289df7d7b2f0da4de90cf66ee44d60162fdb65e8f36744f724009d5879925d27

Analysis

max time kernel
539s
max time network
541s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

paint.net.5.0.13.install.anycpu.web.exe
Size

1.1MB
MD5

9e8c911802a8f387d536a340f39b2636
SHA1

85074c4e1574de523596950d33aa10fa27813813
SHA256

289df7d7b2f0da4de90cf66ee44d60162fdb65e8f36744f724009d5879925d27
SHA512

430e8fe20916fa9f8a2bec1f2d4d85ca555fae3c6e08622d8c4f36cb9c513beec51dca094acaf560bd5eb32a6a56753fd3594b7be92c9b89786290b1e122a9b3
SSDEEP

24576:/PYYYYkeBVMCOVI3YofBJT6F18BzgjIMbaF:/PYYYYksMCOVI9BJTSe8jnGF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	paint.net.5.0.13.install.anycpu.web.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	paint.net.5.0.13.install.x64.exe

Executes dropped EXE 5 IoCs

pid	Process
1216	SetupShim.exe
404	SetupDownloader.exe
4928	paint.net.5.0.13.install.x64.exe
3004	SetupShim.exe
4840	SetupFrontEnd.exe

Loads dropped DLL 56 IoCs

pid	Process
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe
4840	SetupFrontEnd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e2000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	SetupDownloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 1900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	SetupDownloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c000000010000000400000000100000040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	SetupDownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	SetupDownloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 0f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	SetupDownloader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	404	SetupDownloader.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1216	SetupShim.exe
4928	paint.net.5.0.13.install.x64.exe
3004	SetupShim.exe
4840	SetupFrontEnd.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 1216	2244	paint.net.5.0.13.install.anycpu.web.exe	85
PID 2244 wrote to memory of 1216	2244	paint.net.5.0.13.install.anycpu.web.exe	85
PID 2244 wrote to memory of 1216	2244	paint.net.5.0.13.install.anycpu.web.exe	85
PID 1216 wrote to memory of 404	1216	SetupShim.exe	87
PID 1216 wrote to memory of 404	1216	SetupShim.exe	87
PID 404 wrote to memory of 4928	404	SetupDownloader.exe	104
PID 404 wrote to memory of 4928	404	SetupDownloader.exe	104
PID 404 wrote to memory of 4928	404	SetupDownloader.exe	104
PID 4928 wrote to memory of 3004	4928	paint.net.5.0.13.install.x64.exe	105
PID 4928 wrote to memory of 3004	4928	paint.net.5.0.13.install.x64.exe	105
PID 4928 wrote to memory of 3004	4928	paint.net.5.0.13.install.x64.exe	105
PID 3004 wrote to memory of 4840	3004	SetupShim.exe	106
PID 3004 wrote to memory of 4840	3004	SetupShim.exe	106

C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.13.install.anycpu.web.exe
"C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.13.install.anycpu.web.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\7zS4C80BA17\SetupShim.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS4C80BA17\SetupShim.exe" /suppressReboot
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\7zS4C80BA17\x64\SetupDownloader\SetupDownloader.exe
    "x64\SetupDownloader\SetupDownloader.exe" /SkipSuccessPrompt "C:\Users\Admin\AppData\Local\Temp\7zS4C80BA17\SetupShim.exe" /suppressReboot
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\54a7e92d-366c-4158-bacf-d03f0f87a96f\paint.net.5.0.13.install.x64.exe
      "C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\54a7e92d-366c-4158-bacf-d03f0f87a96f\paint.net.5.0.13.install.x64.exe" C:\Users\Admin\AppData\Local\Temp\7zS4C80BA17\SetupShim.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4928
    - - C:\Users\Admin\AppData\Local\Temp\7zS0437800F\SetupShim.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0437800F\SetupShim.exe" /suppressReboot C:\Users\Admin\AppData\Local\Temp\7zS4C80BA17\SetupShim.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\SetupFrontEnd.exe
        
