hxxp://www[.]oldversion[.]com/windows/paint-net-3-5-4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.oldversion.com/windows/paint-net-3-5-4

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5420	SetupShim.exe
4220	SetupFrontEnd.exe

Loads dropped DLL 2 IoCs

pid	Process
5700	Paint.NET.3.5.4.Install.exe
5700	Paint.NET.3.5.4.Install.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
256	discord.com
253	discord.com

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000039a337e041d2b58d0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000039a337e00000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090039a337e0000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d39a337e0000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000039a337e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1392040655-2056082574-619088944-1000\{87703B5A-78C9-4AD5-8450-F64737C4CA63}	msedge.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2944	msedge.exe
2944	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
5176	identity_helper.exe
5176	identity_helper.exe
3028	msedge.exe
3028	msedge.exe
4160	msedge.exe
4160	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

pid	Process
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeBackupPrivilege	5500	vssvc.exe
Token: SeRestorePrivilege	5500	vssvc.exe
Token: SeAuditPrivilege	5500	vssvc.exe
Token: SeBackupPrivilege	4220	SetupFrontEnd.exe
Token: SeRestorePrivilege	4220	SetupFrontEnd.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5700	Paint.NET.3.5.4.Install.exe
5420	SetupShim.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 2948	3404	msedge.exe	61
PID 3404 wrote to memory of 2948	3404	msedge.exe	61
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 1528	3404	msedge.exe	89
PID 3404 wrote to memory of 2944	3404	msedge.exe	90
PID 3404 wrote to memory of 2944	3404	msedge.exe	90
PID 3404 wrote to memory of 2800	3404	msedge.exe	91
PID 3404 wrote to memory of 2800	3404	msedge.exe	91
PID 3404 wrote to memory of 2800	3404	msedge.exe	91
PID 3404 wrote to memory of 2800	3404	msedge.exe	91
PID 3404 wrote to memory of 2800	3404	msedge.exe	91
PID 3404 wrote to memory of 2800	3404	msedge.exe	91
PID 3404 wrote to memory of 2800	3404	msedge.exe	91
PID 3404 wrote to memory of 2800	3404	msedge.exe	91
PID 3404 wrote to memory of 2800	3404	msedge.exe	91
PID 3404 wrote to memory of 2800	3404	msedge.exe	91
PID 3404 wrote to memory of 2800	3404	msedge.exe	91
PID 3404 wrote to memory of 2800	3404	msedge.exe	91
PID 3404 wrote to memory of 2800	3404	msedge.exe	91
PID 3404 wrote to memory of 2800	3404	msedge.exe	91
PID 3404 wrote to memory of 2800	3404	msedge.exe	91
PID 3404 wrote to memory of 2800	3404	msedge.exe	91
PID 3404 wrote to memory of 2800	3404	msedge.exe	91
PID 3404 wrote to memory of 2800	3404	msedge.exe	91
PID 3404 wrote to memory of 2800	3404	msedge.exe	91
PID 3404 wrote to memory of 2800	3404	msedge.exe	91

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.oldversion.com/windows/paint-net-3-5-4
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca69f46f8,0x7ffca69f4708,0x7ffca69f4718
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6544 /prefetch:8
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6544 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7180 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7552 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7596 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7452 /prefetch:8
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7764 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7396 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7872 /prefetch:1
  2⤵
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7648 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6636 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=8008 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8120 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7984 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,784654349921229184,6341927437687151383,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3224 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1044

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4936

C:\Users\Admin\Downloads\3.5.4_Paint.NET.3.5.4.Install\Paint.NET.3.5.4.Install.exe
"C:\Users\Admin\Downloads\3.5.4_Paint.NET.3.5.4.Install\Paint.NET.3.5.4.Install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5700
- C:\Users\Admin\AppData\Local\Temp\PdnSetup\SetupShim.exe
  SetupShim.exe /suppressReboot
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5420
- - C:\Users\Admin\AppData\Local\Temp\PdnSetup\SetupFrontEnd.exe
    "SetupFrontEnd.exe" SetupShim.exe /suppressReboot
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
343e73b39eb89ceab25618efc0cd8c8c

SHA1
6a5c7dcfd4cd4088793de6a3966aa914a07faf4c

SHA256
6ea83db86f592a3416738a1f1de5db00cd0408b0de820256d09d9bee9e291223

SHA512
54f321405b91fe397b50597b80564cff3a4b7ccb9aaf47cdf832a0932f30a82ed034ca75a422506c7b609a95b2ed97db58d517089cd85e38187112525ca499cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d4c957a0a66b47d997435ead0940becf

