a1610aadbe46ecc5edaab820bb734e3a3e96a69fe143777e7a03d7543fa99b19

Analysis

max time kernel
145s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2023 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

paint.net.5.0.6.install.anycpu.web.exe
Size

1.1MB
MD5

ad52908c0129162b12c9ac3497032e7c
SHA1

11c2912e94b15c9fc28ce462a62bbbd2bb63fd54
SHA256

39211d308d7b2cf9a73f2fd86a3c6b0bddfb4aa1e07e91760bb1d34e045572b5
SHA512

bc3958687a6b9639bbddb07ea8c684dc2ccd210d7c04bed600c8598d1c3d2d3fdad2e23e9f51ec550224b1b9ecf08c48ae637feab5f23638d8a48d76a3230388
SSDEEP

24576:KcYYYYkKmCi9OVPcxWoxdIC0BuDgocCX65T:KcYYYYksi9OVPQhSDjok5T

Score

9^/10

coreentity discovery evasion persistence trojan

Malware Config

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
C:\Windows\Installer\e579ad8.msi	coreentity

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SetupFrontEnd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SetupFrontEnd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SetupFrontEnd.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

paint.net.5.0.6.install.anycpu.web.exepaint.net.5.0.6.install.x64.exeSetupFrontEnd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	paint.net.5.0.6.install.anycpu.web.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	paint.net.5.0.6.install.x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	SetupFrontEnd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exeSetupFrontEnd.exe

description	ioc	process
File created	C:\Program Files\paint.net\PaintDotNet.PropertySystem.dll	msiexec.exe
File created	C:\Program Files\paint.net\PresentationCore.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Diagnostics.DiagnosticSource.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Linq.Queryable.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Security.Cryptography.Pkcs.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Windows.Forms.Design.Editors.dll	msiexec.exe
File created	C:\Program Files\paint.net\clretwrc.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Collections.pdb	msiexec.exe
File created	C:\Program Files\paint.net\System.Xml.XmlDocument.dll	msiexec.exe
File created	C:\Program Files\paint.net\WindowsBase.dll	msiexec.exe
File created	C:\Program Files\paint.net\msvcp140_1.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.lt.resources	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.pl.resources	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.zh-TW.resources	msiexec.exe
File created	C:\Program Files\paint.net\System.Data.DataSetExtensions.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Numerics.dll	msiexec.exe
File created	C:\Program Files\paint.net\Bundled\DDSFileTypePlus\Readme.txt	msiexec.exe
File created	C:\Program Files\paint.net\License.txt	msiexec.exe
File created	C:\Program Files\paint.net\System.Formats.Asn1.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Numerics.Vectors.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Resources.Extensions.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Runtime.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Runtime.Extensions.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Threading.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Collections.NonGeneric.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.ComponentModel.DataAnnotations.dll	msiexec.exe
File created	C:\Program Files\paint.net\UIAutomationTypes.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.PT-BR.resources	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.FileSystem.Watcher.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Reflection.Extensions.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Windows.Forms.Design.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Core.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.co.resources	msiexec.exe
File created	C:\Program Files\paint.net\PresentationFramework-SystemXmlLinq.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.FileSystem.Primitives.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Private.Xml.Linq.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Runtime.Loader.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Transactions.dll	msiexec.exe
File created	C:\Program Files\paint.net\mscordbi.dll	msiexec.exe
File created	C:\Program Files\paint.net\PresentationFramework-SystemCore.dll	msiexec.exe
File created	C:\Program Files\paint.net\mscorrc.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Effects.Gpu.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Fundamentals.xml	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.FileSystem.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.FileSystem.DriveInfo.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.IsolatedStorage.dll	msiexec.exe
File created	C:\Program Files\paint.net\Microsoft.Win32.Registry.AccessControl.dll	msiexec.exe
File created	C:\Program Files\paint.net\mscordaccore_amd64_amd64_7.0.523.17405.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Security.Permissions.dll	msiexec.exe
File created	C:\Program Files\paint.net\resx\PaintDotNet.Strings.3.resx	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Windows.dll	msiexec.exe
File created	C:\Program Files\paint.net\PresentationFramework.Classic.dll	msiexec.exe
File created	C:\Program Files\paint.net\PresentationFramework.Luna.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Buffers.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Diagnostics.Contracts.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Threading.Overlapped.dll	msiexec.exe
File opened for modification	C:\Program Files\paint.net\Staging	SetupFrontEnd.exe
File created	C:\Program Files\paint.net\netstandard.dll	msiexec.exe
File created	C:\Program Files\paint.net\vcruntime140_1.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.IO.Compression.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Linq.Expressions.dll	msiexec.exe
File created	C:\Program Files\paint.net\System.Reflection.Emit.dll	msiexec.exe
File created	C:\Program Files\paint.net\Mono.Cecil.Mdb.dll	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7C6DD0FA-7FC9-4BE7-A152-7763CBDEFA3E}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBDA3.tmp	msiexec.exe
File created	C:\Windows\Installer\e579adb.msi	msiexec.exe
File created	C:\Windows\Installer\e579ad8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e579ad8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\{7C6DD0FA-7FC9-4BE7-A152-7763CBDEFA3E}\app_icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{7C6DD0FA-7FC9-4BE7-A152-7763CBDEFA3E}\app_icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE754.tmp	msiexec.exe

Executes dropped EXE 7 IoCs

Processes:

SetupShim.exeSetupDownloader.exepaint.net.5.0.6.install.x64.exeSetupShim.exeSetupFrontEnd.exepaintdotnet.exePaintDotNet.exe

pid	process
1180	SetupShim.exe
216	SetupDownloader.exe
4932	paint.net.5.0.6.install.x64.exe
4880	SetupShim.exe
4040	SetupFrontEnd.exe
1772	paintdotnet.exe
984	PaintDotNet.exe

Loads dropped DLL 64 IoCs

Processes:

SetupFrontEnd.exepaintdotnet.exe

pid	process
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
4040	SetupFrontEnd.exe
1772	paintdotnet.exe
1772	paintdotnet.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

paintdotnet.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ = "C:\\Program Files\\paint.net\\PaintDotNet.ShellExtension.x64.dll"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ThreadingModel = "Apartment"	paintdotnet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000027c70fafd0cbe6b20000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000027c70faf0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090027c70faf000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000027c70faf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000027c70faf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe

Modifies registry class 64 IoCs

Processes:

paintdotnet.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\ShellEx	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\shell\edit\command	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.pdn	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmp\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\FriendlyTypeName = "paint.net Image"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\shell\open\command\ = "\"C:\\Program Files\\paint.net\\paintdotnet.exe\" %1"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rle\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tga\OpenWithProgids\paint.net.1	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\edit	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.avif\OpenWithProgids	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dds\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.wdp	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\OpenWithProgids	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.rle	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AF0DD6C79CF77EB41A257736BCEDAFE3\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jfif\OpenWithProgids\paint.net.1	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AF0DD6C79CF77EB41A257736BCEDAFE3\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}\ = "{FBF113F1-D7C8-477C-A23A-E600E7937E11}"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\open\command\ = "\"C:\\Program Files\\paint.net\\paintdotnet.exe\" \"%1\""	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\ = "paint.net Thumbnail Provider"	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider\CurVer	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.avif	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.dib	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AF0DD6C79CF77EB41A257736BCEDAFE3\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\edit\command	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\DefaultIcon\ = "C:\\Program Files\\paint.net\\paintdotnet.exe,0"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dib\OpenWithProgids\paint.net.1	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AF0DD6C79CF77EB41A257736BCEDAFE3	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\04F04A40702A84B4EA7DA65A234E2357\AF0DD6C79CF77EB41A257736BCEDAFE3	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\open\command	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\FriendlyAppName = "paint.net"	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rle\OpenWithProgids	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AF0DD6C79CF77EB41A257736BCEDAFE3\SourceList\Net\1 = "C:\\Program Files\\paint.net\\Staging\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\ = "paint.net Image"	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.png\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ = "C:\\Program Files\\paint.net\\PaintDotNet.ShellExtension.x64.dll"	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dds\OpenWithProgids	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.heic\OpenWithProgids	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.jfif	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.wmp	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmp\OpenWithProgids	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\CurVer	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn	paintdotnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AF0DD6C79CF77EB41A257736BCEDAFE3\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AF0DD6C79CF77EB41A257736BCEDAFE3\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\DefaultIcon	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.dds	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.gif	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.heic\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpe\OpenWithProgids\paint.net.1	paintdotnet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tga	paintdotnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AF0DD6C79CF77EB41A257736BCEDAFE3\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AF0DD6C79CF77EB41A257736BCEDAFE3\SourceList\LastUsedSource = "n;1;C:\\Program Files\\paint.net\\Staging\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AF0DD6C79CF77EB41A257736BCEDAFE3\ProductIcon = "C:\\Windows\\Installer\\{7C6DD0FA-7FC9-4BE7-A152-7763CBDEFA3E}\\app_icon.ico"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gif\OpenWithProgids\paint.net.1	paintdotnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bmp\OpenWithProgids\paint.net.1	paintdotnet.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

SetupDownloader.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SetupDownloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SetupDownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	SetupDownloader.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2460 msiexec.exe
2460 msiexec.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

SetupFrontEnd.exePaintDotNet.exe

pid process

4040 SetupFrontEnd.exe
984 PaintDotNet.exe

pid	process
2460	msiexec.exe
2460	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SetupDownloader.exeSetupFrontEnd.exevssvc.exemsiexec.exesrtasks.exe

description	pid	process
Token: SeDebugPrivilege	216	SetupDownloader.exe
Token: SeDebugPrivilege	4040	SetupFrontEnd.exe
Token: SeBackupPrivilege	1416	vssvc.exe
Token: SeRestorePrivilege	1416	vssvc.exe
Token: SeAuditPrivilege	1416	vssvc.exe
Token: SeBackupPrivilege	4040	SetupFrontEnd.exe
Token: SeRestorePrivilege	4040	SetupFrontEnd.exe
Token: SeShutdownPrivilege	4040	SetupFrontEnd.exe
Token: SeIncreaseQuotaPrivilege	4040	SetupFrontEnd.exe
Token: SeSecurityPrivilege	2460	msiexec.exe
Token: SeCreateTokenPrivilege	4040	SetupFrontEnd.exe
Token: SeAssignPrimaryTokenPrivilege	4040	SetupFrontEnd.exe
Token: SeLockMemoryPrivilege	4040	SetupFrontEnd.exe
Token: SeIncreaseQuotaPrivilege	4040	SetupFrontEnd.exe
Token: SeMachineAccountPrivilege	4040	SetupFrontEnd.exe
Token: SeTcbPrivilege	4040	SetupFrontEnd.exe
Token: SeSecurityPrivilege	4040	SetupFrontEnd.exe
Token: SeTakeOwnershipPrivilege	4040	SetupFrontEnd.exe
Token: SeLoadDriverPrivilege	4040	SetupFrontEnd.exe
Token: SeSystemProfilePrivilege	4040	SetupFrontEnd.exe
Token: SeSystemtimePrivilege	4040	SetupFrontEnd.exe
Token: SeProfSingleProcessPrivilege	4040	SetupFrontEnd.exe
Token: SeIncBasePriorityPrivilege	4040	SetupFrontEnd.exe
Token: SeCreatePagefilePrivilege	4040	SetupFrontEnd.exe
Token: SeCreatePermanentPrivilege	4040	SetupFrontEnd.exe
Token: SeBackupPrivilege	4040	SetupFrontEnd.exe
Token: SeRestorePrivilege	4040	SetupFrontEnd.exe
Token: SeShutdownPrivilege	4040	SetupFrontEnd.exe
Token: SeDebugPrivilege	4040	SetupFrontEnd.exe
Token: SeAuditPrivilege	4040	SetupFrontEnd.exe
Token: SeSystemEnvironmentPrivilege	4040	SetupFrontEnd.exe
Token: SeChangeNotifyPrivilege	4040	SetupFrontEnd.exe
Token: SeRemoteShutdownPrivilege	4040	SetupFrontEnd.exe
Token: SeUndockPrivilege	4040	SetupFrontEnd.exe
Token: SeSyncAgentPrivilege	4040	SetupFrontEnd.exe
Token: SeEnableDelegationPrivilege	4040	SetupFrontEnd.exe
Token: SeManageVolumePrivilege	4040	SetupFrontEnd.exe
Token: SeImpersonatePrivilege	4040	SetupFrontEnd.exe
Token: SeCreateGlobalPrivilege	4040	SetupFrontEnd.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeBackupPrivilege	4208	srtasks.exe
Token: SeRestorePrivilege	4208	srtasks.exe
Token: SeSecurityPrivilege	4208	srtasks.exe
Token: SeTakeOwnershipPrivilege	4208	srtasks.exe
Token: SeBackupPrivilege	4208	srtasks.exe
Token: SeRestorePrivilege	4208	srtasks.exe
Token: SeSecurityPrivilege	4208	srtasks.exe
Token: SeTakeOwnershipPrivilege	4208	srtasks.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

SetupFrontEnd.exePaintDotNet.exe

pid process

4040 SetupFrontEnd.exe
4040 SetupFrontEnd.exe
984 PaintDotNet.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

SetupShim.exepaint.net.5.0.6.install.x64.exeSetupShim.exeSetupFrontEnd.exePaintDotNet.exe

pid	process
1180	SetupShim.exe
4932	paint.net.5.0.6.install.x64.exe
4880	SetupShim.exe
4040	SetupFrontEnd.exe
984	PaintDotNet.exe
984	PaintDotNet.exe
984	PaintDotNet.exe
984	PaintDotNet.exe
984	PaintDotNet.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

paint.net.5.0.6.install.anycpu.web.exeSetupShim.exeSetupDownloader.exepaint.net.5.0.6.install.x64.exeSetupShim.exemsiexec.exeSetupFrontEnd.exe

description	pid	process	target process
PID 4456 wrote to memory of 1180	4456	paint.net.5.0.6.install.anycpu.web.exe	SetupShim.exe
PID 4456 wrote to memory of 1180	4456	paint.net.5.0.6.install.anycpu.web.exe	SetupShim.exe
PID 4456 wrote to memory of 1180	4456	paint.net.5.0.6.install.anycpu.web.exe	SetupShim.exe
PID 1180 wrote to memory of 216	1180	SetupShim.exe	SetupDownloader.exe
PID 1180 wrote to memory of 216	1180	SetupShim.exe	SetupDownloader.exe
PID 216 wrote to memory of 4932	216	SetupDownloader.exe	paint.net.5.0.6.install.x64.exe
PID 216 wrote to memory of 4932	216	SetupDownloader.exe	paint.net.5.0.6.install.x64.exe
PID 216 wrote to memory of 4932	216	SetupDownloader.exe	paint.net.5.0.6.install.x64.exe
PID 4932 wrote to memory of 4880	4932	paint.net.5.0.6.install.x64.exe	SetupShim.exe
PID 4932 wrote to memory of 4880	4932	paint.net.5.0.6.install.x64.exe	SetupShim.exe
PID 4932 wrote to memory of 4880	4932	paint.net.5.0.6.install.x64.exe	SetupShim.exe
PID 4880 wrote to memory of 4040	4880	SetupShim.exe	SetupFrontEnd.exe
PID 4880 wrote to memory of 4040	4880	SetupShim.exe	SetupFrontEnd.exe
PID 2460 wrote to memory of 1772	2460	msiexec.exe	paintdotnet.exe
PID 2460 wrote to memory of 1772	2460	msiexec.exe	paintdotnet.exe
PID 4040 wrote to memory of 984	4040	SetupFrontEnd.exe	PaintDotNet.exe
PID 4040 wrote to memory of 984	4040	SetupFrontEnd.exe	PaintDotNet.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.6.install.anycpu.web.exe
"C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.6.install.anycpu.web.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\7zS86127BC6\SetupShim.exe
"C:\Users\Admin\AppData\Local\Temp\7zS86127BC6\SetupShim.exe" /suppressReboot
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\7zS86127BC6\x64\SetupDownloader\SetupDownloader.exe
"x64\SetupDownloader\SetupDownloader.exe" /SkipSuccessPrompt "C:\Users\Admin\AppData\Local\Temp\7zS86127BC6\SetupShim.exe" /suppressReboot
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216