        "x64\SetupFrontEnd.exe" "C:\Users\Admin\AppData\Local\Temp\7zS0437800F\SetupShim.exe" /suppressReboot C:\Users\Admin\AppData\Local\Temp\7zS4C80BA17\SetupShim.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\PaintDotNet.Base.dll

Filesize
703KB

MD5
67209f29f0af4d8f96fdbc81ff30a085

SHA1
3b2d4156ce911664959fb6e50a9e8b069d57bb9a

SHA256
be69026a433678fa21792f912569ae9f6a631c95a624b0454756d5f40515fbc4

SHA512
3c763976992e65bcd82b0eb4dc95e6de44101dbd96200764e2c5a9eedf56ad40f0ce2a45b68ac4037346aa7b1e56bf0fee549f5a9c30305d01187425852940a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\PaintDotNet.ComponentModel.dll

Filesize
107KB

MD5
ac67a0e763a2a12825cf230f03e23e3f

SHA1
e036cf205ac03dd1ab1d7b900c7ea76f55762801

SHA256
aa676befb41623bf841e6c79e44cbe42be28ff077cd0dd771019e496b6491980

SHA512
528ee535d935b5dd1959f046ac2cb3f01bb2eaf62f02e0a93819c80d77e315f84ef9b98f97179551874a9d0f1800a3106e1c648be7ac90ce51193e9385b33c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\PaintDotNet.Core.dll

Filesize
1.6MB

MD5
72d5fec1be15ea38d27b5195c8fdc0e7

SHA1
c345ae3d39d9572631c5ed93d6e97da277dd2536

SHA256
f51c4730d964af69e3252d23e440d06693da2bd45fdb896dbbb2d5aafa6ca91a

SHA512
0e78ea297043d1d2ca4f34b8332920598c29fa8917f88ad8963ff2eeb72de8489a0c8b73f21b466da10e9ee30c59554e699b13e7797e46280c69c2ee4b3dd60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\PaintDotNet.Core.dll

Filesize
1.6MB

MD5
daf74fbdcc5391edd3706e4279d3219a

SHA1
4a1438ceea9855b04d90c401aadee0c3b924e424

SHA256
ccf58d5e51bc73ed40236e8cfb195c07358a722e1fd4553923ab09db32542167

SHA512
3fa9e800027ee59027beb75e97bddea6a8f1df7fdf4e394b4205b3aaf6fe1b07e47413d11cf9132fc89b95730fe2ed28e2fd0529dc1a5fd9854275c3e395ae91

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\PaintDotNet.Framework.dll

Filesize
1.1MB

MD5
187e7fdd1d10378c905254d1606e8c9a

SHA1
88839e000aa4ab9d6fe2aff631a3e5abfb942f19

SHA256
284745171ca433a20bdb26216d137a3aee472beb5856666cda8ac316d1b811e8

SHA512
c50847a03d248b5393a03fcdad2af7fa554c62a0223466d930e6ea3265980aa1d41f225803eb7ace1ed7f1ea385fd8e38b2d463d0b7629a1e760a49a4dd6dbde

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\PaintDotNet.Fundamentals.dll

Filesize
1.1MB

MD5
59cfcd4063d71476eea8febf3618e09f

SHA1
08e6ddc3b0369230f98cb9464d3d01fc2cb47b90

SHA256
875cac39f1bd20414af40d3a983438ea1d042ba2bad792773c1bf27fdbfa5fb8

SHA512
fc85d0c38ba405d9458571ba65106c272bec92a8ebf1e9b4b1c9e2385f43dacc0d9db04699abaf0b4d54c4500b40ec7156e23d2e4956747d88d25bbcc300c24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\PaintDotNet.Fundamentals.dll

Filesize
1.2MB

MD5
eacce80a5a378201bc95680eda18f3f1

SHA1
55386894942ff6ed8ee08c377ee6905953839bd9

SHA256
d6832783deac4bcf07dfebd714504d3af5e38e94ac9e890fa0198a8d682b66af

SHA512
a8bfcad213297f60cb8a7b6e1c79e907f8d199d9c05f0d3b6b7df4efb181eda95078c947ded92df7e674da435a8d4569589bb5313d6503a97551f234e35a55ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\PaintDotNet.ObjectModel.dll

