9100841237455418412447da8ddaa2bbb810577de6bb18179f2384cccd6ff614

Analysis

max time kernel
226s
max time network
217s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2023 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

paint.net.5.0.3.install.anycpu.web.exe
Size

1.1MB
MD5

7e736accc204ce002fcec6b5dc6214dd
SHA1

420464ab383313994b5534c72f7f2c0f7d509462
SHA256

ae41189fec1996afe1d193c606ddc228f0d24640ea01df77a626db75b2c29cb8
SHA512

5d838d7063f54a21584c3e379b59053731f5dcf0b6b03e5cd09498c613dfdd38d4257799d265bd4fad608efba67988e846fcab70adff066768fc4ac4cdcd2bfb
SSDEEP

24576:nLYYYYkv0+qcSSu29odPoagtIC0BuDgtYiY+kM7p1kz6I:nLYYYYkvSSu29oQiDjMMV1e

Score

9^/10

coreentity discovery evasion persistence trojan

Malware Config

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
C:\Windows\Installer\e596d95.msi	coreentity

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

paint.net.5.0.3.install.anycpu.web.exepaint.net.5.0.3.install.x64.exeSetupFrontEnd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	paint.net.5.0.3.install.anycpu.web.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	paint.net.5.0.3.install.x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	SetupFrontEnd.exe

Executes dropped EXE 7 IoCs

Processes:

SetupShim.exeSetupDownloader.exepaint.net.5.0.3.install.x64.exeSetupShim.exeSetupFrontEnd.exepaintdotnet.exePaintDotNet.exe

pid	process
2272	SetupShim.exe
4596	SetupDownloader.exe
4624	paint.net.5.0.3.install.x64.exe
4556	SetupShim.exe
2276	SetupFrontEnd.exe
2592	paintdotnet.exe
1848	PaintDotNet.exe

Loads dropped DLL 64 IoCs

Processes:

SetupFrontEnd.exepaintdotnet.exe

pid	process
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2276	SetupFrontEnd.exe
2592	paintdotnet.exe
2592	paintdotnet.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

paintdotnet.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ = "C:\\Program Files\\paint.net\\PaintDotNet.ShellExtension.x64.dll"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ThreadingModel = "Apartment"	paintdotnet.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SetupFrontEnd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SetupFrontEnd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SetupFrontEnd.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exeSetupFrontEnd.exe

description	ioc	process
File created	C:\Program Files\paint.net\Microsoft.VisualBasic.Forms.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.SystemLayer.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.Pipes.AccessControl.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Resources.Extensions.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Runtime.Serialization.Primitives.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.ES.resources	msiexec.exe
File created	C:\Program Files\paint.net\System.Security.Permissions.dll	msiexec.exe
File created	C:\Program Files\paint.net\UIAutomationClientSideProviders.dll	msiexec.exe
File created	C:\Program Files\paint.net\vcruntime140_1.dll	msiexec.exe
File created	C:\Program Files\paint.net\Bundled\DDSFileTypePlus\DdsFileTypePlus.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.PropertySystem.xml	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.be.resources	msiexec.exe
File created	C:\Program Files\paint.net\System.CodeDom.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Transactions.Local.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Windows.Forms.Design.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Windows.Core.pdb	msiexec.exe
File created	C:\Program Files\paint.net\System.Diagnostics.EventLog.dll	msiexec.exe
File created	C:\Program Files\paint.net\vcruntime140_cor3.dll	msiexec.exe
File created	C:\Program Files\paint.net\Bundled\DDSFileTypePlus\License.txt	msiexec.exe
File created	C:\Program Files\paint.net\D3DCompiler_47_cor3.dll	msiexec.exe
File created	C:\Program Files\paint.net\nethost.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.PropertySystem.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Resources.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Runtime.InteropServices.RuntimeInformation.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Transactions.dll	msiexec.exe
File created	C:\Program Files\paint.net\Bundled\WebPFileType\WebPFileType.dll	msiexec.exe
File created	C:\Program Files\paint.net\Bundled\WebPFileType\WebPFileType.pdb	msiexec.exe
File created	C:\Program Files\paint.net\mscordbi.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Effects.Core.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Collections.xml	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.it.resources	msiexec.exe
File created	C:\Program Files\paint.net\System.Data.DataSetExtensions.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Diagnostics.StackTrace.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.ObjectModel.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Reflection.MetadataLoadContext.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Text.Encodings.Web.dll	msiexec.exe
File created	C:\Program Files\paint.net\Bundled\WebPFileType\Third Party Notices.txt	msiexec.exe
File created	C:\Program Files\paint.net\Mono.Cecil.Pdb.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Fundamentals.xml	msiexec.exe
File created	C:\Program Files\paint.net\System.Globalization.Extensions.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.UnmanagedMemoryStream.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Linq.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Private.DataContractSerialization.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Runtime.Loader.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Data.pdb	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Effects.Core.xml	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Fundamentals.pdb	msiexec.exe
File created	C:\Program Files\paint.net\System.Configuration.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Runtime.Serialization.Xml.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Text.Json.dll	msiexec.exe
File opened for modification	C:\Program Files\paint.net\Staging\PaintDotNet_x64_5.0.3.msi	SetupFrontEnd.exe
File created	C:\Program Files\paint.net\clrjit.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.ObjectModel.xml	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.lt.resources	msiexec.exe
File created	C:\Program Files\paint.net\System.Configuration.ConfigurationManager.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Diagnostics.TextWriterTraceListener.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Numerics.Vectors.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Resources.ResourceManager.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Runtime.CompilerServices.Unsafe.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Runtime.Numerics.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Windows.Forms.Legacy.dll	msiexec.exe
File created	C:\Program Files\paint.net\wpfgfx_cor3.dll	msiexec.exe
File created	C:\Program Files\paint.net\Resources\zh-cn\Images.PayPalDonate.gif	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.ObjectModel.dll	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e596d98.msi	msiexec.exe
File created	C:\Windows\Installer\{67D72105-13E9-4EB7-8059-28DFC3A2DCA1}\app_icon.ico	msiexec.exe
File created	C:\Windows\Installer\e596d95.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9BAA.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{67D72105-13E9-4EB7-8059-28DFC3A2DCA1}	msiexec.exe
File opened for modification	C:\Windows\Installer\{67D72105-13E9-4EB7-8059-28DFC3A2DCA1}\app_icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID5A6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e596d95.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a8dca56a4fb650f70000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a8dca56a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900a8dca56a000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a8dca56a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a8dca56a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exepaintdotnet.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider\CurVer	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rle\OpenWithProgids\paint.net.1	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tga\OpenWithProgids	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\edit\command\ = "\"C:\\Program Files\\paint.net\\paintdotnet.exe\" \"%1\""	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\open\command	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.pdn	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.bmp	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\SourceList\PackageName = "PaintDotNet_x64_5.0.3.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.avif\OpenWithProgids	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jxr\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.tga	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\shell	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dds\OpenWithProgids	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.jpe	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\04F04A40702A84B4EA7DA65A234E2357	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\edit	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.tiff	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\print\command\ = "\"C:\\Program Files\\paint.net\\paintdotnet.exe\" \"print:%1\""	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.heic\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpe\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.rle	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.wdp	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\DefaultIcon	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\URL Protocol	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ThreadingModel = "Apartment"	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.jpg	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tga	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wdp\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\DefaultIcon\ = "C:\\Program Files\\paint.net\\paintdotnet.exe,0"	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\shell\edit\command\ = "\"C:\\Program Files\\paint.net\\paintdotnet.exe\" \"%1\""	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.heic	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.jfif	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.webp	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.png	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tif\OpenWithProgids\paint.net.1	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\ = "paint.net Thumbnail Provider"	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.jxr	paintdotnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\FriendlyTypeName = "paint.net Image"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\OpenWithProgids\paint.net.1	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\print\command	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\shell\edit\command	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bmp\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\50127D769E317BE4089582FD3C2ACD1A\DefaultFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\OpenWithProgids	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmp\OpenWithProgids	paintdotnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50127D769E317BE4089582FD3C2ACD1A\SourceList\LastUsedSource = "n;1;C:\\Program Files\\paint.net\\Staging\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\shell\open	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\shell\open\command\ = "\"C:\\Program Files\\paint.net\\paintdotnet.exe\" %1"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\ = "paint.net Image"	paintdotnet.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

