026d3f716835cf62c173491424a03002dd6ddda6b04a42b0e8c114257cdd7061

Analysis

max time kernel
145s
max time network
141s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
03-06-2023 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

paint.net.4.0.install.exe
Size

6.0MB
MD5

97ebb79a9721d8025e6659df039aea42
SHA1

db08d3443cf80444ff88641697af1e377c37f3f6
SHA256

026d3f716835cf62c173491424a03002dd6ddda6b04a42b0e8c114257cdd7061
SHA512

229d0164dce78c392303d1b8beb644909e870a577c4153f8e79a30607595b9a39ce40305b217d84917d18840f9835981c24802fb50f7c3336764f6c5eec11ce2
SSDEEP

98304:SHi1WlQj2MkiGNXjvcClj2oAQT49u/LWUKJfKRiROkjEieeGnHnF4ddOpOi2LNW0:Zf2MkVZLlvAQT49uCUKJfKRejZED6

Score

9^/10

coreentity discovery evasion persistence trojan

Malware Config

Signatures

CoreEntity .NET Packer 10 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.exe	coreentity
behavioral1/memory/2984-237-0x000000001BCB0000-0x000000001BE60000-memory.dmp	coreentity
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet_x64.msi	coreentity
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet_x86.msi	coreentity
C:\Program Files\paint.net\Staging\PaintDotNet_x64_1798139967.msi	coreentity
C:\Windows\Installer\e56fd8f.msi	coreentity
C:\Program Files\paint.net\PaintDotNet.exe	coreentity
C:\Program Files\paint.net\PaintDotNet.pdb	coreentity
behavioral1/memory/4404-3847-0x000001F3EE700000-0x000001F3EE8B0000-memory.dmp	coreentity
behavioral1/memory/1136-6530-0x0000000000B10000-0x0000000000CC0000-memory.dmp	coreentity

Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exe

flow pid process

13 596 msiexec.exe
15 596 msiexec.exe
17 596 msiexec.exe
19 596 msiexec.exe
Executes dropped EXE 4 IoCs

Processes:

SetupShim.exeSetupFrontEnd.exeSetupNgen.exePaintDotNet.exe

pid process

4448 SetupShim.exe
2984 SetupFrontEnd.exe
3024 SetupNgen.exe
1136 PaintDotNet.exe

flow	pid	process
13	596	msiexec.exe
15	596	msiexec.exe
17	596	msiexec.exe
19	596	msiexec.exe

pid	process
4448	SetupShim.exe
2984	SetupFrontEnd.exe
3024	SetupNgen.exe
1136	PaintDotNet.exe

Loads dropped DLL 64 IoCs

Processes:

paint.net.4.0.install.exeSetupFrontEnd.exeMsiExec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
4604	paint.net.4.0.install.exe
4604	paint.net.4.0.install.exe
2984	SetupFrontEnd.exe
2984	SetupFrontEnd.exe
2984	SetupFrontEnd.exe
2984	SetupFrontEnd.exe
2984	SetupFrontEnd.exe
2984	SetupFrontEnd.exe
1280	MsiExec.exe
1280	MsiExec.exe
3572	mscorsvw.exe
3572	mscorsvw.exe
4152	mscorsvw.exe
4152	mscorsvw.exe
3004	mscorsvw.exe
3004	mscorsvw.exe
4156	mscorsvw.exe
3004	mscorsvw.exe
4552	mscorsvw.exe
3916	mscorsvw.exe
3924	mscorsvw.exe
1344	mscorsvw.exe
916	mscorsvw.exe
1344	mscorsvw.exe
352	mscorsvw.exe
916	mscorsvw.exe
3936	mscorsvw.exe
3936	mscorsvw.exe
2248	mscorsvw.exe
3936	mscorsvw.exe
4716	mscorsvw.exe
4716	mscorsvw.exe
4716	mscorsvw.exe
4716	mscorsvw.exe
2248	mscorsvw.exe
4716	mscorsvw.exe
4956	mscorsvw.exe
4956	mscorsvw.exe
4956	mscorsvw.exe
4956	mscorsvw.exe
4956	mscorsvw.exe
4956	mscorsvw.exe
4956	mscorsvw.exe
4956	mscorsvw.exe
4956	mscorsvw.exe
4956	mscorsvw.exe
4956	mscorsvw.exe
4956	mscorsvw.exe
4956	mscorsvw.exe
4956	mscorsvw.exe
4956	mscorsvw.exe
5116	mscorsvw.exe
5116	mscorsvw.exe
5116	mscorsvw.exe
5116	mscorsvw.exe
5116	mscorsvw.exe
4200	mscorsvw.exe
5116	mscorsvw.exe
3024	mscorsvw.exe
3024	mscorsvw.exe
3024	mscorsvw.exe
3024	mscorsvw.exe
3024	mscorsvw.exe
3024	mscorsvw.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

SetupNgen.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D292F82A-50BE-4351-96CC-E86F3F8049DA}\InProcServer32	SetupNgen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D292F82A-50BE-4351-96CC-E86F3F8049DA}\InProcServer32\ThreadingModel = "Apartment"	SetupNgen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D292F82A-50BE-4351-96CC-E86F3F8049DA}\InProcServer32\ = "C:\\Program Files\\paint.net\\ShellExtension_x64.dll"	SetupNgen.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SetupFrontEnd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SetupFrontEnd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SetupFrontEnd.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in System32 directory 6 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\msvcp100.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcr100.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp100.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcomp100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcr100.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exeSetupFrontEnd.exe

description	ioc	process
File created	C:\Program Files\paint.net\Resources\en-US\Icons.OutlineEffectIcon.png	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.ZH-CN.resources	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.pdb	msiexec.exe
File created	C:\Program Files\paint.net\Resources\ru\Icons.FontBoldIcon.png	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Framework.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.da.resources	msiexec.exe
File created	C:\Program Files\paint.net\Resources\ru\Icons.FontItalicIcon.png	msiexec.exe
File created	C:\Program Files\paint.net\Resources\en-US\Icons.EdgeDetectEffect.png	msiexec.exe
File created	C:\Program Files\paint.net\UpdateMonitor.exe.config	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.exe.config	msiexec.exe
File opened for modification	C:\Program Files\paint.net\PaintDotNet.Data.pdb	SetupFrontEnd.exe
File created	C:\Program Files\paint.net\PaintDotNet.Core.dll	msiexec.exe
File created	C:\Program Files\paint.net\License.txt	msiexec.exe
File opened for modification	C:\Program Files\paint.net\PaintDotNet.Framework.pdb	SetupFrontEnd.exe
File opened for modification	C:\Program Files\paint.net\PaintDotNet.Effects.pdb	SetupFrontEnd.exe
File created	C:\Program Files\paint.net\PdnRepair.exe.config	msiexec.exe
File created	C:\Program Files\paint.net\Resources\en-US\Icons.MenuEditCutIcon.png	msiexec.exe
File created	C:\Program Files\paint.net\Resources\en-US\Icons.DentsEffectIcon.png	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.pt-PT.resources	msiexec.exe
File created	C:\Program Files\paint.net\Resources\es\Images.PayPalDonate.gif	msiexec.exe
File created	C:\Program Files\paint.net\Resources\es\Icons.FontUnderlineIcon.png	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.FR.resources	msiexec.exe
File created	C:\Program Files\paint.net\Resources\en-US\Icons.LineToolIcon.png	msiexec.exe
File created	C:\Program Files\paint.net\ShellExtension_x64.dll	msiexec.exe
File created	C:\Program Files\paint.net\Resources\fr\Images.PayPalDonate.gif	msiexec.exe
File created	C:\Program Files\paint.net\Resources\es\Icons.FontItalicIcon.png	msiexec.exe
File created	C:\Program Files\paint.net\Resources\zh-cn\Images.PayPalDonate.gif	msiexec.exe
File opened for modification	C:\Program Files\paint.net\PaintDotNet.Base.pdb	SetupFrontEnd.exe
File opened for modification	C:\Program Files\paint.net\UpdateMonitor.pdb	SetupFrontEnd.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.PT-BR.resources	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.resources	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.hu.resources	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.lt.resources	msiexec.exe
File created	C:\Program Files\paint.net\Resources\en-US\Icons.InkSketchEffectIcon.png	msiexec.exe
File created	C:\Program Files\paint.net\Resources\ja\Images.PayPalDonate.gif	msiexec.exe
File created	C:\Program Files\paint.net\Resources\en-US\Icons.MenuWindowToolsIcon.png	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Resources.dll	msiexec.exe
File created	C:\Program Files\paint.net\Resources\es\Icons.FontBoldIcon.png	msiexec.exe
File created	C:\Program Files\paint.net\Resources\ru\Icons.FontUnderlineIcon.png	msiexec.exe
File created	C:\Program Files\paint.net\UpdateMonitor.exe	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.ES.resources	msiexec.exe
File created	C:\Program Files\paint.net\SetupNgen.exe.config	msiexec.exe
File opened for modification	C:\Program Files\paint.net\PaintDotNet.SystemLayer.pdb	SetupFrontEnd.exe
File created	C:\Program Files\paint.net\PaintDotNet.Effects.dll	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Framework.pdb	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.RU.resources	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.DE.resources	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.hi.resources	msiexec.exe
File opened for modification	C:\Program Files\paint.net\PaintDotNet.pdb	SetupFrontEnd.exe
File opened for modification	C:\Program Files\paint.net\PaintDotNet.Resources.pdb	SetupFrontEnd.exe
File opened for modification	C:\Program Files\paint.net\Staging\PaintDotNet_x64_1798139967.msi	SetupFrontEnd.exe
File created	C:\Program Files\paint.net\PaintDotNet.SystemLayer.pdb	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.exe	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Data.dll	msiexec.exe
File created	C:\Program Files\paint.net\SetupNgen.exe	msiexec.exe
File created	C:\Program Files\paint.net\Resources\fr\Icons.FontBoldIcon.png	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.JA.resources	msiexec.exe
File opened for modification	C:\Program Files\paint.net\SetupNgen.pdb	SetupFrontEnd.exe
File created	C:\Program Files\paint.net\PdnRepair.pdb	msiexec.exe
File created	C:\Program Files\paint.net\PaintDotNet.Strings.3.fa.resources	msiexec.exe
File created	C:\Program Files\paint.net\Resources\en-US\Icons.InvertColorsEffect.png	msiexec.exe
File created	C:\Program Files\paint.net\Resources\ja\Icons.FontStrikeoutIcon.png	msiexec.exe
File created	C:\Program Files\paint.net\Resources\en-US\copying.txt	msiexec.exe
File opened for modification	C:\Program Files\paint.net\Staging	SetupFrontEnd.exe

