2260	SetupShim.exe
3112	SetupDownloader.exe
2304	paint.net.5.0.3.install.x64.exe
4508	SetupShim.exe
3752	SetupFrontEnd.exe

Loads dropped DLL 62 IoCs

pid	Process
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe
3752	SetupFrontEnd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\paint.net\System.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Net.NameResolution.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Net.Quic.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.tr.resources	msiexec.exe
File created	C:\Program Files\paint.net\PresentationFramework-SystemXmlLinq.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Windows.Forms.Legacy.dll	msiexec.exe
File created	C:\Program Files\paint.net\PresentationUI.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Resources.Writer.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.th.resources	msiexec.exe
File created	C:\Program Files\paint.net\PresentationCore.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.Compression.ZipFile.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Security.Cryptography.Encoding.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Security.Cryptography.Xml.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Security.SecureString.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Primitives.pdb	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.PropertySystem.xml	msiexec.exe
File created	C:\Program Files\paint.net\System.Windows.Forms.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Reflection.dll	msiexec.exe
File created	C:\Program Files\paint.net\Bundled\AvifFileType\AvifFileType.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Collections.Specialized.dll	msiexec.exe
File created	C:\Program Files\paint.net\paintdotnet.ico	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.DE.resources	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.KO.resources	msiexec.exe
File created	C:\Program Files\paint.net\System.Diagnostics.PerformanceCounter.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Diagnostics.StackTrace.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Reflection.Metadata.dll	msiexec.exe
File created	C:\Program Files\paint.net\DirectWriteForwarder.dll	msiexec.exe
File created	C:\Program Files\paint.net\ildasm.exe	msiexec.exe
File created	C:\Program Files\paint.net\System.Runtime.Handles.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Windows.pdb	msiexec.exe
File created	C:\Program Files\paint.net\PresentationFramework.Aero.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Drawing.Common.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.FileSystem.DriveInfo.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Net.WebClient.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Xml.ReaderWriter.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Effects.Core.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.uk.resources	msiexec.exe
File created	C:\Program Files\paint.net\UIAutomationProvider.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.FR.resources	msiexec.exe
File created	C:\Program Files\paint.net\System.Web.HttpUtility.dll	msiexec.exe
File created	C:\Program Files\paint.net\netstandard.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.ca.resources	msiexec.exe
File created	C:\Program Files\paint.net\K4os.Compression.LZ4.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Windows.Framework.dll	msiexec.exe
File created	C:\Program Files\paint.net\paintdotnet.pdb	msiexec.exe
File created	C:\Program Files\paint.net\System.AppContext.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.Compression.Brotli.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.Compression.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.FileSystem.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.Pipes.dll	msiexec.exe
File created	C:\Program Files\paint.net\Resources\de\Images.PayPalDonate.gif	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Base.pdb	msiexec.exe
File created	C:\Program Files\paint.net\System.Windows.Controls.Ribbon.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Windows.dll	msiexec.exe
File created	C:\Program Files\paint.net\vcruntime140_1.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Private.Xml.Linq.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Threading.Tasks.Dataflow.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.pt-PT.resources	msiexec.exe
File created	C:\Program Files\paint.net\System.Diagnostics.DiagnosticSource.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Diagnostics.TraceSource.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Net.ServicePoint.dll	msiexec.exe
File created	C:\Program Files\paint.net\Bundled\DDSFileTypePlus\License.txt	msiexec.exe
File created	C:\Program Files\paint.net\nethost.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.JA.resources	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e57e8ad.msi	msiexec.exe
File created	C:\Windows\Installer\{67D72105-13E9-4EB7-8059-28DFC3A2DCA1}\app_icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{67D72105-13E9-4EB7-8059-28DFC3A2DCA1}\app_icon.ico	msiexec.exe
File created	C:\Windows\Installer\e57e8aa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e8aa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{67D72105-13E9-4EB7-8059-28DFC3A2DCA1}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5B4A.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009865abc95f2d4b980000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009865abc90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809009865abc9000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009865abc900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009865abc900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\50127D769E317BE4089582FD3C2ACD1A\DefaultFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\SourceList\Net\1 = "C:\\Program Files\\paint.net\\Staging\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\SourceList\LastUsedSource = "n;1;C:\\Program Files\\paint.net\\Staging\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\04F04A40702A84B4EA7DA65A234E2357	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\04F04A40702A84B4EA7DA65A234E2357\50127D769E317BE4089582FD3C2ACD1A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\SourceList\PackageName = "PaintDotNet_x64_5.0.3.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\ProductName = "paint.net"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\ProductIcon = "C:\\Windows\\Installer\\{67D72105-13E9-4EB7-8059-28DFC3A2DCA1}\\app_icon.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\50127D769E317BE4089582FD3C2ACD1A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\PackageCode = "E6C4A3919FD404F45A92D4D8D93DA042"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\Version = "83886083"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\InstanceType = "0"	msiexec.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	SetupDownloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SetupDownloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SetupDownloader.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1976	msiexec.exe
1976	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3752	SetupFrontEnd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3112	SetupDownloader.exe
Token: SeDebugPrivilege	3752	SetupFrontEnd.exe
Token: SeBackupPrivilege	2096	vssvc.exe
Token: SeRestorePrivilege	2096	vssvc.exe
Token: SeAuditPrivilege	2096	vssvc.exe
Token: SeBackupPrivilege	3752	SetupFrontEnd.exe
Token: SeRestorePrivilege	3752	SetupFrontEnd.exe
Token: SeShutdownPrivilege	3752	SetupFrontEnd.exe
Token: SeIncreaseQuotaPrivilege	3752	SetupFrontEnd.exe
Token: SeSecurityPrivilege	1976	msiexec.exe
Token: SeCreateTokenPrivilege	3752	SetupFrontEnd.exe
Token: SeAssignPrimaryTokenPrivilege	3752	SetupFrontEnd.exe
Token: SeLockMemoryPrivilege	3752	SetupFrontEnd.exe
Token: SeIncreaseQuotaPrivilege	3752	SetupFrontEnd.exe
Token: SeMachineAccountPrivilege	3752	SetupFrontEnd.exe
Token: SeTcbPrivilege	3752	SetupFrontEnd.exe
Token: SeSecurityPrivilege	3752	SetupFrontEnd.exe
Token: SeTakeOwnershipPrivilege	3752	SetupFrontEnd.exe
Token: SeLoadDriverPrivilege	3752	SetupFrontEnd.exe
Token: SeSystemProfilePrivilege	3752	SetupFrontEnd.exe
Token: SeSystemtimePrivilege	3752	SetupFrontEnd.exe
Token: SeProfSingleProcessPrivilege	3752	SetupFrontEnd.exe
Token: SeIncBasePriorityPrivilege	3752	SetupFrontEnd.exe
Token: SeCreatePagefilePrivilege	3752	SetupFrontEnd.exe
Token: SeCreatePermanentPrivilege	3752	SetupFrontEnd.exe
Token: SeBackupPrivilege	3752	SetupFrontEnd.exe
Token: SeRestorePrivilege	3752	SetupFrontEnd.exe
Token: SeShutdownPrivilege	3752	SetupFrontEnd.exe
Token: SeDebugPrivilege	3752	SetupFrontEnd.exe
Token: SeAuditPrivilege	3752	SetupFrontEnd.exe
Token: SeSystemEnvironmentPrivilege	3752	SetupFrontEnd.exe
Token: SeChangeNotifyPrivilege	3752	SetupFrontEnd.exe
Token: SeRemoteShutdownPrivilege	3752	SetupFrontEnd.exe
Token: SeUndockPrivilege	3752	SetupFrontEnd.exe
Token: SeSyncAgentPrivilege	3752	SetupFrontEnd.exe
Token: SeEnableDelegationPrivilege	3752	SetupFrontEnd.exe
Token: SeManageVolumePrivilege	3752	SetupFrontEnd.exe
Token: SeImpersonatePrivilege	3752	SetupFrontEnd.exe
Token: SeCreateGlobalPrivilege	3752	SetupFrontEnd.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeBackupPrivilege	672	srtasks.exe
Token: SeRestorePrivilege	672	srtasks.exe
Token: SeSecurityPrivilege	672	srtasks.exe
Token: SeTakeOwnershipPrivilege	672	srtasks.exe
Token: SeBackupPrivilege	672	srtasks.exe
Token: SeRestorePrivilege	672	srtasks.exe
Token: SeSecurityPrivilege	672	srtasks.exe
Token: SeTakeOwnershipPrivilege	672	srtasks.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3752	SetupFrontEnd.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2260	SetupShim.exe
2304	paint.net.5.0.3.install.x64.exe
4508	SetupShim.exe
3752	SetupFrontEnd.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2260	2144	paint.net.5.0.3.install.anycpu.web.exe	85
PID 2144 wrote to memory of 2260	2144	paint.net.5.0.3.install.anycpu.web.exe	85
PID 2144 wrote to memory of 2260	2144	paint.net.5.0.3.install.anycpu.web.exe	85
PID 2260 wrote to memory of 3112	2260	SetupShim.exe	87
PID 2260 wrote to memory of 3112	2260	SetupShim.exe	87
PID 3112 wrote to memory of 2304	3112	SetupDownloader.exe	93
PID 3112 wrote to memory of 2304	3112	SetupDownloader.exe	93
PID 3112 wrote to memory of 2304	3112	SetupDownloader.exe	93
PID 2304 wrote to memory of 4508	2304	paint.net.5.0.3.install.x64.exe	95
PID 2304 wrote to memory of 4508	2304	paint.net.5.0.3.install.x64.exe	95
PID 2304 wrote to memory of 4508	2304	paint.net.5.0.3.install.x64.exe	95
PID 4508 wrote to memory of 3752	4508	SetupShim.exe	96
PID 4508 wrote to memory of 3752	4508	SetupShim.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.3.install.anycpu.web.exe
"C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.3.install.anycpu.web.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\7zS06880A56\SetupShim.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS06880A56\SetupShim.exe" /suppressReboot
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\7zS06880A56\x64\SetupDownloader\SetupDownloader.exe
    "x64\SetupDownloader\SetupDownloader.exe" /SkipSuccessPrompt "C:\Users\Admin\AppData\Local\Temp\7zS06880A56\SetupShim.exe" /suppressReboot
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\0e3b1a23-6c76-4e0c-a24e-04c6fa95895b\paint.net.5.0.3.install.x64.exe
      "C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\0e3b1a23-6c76-4e0c-a24e-04c6fa95895b\paint.net.5.0.3.install.x64.exe" C:\Users\Admin\AppData\Local\Temp\7zS06880A56\SetupShim.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\SetupShim.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\SetupShim.exe" /suppressReboot C:\Users\Admin\AppData\Local\Temp\7zS06880A56\SetupShim.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4508
      - C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\SetupFrontEnd.exe
        