SHA1
1aed2765dd971764b96455003851f8965e3ae07d

SHA256
53fa86fbddf4cdddab1f884c7937ba334fce81ddc59e9b2522fec2d19c7fc163

SHA512
19cd43e9756829911685916ce9ac8f0375f2f686bfffdf95a6259d8ee767d487151fc938e88b8aada5777364a313ad6b2af8bc1aa601c59f0163cbca7c108fbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
54KB

MD5
b767a6d9687f675ff12741efbf6215d0

SHA1
0c3207eed6df6b2dba7b70f01de68b950d2417bc

SHA256
c951af82550a5ced4e81464adb206ee2fa6ed7bdf96e5ebf3e263c6573542dbd

SHA512
c71c6d1cfe03fa91f1f503f7920d5d958e04f6460b9e8318e0a0025dad30174e327278c68eb2cea8fb019d07dae0b0d861307d4751fa05b310dc4524abd7641b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1b77b23cacea30dd3b519536336ac867

SHA1
bc12bbdbaeb2298df95f2464cf1ccbd921534b44

SHA256
4bb97f883860e1b892cd9abcd51f39a105b85d50c654b1dc4df550f7f52e6b5f

SHA512
b19fb4244f9717d005948f15960c393fcaca6d3e073c3b87f1a70824e0de4eff03e8bb8ae4b18a7a0c71a76cc0e9967eae9395d33fa02fc464558529bb2f4e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
a31e52e8f4b84eb8958ed4ef4c3689bb

SHA1
2bea28652c8cf994e124899db534f67d0e41d81f

SHA256
5f6493c73099c3812424def9c2077e1375f8ce3705b194c85ec5b193972e293f

SHA512
ce6b6ccff7cb1d6934b14578c7d93db7cec5e9c9be3aad5ba53f46a9ddc235fa9f19ff0c555675d04243a1e2698b9cf7d9caa5c61f5b39cc71396199f346202d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
b320323accd9eb0a3a34c45a52cab5d8

SHA1
b1eb7f0a7e2b6aeaeccc123405d227ea76fd14e5

SHA256
b4b4c7410e000be607d7c58a774efb40f5f2041dda80c1f21cb61cf42e063020

SHA512
0a1a82a1eb365d188fb7f3b8435946cbc773713403444c2c034534643e25bb2f09fa76031345acc534429d121d75da58210c34821dbd17e71dffb3e8791161ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
80062faa60586fa093335cb30ebf7727

SHA1
7fb5e39a9aa9988ed32c1a99ee22c08e4a435b81

SHA256
3842def0e73ad1c04d768366c0b0a2ebc020620f6b31dc08705787e11905fb8a

SHA512
6ee8e53113e210eb471c9a3361e8e86e5d2d011827c67c1b54928d67567c737d847eb13f15baf72cc4f1ba8610e101e17d5b48cd8c3540df504161246c0a1105

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
8cecebeee1169fa648b9d207741d727e

SHA1
6e493fd68e390df59921677773c4856c67e52b0f

SHA256
17a51656c013495eb050e9590d14c9550313bf5f56a840b617e556e63c499936

SHA512
a9f440f8a9d929292add685b8da023093a7889621aba6903d1220f775e43b09e8ff75a670ed52b03034e2608caad0b7ff1bc2a000b0ebf88cc430f3966c9bcda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d00c05770d17ac7522a79d246bff784e

SHA1
d646c763e0df7bb6c488569a07750b89416824ef

SHA256
b40de39e00248e795e157898523776f757322aa46e14bef42dc856a4a213e5b6

SHA512
7eb1c152e28505c8c16a293d18296dada34bf0add7ca3ba795aa2f5104f6d7e715fb35705aa4c4cc617338ec7b3e20b80c3a1cb40049549ef3631538b18cc3eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
11ab9a321322f07ad2b01f613d243fb1

SHA1
4b7548c09e7537766a23233771aceeeb2ba78c89

SHA256
c1b83d3e433c3cc690e84f64bbd19e2894f1bcfe8e6db18ad2b484fec62efaa5

SHA512
44f332ebdc744c8b9e1777315fc76d7d0f157e69dc72b3aad48a1cd03661cc4b8bec767cf6e4d7a45f21b626ed1554524d5673f2ec731c96d5afa52a50c93379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
0b7561aa80f40c47fc55fd4fa69874a5

SHA1
528c0fbecd0cc6f445183e81d9a66aa78308e0b7

SHA256
75924c61f6056626fc2781bbf2da3d08891c472091c5a5dac5c3e80dc26486aa

SHA512
85f6a10f9ed4b70499d2672ae91a2b0eb8bd397e026347d52bc311ff1e244cd254a297bf5cfb61418a1400229af79a96731b3e89d068cdc84dd8b16882e49b4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
fb9f583291eec3e0fe192b15e3acbe02