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exengen.exengen.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exengen.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exengen.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIB1E.tmp	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\PaintDotNetc8826574#\eb6c494c5c54f64e92c330fa457475dc\PaintDotNet.SystemLayer.Native.x64.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Security\8391072310ccd84eecefe797cfd4a4a5\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\PaintDotNet500b2e4f#\5021820aa2c4f946b4ebc95266b427a6\PaintDotNet.SystemLayer.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\cd03f7a1d6c4031c515fb3f50c42e268\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\8bc-0\PaintDotNet.Core.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\PaintDotNet\e52a1813c98936ec37e4bbabc775591f\PaintDotNet.ni.exe.aux.tmp	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\3f0-0\System.Printing.dll	mscorsvw.exe
File created	C:\Windows\Installer\{3F5F509B-E226-417C-8CD1-CAAE756C328A}\_853F67D554F05449430E7E.exe	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1038-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\103c-0\PaintDotNet.Base.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\540-0\UIAutomationProvider.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\126c-0\PresentationUI.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC\45d6b68ea71f898fee71f67739c5b8a1\Microsoft.VisualC.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\750-0\System.Drawing.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\93309b55a9caa04c2f4fe06c13438631\PresentationUI.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Interop.WIA\fb5f243d0d8f9e1933d41860af5cb4b0\Interop.WIA.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\WindowsForm0b574481#\501c549eee2d5c10d2ba0f46aba60f47\WindowsFormsIntegration.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexc.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9bc-0\Interop.WIA.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\314-0\PaintDotNet.Resources.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\5ac17cc5b92efda83e2925857f4fa655\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes\1e1a1bd97e618bc4934ee967bea27ae8\UIAutomationTypes.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment\d6dc141d56f9c6624e1f60bf6f3d457b\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\710-0\PaintDotNet.SystemLayer.Native.x86.dll	mscorsvw.exe
File opened for modification	C:\Windows\Installer\MSI465.tmp	msiexec.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\indexe.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\PaintDotNet.Data\6ddb944aafbb9bf4205ad3d45a9fdb05\PaintDotNet.Data.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\d80-0\System.Numerics.dll	mscorsvw.exe
File opened for modification	C:\Windows\Installer\MSI84E.tmp	msiexec.exe
File created	C:\Windows\Installer\e56fd92.msi	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\UIAutomationProvider\dcd37a4654f172e28a4fe982bd478278\UIAutomationProvider.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\f60-0\ReachFramework.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\d80-0\ReachFramework.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\indexd.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\PaintDotNet.Core\e43c1d4c0092b56fe176335d63c3860b\PaintDotNet.Core.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f30-0\Accessibility.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\394-0\System.Deployment.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\ecc-0\PaintDotNet.SystemLayer.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1ec-0\System.Deployment.dll	mscorsvw.exe
File opened for modification	C:\Windows\Installer\e56fd8f.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\bbbbd997a1621cf1e739f922fe653459\Accessibility.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\190-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\Installer\SourceHash{3F5F509B-E226-417C-8CD1-CAAE756C328A}	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\160-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\PaintDotNet7afaaa15#\4dd3f1662e62eefa356c3c6269f652de\PaintDotNet.Framework.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI\efec1926513ece87ff644670cdd80031\PresentationUI.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\8c8-0\System.Printing.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml\3abef8eeb03dddf15f0ee7406c517b6e\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider\3bfcfe12488f0a2285f5f08274cbc13f\UIAutomationProvider.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\168-0\System.Windows.Forms.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#\6587db30c0be7c0a01732fbff2d30c8b\System.DirectoryServices.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\9744e094346545d417a938174608d0ad\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exeSetupNgen.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\.jpe\OpenWithProgids	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|paint.net\|PaintDotNet.SystemLayer.Native.x64.dll\PaintDotNet.SystemLayer.Native.x64,Version="4.0.5288.36565",Culture="neutral",ProcessorArchitecture="AMD64" = 5e0039003d004700380044006200270027003900550031002e00330061007200210049004b0054003e006d0029005200540052004000640044002400590076006d0033006a006b0047005b0034006100710000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|paint.net\|PaintDotNet.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\paint.net.ThumbExtract	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|paint.net\|PaintDotNet.SystemLayer.dll\PaintDotNet.SystemLayer,Version="4.0.5288.36565",Culture="neutral",ProcessorArchitecture="MSIL" = 5e0039003d004700380044006200270027003900550031002e00330061007200210049004b0054003e0064002800630052005b0027007a006a0046006500210070004d00780050005700790069005800210000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|paint.net\|PaintDotNet.Resources.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|paint.net\|SetupNgen.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B905F5F3622EC714C81DACEA57C623A8	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\print\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\jpegfile\shell\edit\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|paint.net\|PaintDotNet.Effects.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|paint.net\|PaintDotNet.Data.dll\PaintDotNet.Data,Version="4.0.5288.36565",Culture="neutral",ProcessorArchitecture="MSIL" = 5e0039003d004700380044006200270027003900550031002e00330061007200210049004b0054003e00570061006c0077007a00670030002b0032004a004d0066003d005f006b00630028007d006b006e0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B905F5F3622EC714C81DACEA57C623A8\Version = "67108864"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D292F82A-50BE-4351-96CC-E86F3F8049DA}	SetupNgen.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B905F5F3622EC714C81DACEA57C623A8\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	SetupNgen.exe
Key created	\REGISTRY\MACHINE\Software\Classes\paint.net.1\shell\print\command	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B905F5F3622EC714C81DACEA57C623A8\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B905F5F3622EC714C81DACEA57C623A8\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bmp\OpenWithProgids\paint.net.1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpe\OpenWithProgids\paint.net.1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tga\OpenWithProgids\Paint.NET.1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{D292F82A-50BE-4351-96CC-E86F3F8049DA}"	SetupNgen.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|paint.net\|PaintDotNet.SystemLayer.Native.x86.dll\PaintDotNet.SystemLayer.Native.x86,Version="4.0.5288.36565",Culture="neutral",ProcessorArchitecture="x86" = 5e0039003d004700380044006200270027003900550031002e00330061007200210049004b0054003e005900700056006f0042005a0044002b006f005500640061003400210069006500350051004900390000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\ = "paint.net.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B905F5F3622EC714C81DACEA57C623A8\DefaultFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B905F5F3622EC714C81DACEA57C623A8\SourceList\PackageName = "PaintDotNet_x64_1798139967.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\open\command\ = "\"C:\\Program Files\\paint.net\\PaintDotNet.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\edit\command\ = "\"C:\\Program Files\\paint.net\\PaintDotNet.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Paint.Picture\shell\edit\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.png\OpenWithProgids\paint.net.1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D292F82A-50BE-4351-96CC-E86F3F8049DA}\InProcServer32	SetupNgen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\print\command\ = "\"C:\\Program Files\\paint.net\\PaintDotNet.exe\" \"print:%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpg\OpenWithProgids\paint.net.1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdn\OpenWithProgids	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|paint.net\|PaintDotNet.Effects.dll\PaintDotNet.Effects,Version="4.0.5288.36565",Culture="neutral",ProcessorArchitecture="MSIL" = 5e0039003d004700380044006200270027003900550031002e00330061007200210049004b0054003e002b003200450031004f007e007100730030004c0055004700630075004d004c00660031004100610000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|paint.net\|PaintDotNet.Framework.dll	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B905F5F3622EC714C81DACEA57C623A8\PackageCode = "0E49DDAE35824CF42AB2E295D9325201"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\edit\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\edit	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.jpg\OpenWithProgids	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B905F5F3622EC714C81DACEA57C623A8\SourceList\LastUsedSource = "n;1;C:\\Program Files\\paint.net\\Staging\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\paint.net.ThumbExtract\CLSID	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B905F5F3622EC714C81DACEA57C623A8\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D292F82A-50BE-4351-96CC-E86F3F8049DA}	SetupNgen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\paint.net.1\shell\edit\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.bmp\OpenWithProgids	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\edit\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|paint.net\|PaintDotNet.Data.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|paint.net\|PdnRepair.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\04F04A40702A84B4EA7DA65A234E2357	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D292F82A-50BE-4351-96CC-E86F3F8049DA}\InProcServer32\ = "C:\\Program Files\\paint.net\\ShellExtension_x64.dll"	SetupNgen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B905F5F3622EC714C81DACEA57C623A8\ProductIcon = "C:\\Windows\\Installer\\{3F5F509B-E226-417C-8CD1-CAAE756C328A}\\_853F67D554F05449430E7E.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D292F82A-50BE-4351-96CC-E86F3F8049DA}\InProcServer32\ = "C:\\Program Files\\paint.net\\ShellExtension_x86.dll"	SetupNgen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\edit\command\ = "\"C:\\Program Files\\paint.net\\PaintDotNet.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\edit\command\ = "\"C:\\Program Files\\paint.net\\PaintDotNet.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tga\ = "paint.net.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbExtract\CLSID\ = "{D292F82A-50BE-4351-96CC-E86F3F8049DA}"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|paint.net\|PaintDotNet.Framework.dll\PaintDotNet.Framework,Version="4.0.5288.36565",Culture="neutral",ProcessorArchitecture="MSIL" = 5e0039003d004700380044006200270027003900550031002e00330061007200210049004b0054003e0075007d004000350026006a006f0075007e0045005f005d006d004b003d006f00530039005e00390000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Paint.Picture\shell\edit\command\ = "\"C:\\Program Files\\paint.net\\PaintDotNet.exe\" \"%1\""	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

596 msiexec.exe
596 msiexec.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