SetupDownloader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	SetupDownloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SetupDownloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SetupDownloader.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2532 msiexec.exe
2532 msiexec.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

SetupFrontEnd.exePaintDotNet.exe

pid process

2276 SetupFrontEnd.exe
1848 PaintDotNet.exe

pid	process
2532	msiexec.exe
2532	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SetupDownloader.exeSetupFrontEnd.exevssvc.exemsiexec.exesrtasks.exe

description	pid	process
Token: SeDebugPrivilege	4596	SetupDownloader.exe
Token: SeDebugPrivilege	2276	SetupFrontEnd.exe
Token: SeBackupPrivilege	800	vssvc.exe
Token: SeRestorePrivilege	800	vssvc.exe
Token: SeAuditPrivilege	800	vssvc.exe
Token: SeBackupPrivilege	2276	SetupFrontEnd.exe
Token: SeRestorePrivilege	2276	SetupFrontEnd.exe
Token: SeShutdownPrivilege	2276	SetupFrontEnd.exe
Token: SeIncreaseQuotaPrivilege	2276	SetupFrontEnd.exe
Token: SeSecurityPrivilege	2532	msiexec.exe
Token: SeCreateTokenPrivilege	2276	SetupFrontEnd.exe
Token: SeAssignPrimaryTokenPrivilege	2276	SetupFrontEnd.exe
Token: SeLockMemoryPrivilege	2276	SetupFrontEnd.exe
Token: SeIncreaseQuotaPrivilege	2276	SetupFrontEnd.exe
Token: SeMachineAccountPrivilege	2276	SetupFrontEnd.exe
Token: SeTcbPrivilege	2276	SetupFrontEnd.exe
Token: SeSecurityPrivilege	2276	SetupFrontEnd.exe
Token: SeTakeOwnershipPrivilege	2276	SetupFrontEnd.exe
Token: SeLoadDriverPrivilege	2276	SetupFrontEnd.exe
Token: SeSystemProfilePrivilege	2276	SetupFrontEnd.exe
Token: SeSystemtimePrivilege	2276	SetupFrontEnd.exe
Token: SeProfSingleProcessPrivilege	2276	SetupFrontEnd.exe
Token: SeIncBasePriorityPrivilege	2276	SetupFrontEnd.exe
Token: SeCreatePagefilePrivilege	2276	SetupFrontEnd.exe
Token: SeCreatePermanentPrivilege	2276	SetupFrontEnd.exe
Token: SeBackupPrivilege	2276	SetupFrontEnd.exe
Token: SeRestorePrivilege	2276	SetupFrontEnd.exe
Token: SeShutdownPrivilege	2276	SetupFrontEnd.exe
Token: SeDebugPrivilege	2276	SetupFrontEnd.exe
Token: SeAuditPrivilege	2276	SetupFrontEnd.exe
Token: SeSystemEnvironmentPrivilege	2276	SetupFrontEnd.exe
Token: SeChangeNotifyPrivilege	2276	SetupFrontEnd.exe
Token: SeRemoteShutdownPrivilege	2276	SetupFrontEnd.exe
Token: SeUndockPrivilege	2276	SetupFrontEnd.exe
Token: SeSyncAgentPrivilege	2276	SetupFrontEnd.exe
Token: SeEnableDelegationPrivilege	2276	SetupFrontEnd.exe
Token: SeManageVolumePrivilege	2276	SetupFrontEnd.exe
Token: SeImpersonatePrivilege	2276	SetupFrontEnd.exe
Token: SeCreateGlobalPrivilege	2276	SetupFrontEnd.exe
Token: SeRestorePrivilege	2532	msiexec.exe
Token: SeTakeOwnershipPrivilege	2532	msiexec.exe
Token: SeBackupPrivilege	4404	srtasks.exe
Token: SeRestorePrivilege	4404	srtasks.exe
Token: SeSecurityPrivilege	4404	srtasks.exe
Token: SeTakeOwnershipPrivilege	4404	srtasks.exe
Token: SeBackupPrivilege	4404	srtasks.exe
Token: SeRestorePrivilege	4404	srtasks.exe
Token: SeSecurityPrivilege	4404	srtasks.exe
Token: SeTakeOwnershipPrivilege	4404	srtasks.exe
Token: SeRestorePrivilege	2532	msiexec.exe
Token: SeTakeOwnershipPrivilege	2532	msiexec.exe
Token: SeRestorePrivilege	2532	msiexec.exe
Token: SeTakeOwnershipPrivilege	2532	msiexec.exe
Token: SeRestorePrivilege	2532	msiexec.exe
Token: SeTakeOwnershipPrivilege	2532	msiexec.exe
Token: SeRestorePrivilege	2532	msiexec.exe
Token: SeTakeOwnershipPrivilege	2532	msiexec.exe
Token: SeRestorePrivilege	2532	msiexec.exe
Token: SeTakeOwnershipPrivilege	2532	msiexec.exe
Token: SeRestorePrivilege	2532	msiexec.exe
Token: SeTakeOwnershipPrivilege	2532	msiexec.exe
Token: SeRestorePrivilege	2532	msiexec.exe
Token: SeTakeOwnershipPrivilege	2532	msiexec.exe
Token: SeRestorePrivilege	2532	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

SetupFrontEnd.exePaintDotNet.exe

pid process

2276 SetupFrontEnd.exe
1848 PaintDotNet.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

SetupShim.exepaint.net.5.0.3.install.x64.exeSetupShim.exeSetupFrontEnd.exePaintDotNet.exe

pid	process
2272	SetupShim.exe
4624	paint.net.5.0.3.install.x64.exe
4556	SetupShim.exe
2276	SetupFrontEnd.exe
1848	PaintDotNet.exe
1848	PaintDotNet.exe
1848	PaintDotNet.exe
1848	PaintDotNet.exe
1848	PaintDotNet.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

paint.net.5.0.3.install.anycpu.web.exeSetupShim.exeSetupDownloader.exepaint.net.5.0.3.install.x64.exeSetupShim.exemsiexec.exeSetupFrontEnd.exe

