Malware Analysis Report

2025-04-14 07:58

Sample ID: 231031-lkzhpshb83
Target: PaintDotNet_x64_5.0.11.msi
SHA256: 053d7f5aa89926bcc1886e7b41cf0096baafa0f5dffcb7f5a7fbfe0ef54505ff
Tags: persistence strela
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

053d7f5aa89926bcc1886e7b41cf0096baafa0f5dffcb7f5a7fbfe0ef54505ff

Threat Level: Known bad

The file PaintDotNet_x64_5.0.11.msi was found to be: Known bad.

Malicious Activity Summary

persistence strela

Strela family

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Registers COM server for autorun

Blocklisted process makes network request

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Modifies registry class

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-31 09:37

Signatures

Strela family

strela

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-31 09:36

Reported

2023-10-31 09:41

Platform

win7-20231020-en

Max time kernel

118s

Max time network

134s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PaintDotNet_x64_5.0.11.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PaintDotNet_x64_5.0.11.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Files

C:\Users\Admin\AppData\Local\Temp\Cab71A9.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar71AC.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-31 09:36

Reported

2023-10-31 09:41

Platform

win10v2004-20231020-en

Max time kernel

149s

Max time network

161s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PaintDotNet_x64_5.0.11.msi

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Program Files\paint.net\paintdotnet.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32 C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ = "C:\\Program Files\\paint.net\\PaintDotNet.ShellExtension.x64.dll" C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\paint.net\paintdotnet.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\paint.net\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PaintDotNet.Base.pdb C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PaintDotNet.Core.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PaintDotNet.Data.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PaintDotNet.Strings.3.ca.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Numerics.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\mscorlib.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Diagnostics.Process.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\Bundled\WebPFileType\Readme.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PaintDotNet.UI.pdb C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\ComputeSharp.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PaintDotNet.ComponentModel.pdb C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PaintDotNet.Effects.Legacy.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PaintDotNet.Strings.3.fa.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Diagnostics.Contracts.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Diagnostics.Tracing.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Net.Http.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\paintdotnet.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.IO.Compression.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Reflection.Primitives.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Reflection.Extensions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\hostpolicy.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\mscordaccore.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Runtime.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\Bundled\AvifFileType\Third Party Notices.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\Mono.Cecil.Mdb.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\mscordbi.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PaintDotNet.Systrace.pdb C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PresentationFramework.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Globalization.Calendars.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\Resources\zh-cn\Images.PayPalDonate.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Configuration.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Net.ServicePoint.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PaintDotNet.Strings.3.hu.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PaintDotNet.Strings.3.lt.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PaintDotNet.Strings.3.zh-TW.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Data.Common.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Linq.Expressions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\Microsoft.Windows.SDK.NET.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Runtime.Handles.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PaintDotNet.Framework.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PresentationFramework.Aero.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.AppContext.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Linq.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Net.NetworkInformation.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Xml.XDocument.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\Microsoft.DiaSymReader.Native.amd64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PaintDotNet.Framework.pdb C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PaintDotNet.Strings.3.el.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PresentationCore.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Net.WebProxy.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PaintDotNet.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\PaintDotNet.Resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Data.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.IO.Compression.Brotli.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\paintdotnet.runtimeconfig.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.IO.UnmanagedMemoryStream.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Reflection.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Threading.Channels.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\wpfgfx_cor3.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\Resources\de\Images.PayPalDonate.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.Diagnostics.PerformanceCounter.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\System.ObjectModel.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\paint.net\vcruntime140_cor3.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{019781E7-35CF-47A0-BD56-B1099A3E92EF}\app_icon.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI69E1.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e584b1d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e584b1d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{019781E7-35CF-47A0-BD56-B1099A3E92EF} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5C15.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e584b1f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{019781E7-35CF-47A0-BD56-B1099A3E92EF}\app_icon.ico C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000ce060165ac6eec080000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000ce0601650000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900ce060165000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dce060165000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000ce06016500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\paint.net\paintdotnet.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\paint.net\paintdotnet.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1B C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1c C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\04F04A40702A84B4EA7DA65A234E2357\7E187910FC530A74DB651B90A9E329FE C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.pdn C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.jpe\OpenWithProgids\paint.net.1 C:\Program Files\paint.net\paintdotnet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.rle\OpenWithProgids C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E187910FC530A74DB651B90A9E329FE\SourceList\PackageName = "PaintDotNet_x64_5.0.11.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\edit C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\URL Protocol C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\shell\open\command\ = "\"C:\\Program Files\\paint.net\\paintdotnet.exe\" %1" C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\edit\command\ = "\"C:\\Program Files\\paint.net\\paintdotnet.exe\" \"%1\"" C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\paint.net.1 C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E187910FC530A74DB651B90A9E329FE\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\ShellEx C:\Program Files\paint.net\paintdotnet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tga C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.wmp C:\Program Files\paint.net\paintdotnet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider\CurVer C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.gif\OpenWithProgids\paint.net.1 C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tga\OpenWithProgids\paint.net.1 C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.wdp C:\Program Files\paint.net\paintdotnet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7E187910FC530A74DB651B90A9E329FE C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\CurVer\ = "paint.net.1" C:\Program Files\paint.net\paintdotnet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\shell C:\Program Files\paint.net\paintdotnet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\ShellEx C:\Program Files\paint.net\paintdotnet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32 C:\Program Files\paint.net\paintdotnet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe C:\Program Files\paint.net\paintdotnet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\shell\edit C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rle\OpenWithProgids\paint.net.1 C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\shell\edit\command\ = "\"C:\\Program Files\\paint.net\\paintdotnet.exe\" \"%1\"" C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\PerceivedType = "image" C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.heic\OpenWithProgids\paint.net.1 C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E187910FC530A74DB651B90A9E329FE\ProductName = "paint.net" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E187910FC530A74DB651B90A9E329FE\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\CurVer C:\Program Files\paint.net\paintdotnet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}\ = "{FBF113F1-D7C8-477C-A23A-E600E7937E11}" C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.webp C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\DefaultIcon\ = "C:\\Program Files\\paint.net\\paintdotnet.exe,0" C:\Program Files\paint.net\paintdotnet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\OpenWithProgids C:\Program Files\paint.net\paintdotnet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.avif\OpenWithProgids C:\Program Files\paint.net\paintdotnet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\open\command C:\Program Files\paint.net\paintdotnet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pdn C:\Program Files\paint.net\paintdotnet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dds\OpenWithProgids C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wdp\OpenWithProgids\paint.net.1 C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\ = "paint.net Image" C:\Program Files\paint.net\paintdotnet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tga\OpenWithProgids C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.tif C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E187910FC530A74DB651B90A9E329FE\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\print\command\ = "\"C:\\Program Files\\paint.net\\paintdotnet.exe\" \"print:%1\"" C:\Program Files\paint.net\paintdotnet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E187910FC530A74DB651B90A9E329FE\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\open C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.jpeg\OpenWithProgids\paint.net.1 C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.png C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E187910FC530A74DB651B90A9E329FE\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\ = "paint.net.1" C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dib\OpenWithProgids\paint.net.1 C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.jpe C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.gif C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tif\OpenWithProgids\paint.net.1 C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wmp\OpenWithProgids\paint.net.1 C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\ = "URL:paint.net" C:\Program Files\paint.net\paintdotnet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider\CLSID C:\Program Files\paint.net\paintdotnet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\shell\edit\command C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.dib C:\Program Files\paint.net\paintdotnet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E187910FC530A74DB651B90A9E329FE\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files\paint.net\paintdotnet.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PaintDotNet_x64_5.0.11.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Program Files\paint.net\paintdotnet.exe

"C:\Program Files\paint.net\paintdotnet.exe" /setupActions /install DESKTOPSHORTCUT=1 PDNUPDATING= SKIPCLEANUP= "PROGRAMSGROUP=" /disablePGO /skipEstablishNVProfile /skipRepairAttempt

C:\Program Files\paint.net\paintdotnet.exe

"C:\Program Files\paint.net\paintdotnet.exe"

C:\Program Files\paint.net\paintdotnet.exe

"C:\Program Files\paint.net\paintdotnet.exe" "/showCrashLog=C:\Users\Admin\AppData\Local\paint.net\CrashLogs\pdncrash.1.log"

Network


Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_2CDE88B3CC9A35A2EA16DC0201366139

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\49855FCDFA62840A2838AEF1EFAC3C9B

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\49855FCDFA62840A2838AEF1EFAC3C9B

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7850C7BAFAC9456B4B92328A61976502_A0954CE132A4412D395C5C218DA419B1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7850C7BAFAC9456B4B92328A61976502_A0954CE132A4412D395C5C218DA419B1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_2CDE88B3CC9A35A2EA16DC0201366139

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50

C:\Program Files\paint.net\PaintDotNet.Strings.3.da.resources

C:\Program Files\paint.net\paintdotnet.exe

C:\Program Files\paint.net\VCRUNTIME140.dll

C:\Program Files\paint.net\vcruntime140_1.dll

C:\Program Files\paint.net\hostfxr.dll

C:\Program Files\paint.net\hostpolicy.dll

C:\Program Files\paint.net\paintdotnet.deps.json

C:\Program Files\paint.net\paintdotnet.runtimeconfig.json

C:\Program Files\paint.net\coreclr.dll

C:\Program Files\paint.net\System.Private.CoreLib.dll

C:\Program Files\paint.net\clrjit.dll

C:\Program Files\paint.net\paintdotnet.dll

C:\Program Files\paint.net\System.Runtime.dll

C:\Program Files\paint.net\System.Diagnostics.Tracing.dll

C:\Program Files\paint.net\PaintDotNet.Fundamentals.dll

C:\Program Files\paint.net\System.Windows.Forms.dll

C:\Program Files\paint.net\PaintDotNet.Base.dll

C:\Program Files\paint.net\PaintDotNet.Primitives.dll

C:\Program Files\paint.net\System.Private.Uri.dll

C:\Program Files\paint.net\PaintDotNet.SystemLayer.Native.x64.dll

memory/2840-498-0x00007FFB99440000-0x00007FFB9993A000-memory.dmp

C:\Program Files\paint.net\System.Diagnostics.Process.dll

C:\Program Files\paint.net\PaintDotNet.Systrace.dll

C:\Program Files\paint.net\PaintDotNet.SystemLayer.dll

C:\Program Files\paint.net\System.Threading.dll

C:\Program Files\paint.net\PointerToolkit.dll

C:\Program Files\paint.net\PaintDotNet.Runtime.dll

C:\Program Files\paint.net\TerraFX.Interop.Windows.dll

C:\Program Files\paint.net\PaintDotNet.Windows.dll

C:\Program Files\paint.net\PaintDotNet.ComponentModel.dll

C:\Program Files\paint.net\PaintDotNet.Collections.dll

MD5 51d9905e7851da53c2fffa0a12233a9b
SHA1 369e3ba4b45d54b6b365cfe54f22bfe28e7aaeac
SHA256 b04ead386b430a9bc93c2ab71f1c7c08bddd2a322d57ee28f0f143e3ac01cea6
SHA512 f0da1686e3bbda44e2c0b58981317813e0c110233c9fa928773f135aed98a01e9a06a9feecf72c1215c5df1b8eb0dcc74253c3deb33aabc107e2a5f975dc76eb

C:\Program Files\paint.net\System.Collections.Concurrent.dll

MD5 97e06faa0af2a1cbf0f04f16c3a7acd8
SHA1 fa2e4ab1ead892092aca3498e7f4e8c632489ccc
SHA256 67e910575e1929bc6e7d681d4b7600c3ee208193aa5e92c43e018a75fb1862d4
SHA512 5db303afde9885d01798909be388c57ec60915f921212a673f7cede0cfef1977a213809329d15bfdb946727fa8f4b3b4b042572b7201a237275618435a882c0a

C:\Program Files\paint.net\PaintDotNet.Base.dll

MD5 6885d2b0ff26a2adc92c8915fd8fafbd
SHA1 b29ead720e727d173c4d950484c0497d95ffeb47
SHA256 8654e7b34d00f1b7b7cec4873037cda510737fe6f464f7fd9460d33f1eaf2173
SHA512 fbbc2af7f9d7aa83dd282d3a6404720b25f12596a187b8be75cca8547dd80b2d6c821e09e55bb74def3fae2e80aaa67f289c435b4c7fe37fe1692ce35441995c

C:\Program Files\paint.net\System.Threading.Thread.dll

MD5 3eb83651807805ceda5388c8b21ceb24
SHA1 69f214e1877bce64dd4f8c3c4f8d51189e57d3f6
SHA256 20f4d536865a920ae2b42145fec24c7adee5d2d7a11b3abd290854ae4618c8fe
SHA512 853950d1bad71cd69ad85b940a83067278249efa46e34f9bd149e26a44e68f4c8ddedc55ee381e69831325d4ed153698b34473645f9c71fe6a824ad42c25f0a8

memory/2840-502-0x00007FFB99440000-0x00007FFB9993A000-memory.dmp

C:\Config.Msi\e584b20.rbs

MD5 516eac097d7b2e572cdf6b7da518078c
SHA1 bf0d0d9ff090a4f11e075a9a28f459490335a678
SHA256 33ebaac6f460740a85306eee9fc0fa7459b235681cfccd2432510119ce3917d5
SHA512 e9bb99f2dfa6d8d809c64940b45d68b7d3a4fb38fed0cb6879073214a40773a98f6ff6c978353723e2e6ef5f66f00b44658568241eb0402532ca11fc44222fef

C:\Config.Msi\e584b1e.rbs

MD5 0e8a4d807da0a46a7f24b7782c7d3a28
SHA1 9c7180cdb6e48f991f8a545a23d910f6912328f7
SHA256 7fea293d58fb3789ec87311ae6119a9d8b0e73ff42a32ff86bfac5503668347d
SHA512 368df447b803cc35b3fb61d9994bde5db5047abbc9481f13d8813a9968db8ac8cfb833aed1ec4dc8da6e31a8b5d5998e497f6661d3c7438b37f421d0dbff83bd

C:\Windows\Installer\e584b1d.msi

MD5 5927bd08fbcb605ed7e457df5883eac8
SHA1 69c15d19617f27affd89f224dfe223b736a5a253
SHA256 053d7f5aa89926bcc1886e7b41cf0096baafa0f5dffcb7f5a7fbfe0ef54505ff
SHA512 a13eee79aef068b092b33e08f48d76a7aaef9d5182e976ecb685e903573ca30acf6fff64d978cf8f6e0427c616444d28218a7a83bd2a0c2c305eca5389fce807

memory/4876-517-0x00007FFB9C340000-0x00007FFB9C83A000-memory.dmp

memory/4960-521-0x00007FFB9C340000-0x00007FFB9C83A000-memory.dmp

memory/4876-523-0x00007FFB9C340000-0x00007FFB9C83A000-memory.dmp
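The file listing above is the raw material for an IOC set, but it mixes dropped files, repeated entries and memory-dump names, and one entry (C:\Windows\Installer\e584b1d.msi) carries the same SHA256 as the submitted sample, which is the Windows Installer cache copy of the MSI rather than a separately dropped payload. The following Python is an added example, not part of this report or of the sandbox's tooling: it parses a listing in this report's path-then-hashes layout, rejects hashes of the wrong length, separates memory-dump lines, deduplicates repeats, and flags which dropped file is the submitted sample itself. The embedded listing is a constructed excerpt of entries from this page; the function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the report's "Files" listing (paths and hashes copied
# from the page). The repeated entry and the memory-dump line are kept on
# purpose so the parser has something to deduplicate and to set aside.
SAMPLE_LISTING = """\
C:\\Program Files\\paint.net\\PaintDotNet.Windows.dll

MD5 e3aa4e63c193937cc4dfb44e155f337d
SHA1 cea87fcf8d639c0bf920aa63eb532c7e96691820
SHA256 5a52d97e1e02330c3c69e5f305d33b5d009225e1bbb3f4852bbbccbc472dd6b7
SHA512 8614af510c9f70c30e2cd53c9313dfbc5a08976625f50678ddfd650ccd2b4639e39db5deb6b8ec267a4c51f8459e1e9c50f9f84292e3ccd29237edce11b6f0b6

C:\\Program Files\\paint.net\\PaintDotNet.Windows.dll

MD5 e3aa4e63c193937cc4dfb44e155f337d
SHA1 cea87fcf8d639c0bf920aa63eb532c7e96691820
SHA256 5a52d97e1e02330c3c69e5f305d33b5d009225e1bbb3f4852bbbccbc472dd6b7
SHA512 8614af510c9f70c30e2cd53c9313dfbc5a08976625f50678ddfd650ccd2b4639e39db5deb6b8ec267a4c51f8459e1e9c50f9f84292e3ccd29237edce11b6f0b6

memory/2840-502-0x00007FFB99440000-0x00007FFB9993A000-memory.dmp

C:\\Windows\\Installer\\e584b1d.msi

MD5 5927bd08fbcb605ed7e457df5883eac8
SHA1 69c15d19617f27affd89f224dfe223b736a5a253
SHA256 053d7f5aa89926bcc1886e7b41cf0096baafa0f5dffcb7f5a7fbfe0ef54505ff
SHA512 a13eee79aef068b092b33e08f48d76a7aaef9d5182e976ecb685e903573ca30acf6fff64d978cf8f6e0427c616444d28218a7a83bd2a0c2c305eca5389fce807
"""

# SHA256 of the submitted sample, taken from the report header.
SUBMITTED_SHA256 = "053d7f5aa89926bcc1886e7b41cf0096baafa0f5dffcb7f5a7fbfe0ef54505ff"

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMORY_LINE = re.compile(r"^memory/\d+-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")


@dataclass
class FileEntry:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_listing(text):
    """Return (entries, memory_dumps, problems) for a path/hash listing.
    A digest with the wrong hex length for its algorithm is reported as a
    problem instead of being accepted; a truncated hash is a useless IOC."""
    entries, dumps, problems = [], [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                problems.append(f"hash line before any path: {line}")
            elif len(digest) != HASH_LENGTHS[algo]:
                problems.append(f"{current.path}: {algo} has {len(digest)} hex chars")
            else:
                current.hashes[algo] = digest
            continue
        if MEMORY_LINE.match(line):
            dumps.append(line)
            current = None  # dump names carry no hashes; stop attaching
            continue
        current = FileEntry(path=line)  # any other non-blank line is a path
        entries.append(current)
    return entries, dumps, problems


def dedupe(entries):
    """Drop entries that repeat an earlier (path, SHA256) pair."""
    seen, unique = set(), []
    for e in entries:
        key = (e.path.lower(), e.hashes.get("SHA256"))
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique


def match_submitted(entries, sha256=SUBMITTED_SHA256):
    """Paths of dropped files whose SHA256 equals the submitted sample's."""
    return [e.path for e in entries if e.hashes.get("SHA256") == sha256.lower()]


def ioc_hashes(entries, algo="SHA256"):
    """Sorted unique digests for one algorithm, ready for a blocklist."""
    return sorted({e.hashes[algo] for e in entries if algo in e.hashes})


if __name__ == "__main__":
    parsed, dumps, problems = parse_listing(SAMPLE_LISTING)
    unique = dedupe(parsed)
    print(len(parsed), "entries,", len(unique), "unique,", len(dumps), "memory dumps")
    print("same hash as submitted sample:", match_submitted(unique), "problems:", problems)
```

When building a blocklist from a report like this one, exclude the entry returned by match_submitted: it is the Installer cache copy of the sample and is already covered by the header hash, while the remaining DLL hashes should be compared against the vendor's release before being treated as malicious on their own.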