C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\3c24fc7b-fdda-494b-95b2-c5f6aef41a8e\paint.net.5.0.6.install.x64.exe
"C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\3c24fc7b-fdda-494b-95b2-c5f6aef41a8e\paint.net.5.0.6.install.x64.exe" C:\Users\Admin\AppData\Local\Temp\7zS86127BC6\SetupShim.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4932

C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\SetupShim.exe
"C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\SetupShim.exe" /suppressReboot C:\Users\Admin\AppData\Local\Temp\7zS86127BC6\SetupShim.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4880

C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\SetupFrontEnd.exe
"x64\SetupFrontEnd.exe" "C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\SetupShim.exe" /suppressReboot C:\Users\Admin\AppData\Local\Temp\7zS86127BC6\SetupShim.exe
6⤵
- Checks whether UAC is enabled
- Checks computer location settings
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4040

C:\Program Files\paint.net\PaintDotNet.exe
"C:\Program Files\paint.net\PaintDotNet.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460

C:\Program Files\paint.net\paintdotnet.exe
"C:\Program Files\paint.net\paintdotnet.exe" /setupActions /install DESKTOPSHORTCUT=1 PDNUPDATING=0 SKIPCLEANUP=0 "PROGRAMSGROUP=" /disablePGO /skipEstablishNVProfile /skipRepairAttempt
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579ada.rbs
Filesize
79KB

MD5
c2821ffb0b15ff93224feff70d3bd099

SHA1
1005927d10fbb14e9512b2dd6964fb89c3e794db

SHA256
bf83bcfbb8745cb153f2698c6eda112b4cd4d0aadc7a75906a4b824121cb58b5

SHA512
605e5b793c6db47c3e443d632d5a519fb4c349179d4c6f8f2a38e670e874ad48ee972b25363a1a991ccb88837b55fc2078ce6d202684db3d08f5337f53bcfb1d

Download Submit
C:\Config.Msi\e579adc.rbs
Filesize
663B

MD5
810ba11c17af18372d0d5983c671b9c1

SHA1
705276d8d1159cec13589635923fecce915b22f7

SHA256
5d783ee24161abd5192a4bfaf79f3d88a7919e7e6553221d31c466b6dedcf74e

SHA512
9c1f64f5de4359e3972365089ef8dec74f059b9a61efbbd9d76f62f23d9965c5134eeb8f955a925a517bb0772433132cd106052406999f3b0be80250b38034e0

Download Submit
C:\Program Files\paint.net\mscordaccore_amd64_amd64_7.0.523.17405.dll
Filesize
1.3MB

MD5
e220516299f53c675b3f7c0edd4435ea

SHA1
2ec1faa84d0e73145a63c6f90548c77bbeb4dc10

SHA256
a0d9a1dcd87a9dee85bca67f01396498ec13c836de4494ea7255c8d2c37c66d7

SHA512
3113bd6b555e86a28f7f9ec814824b459b00da78f0535995724061ad088f2939311c35a5f425ebc08010e30a48c884f7a36995d002fbfd3d2c69ddec79a80c75

Download Submit
C:\Program Files\paint.net\paintdotnet.runtimeconfig.json
Filesize
449B

MD5
f2330957e97da90a05792669b280ca33

SHA1
b3ec252b38b3e370fa7092b6562fc3bd17ffc951

SHA256
0f771ce46ef69e972adcd6b2006e588d59ff446b287e6d3f6096845778a7a7ac

SHA512
8801e6d62871c4c37cdc95d724343769681438d32e8a7e5b1a08a5eb6c6defa0b501febbf1f191e71e9ae26ffd5a11a2e5cf9b0e137e4e5f82bc0340da6f5142

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\SetupShim.exe
Filesize
137KB

MD5
583f2dbfc70e9d21bac97ee8c2cd2f9c

SHA1
1ab837e3da7cec7ee167e313c868715a60c32b68

SHA256
d4487ae1b8e5e1d0dbcbf833dfa93a33dc6fcf9451def518ed8c42e4ec3a18b5

SHA512
9ecfdc5518ff5bbb5e6afc995b65247c39caafadae0a7f3fe73fa0102c43e88b0095b58918e2df806c1f071c3d000f5fbfbea398d4046a2f50005f8761d56a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\SetupShim.exe
Filesize
137KB

MD5
583f2dbfc70e9d21bac97ee8c2cd2f9c

SHA1
1ab837e3da7cec7ee167e313c868715a60c32b68

SHA256
d4487ae1b8e5e1d0dbcbf833dfa93a33dc6fcf9451def518ed8c42e4ec3a18b5

SHA512
9ecfdc5518ff5bbb5e6afc995b65247c39caafadae0a7f3fe73fa0102c43e88b0095b58918e2df806c1f071c3d000f5fbfbea398d4046a2f50005f8761d56a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\PaintDotNet.Base.dll
Filesize
718KB

MD5
e466377d92dd26273f6c4a6cfa0a8dcc

SHA1
a0dc95bea8965e463d12219f87eeac194f848281

SHA256
9a52ac832465ed700fb0a3b63aa4a5693288a485aaf8b27a8fd643072a414f6f

SHA512
d16e0f16e7ea4aa8c77ceb31f9e73f12ab4be40d389b681025d056196dac9f45b7694e4bd31048b4807f9204b8e26400805b42d6fe489ed058217a350e771fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\PaintDotNet.Base.dll
Filesize
718KB

MD5
e466377d92dd26273f6c4a6cfa0a8dcc

SHA1
a0dc95bea8965e463d12219f87eeac194f848281

SHA256
9a52ac832465ed700fb0a3b63aa4a5693288a485aaf8b27a8fd643072a414f6f

SHA512
d16e0f16e7ea4aa8c77ceb31f9e73f12ab4be40d389b681025d056196dac9f45b7694e4bd31048b4807f9204b8e26400805b42d6fe489ed058217a350e771fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\PaintDotNet.ComponentModel.dll
Filesize
98KB

MD5
2a3f54698a44f04422cd371bd25c735a

SHA1
ade712b43aff9cd5d514b56466866b3a8271c0bd

SHA256
67b8779f323cf7e82613ff58d5d64aa4fad60963e60b0bc54b6fd1ad3f873269

SHA512
98cc4b236a982ed2afdde998fc598121602d1c4dc19acb2d50d0cdc66d483363c5165b7d4468c5356bdb30c0e67727422db5190f02b6400e43c257ae9a7d1df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\PaintDotNet.ComponentModel.dll
Filesize
98KB