description	pid	process	target process
PID 2080 wrote to memory of 2272	2080	paint.net.5.0.3.install.anycpu.web.exe	SetupShim.exe
PID 2080 wrote to memory of 2272	2080	paint.net.5.0.3.install.anycpu.web.exe	SetupShim.exe
PID 2080 wrote to memory of 2272	2080	paint.net.5.0.3.install.anycpu.web.exe	SetupShim.exe
PID 2272 wrote to memory of 4596	2272	SetupShim.exe	SetupDownloader.exe
PID 2272 wrote to memory of 4596	2272	SetupShim.exe	SetupDownloader.exe
PID 4596 wrote to memory of 4624	4596	SetupDownloader.exe	paint.net.5.0.3.install.x64.exe
PID 4596 wrote to memory of 4624	4596	SetupDownloader.exe	paint.net.5.0.3.install.x64.exe
PID 4596 wrote to memory of 4624	4596	SetupDownloader.exe	paint.net.5.0.3.install.x64.exe
PID 4624 wrote to memory of 4556	4624	paint.net.5.0.3.install.x64.exe	SetupShim.exe
PID 4624 wrote to memory of 4556	4624	paint.net.5.0.3.install.x64.exe	SetupShim.exe
PID 4624 wrote to memory of 4556	4624	paint.net.5.0.3.install.x64.exe	SetupShim.exe
PID 4556 wrote to memory of 2276	4556	SetupShim.exe	SetupFrontEnd.exe
PID 4556 wrote to memory of 2276	4556	SetupShim.exe	SetupFrontEnd.exe
PID 2532 wrote to memory of 2592	2532	msiexec.exe	paintdotnet.exe
PID 2532 wrote to memory of 2592	2532	msiexec.exe	paintdotnet.exe
PID 2276 wrote to memory of 1848	2276	SetupFrontEnd.exe	PaintDotNet.exe
PID 2276 wrote to memory of 1848	2276	SetupFrontEnd.exe	PaintDotNet.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.3.install.anycpu.web.exe
"C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.3.install.anycpu.web.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2080

C:\Users\Admin\AppData\Local\Temp\7zS028CF8D6\SetupShim.exe
"C:\Users\Admin\AppData\Local\Temp\7zS028CF8D6\SetupShim.exe" /suppressReboot
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\7zS028CF8D6\x64\SetupDownloader\SetupDownloader.exe
"x64\SetupDownloader\SetupDownloader.exe" /SkipSuccessPrompt "C:\Users\Admin\AppData\Local\Temp\7zS028CF8D6\SetupShim.exe" /suppressReboot
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596

C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\93573199-ecc8-4709-91ed-0f183d48a581\paint.net.5.0.3.install.x64.exe
"C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\93573199-ecc8-4709-91ed-0f183d48a581\paint.net.5.0.3.install.x64.exe" C:\Users\Admin\AppData\Local\Temp\7zS028CF8D6\SetupShim.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4624

C:\Users\Admin\AppData\Local\Temp\7zS0123D457\SetupShim.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0123D457\SetupShim.exe" /suppressReboot C:\Users\Admin\AppData\Local\Temp\7zS028CF8D6\SetupShim.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4556

C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\SetupFrontEnd.exe
"x64\SetupFrontEnd.exe" "C:\Users\Admin\AppData\Local\Temp\7zS0123D457\SetupShim.exe" /suppressReboot C:\Users\Admin\AppData\Local\Temp\7zS028CF8D6\SetupShim.exe
6⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276

C:\Program Files\paint.net\PaintDotNet.exe
"C:\Program Files\paint.net\PaintDotNet.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532

C:\Program Files\paint.net\paintdotnet.exe
"C:\Program Files\paint.net\paintdotnet.exe" /setupActions /install DESKTOPSHORTCUT=1 PDNUPDATING=0 SKIPCLEANUP=0 "PROGRAMSGROUP=" /disablePGO /skipEstablishNVProfile /skipRepairAttempt
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e596d97.rbs
Filesize
79KB

MD5
df0fc92d90f0d35a90ca01bdd5814a7b

SHA1
cefd771b3c071964bb84fac6bccac98fe78c3d89

SHA256
ffe5bcc31c07bf3bafc36b980f323d0825c08dce30bc752b41797420c9385e3f

SHA512
b733dbdb7730a097dd4f638c12355f3e6bf1e4d99b31138855dfe59f8e8fc67a00d26193a49a384409adc4d15782375ceb7d534f0aea9312c5841f4183dff4f7

Download Submit
C:\Config.Msi\e596d99.rbs
Filesize
663B

MD5
3afafb10964a5559c77343c0321de3ae

SHA1
690f5b8fa872e889c3548b7766690e39c3d6a47e

SHA256
e2bde9e1810d39dfd02041a5f2eff61d31f8c1991e110c2370f3578fe32145f6

SHA512
3f1e660617e42c680f537464a544c4e1565108da481962a8383d7df2e29ab5ff7c64d4f701c48b29343c1a65a4f69a3050bc8e0b1d7720653dfe0cb274882a0c

Download Submit
C:\Program Files\paint.net\mscordaccore_amd64_amd64_7.0.423.11508.dll
Filesize
1.3MB

MD5
a54257d04b9910dc618d1f7833a298f1

SHA1
bab917f9811f502d4928c0f0068d08c42827c6c9

SHA256
180b92fe910242114cdd5d605ea7254faedefd412b7b7100485b5dec3b7ad2cc

SHA512
23c4a9a0f84a0089ed43d02be855a0209f10a5bd5238c7a0a115c26e488ec0af1662429c32a4cc1b500d3c93f357e5d321dd435cc0bfd66bc52f81a34fe4627c

Download Submit
C:\Program Files\paint.net\paintdotnet.runtimeconfig.json
Filesize
449B

MD5
855798731cf9f727530fdf409006fc1b

SHA1
3433add3eb478374dd58d6b3147b34758487dee8

SHA256
a835bc55d5d331510c679221eb7de631db51edf41fe57022d499893bafe782d6

SHA512
f7749bbdead985f2d0556a6aa77583b39c563878fd5d6844dd31eb9c026b082d2deba7d3b84a3598b7745ca2a911d41e4672febc993e20f6d21421e4d7490fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\SetupShim.exe
Filesize
136KB

MD5
e2b8f4221931e23f65dcdb2fd051be8d

SHA1
76db9efa379bef5c65c8f2e1733bc6575747502a

SHA256
621499bdf212eb1aaf80b3d2c7befffcaa5fb2804b301d14690a236667a7908a

SHA512
700ef42e2199d6dad3a48ec8c562b43cc7210ed52e65bc2cc77b3f2905173be081f19a622efaab579fc098c165c0b3c5f3644cf98f81629a2f0d4a722014b5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\SetupShim.exe
Filesize
136KB

MD5
e2b8f4221931e23f65dcdb2fd051be8d

SHA1
76db9efa379bef5c65c8f2e1733bc6575747502a

SHA256
621499bdf212eb1aaf80b3d2c7befffcaa5fb2804b301d14690a236667a7908a

SHA512
700ef42e2199d6dad3a48ec8c562b43cc7210ed52e65bc2cc77b3f2905173be081f19a622efaab579fc098c165c0b3c5f3644cf98f81629a2f0d4a722014b5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\PaintDotNet.Base.dll
Filesize
718KB

MD5
2db7bf99c25c83a1297d2ac5da875331

SHA1
088df6faa8f3e86a07ccc4a7604b6c51c1d3d371

SHA256
0aab4adbcce2569aca4ce59997cba61d548b284c9734b5905f6c3a9f6e91b723

SHA512
5b2e95aa8a54ec25410042395b276d8b29d4dc4cdd1bd0a5d65bab0758c2bd1830a11609d317c9537a45d7516cf0d3ff613f7940d419ec5c26cb35cce05d9017

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\PaintDotNet.Base.dll
Filesize
718KB

MD5
2db7bf99c25c83a1297d2ac5da875331

SHA1
088df6faa8f3e86a07ccc4a7604b6c51c1d3d371

SHA256
0aab4adbcce2569aca4ce59997cba61d548b284c9734b5905f6c3a9f6e91b723

SHA512
5b2e95aa8a54ec25410042395b276d8b29d4dc4cdd1bd0a5d65bab0758c2bd1830a11609d317c9537a45d7516cf0d3ff613f7940d419ec5c26cb35cce05d9017