Filesize
191KB

MD5
63260950a31a334c160d72935e121894

SHA1
5b55aeea0d9e59f2b7950b6324cc0a330b01e876

SHA256
7a47389d50017c70d614e1b57bddcfb9fb5c65e112d966f1b3bfc50ece445e54

SHA512
477d7ed2308098f546090251d1160086af4c3253ddc8d6a9699bec209f77b7a4abb112f39546b92ad6a738b5c42af3a0c1fd18dd6658473e4ff9ea8ececee588

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\PaintDotNet.Primitives.dll

Filesize
1.1MB

MD5
e527547ef2cf312400f60f92f4286ecb

SHA1
37e58f85f8ceabf6afa472d2335f1d598258adcc

SHA256
338b83cf8f180a73a8a8d2dc2b90d344edabd63fdf84130f86d5efc01b8312d0

SHA512
48847c6777f2ec65c98ecec126f47cf7e5b88cdc4b68a6fbfcc7c57c9571f14a8b45a37bda68102eddfbd3d214db56c32a217a5da5a39f00241e87e7d699e351

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\PaintDotNet.Runtime.dll

Filesize
82KB

MD5
a91cb6ea28f169248958bf47cfdf423a

SHA1
341f04887a8330868af35dd55ed12d6969264d55

SHA256
25712803301d7a0ba8aa6b521d2b655976506c6ba2e8a1c19c3a3052b33d2a25

SHA512
2f335a0e72e9e1df32d04a898f98546b201a9e150390b97628f2da89158dc0da841e86fb48954c66478643f0d61e5ea8c8db0da68628bc2e7199b9b5168a5306

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\PaintDotNet.Strings.3.co.resources

Filesize
178KB

MD5
425ef7ba68111ec258a0468f6d800314

SHA1
2b59bb5921c3634722f28033e0d52c57725560f6

SHA256
1819d3637ee8fbe6165ee1e45dc4bb839ccbffd12a29f0acdb606d7cbba57476

SHA512
169d2ee3ad88bf1d219b77d755e4f895412679d7ec3eb41ec7247b79e97fa244e95ae3ea0016bb1c1297a183cc13e71b3b5cc68c34bb2604536ee005da950350

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\PaintDotNet.Windows.dll

Filesize
1.4MB

MD5
3cb0fb1766b40e5e15f8200ff5a04014

SHA1
5fc6297881d071ab538907624f8eb1e8ac851135

SHA256
0ef51b1e752b10705659dc94c57bdf1361065022d64c861a5c5fe9f7fe3fe789

SHA512
74d4b1e72fa5c53d3d3cc86fb9fbeeca231ced1fba22a66c2d422acf31d96b6782773f076604e64e0aa82d996950fd64732c60aff5bd78020c6723d4d7ba8dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\PaintDotNet.Windows.dll

Filesize
1.1MB

MD5
99f087f5a83e995a923d34bad9292abd

SHA1
dedef5e70d22a1c87ce6b9891978255aa0753f0e

SHA256
9f8182d8794822e4e6b7b9b19a9b42a47830644f566f9b3069f903ccb0078234

SHA512
f45d7bba418cb27b704ff85a90724924852cbaad3ad0023f284a9fef3d8a5d34e5b86f054c43ba1d70cfa322b6484d0cc79e0e0ffc372469cff5c97ed1f4ce51

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\SetupFrontEnd.deps.json

Filesize
60KB

MD5
1ef485c7f1494b49e1626f3157c021b5

SHA1
56ea39bc0d6b9eb2fb28bc880b54198b1876f581

SHA256
287362b09598bff6ab981b1986b41acadce44d5fe59b65929a17e3e86fbe018a

SHA512
86b706392bdb4c74aa49639ef4eee51a87ca3cf935e0ed530018ae31170be7d55fb8df1c15132e62aa2141322f42f1349e6344edc0f35de004544b7859084552