        "x64\SetupFrontEnd.exe" "C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\SetupShim.exe" /suppressReboot C:\Users\Admin\AppData\Local\Temp\7zS06880A56\SetupShim.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\paint.net\mscordaccore_amd64_amd64_7.0.423.11508.dll

Filesize
1.3MB

MD5
a54257d04b9910dc618d1f7833a298f1

SHA1
bab917f9811f502d4928c0f0068d08c42827c6c9

SHA256
180b92fe910242114cdd5d605ea7254faedefd412b7b7100485b5dec3b7ad2cc

SHA512
23c4a9a0f84a0089ed43d02be855a0209f10a5bd5238c7a0a115c26e488ec0af1662429c32a4cc1b500d3c93f357e5d321dd435cc0bfd66bc52f81a34fe4627c

Download Submit
C:\Program Files\paint.net\paintdotnet.runtimeconfig.json

Filesize
449B

MD5
855798731cf9f727530fdf409006fc1b

SHA1
3433add3eb478374dd58d6b3147b34758487dee8

SHA256
a835bc55d5d331510c679221eb7de631db51edf41fe57022d499893bafe782d6

SHA512
f7749bbdead985f2d0556a6aa77583b39c563878fd5d6844dd31eb9c026b082d2deba7d3b84a3598b7745ca2a911d41e4672febc993e20f6d21421e4d7490fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\SetupShim.exe

Filesize
136KB

MD5
e2b8f4221931e23f65dcdb2fd051be8d

SHA1
76db9efa379bef5c65c8f2e1733bc6575747502a

SHA256
621499bdf212eb1aaf80b3d2c7befffcaa5fb2804b301d14690a236667a7908a

SHA512
700ef42e2199d6dad3a48ec8c562b43cc7210ed52e65bc2cc77b3f2905173be081f19a622efaab579fc098c165c0b3c5f3644cf98f81629a2f0d4a722014b5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\SetupShim.exe