MD5
2a3f54698a44f04422cd371bd25c735a

SHA1
ade712b43aff9cd5d514b56466866b3a8271c0bd

SHA256
67b8779f323cf7e82613ff58d5d64aa4fad60963e60b0bc54b6fd1ad3f873269

SHA512
98cc4b236a982ed2afdde998fc598121602d1c4dc19acb2d50d0cdc66d483363c5165b7d4468c5356bdb30c0e67727422db5190f02b6400e43c257ae9a7d1df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\PaintDotNet.Core.dll
Filesize
2.2MB

MD5
8b37d11dc0361e6b97349ea132ff7c9c

SHA1
593de8727395a1647951d68cdae112c4fbb99658

SHA256
9d9c1f02d7231b543a15211fd06c0834b98e8595d964d65b75d1d1ed3583d307

SHA512
fa08773cdf3465f3ec6c2c8b213157410d7fa711ce5b28aab66b77373502a5a64c53576fc0e647ea712509cd20d397a5352e2e7519d463c878b905ef73571d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\PaintDotNet.Core.dll
Filesize
2.2MB

MD5
8b37d11dc0361e6b97349ea132ff7c9c

SHA1
593de8727395a1647951d68cdae112c4fbb99658

SHA256
9d9c1f02d7231b543a15211fd06c0834b98e8595d964d65b75d1d1ed3583d307

SHA512
fa08773cdf3465f3ec6c2c8b213157410d7fa711ce5b28aab66b77373502a5a64c53576fc0e647ea712509cd20d397a5352e2e7519d463c878b905ef73571d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\PaintDotNet.Framework.dll
Filesize
1.0MB

MD5
f697e14f8ecbebc998eb0a595c4f5e90

SHA1
e34261d8a373aa32139748ba8981ac198162d8d5

SHA256
17292b265e9e5eb128d7478ccf7f88a61ef070c3ea212906b407fcadd78353e1

SHA512
86d762badc552d82b2af7502637231dbc838b105bb129e328afbec8bdfbb39e05eccd376ce1ae08f94299bf4dfba2211a387193643fae42b479bb54dd1427c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\PaintDotNet.Framework.dll
Filesize
1.0MB

MD5
f697e14f8ecbebc998eb0a595c4f5e90

SHA1
e34261d8a373aa32139748ba8981ac198162d8d5

SHA256
17292b265e9e5eb128d7478ccf7f88a61ef070c3ea212906b407fcadd78353e1

SHA512
86d762badc552d82b2af7502637231dbc838b105bb129e328afbec8bdfbb39e05eccd376ce1ae08f94299bf4dfba2211a387193643fae42b479bb54dd1427c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\PaintDotNet.Fundamentals.dll
Filesize
1.3MB

MD5
8eea4b27af1fc95d737c3a92262c68f1

SHA1
589dd49b8ae1377b0f9c9cfb7efae6fed9476371

SHA256
13203c52792cb0a2b828879aa8cac42b33d409a115efe451f1155ad4b67ee48c

SHA512
697a2140d6f49d54b02f94ac0ec41be597b3349e55e70fdc725057aedcdc38c9b4195744a9ee24f1750944eb83930735f4364b29436f7c140bbe6747c7174e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\PaintDotNet.Fundamentals.dll
Filesize
1.3MB

MD5
8eea4b27af1fc95d737c3a92262c68f1

SHA1
589dd49b8ae1377b0f9c9cfb7efae6fed9476371

SHA256
13203c52792cb0a2b828879aa8cac42b33d409a115efe451f1155ad4b67ee48c

SHA512
697a2140d6f49d54b02f94ac0ec41be597b3349e55e70fdc725057aedcdc38c9b4195744a9ee24f1750944eb83930735f4364b29436f7c140bbe6747c7174e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\PaintDotNet.ObjectModel.dll
Filesize
182KB

MD5
3c0738e71f361399e9816d410fcdc705

SHA1
b76f779d263229ac459a78d49b8622010066d3d8

SHA256
bac1576947389a9eb9411026aeba63f189caafb3a726f02508fe740dddc5083d

SHA512
620bc43db705cca4d3b96277f7b4b76e033af18bbef9d6480f78b6abb954f4d6e4d9bc55a0a6577a588d420b0926ce9c7aecacc4d7a8d23da354b0d455e2ece8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\PaintDotNet.ObjectModel.dll
Filesize
182KB

MD5
3c0738e71f361399e9816d410fcdc705

SHA1
b76f779d263229ac459a78d49b8622010066d3d8

SHA256
bac1576947389a9eb9411026aeba63f189caafb3a726f02508fe740dddc5083d

SHA512
620bc43db705cca4d3b96277f7b4b76e033af18bbef9d6480f78b6abb954f4d6e4d9bc55a0a6577a588d420b0926ce9c7aecacc4d7a8d23da354b0d455e2ece8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\PaintDotNet.Primitives.dll
Filesize
1.1MB

MD5
2bdf14d97d1413d86a3cc0331a94bd9e

SHA1
70fb16b0952fde2c2a4fac889d69a02da6f85386

SHA256
676cd84dfc4157d6df0e4f960e441bcfbb7124ad64b17dc864c4481bbc4e326a

SHA512
7b377544ebb172758024b5ded9000cf2102591c291f71eb9146748d74cdfd0747e72c25c1beaef90ee52158a1f3855711353e507aff8542d693e37e1be4f5691

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\PaintDotNet.Primitives.dll
Filesize
1.1MB

MD5
2bdf14d97d1413d86a3cc0331a94bd9e

SHA1
70fb16b0952fde2c2a4fac889d69a02da6f85386

SHA256
676cd84dfc4157d6df0e4f960e441bcfbb7124ad64b17dc864c4481bbc4e326a

SHA512
7b377544ebb172758024b5ded9000cf2102591c291f71eb9146748d74cdfd0747e72c25c1beaef90ee52158a1f3855711353e507aff8542d693e37e1be4f5691

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\PaintDotNet.Runtime.dll
Filesize
78KB

MD5
084980a9fa5c16d4aab70cdf6c873aea

SHA1
c5b1dbd6a96c7a3217a69df9c531de5230cb4a66

SHA256
461aefbed91434ed8e2ea53d98f20a73e390cf8cc133507caf1b8bc46970b515

SHA512
257092368d4fa9215c035a3838dc4c78628592129d9a6262e2288120160d7995e18da0a09ab3c199a82d7f240a3896c08dce2f0cd2ab6b9784807cd9f07c7037

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\PaintDotNet.Strings.3.co.resources
Filesize
177KB

MD5
0091aebe915f4aae5c7e92d8c5556e5d

SHA1
afcdadecd93f3355e2b61b8755369d0e5d5b66ee

SHA256
63f2f666911b477adff700e80ee4545456ce55e9ede3511265d37f006d8e09e1

SHA512
37d11b81f651257e8605c7b11eba366d4407a0f7e5682cc89a64c43e9c2cf0630d71f9c4feeac8601353a041abb60bcafc9bf17b9d33808e8af5a1e2e67724a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\PaintDotNet.Windows.dll
Filesize
3.9MB

MD5
32d695e96b381b31d54d2a837eb138fa

SHA1
9dbd477d9e648ae6f70c58bb07a63b709fed57db

SHA256
ef7c966dcbaacb3ede031f17e477c5040efc51e0e7e680d73f2c726de838f187

SHA512
01567d2e4a29d86164c882f5ef3e27a9943faabb4236e9c7e4727d754ca9f18ba16ea8d442544d66bc3328172bbd1e7e273da670562c0e6a8b311b967b2a64b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\PaintDotNet.Windows.dll
Filesize
3.9MB