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\PaintDotNet.ComponentModel.dll
Filesize
98KB

MD5
c3f0602203022db89e1c8ff982aca603

SHA1
491db9889dd1b59b21ef234a56fa2fb637c286ab

SHA256
42503924190bf885450b376d4685e112aaa78e3a1e219703f210fb43f846fddd

SHA512
083b72c2a46de419eab12f97ddbb3acaff15736471e2eb2efc49b478459e7eb14242b2de5bd3df59f0be006f163457313b7e9aa338124c636273bdbe4682bd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\PaintDotNet.ComponentModel.dll
Filesize
98KB

MD5
c3f0602203022db89e1c8ff982aca603

SHA1
491db9889dd1b59b21ef234a56fa2fb637c286ab

SHA256
42503924190bf885450b376d4685e112aaa78e3a1e219703f210fb43f846fddd

SHA512
083b72c2a46de419eab12f97ddbb3acaff15736471e2eb2efc49b478459e7eb14242b2de5bd3df59f0be006f163457313b7e9aa338124c636273bdbe4682bd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\PaintDotNet.Core.dll
Filesize
2.2MB

MD5
862838027c0430730e79a9d84748feec

SHA1
9b0b0d47ad95f590cf8c79c6991f9629bff21a37

SHA256
344703b2bb0ddfb8bd1a0b892b0534a78d83fc49a90b8a1593f0123cdbc2bbd5

SHA512
e0fa882f14720ddc1a4ea7fa7958f331bbf167678edef0f3adefe0e6193ed64ddad6eb4ac55aa63e2a17fe8394829e8344f1d3470062cfe16f45e71825432b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\PaintDotNet.Core.dll
Filesize
2.2MB

MD5
862838027c0430730e79a9d84748feec

SHA1
9b0b0d47ad95f590cf8c79c6991f9629bff21a37

SHA256
344703b2bb0ddfb8bd1a0b892b0534a78d83fc49a90b8a1593f0123cdbc2bbd5

SHA512
e0fa882f14720ddc1a4ea7fa7958f331bbf167678edef0f3adefe0e6193ed64ddad6eb4ac55aa63e2a17fe8394829e8344f1d3470062cfe16f45e71825432b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\PaintDotNet.Framework.dll
Filesize
1.0MB

MD5
4dd915dce3ba0d65dba6ae12138815c1

SHA1
394615daef73866c3d51cd4909ea54fa67dff37b

SHA256
216b4701cee99e18f3cd6889eaca0ff21d6f0daf952ef0399b456986adfeddbe

SHA512
550d468f1c56ae96eab08a8c8f593a3d0ba0e7d94b096864df366c7ff44810c66555936d1f4f1ac1236716c9947e7bd98e732aef4302dee012a549111d6eb864

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\PaintDotNet.Framework.dll
Filesize
1.0MB

MD5
4dd915dce3ba0d65dba6ae12138815c1

SHA1
394615daef73866c3d51cd4909ea54fa67dff37b

SHA256
216b4701cee99e18f3cd6889eaca0ff21d6f0daf952ef0399b456986adfeddbe

SHA512
550d468f1c56ae96eab08a8c8f593a3d0ba0e7d94b096864df366c7ff44810c66555936d1f4f1ac1236716c9947e7bd98e732aef4302dee012a549111d6eb864

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\PaintDotNet.Fundamentals.dll
Filesize
1.3MB

MD5
a90bfac16d161027972fcb4d96632e01

SHA1
4a6121d6b0c2c1e0d629c511758e8ec59970d272

SHA256
6c5cca663c1cff15a4ff7f466638a1e94eef34b0358ad78c4038debe4f4dd568

SHA512
0a50bf93e7bebcd60273e1136e1fef7c36a5656c414842fae8a9db63188bed7bf4f4d20edbd12250e59f8afb914a7b41592dd7a113bf43759615221fad10041a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\PaintDotNet.Fundamentals.dll
Filesize
1.3MB

MD5
a90bfac16d161027972fcb4d96632e01

SHA1
4a6121d6b0c2c1e0d629c511758e8ec59970d272

SHA256
6c5cca663c1cff15a4ff7f466638a1e94eef34b0358ad78c4038debe4f4dd568

SHA512
0a50bf93e7bebcd60273e1136e1fef7c36a5656c414842fae8a9db63188bed7bf4f4d20edbd12250e59f8afb914a7b41592dd7a113bf43759615221fad10041a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\PaintDotNet.ObjectModel.dll
Filesize
182KB

MD5
fb75ef98bca52b2500b7f02b34732814

SHA1
67e20fb5d32cb197e3a7d72857f218dbb6c0ca1f

SHA256
46fcbd795100a148c14dcf5a9f64f5d4cbdecefe080541cf1c40f34ee592d6d9

SHA512
9e6b38aaa60e90165a5af5d74f17bc7317a6e0f9207a1db0a17a6231584372343c26f99e00a7c7cdcfa8d331d58722889735386c0de6485177d90ef2bfb9edf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\PaintDotNet.ObjectModel.dll
Filesize
182KB

MD5
fb75ef98bca52b2500b7f02b34732814

SHA1
67e20fb5d32cb197e3a7d72857f218dbb6c0ca1f

SHA256
46fcbd795100a148c14dcf5a9f64f5d4cbdecefe080541cf1c40f34ee592d6d9

SHA512
9e6b38aaa60e90165a5af5d74f17bc7317a6e0f9207a1db0a17a6231584372343c26f99e00a7c7cdcfa8d331d58722889735386c0de6485177d90ef2bfb9edf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\PaintDotNet.Primitives.dll
Filesize
934KB

MD5
71266031fba2a9ed024fbe83d5169ab2

SHA1
f081273799c5e56eb2973d2f21c8857307996dfb

SHA256
8a6165cbd053dda6e069ada7eee5328633bf0b9a92050a91902b56d723768b01

SHA512
c35ead84db6cb5369fbb3b3b1f127beeb66f5b71e43be93f332e5be3c7ac69b4ef3c13cb53489db73f8228fb7951ad016cedbd867fefd20a678d0c6efc2b9423

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\PaintDotNet.Primitives.dll
Filesize
934KB

MD5
71266031fba2a9ed024fbe83d5169ab2

SHA1
f081273799c5e56eb2973d2f21c8857307996dfb

SHA256
8a6165cbd053dda6e069ada7eee5328633bf0b9a92050a91902b56d723768b01

SHA512
c35ead84db6cb5369fbb3b3b1f127beeb66f5b71e43be93f332e5be3c7ac69b4ef3c13cb53489db73f8228fb7951ad016cedbd867fefd20a678d0c6efc2b9423

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\PaintDotNet.Runtime.dll
Filesize
74KB

MD5
3e36bded83cbd67eae5aebb01f7683c0

SHA1
1c9107b95654bb40a9a327e27124d1b8028a3022

SHA256
ad5851f50036363355f014b9d59d8e74d47d9ce01861dfec5d6b46f195fc04f6

SHA512
e524da8da9f28fae6e1ffdb25a6b576ffb462481e6c74f46f727abe019c9aad1f58719fdb2df156a5e1740f54e618abc490555b2ce32eb224c9a0bff7a944fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\PaintDotNet.Strings.3.co.resources
Filesize
176KB

MD5
c0dec6327462f7728ae5dfdbf47edc80

SHA1
d8bddc3e01cd2e06d29099c96bad2e18e0b798aa

SHA256
700f2eb136f01f4f5059e4e76a21263e642528734aba9cc2f257642893adce0c

SHA512
c9582e4647c7c004f08b027cd8b68769856e05ccd9d5e886512921b219317e6ee0a477ca4aaa42ca6d08277920ce528cdcaeef95b8e4c0d89bd50e9e2693d28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\PaintDotNet.Windows.dll
Filesize
3.6MB