Filesize
136KB

MD5
e2b8f4221931e23f65dcdb2fd051be8d

SHA1
76db9efa379bef5c65c8f2e1733bc6575747502a

SHA256
621499bdf212eb1aaf80b3d2c7befffcaa5fb2804b301d14690a236667a7908a

SHA512
700ef42e2199d6dad3a48ec8c562b43cc7210ed52e65bc2cc77b3f2905173be081f19a622efaab579fc098c165c0b3c5f3644cf98f81629a2f0d4a722014b5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\PaintDotNet.Base.dll

Filesize
718KB

MD5
2db7bf99c25c83a1297d2ac5da875331

SHA1
088df6faa8f3e86a07ccc4a7604b6c51c1d3d371

SHA256
0aab4adbcce2569aca4ce59997cba61d548b284c9734b5905f6c3a9f6e91b723

SHA512
5b2e95aa8a54ec25410042395b276d8b29d4dc4cdd1bd0a5d65bab0758c2bd1830a11609d317c9537a45d7516cf0d3ff613f7940d419ec5c26cb35cce05d9017

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\PaintDotNet.Base.dll

Filesize
718KB

MD5
2db7bf99c25c83a1297d2ac5da875331

SHA1
088df6faa8f3e86a07ccc4a7604b6c51c1d3d371

SHA256
0aab4adbcce2569aca4ce59997cba61d548b284c9734b5905f6c3a9f6e91b723

SHA512
5b2e95aa8a54ec25410042395b276d8b29d4dc4cdd1bd0a5d65bab0758c2bd1830a11609d317c9537a45d7516cf0d3ff613f7940d419ec5c26cb35cce05d9017

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\PaintDotNet.ComponentModel.dll

Filesize
98KB

MD5
c3f0602203022db89e1c8ff982aca603

SHA1
491db9889dd1b59b21ef234a56fa2fb637c286ab

SHA256
42503924190bf885450b376d4685e112aaa78e3a1e219703f210fb43f846fddd

SHA512
083b72c2a46de419eab12f97ddbb3acaff15736471e2eb2efc49b478459e7eb14242b2de5bd3df59f0be006f163457313b7e9aa338124c636273bdbe4682bd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\PaintDotNet.ComponentModel.dll

Filesize
98KB

MD5
c3f0602203022db89e1c8ff982aca603

SHA1
491db9889dd1b59b21ef234a56fa2fb637c286ab

SHA256
42503924190bf885450b376d4685e112aaa78e3a1e219703f210fb43f846fddd

SHA512
083b72c2a46de419eab12f97ddbb3acaff15736471e2eb2efc49b478459e7eb14242b2de5bd3df59f0be006f163457313b7e9aa338124c636273bdbe4682bd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\PaintDotNet.Core.dll

Filesize
2.2MB

MD5
862838027c0430730e79a9d84748feec

SHA1
9b0b0d47ad95f590cf8c79c6991f9629bff21a37

SHA256
344703b2bb0ddfb8bd1a0b892b0534a78d83fc49a90b8a1593f0123cdbc2bbd5

SHA512
e0fa882f14720ddc1a4ea7fa7958f331bbf167678edef0f3adefe0e6193ed64ddad6eb4ac55aa63e2a17fe8394829e8344f1d3470062cfe16f45e71825432b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\PaintDotNet.Core.dll

Filesize
2.2MB

MD5
862838027c0430730e79a9d84748feec

SHA1
9b0b0d47ad95f590cf8c79c6991f9629bff21a37

SHA256
344703b2bb0ddfb8bd1a0b892b0534a78d83fc49a90b8a1593f0123cdbc2bbd5

SHA512
e0fa882f14720ddc1a4ea7fa7958f331bbf167678edef0f3adefe0e6193ed64ddad6eb4ac55aa63e2a17fe8394829e8344f1d3470062cfe16f45e71825432b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\PaintDotNet.Framework.dll

Filesize
1.0MB

MD5
4dd915dce3ba0d65dba6ae12138815c1

SHA1
394615daef73866c3d51cd4909ea54fa67dff37b

SHA256
216b4701cee99e18f3cd6889eaca0ff21d6f0daf952ef0399b456986adfeddbe

SHA512
550d468f1c56ae96eab08a8c8f593a3d0ba0e7d94b096864df366c7ff44810c66555936d1f4f1ac1236716c9947e7bd98e732aef4302dee012a549111d6eb864

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\PaintDotNet.Framework.dll

Filesize
1.0MB

MD5
4dd915dce3ba0d65dba6ae12138815c1

SHA1
394615daef73866c3d51cd4909ea54fa67dff37b

SHA256
216b4701cee99e18f3cd6889eaca0ff21d6f0daf952ef0399b456986adfeddbe

SHA512
550d468f1c56ae96eab08a8c8f593a3d0ba0e7d94b096864df366c7ff44810c66555936d1f4f1ac1236716c9947e7bd98e732aef4302dee012a549111d6eb864

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\PaintDotNet.Fundamentals.dll

Filesize
1.3MB

MD5
a90bfac16d161027972fcb4d96632e01

SHA1
4a6121d6b0c2c1e0d629c511758e8ec59970d272

SHA256
6c5cca663c1cff15a4ff7f466638a1e94eef34b0358ad78c4038debe4f4dd568

SHA512
0a50bf93e7bebcd60273e1136e1fef7c36a5656c414842fae8a9db63188bed7bf4f4d20edbd12250e59f8afb914a7b41592dd7a113bf43759615221fad10041a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\PaintDotNet.Fundamentals.dll

Filesize
1.3MB

MD5
a90bfac16d161027972fcb4d96632e01

SHA1
4a6121d6b0c2c1e0d629c511758e8ec59970d272

SHA256
6c5cca663c1cff15a4ff7f466638a1e94eef34b0358ad78c4038debe4f4dd568

SHA512
0a50bf93e7bebcd60273e1136e1fef7c36a5656c414842fae8a9db63188bed7bf4f4d20edbd12250e59f8afb914a7b41592dd7a113bf43759615221fad10041a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\PaintDotNet.ObjectModel.dll

Filesize
182KB

MD5
fb75ef98bca52b2500b7f02b34732814

SHA1
67e20fb5d32cb197e3a7d72857f218dbb6c0ca1f

SHA256
46fcbd795100a148c14dcf5a9f64f5d4cbdecefe080541cf1c40f34ee592d6d9

SHA512
9e6b38aaa60e90165a5af5d74f17bc7317a6e0f9207a1db0a17a6231584372343c26f99e00a7c7cdcfa8d331d58722889735386c0de6485177d90ef2bfb9edf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\PaintDotNet.ObjectModel.dll