SetupFrontEnd.exePaintDotNet.exe

pid process

2984 SetupFrontEnd.exe
1136 PaintDotNet.exe

pid	process
596	msiexec.exe
596	msiexec.exe

pid	process
2984	SetupFrontEnd.exe
1136	PaintDotNet.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SetupFrontEnd.exevssvc.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	2984	SetupFrontEnd.exe
Token: SeBackupPrivilege	4692	vssvc.exe
Token: SeRestorePrivilege	4692	vssvc.exe
Token: SeAuditPrivilege	4692	vssvc.exe
Token: SeBackupPrivilege	2984	SetupFrontEnd.exe
Token: SeRestorePrivilege	2984	SetupFrontEnd.exe
Token: SeShutdownPrivilege	2984	SetupFrontEnd.exe
Token: SeIncreaseQuotaPrivilege	2984	SetupFrontEnd.exe
Token: SeSecurityPrivilege	596	msiexec.exe
Token: SeCreateTokenPrivilege	2984	SetupFrontEnd.exe
Token: SeAssignPrimaryTokenPrivilege	2984	SetupFrontEnd.exe
Token: SeLockMemoryPrivilege	2984	SetupFrontEnd.exe
Token: SeIncreaseQuotaPrivilege	2984	SetupFrontEnd.exe
Token: SeMachineAccountPrivilege	2984	SetupFrontEnd.exe
Token: SeTcbPrivilege	2984	SetupFrontEnd.exe
Token: SeSecurityPrivilege	2984	SetupFrontEnd.exe
Token: SeTakeOwnershipPrivilege	2984	SetupFrontEnd.exe
Token: SeLoadDriverPrivilege	2984	SetupFrontEnd.exe
Token: SeSystemProfilePrivilege	2984	SetupFrontEnd.exe
Token: SeSystemtimePrivilege	2984	SetupFrontEnd.exe
Token: SeProfSingleProcessPrivilege	2984	SetupFrontEnd.exe
Token: SeIncBasePriorityPrivilege	2984	SetupFrontEnd.exe
Token: SeCreatePagefilePrivilege	2984	SetupFrontEnd.exe
Token: SeCreatePermanentPrivilege	2984	SetupFrontEnd.exe
Token: SeBackupPrivilege	2984	SetupFrontEnd.exe
Token: SeRestorePrivilege	2984	SetupFrontEnd.exe
Token: SeShutdownPrivilege	2984	SetupFrontEnd.exe
Token: SeDebugPrivilege	2984	SetupFrontEnd.exe
Token: SeAuditPrivilege	2984	SetupFrontEnd.exe
Token: SeSystemEnvironmentPrivilege	2984	SetupFrontEnd.exe
Token: SeChangeNotifyPrivilege	2984	SetupFrontEnd.exe
Token: SeRemoteShutdownPrivilege	2984	SetupFrontEnd.exe
Token: SeUndockPrivilege	2984	SetupFrontEnd.exe
Token: SeSyncAgentPrivilege	2984	SetupFrontEnd.exe
Token: SeEnableDelegationPrivilege	2984	SetupFrontEnd.exe
Token: SeManageVolumePrivilege	2984	SetupFrontEnd.exe
Token: SeImpersonatePrivilege	2984	SetupFrontEnd.exe
Token: SeCreateGlobalPrivilege	2984	SetupFrontEnd.exe
Token: SeRestorePrivilege	596	msiexec.exe
Token: SeTakeOwnershipPrivilege	596	msiexec.exe
Token: SeRestorePrivilege	596	msiexec.exe
Token: SeTakeOwnershipPrivilege	596	msiexec.exe
Token: SeRestorePrivilege	596	msiexec.exe
Token: SeTakeOwnershipPrivilege	596	msiexec.exe
Token: SeRestorePrivilege	596	msiexec.exe
Token: SeTakeOwnershipPrivilege	596	msiexec.exe
Token: SeRestorePrivilege	596	msiexec.exe
Token: SeTakeOwnershipPrivilege	596	msiexec.exe
Token: SeRestorePrivilege	596	msiexec.exe
Token: SeTakeOwnershipPrivilege	596	msiexec.exe
Token: SeRestorePrivilege	596	msiexec.exe
Token: SeTakeOwnershipPrivilege	596	msiexec.exe
Token: SeRestorePrivilege	596	msiexec.exe
Token: SeTakeOwnershipPrivilege	596	msiexec.exe
Token: SeRestorePrivilege	596	msiexec.exe
Token: SeTakeOwnershipPrivilege	596	msiexec.exe
Token: SeRestorePrivilege	596	msiexec.exe
Token: SeTakeOwnershipPrivilege	596	msiexec.exe
Token: SeRestorePrivilege	596	msiexec.exe
Token: SeTakeOwnershipPrivilege	596	msiexec.exe
Token: SeRestorePrivilege	596	msiexec.exe
Token: SeTakeOwnershipPrivilege	596	msiexec.exe
Token: SeRestorePrivilege	596	msiexec.exe
Token: SeTakeOwnershipPrivilege	596	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

SetupFrontEnd.exePaintDotNet.exe

pid process

2984 SetupFrontEnd.exe
1136 PaintDotNet.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PaintDotNet.exe

pid process

1136 PaintDotNet.exe

pid	process
2984	SetupFrontEnd.exe
1136	PaintDotNet.exe

pid	process
1136	PaintDotNet.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

paint.net.4.0.install.exeSetupShim.exemsiexec.exeSetupNgen.exeSetupFrontEnd.exengen.exe

description	pid	process	target process
PID 4604 wrote to memory of 4448	4604	paint.net.4.0.install.exe	SetupShim.exe
PID 4604 wrote to memory of 4448	4604	paint.net.4.0.install.exe	SetupShim.exe
PID 4604 wrote to memory of 4448	4604	paint.net.4.0.install.exe	SetupShim.exe
PID 4448 wrote to memory of 2984	4448	SetupShim.exe	SetupFrontEnd.exe
PID 4448 wrote to memory of 2984	4448	SetupShim.exe	SetupFrontEnd.exe
PID 596 wrote to memory of 1280	596	msiexec.exe	MsiExec.exe
PID 596 wrote to memory of 1280	596	msiexec.exe	MsiExec.exe
PID 596 wrote to memory of 1280	596	msiexec.exe	MsiExec.exe
PID 596 wrote to memory of 3024	596	msiexec.exe	SetupNgen.exe
PID 596 wrote to memory of 3024	596	msiexec.exe	SetupNgen.exe
PID 3024 wrote to memory of 2768	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 2768	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 3008	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 3008	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 4416	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 4416	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 4864	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 4864	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 2840	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 2840	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 3800	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 3800	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 4972	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 4972	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 4412	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 4412	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 4216	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 4216	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 3656	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 3656	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 3756	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 3756	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 4940	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 4940	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 4940	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 2888	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 2888	3024	SetupNgen.exe	ngen.exe
PID 3024 wrote to memory of 2888	3024	SetupNgen.exe	ngen.exe
PID 2984 wrote to memory of 700	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 700	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 2156	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 2156	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 4548	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 4548	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 4984	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 4984	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 4304	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 4304	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 4204	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 4204	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 1816	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 1816	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 4040	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 4040	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 3004	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 3004	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 1168	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 1168	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 4132	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 4132	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 3560	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 3560	2984	SetupFrontEnd.exe	ngen.exe
PID 2984 wrote to memory of 3560	2984	SetupFrontEnd.exe	ngen.exe
PID 3560 wrote to memory of 3336	3560	ngen.exe	mscorsvw.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\paint.net.4.0.install.exe
"C:\Users\Admin\AppData\Local\Temp\paint.net.4.0.install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4604

C:\Users\Admin\AppData\Local\Temp\PdnSetup\SetupShim.exe
SetupShim.exe /suppressReboot
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448

C:\Users\Admin\AppData\Local\Temp\PdnSetup\SetupFrontEnd.exe
"SetupFrontEnd.exe" SetupShim.exe /suppressReboot
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\Interop.WIA.dll" /AppBase:"C:\Program Files\paint.net"
4⤵
PID:700

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 0 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
5⤵
PID:1524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 0 -NGENProcess 16c -Pipe 20c -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3572

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.Base.dll" /AppBase:"C:\Program Files\paint.net"
4⤵
PID:2156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 0 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
5⤵
PID:1872

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 0 -NGENProcess 1a0 -Pipe 234 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4152

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 0 -NGENProcess 22c -Pipe 240 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 0 -NGENProcess 290 -Pipe 238 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
PID:3004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 0 -NGENProcess 244 -Pipe 270 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4552

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 0 -NGENProcess 290 -Pipe 16c -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
PID:3916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 25c -Pipe 22c -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
PID:3924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 258 -Pipe 1a0 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1344

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 0 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 290 -Pipe 2a8 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:352

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 0 -NGENProcess 264 -Pipe 2a0 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3936

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 0 -NGENProcess 23c -Pipe 2b4 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2248

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 0 -NGENProcess 2a8 -Pipe 2a0 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4716

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.SystemLayer.Native.x64.dll" /AppBase:"C:\Program Files\paint.net"
4⤵
PID:4548

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 0 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
PID:4956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 0 -NGENProcess 20c -Pipe 214 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
PID:4200

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 0 -NGENProcess 22c -Pipe 224 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5116

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.SystemLayer.Native.x86.dll" /AppBase:"C:\Program Files\paint.net"
4⤵
PID:4984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 0 -NGENProcess 170 -Pipe 17c -Comment "NGen Worker Process"
5⤵
PID:1920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.SystemLayer.dll" /AppBase:"C:\Program Files\paint.net"
4⤵
PID:4304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 0 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
PID:3024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 0 -NGENProcess 174 -Pipe 248 -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:2492

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 0 -NGENProcess 164 -Pipe 230 -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:3788

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.Resources.dll" /AppBase:"C:\Program Files\paint.net"
4⤵
PID:4204

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 0 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
5⤵
PID:3716

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 0 -NGENProcess 214 -Pipe 21c -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:788

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.Core.dll" /AppBase:"C:\Program Files\paint.net"
4⤵
PID:1816

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 17c -InterruptEvent 0 -NGENProcess 16c -Pipe 178 -Comment "NGen Worker Process"
5⤵
PID:4012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 0 -NGENProcess 22c -Pipe 1a0 -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:2236

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.Data.dll" /AppBase:"C:\Program Files\paint.net"
4⤵
PID:4040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 0 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
5⤵
PID:3020

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 0 -NGENProcess 248 -Pipe 23c -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:5080

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 0 -NGENProcess 218 -Pipe 174 -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:3528

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.Effects.dll" /AppBase:"C:\Program Files\paint.net"
4⤵
PID:3004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 0 -NGENProcess 170 -Pipe 17c -Comment "NGen Worker Process"
5⤵
PID:220

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 0 -NGENProcess 21c -Pipe 230 -Comment "NGen Worker Process"
5⤵
PID:2760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.Framework.dll" /AppBase:"C:\Program Files\paint.net"
4⤵
PID:1168