SHA1
934c9a02831d7b14e932f3fa8261b17ec5dca8ec

SHA256
e7efd25ff02e067f9018a91250269fb333092a15353bb3cc2d186f2927e7e71b

SHA512
c08a03b313eba30c75e411d28ff7baccbe0f9b0fa484743114f8db232e18c79b72f5b77471313b2cabe0541f8c351bb3eb375ff3f908158afd5d4caa3c7c8b13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
a9c8b9c8b109e42e1dedc66bdbfa2966

SHA1
3c569eceeebd1f04ddfea08a9b3a39abe77bf0c8

SHA256
762ea2b2ea0728b7054009779f766a9dac058c059fed0e7e976d2fa6fdf3d5fc

SHA512
f7b19beec547363211d970afca968909ab687adeeb4aab1de4b44e1a87985419adcad83657f26e30a7b0e45915de7432870dfa4b1b5c885ae6004ff2eb6c59c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
7e6a5baa22c7445ffa6abe0ab7595d82

SHA1
8885444879ace3c608ef0342ef144c7583db0dc2

SHA256
5b9c51ee3af7cc19dd65a9fd677b9d085c60eb6feeb694ea96946d2dfa7099fb

SHA512
7a3260acaae7c788aa49d9c04d89e1444a7cf838f2055de73dc3c0bf372444d1ec4a4a68719514cd651a52f5f6fe855bb7232359e9a886ea19f5ff561b7b193a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
128367f6e10db0174935b47c1dc69286

SHA1
7db93bbd957e858f80f3b4ded3cd7678dd9c3745

SHA256
acdd1671bfc34cdbc1e29286c53fd2ae7f22fa49855590dce151ff704b3adb86

SHA512
052c6a99f2464328ddb1bc5519be6d77d527bfb10f28dda5ebbbb96d3886c2ba86030ee6f81df6bb16e39966ee4ea714e4bcea51581c5c3214da0f6c80690f6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
470880727814297f7fbcc8f0a05b2626

SHA1
d1d8d5e5ae4da7bb92a75e0bd436eca7b67fb0ec

SHA256
418b20cc7d8ea321487b28ccda526f61aeea370bb30833c5313afe8dc22b0884

SHA512
36af82d75aded4201bd7295aadef11be86a6ec707700cb04918d3080696810e0f00b85cd1a4ca3b6cf99181d1791e75419fdecaca8ec8108a936cd65af43121a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e01386e7db0556cfdaf1f0bab50f5b61

SHA1
9b3d0ad936016e7abb678b73f4295cc9ca863e0c

SHA256
f26631bdca46130865dd6caf8c2cb5244e97486d1586298e8a198e7ac8c44a12

SHA512
7f106956b029b6de1c4841a70aa1396ded5517e6ef966318f415c23a75f3082a3943d4c17172849f7d4538d37ea7fe784cb8c13f34105f7d347a363639138207

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b5e31ac48e1b2ebcd25ac0d685dbff97

SHA1
d4136c7ee31619aa5948eec670f1ada4e4ab9139

SHA256
9553ae2b2c610f87392f2189cac89761443e814d7a7dba137680791029ccefb8

SHA512
03879b82be3e9c6fdaf6f1c76ddbe4ce4c3d331fa1c958512f2252478eecfe128065ef1c69a29da76f48f123efe5fdf512fb376464a5b5a8b71046e9fb649d61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
78d5995314e8df27b14ddd0379abd915

SHA1
cb18f36d8cdfe5ad35eb0435b3d835ceb54c26da

SHA256
2bdb690146cb832ef5b189e0e91e98899062b19002078ba23415de6a9e3e029d

SHA512
e4fcb4df142290dbb50dd23156a2f7baffa26c0d8ad68ddb45c5c9a5c26fc61e1efb47e49b0f4c51530b921e391b52c90a7cba280c0d7815a12fff8c742e0d68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578f8e.TMP

Filesize
1KB

MD5
1f9f420db9b3f9cdab502a2293bd5d3a

SHA1
08e4a4850918d56ae62e596338ecc7177bf50b43

SHA256
9ebed563c25e3ddd7ff17be219fc2e3200d729369468a152b192918c401dc8f0

SHA512
b25e1fd70fb59ec394d63127f27bd4c90decc2157c49fd56cc6e4f7d6631817eb093050476cf31e0a2988591853f305fdbcf48d4adf6ee2e26c99c2f52ae3527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0444b16dbc5a2b80885e74cbd8008f13