Filesize
182KB

MD5
fb75ef98bca52b2500b7f02b34732814

SHA1
67e20fb5d32cb197e3a7d72857f218dbb6c0ca1f

SHA256
46fcbd795100a148c14dcf5a9f64f5d4cbdecefe080541cf1c40f34ee592d6d9

SHA512
9e6b38aaa60e90165a5af5d74f17bc7317a6e0f9207a1db0a17a6231584372343c26f99e00a7c7cdcfa8d331d58722889735386c0de6485177d90ef2bfb9edf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\PaintDotNet.Primitives.dll

Filesize
934KB

MD5
71266031fba2a9ed024fbe83d5169ab2

SHA1
f081273799c5e56eb2973d2f21c8857307996dfb

SHA256
8a6165cbd053dda6e069ada7eee5328633bf0b9a92050a91902b56d723768b01

SHA512
c35ead84db6cb5369fbb3b3b1f127beeb66f5b71e43be93f332e5be3c7ac69b4ef3c13cb53489db73f8228fb7951ad016cedbd867fefd20a678d0c6efc2b9423

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\PaintDotNet.Primitives.dll

Filesize
934KB

MD5
71266031fba2a9ed024fbe83d5169ab2

SHA1
f081273799c5e56eb2973d2f21c8857307996dfb

SHA256
8a6165cbd053dda6e069ada7eee5328633bf0b9a92050a91902b56d723768b01

SHA512
c35ead84db6cb5369fbb3b3b1f127beeb66f5b71e43be93f332e5be3c7ac69b4ef3c13cb53489db73f8228fb7951ad016cedbd867fefd20a678d0c6efc2b9423

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\PaintDotNet.Runtime.dll

Filesize
74KB

MD5
3e36bded83cbd67eae5aebb01f7683c0

SHA1
1c9107b95654bb40a9a327e27124d1b8028a3022

SHA256
ad5851f50036363355f014b9d59d8e74d47d9ce01861dfec5d6b46f195fc04f6

SHA512
e524da8da9f28fae6e1ffdb25a6b576ffb462481e6c74f46f727abe019c9aad1f58719fdb2df156a5e1740f54e618abc490555b2ce32eb224c9a0bff7a944fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\PaintDotNet.Strings.3.co.resources

Filesize
176KB

MD5
c0dec6327462f7728ae5dfdbf47edc80

SHA1
d8bddc3e01cd2e06d29099c96bad2e18e0b798aa

SHA256
700f2eb136f01f4f5059e4e76a21263e642528734aba9cc2f257642893adce0c

SHA512
c9582e4647c7c004f08b027cd8b68769856e05ccd9d5e886512921b219317e6ee0a477ca4aaa42ca6d08277920ce528cdcaeef95b8e4c0d89bd50e9e2693d28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\PaintDotNet.Windows.dll

Filesize
3.6MB

MD5
de72d4bfe376a4993d82a40bb077f7c9

SHA1
6a893e3b66c33b63097d9b3c1637c27d0b594e91

SHA256
3041d4185c0fa4d3589e5f3a987702c319a47a345b9ee80662796018297fc641

SHA512
d8fa2c0f521f6722a97d2f1f50d1a57e53a2305def38d03cf4376f9e54580951bf2a5b47744baba3449ef21335bca120f3356eea169fcf437de900c57f642bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\PaintDotNet.Windows.dll

Filesize
3.6MB

MD5
de72d4bfe376a4993d82a40bb077f7c9

SHA1
6a893e3b66c33b63097d9b3c1637c27d0b594e91

SHA256
3041d4185c0fa4d3589e5f3a987702c319a47a345b9ee80662796018297fc641

SHA512
d8fa2c0f521f6722a97d2f1f50d1a57e53a2305def38d03cf4376f9e54580951bf2a5b47744baba3449ef21335bca120f3356eea169fcf437de900c57f642bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\SetupFrontEnd.deps.json

Filesize
60KB

MD5
75bb5ed174e86611f66d39b720c48a1e

SHA1
ef75601cf845237a634e4f716a2b22b69d3392ad

SHA256
1b596086933e124a090bf0875fe5b9d1c632d6e6108e84caf34f5c497b8bf5ff

SHA512
3a6a17d8e708c752f813916583c326384c87bd9252006a24913998d828753ddf586ff3c6a7b764328b432be76fcbdab802192257e4fb888415701f3ba35acef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\SetupFrontEnd.dll

Filesize
210KB

MD5
82d84b7b86059ba373bd470369a47e48

SHA1
b7252d76866b665b0a20fd66e884d15f8573aece

SHA256
51d17e65b4fbdcc144f2056cf903813057c91e7b7841d239eb8676e1ed6e6471

SHA512
fee38581c9bdb10ff2221e8fa2840c5e06c8ac91450f9250c7ebbb3e95b1c4bfc9f1b77785372519ab5be0f7471a41801082951ce81eb4c6c8575b49852a12ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\SetupFrontEnd.dll

Filesize
210KB

MD5
82d84b7b86059ba373bd470369a47e48

SHA1
b7252d76866b665b0a20fd66e884d15f8573aece

SHA256
51d17e65b4fbdcc144f2056cf903813057c91e7b7841d239eb8676e1ed6e6471

SHA512
fee38581c9bdb10ff2221e8fa2840c5e06c8ac91450f9250c7ebbb3e95b1c4bfc9f1b77785372519ab5be0f7471a41801082951ce81eb4c6c8575b49852a12ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\SetupFrontEnd.exe

Filesize
162KB

MD5
37acf526b16c96bf8fd1cdf3510fc596

SHA1
1a1e39d6cebb09d4c7dbc8fa376c53ba91c4b71e

SHA256
e2c9b45c50a7d4e671c9a483f87babd13421ed9a2c986cc915e4209a6162929c

SHA512
998341de0dfbf02712b48f01eff7f0de31eb319c779a8011772204eda513b635e6bb5fc3e247056244974356fbcb00ebfcfd4f4cd2af60af3a2e81b2ebe80172

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\SetupFrontEnd.exe

Filesize
162KB

MD5
37acf526b16c96bf8fd1cdf3510fc596

SHA1
1a1e39d6cebb09d4c7dbc8fa376c53ba91c4b71e

SHA256
e2c9b45c50a7d4e671c9a483f87babd13421ed9a2c986cc915e4209a6162929c

SHA512
998341de0dfbf02712b48f01eff7f0de31eb319c779a8011772204eda513b635e6bb5fc3e247056244974356fbcb00ebfcfd4f4cd2af60af3a2e81b2ebe80172

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\SetupFrontEnd.runtimeconfig.json