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 17c -InterruptEvent 0 -NGENProcess 16c -Pipe 178 -Comment "NGen Worker Process"
5⤵
PID:3732

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.exe" /AppBase:"C:\Program Files\paint.net"
4⤵
PID:4132

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 17c -InterruptEvent 0 -NGENProcess 16c -Pipe 178 -Comment "NGen Worker Process"
5⤵
PID:4404

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 0 -NGENProcess 20c -Pipe 214 -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:3024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 0 -NGENProcess 17c -Pipe 1a0 -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:4020

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 0 -NGENProcess 278 -Pipe 20c -Comment "NGen Worker Process"
5⤵
PID:5044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\Interop.WIA.dll" /AppBase:"C:\Program Files\paint.net"
4⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1bc -Pipe 1cc -Comment "NGen Worker Process"
5⤵
PID:3336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 0 -NGENProcess 1c8 -Pipe 24c -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:4164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.SystemLayer.Native.x86.dll" /AppBase:"C:\Program Files\paint.net"
4⤵
- Drops file in Windows directory
PID:312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 1b8 -Pipe 1c4 -Comment "NGen Worker Process"
5⤵
PID:4536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 0 -NGENProcess 278 -Pipe 280 -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:2744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 28c -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 0 -NGENProcess 2bc -Pipe 1c8 -Comment "NGen Worker Process"
5⤵
PID:3456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 288 -Pipe 284 -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:1872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 0 -NGENProcess 2c0 -Pipe 294 -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:3888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 0 -NGENProcess 2c0 -Pipe 2bc -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
5⤵
PID:208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 0 -NGENProcess 2f4 -Pipe 2d0 -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:4404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 2dc -Pipe 2e4 -Comment "NGen Worker Process"
5⤵
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 0 -NGENProcess 304 -Pipe 2f0 -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:3232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 0 -NGENProcess 2c0 -Pipe 2a0 -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 0 -NGENProcess 30c -Pipe 2c4 -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 0 -NGENProcess 30c -Pipe 2e8 -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 0 -NGENProcess 2f4 -Pipe 278 -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 0 -NGENProcess 288 -Pipe 1f4 -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:3456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 0 -NGENProcess 288 -Pipe 2f4 -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:1008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 308 -Pipe 2c4 -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:3756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 31c -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:4548

C:\Program Files\paint.net\PaintDotNet.exe
"C:\Program Files\paint.net\PaintDotNet.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1136

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:5048

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
1⤵
PID:816

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 01BF5FD985699579C7D65A4094BFDDE4
2⤵
- Loads dropped DLL
PID:1280

C:\Program Files\paint.net\SetupNgen.exe
"C:\Program Files\paint.net\SetupNgen.exe" /install DESKTOPSHORTCUT=1 PDNUPDATING=0 SKIPCLEANUP=0 "PROGRAMSGROUP=" QUEUENGEN=1
2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\Interop.WIA.dll" /queue /AppBase:"C:\Program Files\paint.net"
3⤵
PID:2768

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.Base.dll" /queue /AppBase:"C:\Program Files\paint.net"
3⤵
PID:3008

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.SystemLayer.Native.x64.dll" /queue /AppBase:"C:\Program Files\paint.net"
3⤵
PID:4416

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.SystemLayer.Native.x86.dll" /queue /AppBase:"C:\Program Files\paint.net"
3⤵
PID:4864

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.SystemLayer.dll" /queue /AppBase:"C:\Program Files\paint.net"
3⤵
PID:2840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.Resources.dll" /queue /AppBase:"C:\Program Files\paint.net"
3⤵
PID:3800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.Core.dll" /queue /AppBase:"C:\Program Files\paint.net"
3⤵
PID:4972

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.Framework.dll" /queue /AppBase:"C:\Program Files\paint.net"
3⤵
PID:4412

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.Data.dll" /queue /AppBase:"C:\Program Files\paint.net"
3⤵
PID:4216

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.Effects.dll" /queue /AppBase:"C:\Program Files\paint.net"
3⤵
PID:3656

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.exe" /queue /AppBase:"C:\Program Files\paint.net"
3⤵
PID:3756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\Interop.WIA.dll" /queue /AppBase:"C:\Program Files\paint.net"
3⤵
- Drops file in Windows directory
PID:4940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "C:\Program Files\paint.net\PaintDotNet.SystemLayer.Native.x86.dll" /queue /AppBase:"C:\Program Files\paint.net"
3⤵
- Drops file in Windows directory
PID:2888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e56fd91.rbs
Filesize
37KB

MD5
4f091eb396133c855e57a877f82199fa

SHA1
ae50fd668e4e7e62a2382abfdf03de4dbf50c039

SHA256
ebc05d2a5e5059e984f280d0c62ccb73a90905956756d1c00c3521a456c6a564

SHA512
d81c12974ee4e3eff5d73493dd75639708e265a69f8de8e033decf7efc8ec500910bb53d94b517cf92668cd9d6dd38f64d4f5bf8ae590e374219677925cace92

Download Submit
C:\Program Files\paint.net\Interop.WIA.dll
Filesize
48KB

MD5
2f27e1285d2dca05f11a61669bdc9320

SHA1
2cd77451e67451545498b705e02a990f5a389603

SHA256
a4d410fb947f6861162584a19fe3e2ea787c38a9982e3377a1322f7ecf4ffefd

SHA512
7558857d0609bac18b210bc9f6f63d7be8990d1746f02826ebea25a8ab9b135619b67f254bee4112d59d42313e400034ea44384956bb27d4b9f8b55c787571c7

Download Submit
C:\Program Files\paint.net\PaintDotNet.Base.dll
Filesize
794KB

MD5
381eb33956d7ca29700f22cdb6d0ae95

SHA1
aff7e0f810075b84cc7a4bb487af9abccf57ec71

SHA256
be16c77910eb11512531497fc0243604067c94c886a2716d91a59e494403390f

SHA512
9b9364cc1f9c5c93610566f0bd6b177b73ffb469180615d207c29a1328f39caa73ee51736b7ad1c225daef9856159d122853549d2c449f89bce5621860f34482

Download Submit
C:\Program Files\paint.net\PaintDotNet.Base.pdb
Filesize
2.9MB

MD5
51e7a87e3f02998969323a126a7782c2

SHA1
59f4db83507c745da6191c7f8f027f7f43ea0d0d

SHA256
faa97d3d9a1f8cda51432b10d20396587fd29c9a57db97b4c29a466c37a166ab

SHA512
ac27a80c926dd486ad691de4ac5f2a2ade14bda3fbd4f3fd53be179ec2cdd397acf60698701f3f7db79ff5b22ef1da8d3ee6cceb9d9247b0f7a81b1fd2bd423e

Download Submit
C:\Program Files\paint.net\PaintDotNet.Core.pdb
Filesize
1.7MB

MD5
fcf76659dfa850aaa4bb4d85c7ba9c06

SHA1
da931739be43e8706538016533528545e68593dd

SHA256
668fadc7743e4a399a57469f29f36c6a70336942053514e1552f296eab840647

SHA512
3f3f0329159ec79b8bfd06cf6148c9e7d3a8c154a209ea16c0cad3a2161cc0e8fd040a4a461b820ccb507ce6421a5c81e686fec724a56cdbfc347ff56ca3bbe3

Download Submit
C:\Program Files\paint.net\PaintDotNet.Data.pdb
Filesize
259KB

MD5
1f73eb0e163eaea2b897b62b0f1bdfbd

SHA1
8c529d243289cba8f0739d4ab4c0528f201b8029

SHA256
7b6753f3132bcf684592d8ef6f870d730b747a6c6b95836238abeb060bedc0bb

SHA512
33e55f13af7b41a572b9487eb32c43a63774b16d2c62af94269c9735385951c4a2c9b8675dd781ce50eb0393022d508658123c8069aeb6c2a97ea13b7d204a59

Download Submit
C:\Program Files\paint.net\PaintDotNet.Effects.pdb
Filesize
481KB

MD5
238253a2128a7d69fecf8c6f2210c95b

SHA1
d98d3c4e0535443eccff2efff0b4be00c78fb98d

SHA256
13a5cdef877e744e043ac7e9925421c2de875ef568b4bba782ae71a71b394925

SHA512
a608e678b7cae0cf862319a3d1cfc12a9c60af50031acc94ae05084a77d5beb050cfd332321b6b29ba836656ada6eb5dd4ebbd2432c5f110684276e243ca7142

Download Submit
C:\Program Files\paint.net\PaintDotNet.Framework.pdb
Filesize
981KB

MD5
b661e2434c1a4b2320bc7e83c4141d1c

SHA1
62e702a32ead37d5c4734ef9061d490318185357

SHA256
d5a48f7285768161831c5a93a04674a5c88ffb510c0ab5bf206fd57b2a0316c2

SHA512
6a9b6f2905403e8cbb87aaf28787e8257605b40e984af677d9f41569d9a6396f56ce755c7517cb9c70d35075ccb74bdf7426f65d43c7875c171e1d58f44b61a9

Download Submit
C:\Program Files\paint.net\PaintDotNet.Resources.dll
Filesize
406KB

MD5
b2e9b31ec11a6eca753862d95015e59f

SHA1
07631de7203b16cd6809f5a9ceac552a19b163f6

SHA256
fca8eac426511bcfe95ae0f0c46e802a498bf9a191b9260800c80e4725ee2539

SHA512
ca48ddae39e21fc1fb9e9d4db07a7c5ef9008c72994ce8d9daa0d49b856ea322d57bcd22daeea2a703258d5f7ec237ff3c9e41682ff15e078ee49333a5a4ad20

Download Submit
C:\Program Files\paint.net\PaintDotNet.Resources.pdb
Filesize
49KB

MD5
1efc13b6fcc3c57324dd4a76d88cfa5b

SHA1
7f601a6a34dd749b53d8bc10e00b1282a10e7b0e

SHA256
9ad68f97ee6391d0477f9be3df1e048fc5382c817ff8122e496e15b6323429ab

SHA512
5675fd98ca2fd4d214b0db44fed4e4a0e8a79a19c4c5f0b11622907363d60a99d7b42211764f9fbd1672457f01d28cec95902e0ad79a6aefd8d9eb55de29eed4

Download Submit
C:\Program Files\paint.net\PaintDotNet.Strings.3.resources
Filesize
135KB