SHA1
fe423deaa0a6c6d7a2fab8ef473b21baf3796954

SHA256
969b06f556e93332a8de394afddef08f260d5ca59ec936225d5492eb988cfe21

SHA512
d8a5536afdbc714d5b19c6d4556bab98a8dd940b1301469000e8ad671f0fe27047149a7f184199e977f41c15d6607948d076accbebcd3b2b59dd86de88bf9691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9a303e7ee4e1e58e7978ee67812a06dd

SHA1
37f3b94eee91b7c6b94749cc49ee3bbb5bcd0372

SHA256
daf6e6b8a402c249ff9c61d413431366d0688510801de0eabbdbcc95c35f297b

SHA512
4e36029f959ca16279526b309512c13cf2eb54308c445d09c14b3c879e48f9a6c9c41fdea167ff7373412b9d8f412f561fcd7494deb63bc526127fbeb3706bfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4822708b4afdb94dc0a792f316fb5431

SHA1
c26e17011a8466ea84e5c889c2a27ea37008bde9

SHA256
6965e2b88caa0222e3bdd86b56ee57fa9b9d4a14b023c27765afcb6eca236c0a

SHA512
a368ab6b51e83da8b54adef13e00e27a594d530c006826a85e9b271edd1139e37a82244f931c7378eb920aa3367a7bd02957e0e0aa541c5c9fc96f92b1be1254

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Base.dll

Filesize
149KB

MD5
32a83877e569cdda3674fde05ed863f3

SHA1
fe5167b0a786f8021022ec1f94c828f090318a11

SHA256
c881fe111e5763d2494871716af7b29881470c858ce4abaf880423d9be5d592d

SHA512
a7b5893afca46d4b62f890f8b7f86f028fe98513fa1ed21f49a9642bbffec831f3ce3f5f373f3c5990abd3c00843b5160a3913b357555aa8125776eaf7683f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Core.dll

Filesize
321KB

MD5
4a4e4cc3c6ce8b81ad05be9a225a03ae

SHA1
d1751237b698b21022c3806059aa808013a05fde

SHA256
6394398f89e920544e95b242ce79b2e7ea33e2e3c476dc5b340880f0a0148e73

SHA512
200a0dfb66eb592f33296f0fc0116397bd3ae70addd45da57a39a333eee3bb38857d1ff47aca562fc3077aa64efa6607020552f09c6b833e0a568916124be128

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Resources.dll

Filesize
355KB

MD5
f7b61e4668796d062c7cc443f618f439

SHA1
a627c4efad01164142d38b82a1749337c09af1f0

SHA256
c5fcbb1d996d90b87775b26bcd97c4aa3f146dbe5d66eb7fc491b4e38c97ce78

SHA512
f79cf8fa2c5b8d57570d70e80e001a1ad8717eac8b99288906c13ec228c24a777bd72143be3d41d3dbce75a200b7f452ea5ea25491953dddddb4c99b8f42a3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Strings.3.PT-BR.resources

Filesize
121KB

MD5
24e713c8f44c1661fa20f5f627170143

SHA1
0ce08c8f9e229e6611a39c1dd558e21440ea71aa

SHA256
548686d3f285aa81fd4de309cb9c9a1847e8ac5bc0a5c1573111caf322689279

SHA512
3e80f39e213eb71608c6b297742a1ce878b5f8e79131b7b471263b81d235f33dc34e514df9d188324f657ae1600f4aba0ff4e5ed8943cdf684956bbf9d486d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Strings.3.resources

Filesize
116KB

MD5
4b679ebbf170c373ba5581c9d89df421

SHA1
349b8133aefd284fd2117d1f1f9f63648514c765

SHA256
332c1987c407aaf8f1d6dd77fe1001366484354c05806bff0a7c4aafd64bc9a9

SHA512
fd55fdac0f5c01f45937852f93f2e924fe2bcb2e4f1650d41bf708f20a733ed2fccaac52ac9723125a47e6812cc02ab935a1f2713bd91a237552c95073daba2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.SystemLayer.dll

Filesize
287KB

MD5
43feed9b2ee921db785419097a14439e

SHA1
e255221947adad8faad96bbf8dc4e153ef4ce798

SHA256
f4d48210d708eafd489ede72caf7e0eed8f7315acab7274d30ee0f51a803753a

SHA512
7122f7d0e6ab70dda194a31b703c4ba39af3332ead489809d2ec77801346ebe8bbebce5bf6b634f599923353b87bda97ef2fbd93992672249cf122f6e8b557ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.msi