Filesize
449B

MD5
855798731cf9f727530fdf409006fc1b

SHA1
3433add3eb478374dd58d6b3147b34758487dee8

SHA256
a835bc55d5d331510c679221eb7de631db51edf41fe57022d499893bafe782d6

SHA512
f7749bbdead985f2d0556a6aa77583b39c563878fd5d6844dd31eb9c026b082d2deba7d3b84a3598b7745ca2a911d41e4672febc993e20f6d21421e4d7490fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\System.Collections.Concurrent.dll

Filesize
258KB

MD5
a3213606edbfe542e4a4c80360eae446

SHA1
1c9928c54987788f8ab4fe53705eb7a8d1481ad1

SHA256
689b62857903e110fba88b8c977ee5ca7b943f632a84a9fb9c5f64977873c350

SHA512
f5de4f21b70212a45d958add4a9a4b236a3eb35e071e748851f753b7d040349ccfa0f08ed9600bdeb2efa2fddb78e1a45cdc544a09bc48af449d8c683a449c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\System.Collections.Concurrent.dll

Filesize
258KB

MD5
a3213606edbfe542e4a4c80360eae446

SHA1
1c9928c54987788f8ab4fe53705eb7a8d1481ad1

SHA256
689b62857903e110fba88b8c977ee5ca7b943f632a84a9fb9c5f64977873c350

SHA512
f5de4f21b70212a45d958add4a9a4b236a3eb35e071e748851f753b7d040349ccfa0f08ed9600bdeb2efa2fddb78e1a45cdc544a09bc48af449d8c683a449c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\System.Collections.Specialized.dll

Filesize
106KB

MD5
859ade54c2a26e9f73b28f01984255d1

SHA1
22eb5f78c298b656dd6eab105f0e39b1442a23ef

SHA256
7943c8c3c0f759108e1dd8b1ea69502e8261d9e3e275051b75cce82242bae0e7

SHA512
aa72d67309e4c3d5f3ee0800dc9d1246d88ff081ff6cf519ee9c9009ddf10dfe98997389f012797b99302db2c04657a4e351bdbed11b49d14136245292ceb9fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\System.Collections.Specialized.dll

Filesize
106KB

MD5
859ade54c2a26e9f73b28f01984255d1

SHA1
22eb5f78c298b656dd6eab105f0e39b1442a23ef

SHA256
7943c8c3c0f759108e1dd8b1ea69502e8261d9e3e275051b75cce82242bae0e7

SHA512
aa72d67309e4c3d5f3ee0800dc9d1246d88ff081ff6cf519ee9c9009ddf10dfe98997389f012797b99302db2c04657a4e351bdbed11b49d14136245292ceb9fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\System.ComponentModel.Primitives.dll

Filesize
82KB

MD5
b5c9e2bb66a63a06a2ad90924fe354ed

SHA1
883cf2f249e9dad2a3558d6263e7f17056e46321

SHA256
263a81ee06efb6107ef92225d824321d2b62a6f9141efaa44ba95f23a5c39a12

SHA512
9fd0bc6e81fd1a78ea7d0da4f03b71ce04889b6412e5bba57fda513e15b982a1c85b3e913fbcabf356a3d7b809ef470224f77e6cd75db018e2449239f1b046d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\System.ComponentModel.Primitives.dll

Filesize
82KB

MD5
b5c9e2bb66a63a06a2ad90924fe354ed

SHA1
883cf2f249e9dad2a3558d6263e7f17056e46321

SHA256
263a81ee06efb6107ef92225d824321d2b62a6f9141efaa44ba95f23a5c39a12

SHA512
9fd0bc6e81fd1a78ea7d0da4f03b71ce04889b6412e5bba57fda513e15b982a1c85b3e913fbcabf356a3d7b809ef470224f77e6cd75db018e2449239f1b046d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\System.ComponentModel.dll

Filesize
30KB

MD5
ab8ec6d232fe963d1c7d9690c8d2b8a6

SHA1
6453f555c5f017f647d90a6a78a8183ca104af1a

SHA256
ab374776cf9e2c92dfc687fb7612bb7d8558679cb01802ef6d58f2aa51cb65ad

SHA512
a0981f0b00a6c74679c40f0e96dc4c432fcfc727a448ee3eda52e8855003161a8af95a8537fef76809c29a3b8daaf74e00dab713a963a151b81412a5804c85c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\System.ComponentModel.dll

Filesize
30KB

MD5
ab8ec6d232fe963d1c7d9690c8d2b8a6

SHA1
6453f555c5f017f647d90a6a78a8183ca104af1a

SHA256
ab374776cf9e2c92dfc687fb7612bb7d8558679cb01802ef6d58f2aa51cb65ad

SHA512
a0981f0b00a6c74679c40f0e96dc4c432fcfc727a448ee3eda52e8855003161a8af95a8537fef76809c29a3b8daaf74e00dab713a963a151b81412a5804c85c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\System.Drawing.Primitives.dll

Filesize
134KB

MD5
5b45dc4fe64241dc8bc912367f40f5f7

SHA1
32be46d76e5513be1aec0880e13a76473898d9f0

SHA256
0059d93762d28faa920ffb4b82900dc9d7ab8fd5ac9416abad45876070f07c49

SHA512
9698e362e1c01bfa63fc7dcaa4a412862712b044b1bebe289c670eb625ee3c9ab384a7f1482d656bb2e220be7625dd4164e40c857465d381330f8e561ad17340

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\System.Drawing.Primitives.dll

Filesize
134KB

MD5
5b45dc4fe64241dc8bc912367f40f5f7

SHA1
32be46d76e5513be1aec0880e13a76473898d9f0

SHA256
0059d93762d28faa920ffb4b82900dc9d7ab8fd5ac9416abad45876070f07c49

SHA512
9698e362e1c01bfa63fc7dcaa4a412862712b044b1bebe289c670eb625ee3c9ab384a7f1482d656bb2e220be7625dd4164e40c857465d381330f8e561ad17340

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\System.Private.CoreLib.dll

Filesize
11.1MB

MD5
4f4b9d74c1a9a3f20a036458a20aa901

SHA1
030569f9ee43f8b09f663f2c635b332dcc833d81

SHA256
207152788866278b2826e467bc2468c73422aa72482b2730c355cd2414010cb5

SHA512
afa4161ffe497879e5c1a4c0ed5b976e778dd356fd3acc391354f23238b64c48c55742a9fd39485e7e4f7014019e1f2ce436109c5a5dcac8828845976dcc5498