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\SetupFrontEnd.dll

Filesize
219KB

MD5
adcc0ec1a6274012b7ce00f90f35f5d3

SHA1
9b4a541e19e8fc723621eda0afec47f81e8f4344

SHA256
577ffda478064ed8ab1e86511d289a13ff7eec9996b080d919f8d4e0443ffa33

SHA512
226e65b95cbdf39e92bcec83a846a40a9546f5567711d867cedd38b1443e19ae22c959d885f85e4ae81b8bcc8540628a451a579538be7787ee2d2ff150fac3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\SetupFrontEnd.exe

Filesize
170KB

MD5
ceaadd8bcdbf2e2d5284a43ace3b3b80

SHA1
fc9f0e392204a94b948b606d7dca71c0e8166b12

SHA256
66b927ad2d3513289b3e8448ccf4e08c3c9a131901a69e324464fb20ca91a99a

SHA512
138994b110565b824cd2529c053b8b223b46a2ea392da2bf0fe0f0d1fa2f68bea08f8afde0ed605e99b64e7c370583ee56c14938ece512ba8be39bf0b4aae7e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\SetupFrontEnd.runtimeconfig.json

Filesize
537B

MD5
311a502395c85c4dd495c5ae3ed9e8c4

SHA1
8eeabb3e7b2101259e7ecf61c11f583168897e3a

SHA256
26584fd178277ecc937602db04ec2716bc836bdca21270f5937b1805dbba14a4

SHA512
6a1ec7986faf841c179af297fcf2c24b50a2a407cccc64b6b25bb45dadae301a2ff26411f556d99ecae6e1a14aaabdaf8bb27f3fc6297c90346d5fa2b44871b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\System.Collections.Concurrent.dll

Filesize
258KB

MD5
719090d56ebf34f97843f5669bbf66a8

SHA1
27b8af21d76ae6213157d119a6b3bd2bb7d66a7c

SHA256
18aff41c1a8afbcbc276ae50f6f51abff8282d5919c91c3bc61111ab0329a992

SHA512
bdb9f81c57fc07c72db82456144643ffff8310aadfce6bd057e782032b4e6cabdfd95d5bb73968e7ef32087237124b35e0fe71e1048bf3661d1a61e4087692d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\System.Collections.Specialized.dll

Filesize
106KB

MD5
6c1534f90c812053156b73798f0777f8

SHA1
8c17b22ad2b1677c065f75c9d8d54b262ded1684

SHA256
f0e9daf07884c3105986c2d06b882ac52e5d9a551c33029d93994c6dc5a506da

SHA512
f3c38d61e11b623dfe910c86d59b609c51327a476cb5f17e1dc471c1b5940b3534e908674c1a99d9d7f85ac986aaabaff41799a4cd059c4b5be4fad963025579

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\System.ComponentModel.Primitives.dll

Filesize
82KB

MD5
32297b08dbcf8c7bb7184e7c6a365d44

SHA1
c5c4ce634ad7e104990115fdc6802b91836dcd38

SHA256
98e980976c7206a73b6e5e04067f955ed1a6357f03ce2e6f8fa174261c5e0b24

SHA512
742d9756ffa97de87446eeca14df45900fc788a0e5f94318739d67818002a99370cafa087731e15535e40eee2c8f1d8ae24df66759aaa12259f3c6e9804f03d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\System.ComponentModel.dll

Filesize
30KB

MD5
ec556255488d86f0ea2d19c85df90ea9

SHA1
da97bb14d5621f14bc1305e1b54f429ce401e8a3

SHA256
59348203abf0dc97d42d53e3ad816b2817ebaf5819ad142125a4e91537d80f84

SHA512
9058cefa0ecfb63a5f5cfa0c05101ac92489a0d5ae8ca04e7ecc35b52b0e4e2e93bb0477fedc88eba776d77f3a885889905923ee033e4143ef56424b56589767

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\System.Drawing.Primitives.dll