MD5
32d695e96b381b31d54d2a837eb138fa

SHA1
9dbd477d9e648ae6f70c58bb07a63b709fed57db

SHA256
ef7c966dcbaacb3ede031f17e477c5040efc51e0e7e680d73f2c726de838f187

SHA512
01567d2e4a29d86164c882f5ef3e27a9943faabb4236e9c7e4727d754ca9f18ba16ea8d442544d66bc3328172bbd1e7e273da670562c0e6a8b311b967b2a64b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\SetupFrontEnd.deps.json
Filesize
60KB

MD5
57b47a9493d340204852deb6b9718c30

SHA1
8368531f6e9603ee496b9acdab6db72aafe3816e

SHA256
8f16a82217776a6d4fce0b30da6106c3aa277ea325acf4643b71617b4c5200ce

SHA512
8c755489a75336b58b1810e678ff64b65f673baf4897224b87cccdadf477b3ed0040dedc03d312b7fa3ff04150056efdfd3359a02de867063ce35515ad39db8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\SetupFrontEnd.dll
Filesize
210KB

MD5
0f329344983bef59db5aeddac3a096c5

SHA1
40d2cd50c3e6dd0fdecb5ffe51196aba6531cacb

SHA256
bcdaa7ca05100a3794f72f1b018f0d28e335691b1d6cea02bdf7de309d5f8ed2

SHA512
552e21de791bb6b8c51a723c6bae19ee1ad321251b2e5b466af766c732eb8d91f6ace878355e9b35df964e2eb3ba3f231699f945832b18ace96715d066935317

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\SetupFrontEnd.dll
Filesize
210KB

MD5
0f329344983bef59db5aeddac3a096c5

SHA1
40d2cd50c3e6dd0fdecb5ffe51196aba6531cacb

SHA256
bcdaa7ca05100a3794f72f1b018f0d28e335691b1d6cea02bdf7de309d5f8ed2

SHA512
552e21de791bb6b8c51a723c6bae19ee1ad321251b2e5b466af766c732eb8d91f6ace878355e9b35df964e2eb3ba3f231699f945832b18ace96715d066935317

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\SetupFrontEnd.exe
Filesize
162KB

MD5
4fdbe94fc55b884211a7514289d25c62

SHA1
625d119b3c20eb62cea075a410780948779b194f

SHA256
3bf840ee90756e03eb9fe2934ea386a81d7d748a77e50d28d07dde58da9c0f77

SHA512
07165de226757c6766dd340327a761155f35ef8b0b1a348d3d1755a1f16816adbe685df19ae0ff77b73e1444e54e82a81e41f538fd87ba2ff01ed94df0bbacc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\SetupFrontEnd.exe
Filesize
162KB

MD5
4fdbe94fc55b884211a7514289d25c62

SHA1
625d119b3c20eb62cea075a410780948779b194f

SHA256
3bf840ee90756e03eb9fe2934ea386a81d7d748a77e50d28d07dde58da9c0f77

SHA512
07165de226757c6766dd340327a761155f35ef8b0b1a348d3d1755a1f16816adbe685df19ae0ff77b73e1444e54e82a81e41f538fd87ba2ff01ed94df0bbacc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\SetupFrontEnd.runtimeconfig.json
Filesize
449B

MD5
f2330957e97da90a05792669b280ca33

SHA1
b3ec252b38b3e370fa7092b6562fc3bd17ffc951

SHA256
0f771ce46ef69e972adcd6b2006e588d59ff446b287e6d3f6096845778a7a7ac

SHA512
8801e6d62871c4c37cdc95d724343769681438d32e8a7e5b1a08a5eb6c6defa0b501febbf1f191e71e9ae26ffd5a11a2e5cf9b0e137e4e5f82bc0340da6f5142

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\System.Collections.Concurrent.dll
Filesize
258KB

MD5
f35f124256b4aff8e9b0b0ddf24ffb1d

SHA1
39a050538d2823f876bc0cae4dd98d560daeb22d

SHA256
9e7898cbb350dfd92c5d223e69ecf24459753527b558b43e040578cd48b1e4de

SHA512
da0fc038772dfaa85f816da52b67244edfd4d7f15c14923effd939eccdf7fca07e1361e4f376faa727303b185e3ac5d1f02697a4c6a4d939337765a83d60c4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\System.Collections.Concurrent.dll
Filesize
258KB

MD5
f35f124256b4aff8e9b0b0ddf24ffb1d

SHA1
39a050538d2823f876bc0cae4dd98d560daeb22d

SHA256
9e7898cbb350dfd92c5d223e69ecf24459753527b558b43e040578cd48b1e4de

SHA512
da0fc038772dfaa85f816da52b67244edfd4d7f15c14923effd939eccdf7fca07e1361e4f376faa727303b185e3ac5d1f02697a4c6a4d939337765a83d60c4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\System.Collections.Specialized.dll
Filesize
106KB

MD5
7451588c6e2c170dcc5d4d420f49ed5d

SHA1
3f0ee1f6281b406ca0c8ea22a3b2d72108fd0b49

SHA256
cc9cce9d2c2482e48374d1fce6b8ba1c4a5e324a86b56c05c05b6baa68ccfd85

SHA512
b13ac7c2cfe7a1c7150841d65eb30f8a0231f7ff78c5ea5c7d52da7316907495fb64ec3b939a64bb8fa112a7f47620bb9e20ec9ce0f3110391dff5a51334e648

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\System.Collections.Specialized.dll
Filesize
106KB

MD5
7451588c6e2c170dcc5d4d420f49ed5d

SHA1
3f0ee1f6281b406ca0c8ea22a3b2d72108fd0b49

SHA256
cc9cce9d2c2482e48374d1fce6b8ba1c4a5e324a86b56c05c05b6baa68ccfd85

SHA512
b13ac7c2cfe7a1c7150841d65eb30f8a0231f7ff78c5ea5c7d52da7316907495fb64ec3b939a64bb8fa112a7f47620bb9e20ec9ce0f3110391dff5a51334e648

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\System.ComponentModel.Primitives.dll
Filesize
82KB

MD5
a0f4d64e217c2bfac7180b57e4bb0c12

SHA1
b64b9949acbc459aaa6719e2b0bfc94995c8a363

SHA256
b318271073603b82389f9cdd98dba474e2c43a59752c349b769f5221a6d1d20f

SHA512
abab27dc1f6c9a4fb3d37f605d31b035400b4acf7ad1d38bc78d11aa390075ddd49f8a81ec4c6d540c0cc7ae791a83600629ed6741862bf8b4e5c2f7f09de064

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\System.ComponentModel.Primitives.dll
Filesize
82KB

MD5
a0f4d64e217c2bfac7180b57e4bb0c12

SHA1
b64b9949acbc459aaa6719e2b0bfc94995c8a363

SHA256
b318271073603b82389f9cdd98dba474e2c43a59752c349b769f5221a6d1d20f

SHA512
abab27dc1f6c9a4fb3d37f605d31b035400b4acf7ad1d38bc78d11aa390075ddd49f8a81ec4c6d540c0cc7ae791a83600629ed6741862bf8b4e5c2f7f09de064

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\System.ComponentModel.dll
Filesize
30KB

MD5
93fe56394be631bedb2715a3be331b93

SHA1
335e73dadef938ba54e0e707c449f5361f44c839

SHA256
3bcfdbf2155a9bf27152f0b165f1d328f40adf2ebd91a21f065fe9fd6f7aacba

SHA512
239dbcd2bded977b794828398f0f4f36dfa9a8d3917dfd940dfee40342e471bbbab892d0d9496a233501064a138195ae763db49ec4dc5d8d20acfb5e6a027f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\System.ComponentModel.dll
Filesize
30KB