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\System.Private.CoreLib.dll

Filesize
11.1MB

MD5
4f4b9d74c1a9a3f20a036458a20aa901

SHA1
030569f9ee43f8b09f663f2c635b332dcc833d81

SHA256
207152788866278b2826e467bc2468c73422aa72482b2730c355cd2414010cb5

SHA512
afa4161ffe497879e5c1a4c0ed5b976e778dd356fd3acc391354f23238b64c48c55742a9fd39485e7e4f7014019e1f2ce436109c5a5dcac8828845976dcc5498

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\System.Runtime.InteropServices.dll

Filesize
62KB

MD5
98d1838ded9e7a035c00eceecc51210e

SHA1
7925cc1fbc286e38d74a6cd64eb666a74af4f747

SHA256
eb3bec2ca3af9f8cb905a47059f948b67dcb6d96b85764a1ef1534a5a9a1394b

SHA512
f1ec1790f41a9813a5d2aa02d1001604f895262eb00dc65ed8a7f6a08ebd49eb1843bebc24018e0b1b530181db618bea9257e0ecfcb40475b484c974a2ef16ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\System.Runtime.InteropServices.dll

Filesize
62KB

MD5
98d1838ded9e7a035c00eceecc51210e

SHA1
7925cc1fbc286e38d74a6cd64eb666a74af4f747

SHA256
eb3bec2ca3af9f8cb905a47059f948b67dcb6d96b85764a1ef1534a5a9a1394b

SHA512
f1ec1790f41a9813a5d2aa02d1001604f895262eb00dc65ed8a7f6a08ebd49eb1843bebc24018e0b1b530181db618bea9257e0ecfcb40475b484c974a2ef16ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\System.Runtime.dll

Filesize
42KB

MD5
1a84053ebe07166c871edd7c7c181a83

SHA1
c379c00bea94663aa1ba0a4eb6e456ca2847d31e

SHA256
6948236074aa133f57fa7c9bc2557bafbec1b05834bbc2bab707c41b2ab7a4a9

SHA512
b639b60437cf75c903e531cc3c95613ff2e27a1428e822a1a26a2057343568b8a6a11a2741786a254833fa7c9491aedeaaed3acdf061331b81e4071ad9cf6ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\System.Windows.Forms.Primitives.dll

Filesize
938KB

MD5
240854502cd2fd551a5c2540a02c5a3f

SHA1
562a9f3337b2e2ebfc1098064272ea0c9ffb9448

SHA256
04e658695c092a03691cda46859667b613c71b60d6d8d4835b712c70d4ceef42

SHA512
f142d0284694999f365f4001ca57f9710c158ea02edb86179c912388f8ed0efd4e1417c0528f77db7d8cb65d5a54a590c2803c4607ae019abd20041cdd84c891

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\System.Windows.Forms.Primitives.dll

Filesize
938KB

MD5
240854502cd2fd551a5c2540a02c5a3f

SHA1
562a9f3337b2e2ebfc1098064272ea0c9ffb9448

SHA256
04e658695c092a03691cda46859667b613c71b60d6d8d4835b712c70d4ceef42

SHA512
f142d0284694999f365f4001ca57f9710c158ea02edb86179c912388f8ed0efd4e1417c0528f77db7d8cb65d5a54a590c2803c4607ae019abd20041cdd84c891

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\System.Windows.Forms.dll

Filesize
12.7MB

MD5
2e7272756190f51683c6c171068b3b28

SHA1
963e3f9f416f1ef44881873a006e57066948a823

SHA256
2b49d2d1c5a93a99b6c1c8545b559177aa215de363d67eb5243d69282a6b6969

SHA512
500953146f107c9df2399a7727907059c2c0970316daf1f648f28f683cb07198c96ee0d1b9ba5381ea74e37d7183878533a484fa72b4fa4f92094c3c9ce1ddb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\System.Windows.Forms.dll

Filesize
12.7MB

MD5
2e7272756190f51683c6c171068b3b28

SHA1
963e3f9f416f1ef44881873a006e57066948a823

SHA256
2b49d2d1c5a93a99b6c1c8545b559177aa215de363d67eb5243d69282a6b6969

SHA512
500953146f107c9df2399a7727907059c2c0970316daf1f648f28f683cb07198c96ee0d1b9ba5381ea74e37d7183878533a484fa72b4fa4f92094c3c9ce1ddb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\TerraFX.Interop.Windows.dll

Filesize
966KB

MD5
b5d02ceacecfa4350292991f3d3bd72f

SHA1
44ad5b10395a0269e6b9e685c27ce44bf5fc41f5

SHA256
d86006ce0ca86dcd3990c9e06e77c60fd95bbfd2aef98d51ffa3ac4d6c3e64b7

SHA512
40b87995c3438edb78066f6fd820761bb553e2d1abb8671d205b8112b239a59c1b69724816634fc0c4d670d1c50dfda1f11be676d54f90aa22ebf5d08216f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\TerraFX.Interop.Windows.dll

Filesize
966KB

MD5
b5d02ceacecfa4350292991f3d3bd72f

SHA1
44ad5b10395a0269e6b9e685c27ce44bf5fc41f5

SHA256
d86006ce0ca86dcd3990c9e06e77c60fd95bbfd2aef98d51ffa3ac4d6c3e64b7

SHA512
40b87995c3438edb78066f6fd820761bb553e2d1abb8671d205b8112b239a59c1b69724816634fc0c4d670d1c50dfda1f11be676d54f90aa22ebf5d08216f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\clrjit.dll

Filesize
1.5MB

MD5
214103ec27a3334f1a54572e06edd7f0

SHA1
2331ad94c2014ee301130d58841fbbfa56bd9571

SHA256
98e88c84b1e9f40fd9a53779b4b2bc720282f546ff6eb875ca2bdcde3caa819a

SHA512
81155dda5d36b54c91f99fd08ed86c71cb98faddf0a98fa14264448327b88318bbb4fa9ab53f6f94eedc4fd71a3eaa169d1bda437c74ef7f3979e1f335ae7813

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\clrjit.dll

Filesize
1.5MB

MD5
214103ec27a3334f1a54572e06edd7f0

SHA1
2331ad94c2014ee301130d58841fbbfa56bd9571

SHA256
98e88c84b1e9f40fd9a53779b4b2bc720282f546ff6eb875ca2bdcde3caa819a

SHA512
81155dda5d36b54c91f99fd08ed86c71cb98faddf0a98fa14264448327b88318bbb4fa9ab53f6f94eedc4fd71a3eaa169d1bda437c74ef7f3979e1f335ae7813