MD5
08ec0ab8f42bffaa2b6f6f2b649ca5e5

SHA1
a93abb4663efa354719f145a49f63464ee79c6d6

SHA256
40668d4cb37854408c8cee1bc6eee18fe5f6950ade73db4595037e6386bfcdd8

SHA512
22b6c4c71a2de78b5d6d36fdcb6dade4b4db8e4828345dc1cde0ae11d65b602de7ae0bd1225c48e7d411a3a63e1332c796a7adc3cdd248a890342c0e0b6ad326

Download Submit
C:\Program Files\paint.net\PaintDotNet.SystemLayer.pdb
Filesize
745KB

MD5
b173c830dc7e0ec1cc9f64f6ced1d853

SHA1
88561c791e240eed8157a0fcdb3b8944c95c51d4

SHA256
c304cdda19b57aefe642d6a983073cc7560213441ef151f935dd15817720172e

SHA512
faad3ead3308a9c55501120524dbc2b16e2301fdc0d7e400f6cd0e2b3dd144f38f416bcf5fc19b95c02b8b88c1e2f8bdac6b3bcdf4a3927258a0a0015b731759

Download Submit
C:\Program Files\paint.net\PaintDotNet.exe
Filesize
1.7MB

MD5
adc273cc4012c7769a54b65a5dcac3ff

SHA1
591d1672ea19125c5be0c0f1fb6632285ab5bb05

SHA256
21fff783ae53c6e96afc8a314e5c07ea806631a370519eae72cd4442d881f806

SHA512
9403b334c1cafd394a5283bc4c20f6683e128080da70e5c880a756df7c058f8bf9e0b75774db3d07aad199455f98a220b306c0f759d8ded292308fc50450262b

Download Submit
C:\Program Files\paint.net\PaintDotNet.pdb
Filesize
4.6MB

MD5
ea4517458557e7e32d91afebe32c19ab

SHA1
f021d37086647935a3315e7d2b18adebf398adee

SHA256
707ed3de6082e9a9d262a65a0affd5a1584c7606619feef9faea3cbaac9b5029

SHA512
643516c0fc3b97b7f093d196b85049c81dc3a6437b759403111854f5717044b52c0749d66976e0964abf687e0dcb7a0112f1384b26e57ff869b7f676ced79937

Download Submit
C:\Program Files\paint.net\PdnRepair.pdb
Filesize
13KB

MD5
b00fb5a328c2f6503ff1624bc0611c77

SHA1
3166dabca4d9fc12da33bd8e785c1323bc769edc

SHA256
0bb1da8b5bf93f7520e810ddaed03e1f1dd414f69692b7e150135243823e60a5

SHA512
f916f57c4f8db1f8b8d4fa15cdff113a004f3e5b81f82962134f0c0d64f70ec3b36db3c2d7835289d916ffed4c9a77968e1757e6732405d52a22815d4a12e5d2

Download Submit
C:\Program Files\paint.net\SetupNgen.exe
Filesize
30KB

MD5
79007be3193f29c1faf70d25cfdbcde8

SHA1
9e9653ee59cf994c5cb8a6f88dbae85b96d6bbcb

SHA256
a482122d8a7992cbbeea4edb29f771acd623f32a7324f76b4712240b665ccde5

SHA512
0d210ff97071e9ccb16f1472691b8eadc6fe5e5b6d61b909b3b11f46f5a04b15527d02482379ee742c6094f32a15aa228bc728a36eb41e7d7f0a26dde6559eeb

Download Submit
C:\Program Files\paint.net\SetupNgen.exe
Filesize
30KB

MD5
79007be3193f29c1faf70d25cfdbcde8

SHA1
9e9653ee59cf994c5cb8a6f88dbae85b96d6bbcb

SHA256
a482122d8a7992cbbeea4edb29f771acd623f32a7324f76b4712240b665ccde5

SHA512
0d210ff97071e9ccb16f1472691b8eadc6fe5e5b6d61b909b3b11f46f5a04b15527d02482379ee742c6094f32a15aa228bc728a36eb41e7d7f0a26dde6559eeb

Download Submit
C:\Program Files\paint.net\SetupNgen.exe.config
Filesize
254B

MD5
1bc345dbc4faeaec4f63cb8312126d5d

SHA1
43524734459d1990f7474c3cd1f1bf1b7db85a1d

SHA256
da6b5d988c4664f6ba13cef82c32a86df56ae7b7a195cb5fceabd09d277fac14

SHA512
33d2b803a4352483400ef79b3f4b49aeb84030eebc4db9b1d88b55a482d169fc00cdbe88142c3a31294e853464bb5849993f690ab522e026c921c05d55b02375

Download Submit
C:\Program Files\paint.net\SetupNgen.pdb
Filesize
29KB

MD5
d5551d86fcf99d0e6f9d1ac1687f0f59

SHA1
1ead8b78b31c1aee2353fe3b093dae77ecc07049

SHA256
e9192b524ee1f64de922509cc61d3372ef8642bc34a93a6f9a76c50b4037db2b

SHA512
7fa7344e6914dc9b0a441853969d20c6bd7dcfa25ac7fca97e640dac568691039c1a259b29cf06d620be8ac48d5528c19ab804802d2f9b58c7b6a66acc8e7ba4

Download Submit
C:\Program Files\paint.net\Staging\PaintDotNet_x64_1798139967.msi
Filesize
24.5MB

MD5
7abeb9e926a4ec9bba9bb1e3c4a33835

SHA1
e689fff295235305cda78a7bb28c717473dd596a

SHA256
d82ec0e8600494e67e3e961d50d9ec315a38b3837a6bdc85008393a5af11804a

SHA512
67fdb972738c4b29b0b3645f5bfaa99608331a70992f48fda7496ab3195dfa4b0749807a10558070c7c0edf30369e7ffa5be22c0a6efeb25c2b68ddc91bcf105

Download Submit
C:\Program Files\paint.net\UpdateMonitor.pdb
Filesize
13KB

MD5
9f435ded54a6cb8474a41a0f0e457eb8

SHA1
ecfd52ebe313cba2e63b0f7202d3bfd50ef5267e

SHA256
e3ec1ca6ef0673e4936f7a6b5c4f1bff7d42665451b11f0df9b65a42bfbcd9d5

SHA512
3b61cdbb0753a60bc3a6a1ae286c91d193f5c1b455732e056523ef1d10aeea6fb704308187a14f389e2bf362983bcb98f361cc7a506d187fbcbd64416b732873

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnMsiInstall.log
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\Native.x64\MSVCP100.dll
Filesize
593KB

MD5
caed4a65caf1ef80aa81e9b135326658

SHA1
a3daf85194d0b149a91e13ba83a5e4a8968427ac

SHA256
a55f33a3a03273a8ba957506946a6b7e51576eb76e588e8de8c14fa46a886860

SHA512
2ce82b3df6c29d84fb9b12c92aa8dafdeab36d21a9d3c4acaf87b70b8acc53cc81537ef39b75ee674ee44b00a2853d7434216fa55bdd7ba17a6d8fbc76d4a8a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\Native.x64\MSVCR100.dll
Filesize
808KB

MD5
aed6d63cfa5a3ef7021af9c457fee994

SHA1
f6ad746ef520b03df6cf0f5a2512d0df964c4688

SHA256
b4bfa27f677295b00a1df9a7e14db4b75cac2dd41b898d4e9a378eccce3699f0

SHA512
5573b17eb19d13cc96df5d66ef60cc8ff98e1ac9d8582a870ed2befa28ee271fb41741a92aa703234150fceadf4a436d10b8a6518c1816d0c804eb1261650d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\Native.x64\PaintDotNet.SystemLayer.Native.x64.dll
Filesize
1.0MB

MD5
5c372538fb93fd12dc3fd23b5ac4b17b

SHA1
6f8eced5bc66cb647e3e628b8e02e86d6150525d

SHA256
901d7d88656f688647e66445027f45277214233c7da7e18109234b72e5aaa4b2

SHA512
1c9464aef3df86f60e7655d4266dc3eaebdf52627fc975007a85719789ead2d3b730bbf6d501753270a2754d79490ab26dfa7698fb1d6c035550cc05ea1c5057

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\Native.x64\VCOMP100.DLL
Filesize
55KB

MD5
c4e2adbf3568ec3d4ee4ecde3e78e181

SHA1
6f6f43866f864c6e4293a1d9cdea748dc306dfd2

SHA256
1a40da0020b5296b0016e1127e32cc00a8000920f08941aa6967cc07d84e17d8

SHA512
ad4fdc2472adf26dcaca190f59acd9418d9ed7df28a4be2d26a82232aab989db803df0f8c055b4653d5b5a9db5002a7091568df43f8156c8fc91529f33a2d50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Base.dll
Filesize
794KB

MD5
381eb33956d7ca29700f22cdb6d0ae95

SHA1
aff7e0f810075b84cc7a4bb487af9abccf57ec71

SHA256
be16c77910eb11512531497fc0243604067c94c886a2716d91a59e494403390f

SHA512
9b9364cc1f9c5c93610566f0bd6b177b73ffb469180615d207c29a1328f39caa73ee51736b7ad1c225daef9856159d122853549d2c449f89bce5621860f34482

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Base.pdb
Filesize
2.9MB

MD5
51e7a87e3f02998969323a126a7782c2

SHA1
59f4db83507c745da6191c7f8f027f7f43ea0d0d

SHA256
faa97d3d9a1f8cda51432b10d20396587fd29c9a57db97b4c29a466c37a166ab

SHA512
ac27a80c926dd486ad691de4ac5f2a2ade14bda3fbd4f3fd53be179ec2cdd397acf60698701f3f7db79ff5b22ef1da8d3ee6cceb9d9247b0f7a81b1fd2bd423e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Core.dll
Filesize
545KB

MD5
a687da498111542c173cce461134532d

SHA1
56054a4bda54d680afc6af5211b0fbb8ba18a4e3

SHA256
e58f94e93f5fe5c7982276be6d3d084064141f4fc979d4360d4efeff715b8f32

SHA512
5e7cc65ddb2a3e7420d36f022abcf06b3ad70fd1606c7cdeffb5a7ef2d9b228d1bb5b93154d16c079f676088a80671705af24c675c1ee91c6fbe08611ed90c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Core.pdb
Filesize
1.7MB