MD5
93fe56394be631bedb2715a3be331b93

SHA1
335e73dadef938ba54e0e707c449f5361f44c839

SHA256
3bcfdbf2155a9bf27152f0b165f1d328f40adf2ebd91a21f065fe9fd6f7aacba

SHA512
239dbcd2bded977b794828398f0f4f36dfa9a8d3917dfd940dfee40342e471bbbab892d0d9496a233501064a138195ae763db49ec4dc5d8d20acfb5e6a027f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\System.Drawing.Primitives.dll
Filesize
134KB

MD5
2e6e14d3b64d00db699b1d50bf39d9e5

SHA1
9939a01679c663d4eb0cab92186a9d3bbdb39e73

SHA256
0407e892bfc68a72be31fb0bbc5773b33066623810907ff2cc5ad086c2af0319

SHA512
f5c751c9fa8092854465146c9b615a60604010bdab568ef23964a5a00938594909518be6cfd20dedc1c6fb9defc1dc1f04b2d4da57c1f02b17cad13a3c9e330d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\System.Drawing.Primitives.dll
Filesize
134KB

MD5
2e6e14d3b64d00db699b1d50bf39d9e5

SHA1
9939a01679c663d4eb0cab92186a9d3bbdb39e73

SHA256
0407e892bfc68a72be31fb0bbc5773b33066623810907ff2cc5ad086c2af0319

SHA512
f5c751c9fa8092854465146c9b615a60604010bdab568ef23964a5a00938594909518be6cfd20dedc1c6fb9defc1dc1f04b2d4da57c1f02b17cad13a3c9e330d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\System.Private.CoreLib.dll
Filesize
11.1MB

MD5
33d14f2723a321b8c8839676eba9eebd

SHA1
cd3368030cd45b2a407aa1853b40a40eb8d2d747

SHA256
9cf56895c8bb50b3958d4e2c4dd4a144765287c8d0e2e8d509bb7cc6407fa10d

SHA512
21ee500ad255ce038f92cf96f723060a54ee1c2ecbab181e2297b2507e958e7e612e28d9136d73bd55544273946a06b7bd2d1ca5c234020cb16387af0a5b9457

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\System.Private.CoreLib.dll
Filesize
11.1MB

MD5
33d14f2723a321b8c8839676eba9eebd

SHA1
cd3368030cd45b2a407aa1853b40a40eb8d2d747

SHA256
9cf56895c8bb50b3958d4e2c4dd4a144765287c8d0e2e8d509bb7cc6407fa10d

SHA512
21ee500ad255ce038f92cf96f723060a54ee1c2ecbab181e2297b2507e958e7e612e28d9136d73bd55544273946a06b7bd2d1ca5c234020cb16387af0a5b9457

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\System.Runtime.InteropServices.dll
Filesize
62KB

MD5
39ad35035a228bbe1593d5dfac16ef20

SHA1
ae2bd77ec0f23d5d4992ecf66eb0faffeaa5f37c

SHA256
698ab2dda5f320f34fae5f265a9730a6c18b5eb5d73d06142dc3613271f84e2d

SHA512
7e3e6f0d4f4575627cd9d4b395ee0cb4fa67c0d3048b479d5018fd001a080619a31ec8b6815c60d42ed798cebc5f57bab1ff3d3a93aa23f29c42bd937985ea2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\System.Runtime.InteropServices.dll
Filesize
62KB

MD5
39ad35035a228bbe1593d5dfac16ef20

SHA1
ae2bd77ec0f23d5d4992ecf66eb0faffeaa5f37c

SHA256
698ab2dda5f320f34fae5f265a9730a6c18b5eb5d73d06142dc3613271f84e2d

SHA512
7e3e6f0d4f4575627cd9d4b395ee0cb4fa67c0d3048b479d5018fd001a080619a31ec8b6815c60d42ed798cebc5f57bab1ff3d3a93aa23f29c42bd937985ea2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\System.Runtime.dll
Filesize
42KB

MD5
7d768c62cf7bbe6235d502ea1ae1a024

SHA1
770dc80c08dd20cce956edcdf0ebb9129debc9fb

SHA256
65439eff6ccd823c844265e04eafc95f949e65fe849b14af15b008c20c3966fa

SHA512
c4a93384fb67803fdaeba0d28cab88e53b3ba6bb5c6b98c7ad202df4de79097fda33fffb7cf2b3207f3623b015ae467fb55e0a50fc33ab65c89c170798d3cf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\System.Windows.Forms.Primitives.dll
Filesize
938KB

MD5
99a70b1779aa825990d139cc792f8f89

SHA1
6bcf3f75e0dab7bcbd0aa30c649e4fc68f30bf7c

SHA256
83d2481e27877dc248b8d5136db861d0a38d4486a5784e0d186b549ec723dc9a

SHA512
dc83efa0f981116bf2c7031c764d75f5cf740ce854a91a20acf1b54ab16f9a1c1ce4d26ca65cb281a244b0962fbff94afe6e3b3daeb3c4c98785836ff21dd4b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\System.Windows.Forms.Primitives.dll
Filesize
938KB

MD5
99a70b1779aa825990d139cc792f8f89

SHA1
6bcf3f75e0dab7bcbd0aa30c649e4fc68f30bf7c

SHA256
83d2481e27877dc248b8d5136db861d0a38d4486a5784e0d186b549ec723dc9a

SHA512
dc83efa0f981116bf2c7031c764d75f5cf740ce854a91a20acf1b54ab16f9a1c1ce4d26ca65cb281a244b0962fbff94afe6e3b3daeb3c4c98785836ff21dd4b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\System.Windows.Forms.dll
Filesize
12.7MB

MD5
1d43fcf600015b709a5025d9ca281be9

SHA1
98e20844c575790ba4a0e7b75d7b554c2252f92e

SHA256
a620b6bbf6a3b87133f0e8741a70930a5b9be0ac84090748ff3c302e1a032757

SHA512
7ca8ebfa4b1de8590276f44616913581edca07be83d5c3ecba13608146f89ca23b45a8eefb70c4441b281e9bf9d051334cff037b523c5fdc25c7779c4fd67916

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\System.Windows.Forms.dll
Filesize
12.7MB

MD5
1d43fcf600015b709a5025d9ca281be9

SHA1
98e20844c575790ba4a0e7b75d7b554c2252f92e

SHA256
a620b6bbf6a3b87133f0e8741a70930a5b9be0ac84090748ff3c302e1a032757

SHA512
7ca8ebfa4b1de8590276f44616913581edca07be83d5c3ecba13608146f89ca23b45a8eefb70c4441b281e9bf9d051334cff037b523c5fdc25c7779c4fd67916

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\TerraFX.Interop.Windows.dll
Filesize
974KB

MD5
0454e61bc0f036b6b0017f639c8f94d3

SHA1
f06b3f6eb13e7c40ee0799c74915803d5c3db13a

SHA256
38f11c67e16dfb97e262175d8ae3b99a85bf42f9988b140446631ad1738abfe9

SHA512
7bb8f065276818978b0788ea0a7d9a6242133287a9103948326b624d36c2851a9343e8ed8e31a3a7c335f9dfac085de4645f5fe2ba125def516d265f9de90bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\TerraFX.Interop.Windows.dll
Filesize
974KB

MD5
0454e61bc0f036b6b0017f639c8f94d3

SHA1
f06b3f6eb13e7c40ee0799c74915803d5c3db13a

SHA256
38f11c67e16dfb97e262175d8ae3b99a85bf42f9988b140446631ad1738abfe9

SHA512
7bb8f065276818978b0788ea0a7d9a6242133287a9103948326b624d36c2851a9343e8ed8e31a3a7c335f9dfac085de4645f5fe2ba125def516d265f9de90bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\clrjit.dll
Filesize
1.5MB