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\coreclr.dll

Filesize
4.9MB

MD5
af772e60472ea250d3352cf128952555

SHA1
e0ccf9ae5fc81d5efa5e3cce4f5815d04fb90629

SHA256
eb730b08abc2fbcca0fa5d80fa0ca9400608db09165108c7b31eb55f36540173

SHA512
8d67c3f831b5078e315c93c0fa2b5d3db476f405efc42221217216806774bf676e283858b28e495b91559f395673a446693a79d104b6e095ba3f982010d89911

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\coreclr.dll

Filesize
4.9MB

MD5
af772e60472ea250d3352cf128952555

SHA1
e0ccf9ae5fc81d5efa5e3cce4f5815d04fb90629

SHA256
eb730b08abc2fbcca0fa5d80fa0ca9400608db09165108c7b31eb55f36540173

SHA512
8d67c3f831b5078e315c93c0fa2b5d3db476f405efc42221217216806774bf676e283858b28e495b91559f395673a446693a79d104b6e095ba3f982010d89911

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\hostfxr.dll

Filesize
373KB

MD5
272bee5405e37cb80ac1be7594014561

SHA1
b1ec2f31cf43b2f94ccb791bd2dec73634469cd3

SHA256
ef79f293eee7ac8a4d448e31e2f2b6d2627e436889f7a6561296d97eef70cde2

SHA512
6aca18c89be621dec402e1534ad41e26d9c77d4b0c3f66919dec977681b5ef9afaf0f19f1ab4fb19f295bf294deb5f7b1e51921e6a67b680217615038791dbac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\hostfxr.dll

Filesize
373KB

MD5
272bee5405e37cb80ac1be7594014561

SHA1
b1ec2f31cf43b2f94ccb791bd2dec73634469cd3

SHA256
ef79f293eee7ac8a4d448e31e2f2b6d2627e436889f7a6561296d97eef70cde2

SHA512
6aca18c89be621dec402e1534ad41e26d9c77d4b0c3f66919dec977681b5ef9afaf0f19f1ab4fb19f295bf294deb5f7b1e51921e6a67b680217615038791dbac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\hostpolicy.dll

Filesize
383KB

MD5
36cc628074a9288e94a9964a27d17a59

SHA1
06222857ba30e2aa026894dfafd6ea2876705a9d

SHA256
05ed73a9eae0ba8465d6a2fe9239a403939d565bbbd51ff44bc0489f3d3a7b53

SHA512
c95ae58b2de59692c83797c48d52830be0fbfdd0f3a5fff557a5ba82c63704ef3dec6e5a2315b68e665d41e58845932047fe6380125496040a424601b9c06825

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS009A92D6\x64\hostpolicy.dll

Filesize
383KB

MD5
36cc628074a9288e94a9964a27d17a59

SHA1
06222857ba30e2aa026894dfafd6ea2876705a9d

SHA256
05ed73a9eae0ba8465d6a2fe9239a403939d565bbbd51ff44bc0489f3d3a7b53

SHA512
c95ae58b2de59692c83797c48d52830be0fbfdd0f3a5fff557a5ba82c63704ef3dec6e5a2315b68e665d41e58845932047fe6380125496040a424601b9c06825

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS06880A56\SetupShim.exe

Filesize
136KB

MD5
e2b8f4221931e23f65dcdb2fd051be8d

SHA1
76db9efa379bef5c65c8f2e1733bc6575747502a

SHA256
621499bdf212eb1aaf80b3d2c7befffcaa5fb2804b301d14690a236667a7908a

SHA512
700ef42e2199d6dad3a48ec8c562b43cc7210ed52e65bc2cc77b3f2905173be081f19a622efaab579fc098c165c0b3c5f3644cf98f81629a2f0d4a722014b5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS06880A56\SetupShim.exe

Filesize
136KB

MD5
e2b8f4221931e23f65dcdb2fd051be8d

SHA1
76db9efa379bef5c65c8f2e1733bc6575747502a

SHA256
621499bdf212eb1aaf80b3d2c7befffcaa5fb2804b301d14690a236667a7908a

SHA512
700ef42e2199d6dad3a48ec8c562b43cc7210ed52e65bc2cc77b3f2905173be081f19a622efaab579fc098c165c0b3c5f3644cf98f81629a2f0d4a722014b5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS06880A56\SetupShim.exe

Filesize
136KB

MD5
e2b8f4221931e23f65dcdb2fd051be8d

SHA1
76db9efa379bef5c65c8f2e1733bc6575747502a

SHA256
621499bdf212eb1aaf80b3d2c7befffcaa5fb2804b301d14690a236667a7908a

SHA512
700ef42e2199d6dad3a48ec8c562b43cc7210ed52e65bc2cc77b3f2905173be081f19a622efaab579fc098c165c0b3c5f3644cf98f81629a2f0d4a722014b5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS06880A56\x64\SetupDownloader\Newtonsoft.Json.dll

Filesize
695KB

MD5
715a1fbee4665e99e859eda667fe8034

SHA1
e13c6e4210043c4976dcdc447ea2b32854f70cc6

SHA256
c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e

SHA512
bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS06880A56\x64\SetupDownloader\SetupDownloader.Configuration.json

Filesize
135B

MD5
8ca6779446e31e219589a08769448da2

SHA1
efc2d9e4b0f99daf0333406610d8031a5a8aed2f

SHA256
2b23a17e993b7837a89365cdd328541f58ddfd4ab2b45285058284eee5733613

SHA512
a6a863880835dcca879534ec8a353e2d7fef9c4410edfe41b59bac561492cc6084330c7aad1d2e8a9590b2a3d7551a0b8b6d45ced4d235f01b596d69b593bbf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS06880A56\x64\SetupDownloader\SetupDownloader.exe

Filesize
263KB

MD5
4ec105376265ad264f8ae81f7910697d

SHA1
2bfd7aec6b525421b1d8959bae23ba79edef27c1

SHA256
25b826f01283de2346ed61f81581fdb7fe34415a5cd97cda708136701796a87f

SHA512
8a5d95c2ddf4eb90bca6d44308f2c2534aeecf99dc5428886318eb49aec505942082cf17c2d1ef4cf580e50966349d9f77a83b63e0567812e347137023b6d66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS06880A56\x64\SetupDownloader\SetupDownloader.exe

Filesize
263KB

MD5
4ec105376265ad264f8ae81f7910697d

SHA1
2bfd7aec6b525421b1d8959bae23ba79edef27c1

SHA256
25b826f01283de2346ed61f81581fdb7fe34415a5cd97cda708136701796a87f

SHA512
8a5d95c2ddf4eb90bca6d44308f2c2534aeecf99dc5428886318eb49aec505942082cf17c2d1ef4cf580e50966349d9f77a83b63e0567812e347137023b6d66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS06880A56\x64\SetupDownloader\SetupDownloader.exe