MD5
de72d4bfe376a4993d82a40bb077f7c9

SHA1
6a893e3b66c33b63097d9b3c1637c27d0b594e91

SHA256
3041d4185c0fa4d3589e5f3a987702c319a47a345b9ee80662796018297fc641

SHA512
d8fa2c0f521f6722a97d2f1f50d1a57e53a2305def38d03cf4376f9e54580951bf2a5b47744baba3449ef21335bca120f3356eea169fcf437de900c57f642bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\PaintDotNet.Windows.dll
Filesize
3.6MB

MD5
de72d4bfe376a4993d82a40bb077f7c9

SHA1
6a893e3b66c33b63097d9b3c1637c27d0b594e91

SHA256
3041d4185c0fa4d3589e5f3a987702c319a47a345b9ee80662796018297fc641

SHA512
d8fa2c0f521f6722a97d2f1f50d1a57e53a2305def38d03cf4376f9e54580951bf2a5b47744baba3449ef21335bca120f3356eea169fcf437de900c57f642bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\SetupFrontEnd.deps.json
Filesize
60KB

MD5
75bb5ed174e86611f66d39b720c48a1e

SHA1
ef75601cf845237a634e4f716a2b22b69d3392ad

SHA256
1b596086933e124a090bf0875fe5b9d1c632d6e6108e84caf34f5c497b8bf5ff

SHA512
3a6a17d8e708c752f813916583c326384c87bd9252006a24913998d828753ddf586ff3c6a7b764328b432be76fcbdab802192257e4fb888415701f3ba35acef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\SetupFrontEnd.dll
Filesize
210KB

MD5
82d84b7b86059ba373bd470369a47e48

SHA1
b7252d76866b665b0a20fd66e884d15f8573aece

SHA256
51d17e65b4fbdcc144f2056cf903813057c91e7b7841d239eb8676e1ed6e6471

SHA512
fee38581c9bdb10ff2221e8fa2840c5e06c8ac91450f9250c7ebbb3e95b1c4bfc9f1b77785372519ab5be0f7471a41801082951ce81eb4c6c8575b49852a12ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\SetupFrontEnd.dll
Filesize
210KB

MD5
82d84b7b86059ba373bd470369a47e48

SHA1
b7252d76866b665b0a20fd66e884d15f8573aece

SHA256
51d17e65b4fbdcc144f2056cf903813057c91e7b7841d239eb8676e1ed6e6471

SHA512
fee38581c9bdb10ff2221e8fa2840c5e06c8ac91450f9250c7ebbb3e95b1c4bfc9f1b77785372519ab5be0f7471a41801082951ce81eb4c6c8575b49852a12ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\SetupFrontEnd.exe
Filesize
162KB

MD5
37acf526b16c96bf8fd1cdf3510fc596

SHA1
1a1e39d6cebb09d4c7dbc8fa376c53ba91c4b71e

SHA256
e2c9b45c50a7d4e671c9a483f87babd13421ed9a2c986cc915e4209a6162929c

SHA512
998341de0dfbf02712b48f01eff7f0de31eb319c779a8011772204eda513b635e6bb5fc3e247056244974356fbcb00ebfcfd4f4cd2af60af3a2e81b2ebe80172

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\SetupFrontEnd.exe
Filesize
162KB

MD5
37acf526b16c96bf8fd1cdf3510fc596

SHA1
1a1e39d6cebb09d4c7dbc8fa376c53ba91c4b71e

SHA256
e2c9b45c50a7d4e671c9a483f87babd13421ed9a2c986cc915e4209a6162929c

SHA512
998341de0dfbf02712b48f01eff7f0de31eb319c779a8011772204eda513b635e6bb5fc3e247056244974356fbcb00ebfcfd4f4cd2af60af3a2e81b2ebe80172

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\SetupFrontEnd.runtimeconfig.json
Filesize
449B

MD5
855798731cf9f727530fdf409006fc1b

SHA1
3433add3eb478374dd58d6b3147b34758487dee8

SHA256
a835bc55d5d331510c679221eb7de631db51edf41fe57022d499893bafe782d6

SHA512
f7749bbdead985f2d0556a6aa77583b39c563878fd5d6844dd31eb9c026b082d2deba7d3b84a3598b7745ca2a911d41e4672febc993e20f6d21421e4d7490fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\System.Collections.Concurrent.dll
Filesize
258KB

MD5
a3213606edbfe542e4a4c80360eae446

SHA1
1c9928c54987788f8ab4fe53705eb7a8d1481ad1

SHA256
689b62857903e110fba88b8c977ee5ca7b943f632a84a9fb9c5f64977873c350

SHA512
f5de4f21b70212a45d958add4a9a4b236a3eb35e071e748851f753b7d040349ccfa0f08ed9600bdeb2efa2fddb78e1a45cdc544a09bc48af449d8c683a449c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\System.Collections.Concurrent.dll
Filesize
258KB

MD5
a3213606edbfe542e4a4c80360eae446

SHA1
1c9928c54987788f8ab4fe53705eb7a8d1481ad1

SHA256
689b62857903e110fba88b8c977ee5ca7b943f632a84a9fb9c5f64977873c350

SHA512
f5de4f21b70212a45d958add4a9a4b236a3eb35e071e748851f753b7d040349ccfa0f08ed9600bdeb2efa2fddb78e1a45cdc544a09bc48af449d8c683a449c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\System.Collections.Specialized.dll
Filesize
106KB

MD5
859ade54c2a26e9f73b28f01984255d1

SHA1
22eb5f78c298b656dd6eab105f0e39b1442a23ef

SHA256
7943c8c3c0f759108e1dd8b1ea69502e8261d9e3e275051b75cce82242bae0e7

SHA512
aa72d67309e4c3d5f3ee0800dc9d1246d88ff081ff6cf519ee9c9009ddf10dfe98997389f012797b99302db2c04657a4e351bdbed11b49d14136245292ceb9fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\System.Collections.Specialized.dll
Filesize
106KB

MD5
859ade54c2a26e9f73b28f01984255d1

SHA1
22eb5f78c298b656dd6eab105f0e39b1442a23ef

SHA256
7943c8c3c0f759108e1dd8b1ea69502e8261d9e3e275051b75cce82242bae0e7

SHA512
aa72d67309e4c3d5f3ee0800dc9d1246d88ff081ff6cf519ee9c9009ddf10dfe98997389f012797b99302db2c04657a4e351bdbed11b49d14136245292ceb9fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\System.ComponentModel.Primitives.dll
Filesize
82KB

MD5
b5c9e2bb66a63a06a2ad90924fe354ed

SHA1
883cf2f249e9dad2a3558d6263e7f17056e46321

SHA256
263a81ee06efb6107ef92225d824321d2b62a6f9141efaa44ba95f23a5c39a12

SHA512
9fd0bc6e81fd1a78ea7d0da4f03b71ce04889b6412e5bba57fda513e15b982a1c85b3e913fbcabf356a3d7b809ef470224f77e6cd75db018e2449239f1b046d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\System.ComponentModel.Primitives.dll
Filesize
82KB

MD5
b5c9e2bb66a63a06a2ad90924fe354ed

SHA1
883cf2f249e9dad2a3558d6263e7f17056e46321

SHA256
263a81ee06efb6107ef92225d824321d2b62a6f9141efaa44ba95f23a5c39a12

SHA512
9fd0bc6e81fd1a78ea7d0da4f03b71ce04889b6412e5bba57fda513e15b982a1c85b3e913fbcabf356a3d7b809ef470224f77e6cd75db018e2449239f1b046d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\System.ComponentModel.dll
Filesize
30KB