MD5
fcf76659dfa850aaa4bb4d85c7ba9c06

SHA1
da931739be43e8706538016533528545e68593dd

SHA256
668fadc7743e4a399a57469f29f36c6a70336942053514e1552f296eab840647

SHA512
3f3f0329159ec79b8bfd06cf6148c9e7d3a8c154a209ea16c0cad3a2161cc0e8fd040a4a461b820ccb507ce6421a5c81e686fec724a56cdbfc347ff56ca3bbe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Framework.dll
Filesize
324KB

MD5
84fe7040be6053b7c20f5abf5844e3a4

SHA1
c738f7d9414142826eb38881b99dd3364473c82e

SHA256
de80bbb07c7bf021c5ae5a125665ea581e8b27bec1b7c403f3561d489ab12750

SHA512
fd324f814ea3041fcc662fb66c9bd458efc761c19bbe710b74ef55f0b5c27582bb2edf4abc7b43f67516139dad0e8ae7776f7e38320a8d93285435a7962c6e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Resources.dll
Filesize
406KB

MD5
b2e9b31ec11a6eca753862d95015e59f

SHA1
07631de7203b16cd6809f5a9ceac552a19b163f6

SHA256
fca8eac426511bcfe95ae0f0c46e802a498bf9a191b9260800c80e4725ee2539

SHA512
ca48ddae39e21fc1fb9e9d4db07a7c5ef9008c72994ce8d9daa0d49b856ea322d57bcd22daeea2a703258d5f7ec237ff3c9e41682ff15e078ee49333a5a4ad20

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Strings.3.KO.resources
Filesize
145KB

MD5
4f41b2726a4756653d3127d52d9d9473

SHA1
979a4047b2c947f7059924113531c1eb1b1211a0

SHA256
38eedddb8b18589268cd72efd114e75cf72cd811aae3a5fa6ea212c81901fc9d

SHA512
2dbd5a3184fb433924809cfd43dda5e791efa818ca4860fb5e6c9e78bd1be84cb0d9f7447d67ea10c227c5405ac60653f9eddabbee0caed100f20076728fe925

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Strings.3.resources
Filesize
135KB

MD5
08ec0ab8f42bffaa2b6f6f2b649ca5e5

SHA1
a93abb4663efa354719f145a49f63464ee79c6d6

SHA256
40668d4cb37854408c8cee1bc6eee18fe5f6950ade73db4595037e6386bfcdd8

SHA512
22b6c4c71a2de78b5d6d36fdcb6dade4b4db8e4828345dc1cde0ae11d65b602de7ae0bd1225c48e7d411a3a63e1332c796a7adc3cdd248a890342c0e0b6ad326

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.SystemLayer.dll
Filesize
546KB

MD5
e8a3b3b7c13b2ab9d0338c6db771a715

SHA1
af551779ca4d5e4f218b689c742d4bac0cb27a6f

SHA256
b50e58c1f829409e8290130ac9a9d29b4c344e8a7cfbc5ee27b14fe064897c34

SHA512
7ef2a48e4693234dd098016ea06ed7aa105db7b93406aba2da36e1bb0d58dbaad2bd5c01771b1a58a1455043896bf81803e85a8437f4c5a71e3e70de97d48fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.SystemLayer.pdb
Filesize
745KB

MD5
b173c830dc7e0ec1cc9f64f6ced1d853

SHA1
88561c791e240eed8157a0fcdb3b8944c95c51d4

SHA256
c304cdda19b57aefe642d6a983073cc7560213441ef151f935dd15817720172e

SHA512
faad3ead3308a9c55501120524dbc2b16e2301fdc0d7e400f6cd0e2b3dd144f38f416bcf5fc19b95c02b8b88c1e2f8bdac6b3bcdf4a3927258a0a0015b731759

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.exe
Filesize
1.7MB

MD5
dabc9d92aea441025ce8c28ea4559cf8

SHA1
07a60cf8404dcfadc469e8b23e7277ec5731c35c

SHA256
fc30fff35b3a49ef9b30b3f9fb61543875da799064f1653d3209589a6ec0f901

SHA512
5fecb4a22649067f040c058ef6282e2d1b7af55be132817481c6c035d506e4c1b812ac73ea6607009f4a44024d56191996a506b483648e5cf39aa52451a82cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet_x64.msi
Filesize
24.5MB

MD5
7abeb9e926a4ec9bba9bb1e3c4a33835

SHA1
e689fff295235305cda78a7bb28c717473dd596a

SHA256
d82ec0e8600494e67e3e961d50d9ec315a38b3837a6bdc85008393a5af11804a

SHA512
67fdb972738c4b29b0b3645f5bfaa99608331a70992f48fda7496ab3195dfa4b0749807a10558070c7c0edf30369e7ffa5be22c0a6efeb25c2b68ddc91bcf105

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet_x86.msi
Filesize
24.5MB

MD5
0f62629b202d027121ba2ef4bc27d84d

SHA1
b147745c971bf4b1f537e1493f6de255427ded70

SHA256
2be682aa9502029df2863b79669d689dcded14d9b9569be4680b7e8d2b5d3a77

SHA512
aca29118aaf8d24de5b69f85c5468ebe71c2527dfc8fe3956f51b4765764c99c6d449e3c5621ab7e127063f58db21279b51c45db3dca0aac5f12638be02c352d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\SetupFrontEnd.exe
Filesize
87KB

MD5
206c0d4f87bd6e39739c0cfa263d6f6a

SHA1
daa7462cebe7b8542f297b1ebb775c2e376f4e5d

SHA256
df165504f703cdb967db31e4a41c46ee529218559d78757af6477c505262f638

SHA512
ce1e9adaa1b6d58e63d7e0a98eed58575e49467e611ee9cecd56cdf7cdd13d260ad96a91b2bf710017bac40e8517185b7564a40431e8d11fec28af13ba28f73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\SetupFrontEnd.exe
Filesize
87KB

MD5
206c0d4f87bd6e39739c0cfa263d6f6a

SHA1
daa7462cebe7b8542f297b1ebb775c2e376f4e5d

SHA256
df165504f703cdb967db31e4a41c46ee529218559d78757af6477c505262f638

SHA512
ce1e9adaa1b6d58e63d7e0a98eed58575e49467e611ee9cecd56cdf7cdd13d260ad96a91b2bf710017bac40e8517185b7564a40431e8d11fec28af13ba28f73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\SetupFrontEnd.exe.config
Filesize
427B

MD5
4c5edd8d3ece900cbf84c2e46d74181b

SHA1
4bb9c069c8aa3d73c0198bd4ca4c61e337b907a6

SHA256
2f38fcc122157d8d01c226c0e24243ab4b914e0907b426c52fd676b62fc01dc6

SHA512
36b9ac7a63bf0dd06f70f2f021ef07ecebc8003cf6e16035e4e8e01dc18d11da79d51eef17d72a80ebb12cacad987cd2640df783cf126ce2c6a4b6fe57991148

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\SetupFrontEnd.pdb
Filesize
125KB

MD5
85196954d12e64ca5e40eda39b8db55c

SHA1
0d515dc5d4c6212d526db69108ab212cf15beb26

SHA256
617cc8782eda3a62f4b0ec9fafd46c61ba68e3aaa5d81d664745f21c2482d1b7

SHA512
d2cae7412e82cd4f4fa3ec00cccf8cc4f20412d335c04d3e722dff56a639d6a51e67cfda5209b52b3b318f1be1426ab37b9701cb9623f709f257a61efd7c4839

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\SetupShim.exe
Filesize
79KB

MD5
ed3a8f3f53130d1b3681e44b4aae890e

SHA1
0b01354b0b52b08a436e114ce8d25d2fac655810

SHA256
b8eb5307deb4508e91ed1a29fa04a4800485073e450bbbe55e35bd9c8bce58dc

SHA512
9ae42d38bf75a5db64056f16af23252178e22a5b672e2235722705908c1b3dba886bcd576c6464a0c4168fd9c54a87fbca03c688dec4cc23a46cb5597ba4c78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\SetupShim.exe
Filesize
79KB

MD5
ed3a8f3f53130d1b3681e44b4aae890e

SHA1
0b01354b0b52b08a436e114ce8d25d2fac655810

SHA256
b8eb5307deb4508e91ed1a29fa04a4800485073e450bbbe55e35bd9c8bce58dc

SHA512
9ae42d38bf75a5db64056f16af23252178e22a5b672e2235722705908c1b3dba886bcd576c6464a0c4168fd9c54a87fbca03c688dec4cc23a46cb5597ba4c78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp5403.tmp\System.dll
Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log
Filesize
592B

MD5
e3084cc308c3797979a835c25cf5f259

SHA1
4aa1e44440e70d2c4e9a71505f848f74d873e3ab

SHA256
5220a08c29ca1e6259e047ee71f9f628c830b24f1f595bbfadb50a2a1a5e3624

SHA512
e61762b45c445a06e4e8f67e0e6da273939438976e1f5a6209aa6ce000492498215702a68dc561ecba8cec42ad814e1c921fb27289f20b4921f5728ac6da411a

Download Submit
C:\Windows\Installer\MSI465.tmp
Filesize
231KB

MD5
5494165b1384faeefdd3d5133df92f5a

SHA1
b7b82805f1a726c4eee39152d1a6a59031d7798c

SHA256
ba0ad3a4d2112b269e379a2231128e7ebe23e95d5d04878d6ee8815e657bb055

SHA512
ecd5012df2a060fa58664e856a84716f162d3420e7a7a1368612451ec65f2dcd674c7031d780a6c9d357700f6baeb31325748bc29270850ee4070079f15be613

Download Submit
C:\Windows\Installer\MSI84E.tmp
Filesize
231KB

MD5
5494165b1384faeefdd3d5133df92f5a

SHA1
b7b82805f1a726c4eee39152d1a6a59031d7798c

SHA256
ba0ad3a4d2112b269e379a2231128e7ebe23e95d5d04878d6ee8815e657bb055

SHA512
ecd5012df2a060fa58664e856a84716f162d3420e7a7a1368612451ec65f2dcd674c7031d780a6c9d357700f6baeb31325748bc29270850ee4070079f15be613

Download Submit
C:\Windows\Installer\e56fd8f.msi
Filesize
24.5MB

MD5
7abeb9e926a4ec9bba9bb1e3c4a33835

SHA1
e689fff295235305cda78a7bb28c717473dd596a

SHA256
d82ec0e8600494e67e3e961d50d9ec315a38b3837a6bdc85008393a5af11804a

SHA512
67fdb972738c4b29b0b3645f5bfaa99608331a70992f48fda7496ab3195dfa4b0749807a10558070c7c0edf30369e7ffa5be22c0a6efeb25c2b68ddc91bcf105