Filesize
263KB

MD5
4ec105376265ad264f8ae81f7910697d

SHA1
2bfd7aec6b525421b1d8959bae23ba79edef27c1

SHA256
25b826f01283de2346ed61f81581fdb7fe34415a5cd97cda708136701796a87f

SHA512
8a5d95c2ddf4eb90bca6d44308f2c2534aeecf99dc5428886318eb49aec505942082cf17c2d1ef4cf580e50966349d9f77a83b63e0567812e347137023b6d66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS06880A56\x64\SetupDownloader\SetupDownloader.exe.config

Filesize
218B

MD5
8f692dcbf1e68398b5dac3eba59872b0

SHA1
18011f5291790b0f49561385731ec5c6ad855415

SHA256
8c422938a58df86d88f29c61ff27006f0b3c9bb4742b11486bc5a01a6344129b

SHA512
e4bab07f4b9a9f725865e0e9f11fa31a4a1841399044f5976818782739b13d6c2012edf98199c5823ee9ecb3da40e7f3e2f88ab1394547801afa8b5b9dad9e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\0e3b1a23-6c76-4e0c-a24e-04c6fa95895b\paint.net.5.0.3.install.x64.exe

Filesize
62.1MB

MD5
20846a76b4cf1326fb68c41c5f62b701

SHA1
8c166732fe568e165dc5d56aea1bf0d4648b3a0a

SHA256
fa166f62134343ccfdf29c3b64a98bcb7c564e100a86e28c8f79826833a6a675

SHA512
d08ef470ff376936f3931ecf1b6d4fba65bfcd2fc2b70d2489f680126504a232220cdad4c5063bc89dcc47e92254effb4d32ca013cfa31dcf4608e40619df4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\0e3b1a23-6c76-4e0c-a24e-04c6fa95895b\paint.net.5.0.3.install.x64.exe

Filesize
62.1MB

MD5
20846a76b4cf1326fb68c41c5f62b701

SHA1
8c166732fe568e165dc5d56aea1bf0d4648b3a0a

SHA256
fa166f62134343ccfdf29c3b64a98bcb7c564e100a86e28c8f79826833a6a675

SHA512
d08ef470ff376936f3931ecf1b6d4fba65bfcd2fc2b70d2489f680126504a232220cdad4c5063bc89dcc47e92254effb4d32ca013cfa31dcf4608e40619df4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log

Filesize
135B

MD5
655f44518efbad8e854cde33c00b9331

SHA1
61be79af634233ea396b9bcfa32b0f0cc68198f1

SHA256
707b52e80da7d35c90e09624a9eaee727573da5fbf9628e470e9782226062d77

SHA512
659f18008b83b34a2b5dc627227501e2a230bca2de4c9d2d7015c1ecbcfa75e115d45224517499c72416e272df6fed670eca30ec96e692e341ba26302a3cc315

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log

Filesize
736B

MD5
bc8e3ecd73c63592efa800fff6c7a072

SHA1
d82eff44b2193f5cb1a80b06fd4be328295cfee8

SHA256
29a664e6f5fe1c8ac67ccf845096c38dce2f63730595e43a9e7fd8bbfbf00351

SHA512
5e5e02ed0f99ed59278e092450275dc4b0a294d4503aca1837f0aec00c3997a09365082c9e8214a0bc84e17455555be0784d37ec383a67c96e82a93a396ef6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log

Filesize
775B

MD5
372a765450f4ad8fe9a8d97777247492

SHA1
4fd69514c958393f0bd8c4cae8712de6058facff

SHA256
0a7be59ed55c4abe8aadccfb8b4b9b1580d95061385a3f58d6fd57561aae0ae6

SHA512
d6cef46d0710f83b3eaf47baea868ff76b6ea2d1bcea21fbd05d86bf3014281ac40496f33be7b202bea74bccebd0878cfb1f1b254bd95ea8032e631b6d3cc439

Download Submit
C:\Windows\Installer\e57e8aa.msi

Filesize
26.9MB

MD5
fcbe93185c4db7e7c967215c92c271e7

SHA1
cca7c7602c447ec5a7d46d2b461e01359b112c24

SHA256
afdfe9cdf961ac94993c29d7f5f35c7a4c1263eec4e10dda9d50d01c15fc6bc1

SHA512
c79af800e158727e189e631f3d2b9e494a9c64ba6c092c490a9f4b1ea4e5d365964396087b6a1b6f4187f6239527dc2cac12d54eb06b9dfdc92e061aa06f6282

Download Submit
C:\Windows\Installer\{67D72105-13E9-4EB7-8059-28DFC3A2DCA1}\app_icon.ico

Filesize
75KB

MD5
d47d5e7a8a90d00db1644a40555d14c2

SHA1
652eae27caf68d1903616910f46bcca27f6623b0

SHA256
9c6063ea5b8a118f1aeab0c201f5bc7fa5d630dcfd80d0c8bf3efe67bfde6953

SHA512
ecf923b823e246416ad4f010647a14c764325ff83752d542313ccd74143f800c1d37f14952e02ed78813f0417c94a0e5eccb02daecabf242444cd5d6a635ec8a

Download Submit
memory/3112-185-0x000001F2598E0000-0x000001F259992000-memory.dmp

Filesize
712KB

Download
memory/3112-193-0x000001F25A550000-0x000001F25A560000-memory.dmp

Filesize
64KB

Download
memory/3112-195-0x000001F259870000-0x000001F259882000-memory.dmp

Filesize
72KB

Download
memory/3112-192-0x000001F25A550000-0x000001F25A560000-memory.dmp

Filesize
64KB

Download
memory/3112-183-0x000001F23DDD0000-0x000001F23DE16000-memory.dmp

Filesize
280KB

Download
memory/3112-191-0x000001F25A550000-0x000001F25A560000-memory.dmp

Filesize
64KB

Download
memory/3112-189-0x000001F25A550000-0x000001F25A560000-memory.dmp

Filesize
64KB

Download
memory/3112-190-0x000001F25A550000-0x000001F25A560000-memory.dmp

Filesize
64KB

Download
memory/3112-187-0x000001F23E1A0000-0x000001F23E1C2000-memory.dmp

Filesize
136KB

Download
memory/3112-188-0x000001F25A550000-0x000001F25A560000-memory.dmp

Filesize
64KB

Download