MD5
ab8ec6d232fe963d1c7d9690c8d2b8a6

SHA1
6453f555c5f017f647d90a6a78a8183ca104af1a

SHA256
ab374776cf9e2c92dfc687fb7612bb7d8558679cb01802ef6d58f2aa51cb65ad

SHA512
a0981f0b00a6c74679c40f0e96dc4c432fcfc727a448ee3eda52e8855003161a8af95a8537fef76809c29a3b8daaf74e00dab713a963a151b81412a5804c85c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\System.ComponentModel.dll
Filesize
30KB

MD5
ab8ec6d232fe963d1c7d9690c8d2b8a6

SHA1
6453f555c5f017f647d90a6a78a8183ca104af1a

SHA256
ab374776cf9e2c92dfc687fb7612bb7d8558679cb01802ef6d58f2aa51cb65ad

SHA512
a0981f0b00a6c74679c40f0e96dc4c432fcfc727a448ee3eda52e8855003161a8af95a8537fef76809c29a3b8daaf74e00dab713a963a151b81412a5804c85c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\System.Drawing.Primitives.dll
Filesize
134KB

MD5
5b45dc4fe64241dc8bc912367f40f5f7

SHA1
32be46d76e5513be1aec0880e13a76473898d9f0

SHA256
0059d93762d28faa920ffb4b82900dc9d7ab8fd5ac9416abad45876070f07c49

SHA512
9698e362e1c01bfa63fc7dcaa4a412862712b044b1bebe289c670eb625ee3c9ab384a7f1482d656bb2e220be7625dd4164e40c857465d381330f8e561ad17340

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\System.Drawing.Primitives.dll
Filesize
134KB

MD5
5b45dc4fe64241dc8bc912367f40f5f7

SHA1
32be46d76e5513be1aec0880e13a76473898d9f0

SHA256
0059d93762d28faa920ffb4b82900dc9d7ab8fd5ac9416abad45876070f07c49

SHA512
9698e362e1c01bfa63fc7dcaa4a412862712b044b1bebe289c670eb625ee3c9ab384a7f1482d656bb2e220be7625dd4164e40c857465d381330f8e561ad17340

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\System.Private.CoreLib.dll
Filesize
11.1MB

MD5
4f4b9d74c1a9a3f20a036458a20aa901

SHA1
030569f9ee43f8b09f663f2c635b332dcc833d81

SHA256
207152788866278b2826e467bc2468c73422aa72482b2730c355cd2414010cb5

SHA512
afa4161ffe497879e5c1a4c0ed5b976e778dd356fd3acc391354f23238b64c48c55742a9fd39485e7e4f7014019e1f2ce436109c5a5dcac8828845976dcc5498

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\System.Private.CoreLib.dll
Filesize
11.1MB

MD5
4f4b9d74c1a9a3f20a036458a20aa901

SHA1
030569f9ee43f8b09f663f2c635b332dcc833d81

SHA256
207152788866278b2826e467bc2468c73422aa72482b2730c355cd2414010cb5

SHA512
afa4161ffe497879e5c1a4c0ed5b976e778dd356fd3acc391354f23238b64c48c55742a9fd39485e7e4f7014019e1f2ce436109c5a5dcac8828845976dcc5498

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\System.Runtime.InteropServices.dll
Filesize
62KB

MD5
98d1838ded9e7a035c00eceecc51210e

SHA1
7925cc1fbc286e38d74a6cd64eb666a74af4f747

SHA256
eb3bec2ca3af9f8cb905a47059f948b67dcb6d96b85764a1ef1534a5a9a1394b

SHA512
f1ec1790f41a9813a5d2aa02d1001604f895262eb00dc65ed8a7f6a08ebd49eb1843bebc24018e0b1b530181db618bea9257e0ecfcb40475b484c974a2ef16ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\System.Runtime.InteropServices.dll
Filesize
62KB

MD5
98d1838ded9e7a035c00eceecc51210e

SHA1
7925cc1fbc286e38d74a6cd64eb666a74af4f747

SHA256
eb3bec2ca3af9f8cb905a47059f948b67dcb6d96b85764a1ef1534a5a9a1394b

SHA512
f1ec1790f41a9813a5d2aa02d1001604f895262eb00dc65ed8a7f6a08ebd49eb1843bebc24018e0b1b530181db618bea9257e0ecfcb40475b484c974a2ef16ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\System.Runtime.dll
Filesize
42KB

MD5
1a84053ebe07166c871edd7c7c181a83

SHA1
c379c00bea94663aa1ba0a4eb6e456ca2847d31e

SHA256
6948236074aa133f57fa7c9bc2557bafbec1b05834bbc2bab707c41b2ab7a4a9

SHA512
b639b60437cf75c903e531cc3c95613ff2e27a1428e822a1a26a2057343568b8a6a11a2741786a254833fa7c9491aedeaaed3acdf061331b81e4071ad9cf6ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\System.Windows.Forms.Primitives.dll
Filesize
938KB

MD5
240854502cd2fd551a5c2540a02c5a3f

SHA1
562a9f3337b2e2ebfc1098064272ea0c9ffb9448

SHA256
04e658695c092a03691cda46859667b613c71b60d6d8d4835b712c70d4ceef42

SHA512
f142d0284694999f365f4001ca57f9710c158ea02edb86179c912388f8ed0efd4e1417c0528f77db7d8cb65d5a54a590c2803c4607ae019abd20041cdd84c891

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\System.Windows.Forms.Primitives.dll
Filesize
938KB

MD5
240854502cd2fd551a5c2540a02c5a3f

SHA1
562a9f3337b2e2ebfc1098064272ea0c9ffb9448

SHA256
04e658695c092a03691cda46859667b613c71b60d6d8d4835b712c70d4ceef42

SHA512
f142d0284694999f365f4001ca57f9710c158ea02edb86179c912388f8ed0efd4e1417c0528f77db7d8cb65d5a54a590c2803c4607ae019abd20041cdd84c891

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\System.Windows.Forms.dll
Filesize
12.7MB

MD5
2e7272756190f51683c6c171068b3b28

SHA1
963e3f9f416f1ef44881873a006e57066948a823

SHA256
2b49d2d1c5a93a99b6c1c8545b559177aa215de363d67eb5243d69282a6b6969

SHA512
500953146f107c9df2399a7727907059c2c0970316daf1f648f28f683cb07198c96ee0d1b9ba5381ea74e37d7183878533a484fa72b4fa4f92094c3c9ce1ddb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\System.Windows.Forms.dll
Filesize
12.7MB

MD5
2e7272756190f51683c6c171068b3b28

SHA1
963e3f9f416f1ef44881873a006e57066948a823

SHA256
2b49d2d1c5a93a99b6c1c8545b559177aa215de363d67eb5243d69282a6b6969

SHA512
500953146f107c9df2399a7727907059c2c0970316daf1f648f28f683cb07198c96ee0d1b9ba5381ea74e37d7183878533a484fa72b4fa4f92094c3c9ce1ddb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\TerraFX.Interop.Windows.dll
Filesize
966KB

MD5
b5d02ceacecfa4350292991f3d3bd72f

SHA1
44ad5b10395a0269e6b9e685c27ce44bf5fc41f5

SHA256
d86006ce0ca86dcd3990c9e06e77c60fd95bbfd2aef98d51ffa3ac4d6c3e64b7

SHA512
40b87995c3438edb78066f6fd820761bb553e2d1abb8671d205b8112b239a59c1b69724816634fc0c4d670d1c50dfda1f11be676d54f90aa22ebf5d08216f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\TerraFX.Interop.Windows.dll
Filesize
966KB