MD5
1944e1cad1dff136d961bd4c567ab536

SHA1
64c33252387c6119562fb6d64f41e17686fa30e0

SHA256
e4e2f9926a5bf80ea9eca08256fe53d82ad0a1e7429c7d99dc31e07d4b07c0de

SHA512
d5a4ac7452d08574085eecbce1d6dd3f9cfe342a5a0e2cc0d5c8bdc1fc86d26d66cb42d23c2584ec6c3f48bc978b40909d12a7b5cb1c6d557bd657d92f6e7c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\clrjit.dll
Filesize
1.5MB

MD5
1944e1cad1dff136d961bd4c567ab536

SHA1
64c33252387c6119562fb6d64f41e17686fa30e0

SHA256
e4e2f9926a5bf80ea9eca08256fe53d82ad0a1e7429c7d99dc31e07d4b07c0de

SHA512
d5a4ac7452d08574085eecbce1d6dd3f9cfe342a5a0e2cc0d5c8bdc1fc86d26d66cb42d23c2584ec6c3f48bc978b40909d12a7b5cb1c6d557bd657d92f6e7c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\coreclr.dll
Filesize
4.9MB

MD5
f0c2c4028309e62d5393f0a449d33ca0

SHA1
f00c7571110c3299db9831099e8093c74ef81a3a

SHA256
4901f89adc8808661b9b0fd020b89be7ebb974e2850535ee0b12307ce8ecd308

SHA512
f59231de2c2d99e3db6602529d8e687ac1d0934b6476bc89fbf16d20d146557740d1b131d63e3f540a43aa7dfb7e2717aba8f0874051f6a8d95c635b72c26f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\coreclr.dll
Filesize
4.9MB

MD5
f0c2c4028309e62d5393f0a449d33ca0

SHA1
f00c7571110c3299db9831099e8093c74ef81a3a

SHA256
4901f89adc8808661b9b0fd020b89be7ebb974e2850535ee0b12307ce8ecd308

SHA512
f59231de2c2d99e3db6602529d8e687ac1d0934b6476bc89fbf16d20d146557740d1b131d63e3f540a43aa7dfb7e2717aba8f0874051f6a8d95c635b72c26f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\hostfxr.dll
Filesize
373KB

MD5
b3c8e3532cfe5db5ded3ee152160a706

SHA1
e0952547ce5859a2ed75b7c5d21a8ebb9c7a7865

SHA256
4fdd2377e909748a0e092e42ce69c143d28c04daa8c15c6aa5415409cd492739

SHA512
e2b0bf6a8772f0b6131531e9323df0fc3f7775fe49034fd0823761d47d931e593f1b07f531cc685dad8c71d98b2f245ef6bc674eb8f8cdc4430c28d372da6af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\hostfxr.dll
Filesize
373KB

MD5
b3c8e3532cfe5db5ded3ee152160a706

SHA1
e0952547ce5859a2ed75b7c5d21a8ebb9c7a7865

SHA256
4fdd2377e909748a0e092e42ce69c143d28c04daa8c15c6aa5415409cd492739

SHA512
e2b0bf6a8772f0b6131531e9323df0fc3f7775fe49034fd0823761d47d931e593f1b07f531cc685dad8c71d98b2f245ef6bc674eb8f8cdc4430c28d372da6af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\hostpolicy.dll
Filesize
383KB

MD5
362885d37b53353eb77ff442f676a4fb

SHA1
66302a14adbd83889022334bd909b6edcc2eb2ed

SHA256
e6e5f73004d74973b38317bd55055aceb92b8bfd88e6368ef2baef8fb841155d

SHA512
efc04b4f1b189e49db22bc71a5e75126c4bc9766cb2c7c4688061705633648b3e977122c169ecd414b3033703eb4a727eae7a4358ba07dbd637e2b36b61b2a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443EEF86\x64\hostpolicy.dll
Filesize
383KB

MD5
362885d37b53353eb77ff442f676a4fb

SHA1
66302a14adbd83889022334bd909b6edcc2eb2ed

SHA256
e6e5f73004d74973b38317bd55055aceb92b8bfd88e6368ef2baef8fb841155d

SHA512
efc04b4f1b189e49db22bc71a5e75126c4bc9766cb2c7c4688061705633648b3e977122c169ecd414b3033703eb4a727eae7a4358ba07dbd637e2b36b61b2a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86127BC6\SetupShim.exe
Filesize
137KB

MD5
583f2dbfc70e9d21bac97ee8c2cd2f9c

SHA1
1ab837e3da7cec7ee167e313c868715a60c32b68

SHA256
d4487ae1b8e5e1d0dbcbf833dfa93a33dc6fcf9451def518ed8c42e4ec3a18b5

SHA512
9ecfdc5518ff5bbb5e6afc995b65247c39caafadae0a7f3fe73fa0102c43e88b0095b58918e2df806c1f071c3d000f5fbfbea398d4046a2f50005f8761d56a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86127BC6\SetupShim.exe
Filesize
137KB

MD5
583f2dbfc70e9d21bac97ee8c2cd2f9c

SHA1
1ab837e3da7cec7ee167e313c868715a60c32b68

SHA256
d4487ae1b8e5e1d0dbcbf833dfa93a33dc6fcf9451def518ed8c42e4ec3a18b5

SHA512
9ecfdc5518ff5bbb5e6afc995b65247c39caafadae0a7f3fe73fa0102c43e88b0095b58918e2df806c1f071c3d000f5fbfbea398d4046a2f50005f8761d56a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86127BC6\SetupShim.exe
Filesize
137KB

MD5
583f2dbfc70e9d21bac97ee8c2cd2f9c

SHA1
1ab837e3da7cec7ee167e313c868715a60c32b68

SHA256
d4487ae1b8e5e1d0dbcbf833dfa93a33dc6fcf9451def518ed8c42e4ec3a18b5

SHA512
9ecfdc5518ff5bbb5e6afc995b65247c39caafadae0a7f3fe73fa0102c43e88b0095b58918e2df806c1f071c3d000f5fbfbea398d4046a2f50005f8761d56a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86127BC6\x64\SetupDownloader\Newtonsoft.Json.dll
Filesize
695KB

MD5
715a1fbee4665e99e859eda667fe8034

SHA1
e13c6e4210043c4976dcdc447ea2b32854f70cc6

SHA256
c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e

SHA512
bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86127BC6\x64\SetupDownloader\SetupDownloader.Configuration.json
Filesize
135B

MD5
8ca6779446e31e219589a08769448da2

SHA1
efc2d9e4b0f99daf0333406610d8031a5a8aed2f

SHA256
2b23a17e993b7837a89365cdd328541f58ddfd4ab2b45285058284eee5733613

SHA512
a6a863880835dcca879534ec8a353e2d7fef9c4410edfe41b59bac561492cc6084330c7aad1d2e8a9590b2a3d7551a0b8b6d45ced4d235f01b596d69b593bbf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86127BC6\x64\SetupDownloader\SetupDownloader.exe
Filesize
263KB

MD5
91f901e4b53bd39fe97d4db34ba2fc9d

SHA1
3db25d307e49601bc703ac85e02f09637833b26f

SHA256
f57778e1672a0f1cad81f270894557b59bda690a38c2cae47f1d8d387e6a3311

SHA512
84e0d4e9205783479f34530676b9af82ae3dfd2bbf81c92619dfe236194cc0830e40b94583fbb396850a4fc8516b296607a7d953ce8a1f8739200bfade9e1d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86127BC6\x64\SetupDownloader\SetupDownloader.exe
Filesize
263KB