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log
Filesize
22KB

MD5
e72c8a26104bcff1da02cdb52bf33f1c

SHA1
920bda237a5bed4721765625810eec2cf34f4a6c

SHA256
e56d69964262b95324032b76c626a772e6d185ed71033519a0e16feac8961bd6

SHA512
6789d9b64a2833ca9f92fd7157ce42532f1633e9ac374928e06a1d11228b50a487dfdfb54f2427dfc668ea6dcc781f76e87e234adf72017af8fb98618665b4a6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log
Filesize
22KB

MD5
658cf38056c409aa6e94271990f40f1a

SHA1
bbc622d6732e2387256f76b756830b008ed22077

SHA256
66b8811e7a985249762a2b395906a212ac7e89d7852bf767e90570160ccb80f0

SHA512
f12e947fc4b6252d1439acf337395d760dfad6de6a7019c2fb54fb579950e547249f82104c0a7b219d84b053ee304d62c6899a7ab286f14398cd98e05d07f6fa

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Interop.WIA\75b63ac42ed11be29a1db1e46615dabb\Interop.WIA.ni.dll
Filesize
92KB

MD5
39287d92c7a99ac1e3999d82409bcb71

SHA1
3058842993880740ae1b9124e06ec58bbf033484

SHA256
93cc5583fb4acf1d4e10860f0a4c54ff032affbbd19736b0b67004064b57031d

SHA512
1400c8e5485dbe4082859bee5ef42428e2c6bcdb05f84ce9f73927ea7afae46d1790af1a34c802b25ee84423f2767fb6b4e3305f1d9cbf499f5a3e7717d94508

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Interop.WIA\ca3814c748b66e2980433ea7f75a8920\Interop.WIA.ni.dll
Filesize
256KB

MD5
c3e48c24be2e2a6bd47c155f94a68f19

SHA1
9f63096374d986fc34a8f138a3b28b1095fa1b5b

SHA256
5ab82c2974c36b646019c5fc5f5b5478bc13917d6ff0cdcb300dcf372e9005aa

SHA512
2a08661b2085285e1b70204f63245ce493ccee46f08845ab4888b7a4d29062261e8261273a680ab0d25744c6d4c5ae9a3273adf3116fae22d7b69eb319b25dc5

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\cd03f7a1d6c4031c515fb3f50c42e268\System.Data.SqlXml.ni.dll
Filesize
3.0MB

MD5
0bdbc8f0fb2097d58e463ab73f8c44d8

SHA1
c159252064305d27d4b6dfbfdbdc233ac331a453

SHA256
6cf016fbbee0fd57d6c44b81d913d8206fb7262413d9d15f7c62e7dfe5d5147a

SHA512
91afc6b85cbff3fbf4688c117effb8faa1268a2c16e29176a51807204529b40607cda3d6b5a83583a908c791c96073610fe7640f6a934578cc126b560f5d4803

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\cd03f7a1d6c4031c515fb3f50c42e268\System.Data.SqlXml.ni.dll.aux
Filesize
708B

MD5
cc288359dd8b9708bb4d4e51320b6db6

SHA1
9b6843309992113b33d59e2fa5acb8ba0e07d858

SHA256
739e072b761a10d032a06e6cf7291796cea2b8213dfc8b21f29e206d1a5103fe

SHA512
bb9e751afd0bfb51b6c5b119bc501f2ba0a036d4cb942c5b40ecd342eb749c316e463f0c858c5c4b79ce83b86fb4d1d72ecfa25208d3d741a2561404e5f8ae0d

Download Submit
\Users\Admin\AppData\Local\Temp\PdnSetup\Native.x64\PaintDotNet.SystemLayer.Native.x64.dll
Filesize
1.0MB

MD5
5c372538fb93fd12dc3fd23b5ac4b17b

SHA1
6f8eced5bc66cb647e3e628b8e02e86d6150525d

SHA256
901d7d88656f688647e66445027f45277214233c7da7e18109234b72e5aaa4b2

SHA512
1c9464aef3df86f60e7655d4266dc3eaebdf52627fc975007a85719789ead2d3b730bbf6d501753270a2754d79490ab26dfa7698fb1d6c035550cc05ea1c5057

Download Submit
\Users\Admin\AppData\Local\Temp\PdnSetup\Native.x64\PaintDotNet.SystemLayer.Native.x64.dll
Filesize
1.0MB

MD5
5c372538fb93fd12dc3fd23b5ac4b17b

SHA1
6f8eced5bc66cb647e3e628b8e02e86d6150525d

SHA256
901d7d88656f688647e66445027f45277214233c7da7e18109234b72e5aaa4b2

SHA512
1c9464aef3df86f60e7655d4266dc3eaebdf52627fc975007a85719789ead2d3b730bbf6d501753270a2754d79490ab26dfa7698fb1d6c035550cc05ea1c5057

Download Submit
\Users\Admin\AppData\Local\Temp\PdnSetup\Native.x64\PaintDotNet.SystemLayer.Native.x64.dll
Filesize
1.0MB

MD5
5c372538fb93fd12dc3fd23b5ac4b17b

SHA1
6f8eced5bc66cb647e3e628b8e02e86d6150525d

SHA256
901d7d88656f688647e66445027f45277214233c7da7e18109234b72e5aaa4b2

SHA512
1c9464aef3df86f60e7655d4266dc3eaebdf52627fc975007a85719789ead2d3b730bbf6d501753270a2754d79490ab26dfa7698fb1d6c035550cc05ea1c5057

Download Submit
\Users\Admin\AppData\Local\Temp\PdnSetup\Native.x64\msvcp100.dll
Filesize
593KB

MD5
caed4a65caf1ef80aa81e9b135326658

SHA1
a3daf85194d0b149a91e13ba83a5e4a8968427ac

SHA256
a55f33a3a03273a8ba957506946a6b7e51576eb76e588e8de8c14fa46a886860

SHA512
2ce82b3df6c29d84fb9b12c92aa8dafdeab36d21a9d3c4acaf87b70b8acc53cc81537ef39b75ee674ee44b00a2853d7434216fa55bdd7ba17a6d8fbc76d4a8a3

Download Submit
\Users\Admin\AppData\Local\Temp\PdnSetup\Native.x64\msvcr100.dll
Filesize
808KB

MD5
aed6d63cfa5a3ef7021af9c457fee994

SHA1
f6ad746ef520b03df6cf0f5a2512d0df964c4688

SHA256
b4bfa27f677295b00a1df9a7e14db4b75cac2dd41b898d4e9a378eccce3699f0

SHA512
5573b17eb19d13cc96df5d66ef60cc8ff98e1ac9d8582a870ed2befa28ee271fb41741a92aa703234150fceadf4a436d10b8a6518c1816d0c804eb1261650d2d

Download Submit
\Users\Admin\AppData\Local\Temp\PdnSetup\Native.x64\vcomp100.dll
Filesize
55KB

MD5
c4e2adbf3568ec3d4ee4ecde3e78e181

SHA1
6f6f43866f864c6e4293a1d9cdea748dc306dfd2

SHA256
1a40da0020b5296b0016e1127e32cc00a8000920f08941aa6967cc07d84e17d8

SHA512
ad4fdc2472adf26dcaca190f59acd9418d9ed7df28a4be2d26a82232aab989db803df0f8c055b4653d5b5a9db5002a7091568df43f8156c8fc91529f33a2d50d

Download Submit
\Users\Admin\AppData\Local\Temp\nsp5403.tmp\System.dll
Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsp5403.tmp\System.dll
Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Windows\Installer\MSI465.tmp
Filesize
231KB

MD5
5494165b1384faeefdd3d5133df92f5a

SHA1
b7b82805f1a726c4eee39152d1a6a59031d7798c

SHA256
ba0ad3a4d2112b269e379a2231128e7ebe23e95d5d04878d6ee8815e657bb055

SHA512
ecd5012df2a060fa58664e856a84716f162d3420e7a7a1368612451ec65f2dcd674c7031d780a6c9d357700f6baeb31325748bc29270850ee4070079f15be613

Download Submit
\Windows\Installer\MSI84E.tmp
Filesize
231KB

MD5
5494165b1384faeefdd3d5133df92f5a

SHA1
b7b82805f1a726c4eee39152d1a6a59031d7798c

SHA256
ba0ad3a4d2112b269e379a2231128e7ebe23e95d5d04878d6ee8815e657bb055

SHA512
ecd5012df2a060fa58664e856a84716f162d3420e7a7a1368612451ec65f2dcd674c7031d780a6c9d357700f6baeb31325748bc29270850ee4070079f15be613

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP253B.tmp\Interop.WIA.dll
Filesize
256KB

MD5
c3e48c24be2e2a6bd47c155f94a68f19

SHA1
9f63096374d986fc34a8f138a3b28b1095fa1b5b

SHA256
5ab82c2974c36b646019c5fc5f5b5478bc13917d6ff0cdcb300dcf372e9005aa

SHA512
2a08661b2085285e1b70204f63245ce493ccee46f08845ab4888b7a4d29062261e8261273a680ab0d25744c6d4c5ae9a3273adf3116fae22d7b69eb319b25dc5

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP253B.tmp\Interop.WIA.dll
Filesize
256KB

MD5
c3e48c24be2e2a6bd47c155f94a68f19

SHA1
9f63096374d986fc34a8f138a3b28b1095fa1b5b

SHA256
5ab82c2974c36b646019c5fc5f5b5478bc13917d6ff0cdcb300dcf372e9005aa

SHA512
2a08661b2085285e1b70204f63245ce493ccee46f08845ab4888b7a4d29062261e8261273a680ab0d25744c6d4c5ae9a3273adf3116fae22d7b69eb319b25dc5

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\cd03f7a1d6c4031c515fb3f50c42e268\System.Data.SqlXml.ni.dll
Filesize
3.0MB

MD5
0bdbc8f0fb2097d58e463ab73f8c44d8

SHA1
c159252064305d27d4b6dfbfdbdc233ac331a453

SHA256
6cf016fbbee0fd57d6c44b81d913d8206fb7262413d9d15f7c62e7dfe5d5147a

SHA512
91afc6b85cbff3fbf4688c117effb8faa1268a2c16e29176a51807204529b40607cda3d6b5a83583a908c791c96073610fe7640f6a934578cc126b560f5d4803