MD5
b5d02ceacecfa4350292991f3d3bd72f

SHA1
44ad5b10395a0269e6b9e685c27ce44bf5fc41f5

SHA256
d86006ce0ca86dcd3990c9e06e77c60fd95bbfd2aef98d51ffa3ac4d6c3e64b7

SHA512
40b87995c3438edb78066f6fd820761bb553e2d1abb8671d205b8112b239a59c1b69724816634fc0c4d670d1c50dfda1f11be676d54f90aa22ebf5d08216f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\clrjit.dll
Filesize
1.5MB

MD5
214103ec27a3334f1a54572e06edd7f0

SHA1
2331ad94c2014ee301130d58841fbbfa56bd9571

SHA256
98e88c84b1e9f40fd9a53779b4b2bc720282f546ff6eb875ca2bdcde3caa819a

SHA512
81155dda5d36b54c91f99fd08ed86c71cb98faddf0a98fa14264448327b88318bbb4fa9ab53f6f94eedc4fd71a3eaa169d1bda437c74ef7f3979e1f335ae7813

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\clrjit.dll
Filesize
1.5MB

MD5
214103ec27a3334f1a54572e06edd7f0

SHA1
2331ad94c2014ee301130d58841fbbfa56bd9571

SHA256
98e88c84b1e9f40fd9a53779b4b2bc720282f546ff6eb875ca2bdcde3caa819a

SHA512
81155dda5d36b54c91f99fd08ed86c71cb98faddf0a98fa14264448327b88318bbb4fa9ab53f6f94eedc4fd71a3eaa169d1bda437c74ef7f3979e1f335ae7813

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\coreclr.dll
Filesize
4.9MB

MD5
af772e60472ea250d3352cf128952555

SHA1
e0ccf9ae5fc81d5efa5e3cce4f5815d04fb90629

SHA256
eb730b08abc2fbcca0fa5d80fa0ca9400608db09165108c7b31eb55f36540173

SHA512
8d67c3f831b5078e315c93c0fa2b5d3db476f405efc42221217216806774bf676e283858b28e495b91559f395673a446693a79d104b6e095ba3f982010d89911

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\coreclr.dll
Filesize
4.9MB

MD5
af772e60472ea250d3352cf128952555

SHA1
e0ccf9ae5fc81d5efa5e3cce4f5815d04fb90629

SHA256
eb730b08abc2fbcca0fa5d80fa0ca9400608db09165108c7b31eb55f36540173

SHA512
8d67c3f831b5078e315c93c0fa2b5d3db476f405efc42221217216806774bf676e283858b28e495b91559f395673a446693a79d104b6e095ba3f982010d89911

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\hostfxr.dll
Filesize
373KB

MD5
272bee5405e37cb80ac1be7594014561

SHA1
b1ec2f31cf43b2f94ccb791bd2dec73634469cd3

SHA256
ef79f293eee7ac8a4d448e31e2f2b6d2627e436889f7a6561296d97eef70cde2

SHA512
6aca18c89be621dec402e1534ad41e26d9c77d4b0c3f66919dec977681b5ef9afaf0f19f1ab4fb19f295bf294deb5f7b1e51921e6a67b680217615038791dbac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\hostfxr.dll
Filesize
373KB

MD5
272bee5405e37cb80ac1be7594014561

SHA1
b1ec2f31cf43b2f94ccb791bd2dec73634469cd3

SHA256
ef79f293eee7ac8a4d448e31e2f2b6d2627e436889f7a6561296d97eef70cde2

SHA512
6aca18c89be621dec402e1534ad41e26d9c77d4b0c3f66919dec977681b5ef9afaf0f19f1ab4fb19f295bf294deb5f7b1e51921e6a67b680217615038791dbac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\hostpolicy.dll
Filesize
383KB

MD5
36cc628074a9288e94a9964a27d17a59

SHA1
06222857ba30e2aa026894dfafd6ea2876705a9d

SHA256
05ed73a9eae0ba8465d6a2fe9239a403939d565bbbd51ff44bc0489f3d3a7b53

SHA512
c95ae58b2de59692c83797c48d52830be0fbfdd0f3a5fff557a5ba82c63704ef3dec6e5a2315b68e665d41e58845932047fe6380125496040a424601b9c06825

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0123D457\x64\hostpolicy.dll
Filesize
383KB

MD5
36cc628074a9288e94a9964a27d17a59

SHA1
06222857ba30e2aa026894dfafd6ea2876705a9d

SHA256
05ed73a9eae0ba8465d6a2fe9239a403939d565bbbd51ff44bc0489f3d3a7b53

SHA512
c95ae58b2de59692c83797c48d52830be0fbfdd0f3a5fff557a5ba82c63704ef3dec6e5a2315b68e665d41e58845932047fe6380125496040a424601b9c06825

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS028CF8D6\SetupShim.exe
Filesize
136KB

MD5
e2b8f4221931e23f65dcdb2fd051be8d

SHA1
76db9efa379bef5c65c8f2e1733bc6575747502a

SHA256
621499bdf212eb1aaf80b3d2c7befffcaa5fb2804b301d14690a236667a7908a

SHA512
700ef42e2199d6dad3a48ec8c562b43cc7210ed52e65bc2cc77b3f2905173be081f19a622efaab579fc098c165c0b3c5f3644cf98f81629a2f0d4a722014b5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS028CF8D6\SetupShim.exe
Filesize
136KB

MD5
e2b8f4221931e23f65dcdb2fd051be8d

SHA1
76db9efa379bef5c65c8f2e1733bc6575747502a

SHA256
621499bdf212eb1aaf80b3d2c7befffcaa5fb2804b301d14690a236667a7908a

SHA512
700ef42e2199d6dad3a48ec8c562b43cc7210ed52e65bc2cc77b3f2905173be081f19a622efaab579fc098c165c0b3c5f3644cf98f81629a2f0d4a722014b5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS028CF8D6\SetupShim.exe
Filesize
136KB

MD5
e2b8f4221931e23f65dcdb2fd051be8d

SHA1
76db9efa379bef5c65c8f2e1733bc6575747502a

SHA256
621499bdf212eb1aaf80b3d2c7befffcaa5fb2804b301d14690a236667a7908a

SHA512
700ef42e2199d6dad3a48ec8c562b43cc7210ed52e65bc2cc77b3f2905173be081f19a622efaab579fc098c165c0b3c5f3644cf98f81629a2f0d4a722014b5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS028CF8D6\x64\SetupDownloader\Newtonsoft.Json.dll
Filesize
695KB

MD5
715a1fbee4665e99e859eda667fe8034

SHA1
e13c6e4210043c4976dcdc447ea2b32854f70cc6

SHA256
c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e

SHA512
bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS028CF8D6\x64\SetupDownloader\SetupDownloader.Configuration.json
Filesize
135B

MD5
8ca6779446e31e219589a08769448da2

SHA1
efc2d9e4b0f99daf0333406610d8031a5a8aed2f

SHA256
2b23a17e993b7837a89365cdd328541f58ddfd4ab2b45285058284eee5733613

SHA512
a6a863880835dcca879534ec8a353e2d7fef9c4410edfe41b59bac561492cc6084330c7aad1d2e8a9590b2a3d7551a0b8b6d45ced4d235f01b596d69b593bbf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS028CF8D6\x64\SetupDownloader\SetupDownloader.exe
Filesize
263KB