MD5
91f901e4b53bd39fe97d4db34ba2fc9d

SHA1
3db25d307e49601bc703ac85e02f09637833b26f

SHA256
f57778e1672a0f1cad81f270894557b59bda690a38c2cae47f1d8d387e6a3311

SHA512
84e0d4e9205783479f34530676b9af82ae3dfd2bbf81c92619dfe236194cc0830e40b94583fbb396850a4fc8516b296607a7d953ce8a1f8739200bfade9e1d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86127BC6\x64\SetupDownloader\SetupDownloader.exe
Filesize
263KB

MD5
91f901e4b53bd39fe97d4db34ba2fc9d

SHA1
3db25d307e49601bc703ac85e02f09637833b26f

SHA256
f57778e1672a0f1cad81f270894557b59bda690a38c2cae47f1d8d387e6a3311

SHA512
84e0d4e9205783479f34530676b9af82ae3dfd2bbf81c92619dfe236194cc0830e40b94583fbb396850a4fc8516b296607a7d953ce8a1f8739200bfade9e1d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86127BC6\x64\SetupDownloader\SetupDownloader.exe.config
Filesize
218B

MD5
8f692dcbf1e68398b5dac3eba59872b0

SHA1
18011f5291790b0f49561385731ec5c6ad855415

SHA256
8c422938a58df86d88f29c61ff27006f0b3c9bb4742b11486bc5a01a6344129b

SHA512
e4bab07f4b9a9f725865e0e9f11fa31a4a1841399044f5976818782739b13d6c2012edf98199c5823ee9ecb3da40e7f3e2f88ab1394547801afa8b5b9dad9e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\3c24fc7b-fdda-494b-95b2-c5f6aef41a8e\paint.net.5.0.6.install.x64.exe
Filesize
62.3MB

MD5
2c830a4ba9861b2b23fdc181551c81f3

SHA1
e17da9e63c74f06cd330515a4229e119ac6f6df4

SHA256
841122c2aeb3952f4b91d0581e69a9615689c0478bf3a56635e7020900e32d07

SHA512
45500961136b8eeb5bea4185365148d65208c99adda6fa5d231e3fa8cd88223438e4018b3424f61ac57c10f042fe45b06b9da5943c668779906330b7f084b66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\3c24fc7b-fdda-494b-95b2-c5f6aef41a8e\paint.net.5.0.6.install.x64.exe
Filesize
62.3MB

MD5
2c830a4ba9861b2b23fdc181551c81f3

SHA1
e17da9e63c74f06cd330515a4229e119ac6f6df4

SHA256
841122c2aeb3952f4b91d0581e69a9615689c0478bf3a56635e7020900e32d07

SHA512
45500961136b8eeb5bea4185365148d65208c99adda6fa5d231e3fa8cd88223438e4018b3424f61ac57c10f042fe45b06b9da5943c668779906330b7f084b66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log
Filesize
135B

MD5
aadf7ddeb6ef09604041d9d170f4dcff

SHA1
5210785f650b15e69d3b7ffb73ee94af6c226ceb

SHA256
0f38bb25ac2cb3ab9b4706930a7944343fcdc43a2d7baa82774f0a05153ce613

SHA512
6b224a71838abeee4c598983e5f33347fe7884622ff371dc3c0b781172d4b7b4f748cfbff94c53214bf8dfb573c1a0f793ab63693e9dfd199c090a3e3e9156af

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log
Filesize
932B

MD5
9a92af7f126d5117e97bd58f865a8179

SHA1
6a703caef06311399d1723d1bb41f9fafe14f3a8

SHA256
3e0dfbbb6fd28408c166b732fbd8fcea3245b4a1e1a65969562cda3eb7eef315

SHA512
4be77197d27a948a42d946308b4e15aa8332b190c4cfcb46c8ff981e6ba65f07b236dbc2a0ebb7eb2c5167bd61c6bf67bfcc066d69445dee46b0cd7c5dfa4e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log
Filesize
932B

MD5
9a92af7f126d5117e97bd58f865a8179

SHA1
6a703caef06311399d1723d1bb41f9fafe14f3a8

SHA256
3e0dfbbb6fd28408c166b732fbd8fcea3245b4a1e1a65969562cda3eb7eef315

SHA512
4be77197d27a948a42d946308b4e15aa8332b190c4cfcb46c8ff981e6ba65f07b236dbc2a0ebb7eb2c5167bd61c6bf67bfcc066d69445dee46b0cd7c5dfa4e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log
Filesize
775B

MD5
7e052e0a6693dbef7a6c7f2bbae10dab

SHA1
34c20f5415129672b000ddefc9177951bf36ef2e

SHA256
4af2cb2e789546fc625d9ee321c8d4513afc051527cf27f43af9cfd3d7ebffee

SHA512
e8ecbb540a4e5dd1192cc71cc1550b4b1c1be59eaf6df9b36e7bd6c0965b08126cf9f84bde45d7f0ed6c83b32fa9b2c54c3a14b2b6c5374dc623ee02870bc8f3

Download Submit
C:\Windows\Installer\e579ad8.msi
Filesize
207.0MB

MD5
4dfc1b4ed86cd5b15274dce080eec663

SHA1
fba91c7f80009937774c4ebd79a2dd7299ff923d

SHA256
26ced4f0b87208339b08d7b41b6223c5597d3fd081be64450d102d621a27b334

SHA512
9976fd61db5ac025a7db6b30899d2eba15a4b88afe297927685224f6f868acaa7e537af4e54bf62421685f7fe073a09409658a2b4de050131a8ddea2310364cd

Download Submit
C:\Windows\Installer\{7C6DD0FA-7FC9-4BE7-A152-7763CBDEFA3E}\app_icon.ico
Filesize
75KB

MD5
d47d5e7a8a90d00db1644a40555d14c2

SHA1
652eae27caf68d1903616910f46bcca27f6623b0

SHA256
9c6063ea5b8a118f1aeab0c201f5bc7fa5d630dcfd80d0c8bf3efe67bfde6953

SHA512
ecf923b823e246416ad4f010647a14c764325ff83752d542313ccd74143f800c1d37f14952e02ed78813f0417c94a0e5eccb02daecabf242444cd5d6a635ec8a

Download Submit
memory/216-202-0x0000017176D60000-0x0000017176D70000-memory.dmp

Filesize
64KB

Download
memory/216-203-0x0000017176D60000-0x0000017176D70000-memory.dmp

Filesize
64KB

Download
memory/216-193-0x0000017176D60000-0x0000017176D70000-memory.dmp

Filesize
64KB

Download
memory/216-192-0x0000017176D00000-0x0000017176D12000-memory.dmp

Filesize
72KB

Download
memory/216-190-0x0000017176D60000-0x0000017176D70000-memory.dmp

Filesize
64KB

Download
memory/216-189-0x0000017176D60000-0x0000017176D70000-memory.dmp

Filesize
64KB

Download
memory/216-188-0x0000017176D60000-0x0000017176D70000-memory.dmp

Filesize
64KB

Download
memory/216-185-0x00000171760A0000-0x0000017176152000-memory.dmp

Filesize
712KB

Download
memory/216-187-0x0000017176BE0000-0x0000017176C02000-memory.dmp

Filesize
136KB

Download
memory/216-183-0x0000017173C10000-0x0000017173C56000-memory.dmp

Filesize
280KB

Download
memory/984-1790-0x000001E3C71D0000-0x000001E3C71D4000-memory.dmp

Filesize
16KB

Download
memory/984-1789-0x000001E3C7180000-0x000001E3C7190000-memory.dmp

Filesize
64KB

Download