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\cd03f7a1d6c4031c515fb3f50c42e268\System.Data.SqlXml.ni.dll
Filesize
3.0MB

MD5
0bdbc8f0fb2097d58e463ab73f8c44d8

SHA1
c159252064305d27d4b6dfbfdbdc233ac331a453

SHA256
6cf016fbbee0fd57d6c44b81d913d8206fb7262413d9d15f7c62e7dfe5d5147a

SHA512
91afc6b85cbff3fbf4688c117effb8faa1268a2c16e29176a51807204529b40607cda3d6b5a83583a908c791c96073610fe7640f6a934578cc126b560f5d4803

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\cd03f7a1d6c4031c515fb3f50c42e268\System.Data.SqlXml.ni.dll
Filesize
3.0MB

MD5
0bdbc8f0fb2097d58e463ab73f8c44d8

SHA1
c159252064305d27d4b6dfbfdbdc233ac331a453

SHA256
6cf016fbbee0fd57d6c44b81d913d8206fb7262413d9d15f7c62e7dfe5d5147a

SHA512
91afc6b85cbff3fbf4688c117effb8faa1268a2c16e29176a51807204529b40607cda3d6b5a83583a908c791c96073610fe7640f6a934578cc126b560f5d4803

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\cd03f7a1d6c4031c515fb3f50c42e268\System.Data.SqlXml.ni.dll
Filesize
3.0MB

MD5
0bdbc8f0fb2097d58e463ab73f8c44d8

SHA1
c159252064305d27d4b6dfbfdbdc233ac331a453

SHA256
6cf016fbbee0fd57d6c44b81d913d8206fb7262413d9d15f7c62e7dfe5d5147a

SHA512
91afc6b85cbff3fbf4688c117effb8faa1268a2c16e29176a51807204529b40607cda3d6b5a83583a908c791c96073610fe7640f6a934578cc126b560f5d4803

Download Submit
memory/220-3754-0x000002847AD00000-0x000002847AD34000-memory.dmp

Filesize
208KB

Download
memory/352-682-0x0000064449980000-0x00000644499D6000-memory.dmp

Filesize
344KB

Download
memory/1136-6530-0x0000000000B10000-0x0000000000CC0000-memory.dmp

Filesize
1.7MB

Download
memory/1136-6532-0x000000001BB10000-0x000000001BB20000-memory.dmp

Filesize
64KB

Download
memory/1136-6533-0x000000001BB10000-0x000000001BB20000-memory.dmp

Filesize
64KB

Download
memory/1136-6536-0x000000001BB10000-0x000000001BB20000-memory.dmp

Filesize
64KB

Download
memory/1136-6658-0x000000001BB10000-0x000000001BB20000-memory.dmp

Filesize
64KB

Download
memory/1344-654-0x00000644308A0000-0x00000644308C2000-memory.dmp

Filesize
136KB

Download
memory/1524-437-0x000001C3751C0000-0x000001C3751D0000-memory.dmp

Filesize
64KB

Download
memory/1524-441-0x000001C373310000-0x000001C373320000-memory.dmp

Filesize
64KB

Download
memory/1808-4889-0x0000000009530000-0x0000000009628000-memory.dmp

Filesize
992KB

Download
memory/1872-459-0x00000172A5430000-0x00000172A5452000-memory.dmp

Filesize
136KB

Download
memory/1872-458-0x00000172A56D0000-0x00000172A5782000-memory.dmp

Filesize
712KB

Download
memory/1872-457-0x000001728D2C0000-0x000001728D310000-memory.dmp

Filesize
320KB

Download
memory/1872-460-0x000001728CF10000-0x000001728CF1E000-memory.dmp

Filesize
56KB

Download
memory/1872-461-0x00000172A5460000-0x00000172A5498000-memory.dmp

Filesize
224KB

Download
memory/1872-462-0x00000172A5830000-0x00000172A58D0000-memory.dmp

Filesize
640KB

Download
memory/1872-463-0x00000172A59B0000-0x00000172A5A84000-memory.dmp

Filesize
848KB

Download
memory/1872-464-0x00000172A5790000-0x00000172A57EA000-memory.dmp

Filesize
360KB

Download
memory/1872-465-0x00000172A5A90000-0x00000172A5B66000-memory.dmp

Filesize
856KB

Download
memory/1872-466-0x000001728D290000-0x000001728D2A2000-memory.dmp

Filesize
72KB

Download
memory/1872-467-0x00000172A54D0000-0x00000172A54F2000-memory.dmp

Filesize
136KB

Download
memory/1920-3004-0x0000000000910000-0x0000000000A08000-memory.dmp

Filesize
992KB

Download
memory/2984-237-0x000000001BCB0000-0x000000001BE60000-memory.dmp

Filesize
1.7MB

Download
memory/2984-263-0x000000001BC60000-0x000000001BC70000-memory.dmp

Filesize
64KB

Download
memory/2984-256-0x000000001BC60000-0x000000001BC70000-memory.dmp

Filesize
64KB

Download
memory/2984-229-0x00000000009E0000-0x00000000009FA000-memory.dmp

Filesize
104KB

Download
memory/2984-231-0x000000001B4C0000-0x000000001B54E000-memory.dmp

Filesize
568KB

Download
memory/2984-233-0x000000001B930000-0x000000001B9FC000-memory.dmp

Filesize
816KB

Download
memory/2984-235-0x000000001B550000-0x000000001B5DA000-memory.dmp

Filesize
552KB

Download
memory/2984-242-0x000000001BC60000-0x000000001BC70000-memory.dmp

Filesize
64KB

Download
memory/2984-259-0x000000001BC60000-0x000000001BC70000-memory.dmp

Filesize
64KB

Download
memory/2984-262-0x000000001BC60000-0x000000001BC70000-memory.dmp

Filesize
64KB

Download
memory/2984-246-0x000000001BE60000-0x000000001BF6E000-memory.dmp

Filesize
1.1MB

Download
memory/2984-258-0x000000001BC60000-0x000000001BC70000-memory.dmp

Filesize
64KB

Download
memory/2984-239-0x000000001BB00000-0x000000001BB6A000-memory.dmp

Filesize
424KB

Download
memory/2984-260-0x000000001BC60000-0x000000001BC70000-memory.dmp

Filesize
64KB

Download
memory/2984-261-0x000000001BC60000-0x000000001BC70000-memory.dmp

Filesize
64KB

Download
memory/2984-241-0x0000000002A70000-0x0000000002AC6000-memory.dmp

Filesize
344KB

Download
memory/3004-538-0x0000064449A20000-0x0000064449B13000-memory.dmp

Filesize
972KB

Download
memory/3020-3668-0x0000020133440000-0x000002013345A000-memory.dmp

Filesize
104KB

Download
memory/3024-3049-0x000001D7E26A0000-0x000001D7E26B0000-memory.dmp

Filesize
64KB

Download
memory/3024-399-0x0000000000C70000-0x0000000000C7C000-memory.dmp

Filesize
48KB

Download
memory/3336-4608-0x00000000076A0000-0x00000000076B0000-memory.dmp

Filesize
64KB

Download
memory/3916-604-0x0000064430900000-0x00000644309AB000-memory.dmp

Filesize
684KB

Download
memory/3924-610-0x00000644300E0000-0x0000064430114000-memory.dmp

Filesize
208KB

Download
memory/4152-486-0x00000644451A0000-0x0000064445496000-memory.dmp

Filesize
3.0MB

Download
memory/4156-515-0x00000644A0000000-0x00000644A04B8000-memory.dmp

Filesize
4.7MB

Download
memory/4404-3847-0x000001F3EE700000-0x000001F3EE8B0000-memory.dmp

Filesize
1.7MB

Download
memory/4404-3848-0x000001F3EE380000-0x000001F3EE39C000-memory.dmp

Filesize
112KB

Download
memory/4404-3849-0x000001F3EE3A0000-0x000001F3EE3B2000-memory.dmp

Filesize
72KB

Download
memory/4536-4635-0x0000000009ED0000-0x0000000009F2B000-memory.dmp

Filesize
364KB

Download
memory/4536-4637-0x0000000009E70000-0x0000000009E82000-memory.dmp

Filesize
72KB

Download
memory/4536-4628-0x0000000009CD0000-0x0000000009D20000-memory.dmp

Filesize
320KB

Download
memory/4536-4629-0x0000000009F30000-0x0000000009FE2000-memory.dmp

Filesize
712KB

Download
memory/4536-4630-0x0000000009C10000-0x0000000009C1A000-memory.dmp

Filesize
40KB

Download
memory/4536-4631-0x0000000009C20000-0x0000000009C2E000-memory.dmp

Filesize
56KB

Download
memory/4536-4632-0x0000000009D60000-0x0000000009D98000-memory.dmp

Filesize
224KB

Download
memory/4536-4633-0x000000000A0F0000-0x000000000A190000-memory.dmp

Filesize
640KB

Download
memory/4536-4634-0x000000000A270000-0x000000000A344000-memory.dmp

Filesize
848KB

Download
memory/4536-4626-0x0000000009DA0000-0x0000000009E6C000-memory.dmp

Filesize
816KB

Download
memory/4536-4636-0x000000000A350000-0x000000000A426000-memory.dmp

Filesize
856KB

Download
memory/4536-4627-0x0000000009B90000-0x0000000009BB2000-memory.dmp

Filesize
136KB

Download
memory/4536-4638-0x000000000A930000-0x000000000AE2E000-memory.dmp

Filesize
5.0MB

Download
memory/4536-4639-0x000000000A210000-0x000000000A232000-memory.dmp

Filesize
136KB

Download
memory/4536-4640-0x000000000A4A0000-0x000000000A506000-memory.dmp

Filesize
408KB

Download
memory/4536-4625-0x0000000007A10000-0x0000000007A18000-memory.dmp

Filesize
32KB

Download
memory/4536-4624-0x0000000009C30000-0x0000000009CC2000-memory.dmp

Filesize
584KB

Download
memory/4536-4623-0x0000000009A90000-0x0000000009B88000-memory.dmp

Filesize
992KB

Download
memory/4552-566-0x0000064443EC0000-0x0000064443F0F000-memory.dmp

Filesize
316KB

Download
memory/4956-2936-0x0000011450820000-0x0000011450828000-memory.dmp

Filesize
32KB

Download
memory/4956-2935-0x00000000004D0000-0x00000000005DE000-memory.dmp

Filesize
1.1MB

Download