MD5
4ec105376265ad264f8ae81f7910697d

SHA1
2bfd7aec6b525421b1d8959bae23ba79edef27c1

SHA256
25b826f01283de2346ed61f81581fdb7fe34415a5cd97cda708136701796a87f

SHA512
8a5d95c2ddf4eb90bca6d44308f2c2534aeecf99dc5428886318eb49aec505942082cf17c2d1ef4cf580e50966349d9f77a83b63e0567812e347137023b6d66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS028CF8D6\x64\SetupDownloader\SetupDownloader.exe
Filesize
263KB

MD5
4ec105376265ad264f8ae81f7910697d

SHA1
2bfd7aec6b525421b1d8959bae23ba79edef27c1

SHA256
25b826f01283de2346ed61f81581fdb7fe34415a5cd97cda708136701796a87f

SHA512
8a5d95c2ddf4eb90bca6d44308f2c2534aeecf99dc5428886318eb49aec505942082cf17c2d1ef4cf580e50966349d9f77a83b63e0567812e347137023b6d66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS028CF8D6\x64\SetupDownloader\SetupDownloader.exe
Filesize
263KB

MD5
4ec105376265ad264f8ae81f7910697d

SHA1
2bfd7aec6b525421b1d8959bae23ba79edef27c1

SHA256
25b826f01283de2346ed61f81581fdb7fe34415a5cd97cda708136701796a87f

SHA512
8a5d95c2ddf4eb90bca6d44308f2c2534aeecf99dc5428886318eb49aec505942082cf17c2d1ef4cf580e50966349d9f77a83b63e0567812e347137023b6d66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS028CF8D6\x64\SetupDownloader\SetupDownloader.exe.config
Filesize
218B

MD5
8f692dcbf1e68398b5dac3eba59872b0

SHA1
18011f5291790b0f49561385731ec5c6ad855415

SHA256
8c422938a58df86d88f29c61ff27006f0b3c9bb4742b11486bc5a01a6344129b

SHA512
e4bab07f4b9a9f725865e0e9f11fa31a4a1841399044f5976818782739b13d6c2012edf98199c5823ee9ecb3da40e7f3e2f88ab1394547801afa8b5b9dad9e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\93573199-ecc8-4709-91ed-0f183d48a581\paint.net.5.0.3.install.x64.exe
Filesize
62.1MB

MD5
20846a76b4cf1326fb68c41c5f62b701

SHA1
8c166732fe568e165dc5d56aea1bf0d4648b3a0a

SHA256
fa166f62134343ccfdf29c3b64a98bcb7c564e100a86e28c8f79826833a6a675

SHA512
d08ef470ff376936f3931ecf1b6d4fba65bfcd2fc2b70d2489f680126504a232220cdad4c5063bc89dcc47e92254effb4d32ca013cfa31dcf4608e40619df4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\93573199-ecc8-4709-91ed-0f183d48a581\paint.net.5.0.3.install.x64.exe
Filesize
62.1MB

MD5
20846a76b4cf1326fb68c41c5f62b701

SHA1
8c166732fe568e165dc5d56aea1bf0d4648b3a0a

SHA256
fa166f62134343ccfdf29c3b64a98bcb7c564e100a86e28c8f79826833a6a675

SHA512
d08ef470ff376936f3931ecf1b6d4fba65bfcd2fc2b70d2489f680126504a232220cdad4c5063bc89dcc47e92254effb4d32ca013cfa31dcf4608e40619df4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log
Filesize
135B

MD5
03cdaa37007c2d2a7e8876e18e63dbe2

SHA1
44c9085b3113dc58b85cc7869f8f22a9c82338e8

SHA256
28af2169c77f022252c1b8097c374cf5323d51f0fd514ca30dfa8373b34ed42e

SHA512
94eca2df1cd9c7d8cbb582c5d8cd92440b1ebd8b32eddb632bac421153bf57a7c19cbd8bfe66b35e4d71d3bfd2d705f7ec8d8da02af65b4b8a271c4077c9ba33

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log
Filesize
932B

MD5
45b8f5240401bbba9ec295c89feb5392

SHA1
9109e1db9395c13d83060ac18132f5043a972a1d

SHA256
0627a11f36b76489bff0e156adc771df065ce257c78a0e76909f72927d6e75dd

SHA512
d3dec8eef1e837b0767d2065de168e67e0fa3249833b4dac99d3dcf588a37ef69dcd6a5183006cff375515d7443a88ca92c9c23fd91b1f7a8a81426028d5c4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log
Filesize
775B

MD5
edfecd8a901416cbd3f79a3916695bdd

SHA1
2a931d785fe6b8b72a8b3e5a6f4aca2579134e05

SHA256
1bbf7411bef607db5a992d11a9cb41c411846000b4a342519e72e4bbd7a3cd63

SHA512
7e6a00a6167f5703f174b40d2ca6c6c259d02f8e1c2e8ae1ca91c758ec90d57b61303aabae31b01c4989027df10f3feebcb7e58de3a239de656c8cd8615437a6

Download Submit
C:\Windows\Installer\e596d95.msi
Filesize
205.9MB

MD5
e0c1955661b236343201895f752924dc

SHA1
48cf9f1459703250a3f1a1b70280fd7c59fc458f

SHA256
e136fefcc96e247242dd50f193c0f213d9bb477c9be87ff2e6908dc60242c31b

SHA512
35b1b649cd315973b853acaac547bf547a15a9603a96e05aef39914d0d85fd66aec26254a984fd17ad42f5d94b7376b49a071784071dafdebf040d3a61843f97

Download Submit
C:\Windows\Installer\{67D72105-13E9-4EB7-8059-28DFC3A2DCA1}\app_icon.ico
Filesize
75KB

MD5
d47d5e7a8a90d00db1644a40555d14c2

SHA1
652eae27caf68d1903616910f46bcca27f6623b0

SHA256
9c6063ea5b8a118f1aeab0c201f5bc7fa5d630dcfd80d0c8bf3efe67bfde6953

SHA512
ecf923b823e246416ad4f010647a14c764325ff83752d542313ccd74143f800c1d37f14952e02ed78813f0417c94a0e5eccb02daecabf242444cd5d6a635ec8a

Download Submit
memory/1848-2226-0x000001C4D0D50000-0x000001C4D0D60000-memory.dmp

Filesize
64KB

Download
memory/1848-2229-0x000001C4D1A70000-0x000001C4D1A74000-memory.dmp

Filesize
16KB

Download
memory/4596-193-0x0000016634370000-0x0000016634380000-memory.dmp

Filesize
64KB

Download
memory/4596-189-0x0000016634370000-0x0000016634380000-memory.dmp

Filesize
64KB

Download
memory/4596-190-0x0000016634370000-0x0000016634380000-memory.dmp

Filesize
64KB

Download
memory/4596-183-0x0000016619E40000-0x0000016619E86000-memory.dmp

Filesize
280KB

Download
memory/4596-185-0x0000016635060000-0x0000016635112000-memory.dmp

Filesize
712KB

Download
memory/4596-188-0x0000016634370000-0x0000016634380000-memory.dmp

Filesize
64KB

Download
memory/4596-192-0x0000016634370000-0x0000016634380000-memory.dmp

Filesize
64KB

Download
memory/4596-191-0x0000016634370000-0x0000016634380000-memory.dmp

Filesize
64KB

Download
memory/4596-195-0x00000166342E0000-0x00000166342F2000-memory.dmp

Filesize
72KB

Download
memory/4596-187-0x000001661A240000-0x000001661A262000-memory.dmp

Filesize
136KB

Download