Filesize
6.3MB

MD5
28b5626a49434d65a597c4613e4aeadd

SHA1
9d1d722a7889ea76eadb328797fd11f23b64c799

SHA256
936a804244d6dd6da8b3bdf36b4740a0cfd87ea1c5a66807e431e65e381c4bac

SHA512
8d83abc28a6d80dd0c9466cba60b8ee454356001a6fd009f9feb160f22cc214d0bd1683c81491dbe6599eec953cde507115f280dfb69fef75db5215fa7a2af61

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\SetupFrontEnd.exe

Filesize
103KB

MD5
f52394a404a7c1f80ea8638ae5003a20

SHA1
7ae511e77db676edd45873ed9a906a9087eabd06

SHA256
22bff2a5469c11bbc718ada5a3a627e6752dd2d72ab4589122483027c4156029

SHA512
1d91486c1510ec8c6905a6bd2859897ec65363438cc3243d133404752820c14139d6ffe2cd00f8bc1126ef302ceaa324060b3c0cf121660e28b8ad4cc2274dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\SetupFrontEnd.exe.config

Filesize
370B

MD5
817174712847d293195adf4014f1d53e

SHA1
06d189de4de70cf74afc7b8d4a4f8fca773ff0ba

SHA256
62f51626d5377bf6a6cafb4e8abf98c64fbae4edc6d03e0efdbae942b723842d

SHA512
cc46f139197b607b3d9ba80899b9423eaa164156f90242beb81a945ffa9922c9f824fe127656a1050824f90aa287af680de7faeea3043ad6e0fb4dc63783cab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\SetupShim.exe

Filesize
66KB

MD5
01b70512ed1d1a44c6414321dd7377bb

SHA1
3fa6bc742a92047d74893d691a76cb8e8a55214e

SHA256
1a3016cf5cec075d7f734233733bc40adf84e7ea7c595fa2c9b838620baff577

SHA512
7aeb29cd19e6f185318710e257ff2143c49e81cd2631dac06071b444365ee879d9a676d190058015822706c99b351206fa59b0b500d9748b4dfd18830d0de059

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl3919.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 59192.crdownload

Filesize
4.8MB

MD5
0d8073dc0ff79779dd628055819beecd

SHA1
23ef4341579247e87f1f0d615a972a0a1a47e58e

SHA256
2a933b748e93d2b3ec0267d27a0b39ae65b424cfd2d7ac0bf713682fdfe6b827

SHA512
23273a6d8c8f814a911cc14c94b507191cf7c34f91d93168ff804b6e8b9d0fd74e4ef4fa59acfb2c07d4b93131ef05d6ab7f9317b7c4c4522c09accef4d3a2f1

Download Submit
memory/4220-1112-0x000000001C760000-0x000000001C7BE000-memory.dmp

Filesize
376KB

Download
memory/4220-1114-0x000000001B760000-0x000000001B768000-memory.dmp

Filesize
32KB

Download
memory/4220-1102-0x00007FFC92540000-0x00007FFC92EE1000-memory.dmp

Filesize
9.6MB

Download
memory/4220-1110-0x000000001C6B0000-0x000000001C6FA000-memory.dmp

Filesize
296KB

Download
memory/4220-1101-0x000000001B690000-0x000000001B6E6000-memory.dmp

Filesize
344KB

Download
memory/4220-1104-0x00007FFC92540000-0x00007FFC92EE1000-memory.dmp

Filesize
9.6MB

Download
memory/4220-1103-0x000000001BF50000-0x000000001C41E000-memory.dmp

Filesize
4.8MB

Download
memory/4220-1108-0x000000001B6F0000-0x000000001B71A000-memory.dmp

Filesize
168KB

Download
memory/4220-1115-0x000000001EE60000-0x000000001EF96000-memory.dmp

Filesize
1.2MB

Download
memory/4220-1116-0x0000000001160000-0x0000000001170000-memory.dmp

Filesize
64KB

Download
memory/4220-1106-0x000000001C5C0000-0x000000001C65C000-memory.dmp

Filesize
624KB

Download
memory/4220-1118-0x0000000001160000-0x0000000001170000-memory.dmp

Filesize
64KB

Download
memory/4220-1119-0x0000000001160000-0x0000000001170000-memory.dmp

Filesize
64KB

Download
memory/4220-1105-0x0000000001160000-0x0000000001170000-memory.dmp

Filesize
64KB

Download
memory/4220-1138-0x00007FFC92540000-0x00007FFC92EE1000-memory.dmp

Filesize
9.6MB

Download