Filesize
134KB

MD5
10ca6ea3f6ac91efc411724536d38423

SHA1
e72e80bcf8589ee0b388ebb7e4d1813b6bab96fd

SHA256
8c6ed6c378e30c535a8a7c71269045220f5633f4abf5f88799297e25f680715c

SHA512
8a32edd342e71ab469a9dedffea19df2691d6bc649f049b07504a696c058af351a36945c5e5c56e7ec277f21ee68a935afee8308fb2cd6cbbf93e06441b3bc57

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\System.Private.CoreLib.dll

Filesize
2.2MB

MD5
593c0ac2db365fe23658f11dcf443692

SHA1
17d4a3260a7d96f5fbe0c0f39f48daabaf96e827

SHA256
a6126ba866bdba4b93d2babb92fca8a374a9cdd3610a8f817f20e39ea019d351

SHA512
e641dff96653f05c13bb94e57554114f1238dae935df180d7dd41c56ae912e0b26e479447fd219431be47b3ddf77d6f76a0d9fdb5566007ed0a3bc4efcd856f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\System.Private.CoreLib.dll

Filesize
2.6MB

MD5
49133f3ce30183fddcafaee801d8d9a4

SHA1
98397b54a6b00ae2a7606c567547903af9e7a538

SHA256
f459445700842b9d63a9ac4b26f0cea6ceba3860859dcfcd846bae736fff8356

SHA512
116ecf4f5b1282e30f96d8df16e0359e29a67c78d4c582356687f2564dbd2c37a2b5c7b929ba7172bd9566f88033ee1c8c4fe9f31dad04562b3bb99917a9ee09

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\System.Runtime.InteropServices.dll

Filesize
62KB

MD5
79733323c08f257b6f4f99aa6704cf18

SHA1
73d5a3dcfccff2c58a46b1486d6169c5e4f695e3

SHA256
7bf55aa42c732ce8070d6e5592c72e9449bbdc8f567e446662a0a1b258f77972

SHA512
91d793bd87ca77142bc7ab9a44dcc7b2f9073f81bc73edc8c47c85cd24f051beed6a4d82598fe70300d7ffd60e9c35913fe769d36e55d2bbf33e5960eb8d16f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\System.Runtime.dll

Filesize
42KB

MD5
5c347538feb79f8988c911301a59bba5

SHA1
294874fc634cdd305df56ceaa3fc0ca53f044b1c

SHA256
c5af0a58f64aeb0004c6ba28d0b1b1cd321e6d01126b95203693d6544f5bb613

SHA512
0c7b106f7274c0423291e3414ce1873ad149c548a80cd4489c95d04c10dba5c5d3836b5f6dc74ada99ea7e8b92a80558f34ec0af1b99e5cb55b847e3a6d79cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\System.Windows.Forms.Primitives.dll

Filesize
938KB

MD5
0ab1915911aa77f4a1360900e4184a43

SHA1
24821d5826cfac4424d6d584a9030bba598785bc

SHA256
7dcc36b8bbf0b3f4074b5facdd4e5a022f78e2e5049391dde96ad4272c14200d

SHA512
64dd9e38280b005a8085508ee536024e6d0643a8dcb4901faf763742af7d9b1cb76145769b57d139021474067bf8275d6cf2fa1ee5c66c5c3d7e49dc9ec711a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\System.Windows.Forms.dll

Filesize
1.2MB

MD5
9d112ac487bba1eb2f3880eaded6cc0c

SHA1
230b779ed580524d1672f4525047eed2724dc54a

SHA256
14137ecee3e3fe2340bbfd5f85d1af4cec2d4edc4b13a3da6754f6d917e6d3d2

SHA512
64e5fc3d5a2c9ed26c240fe515ce4a308a8100d62a995ccc905cdd8a801c4fa46163617be69b3af0424f0c394b6871bccb2bacb60a1f407609cdf40e9d9554a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\System.Windows.Forms.dll

Filesize
1.3MB

MD5
4a081021e25d6ea85f976c99af8f6b1f

SHA1
ed71f4014abaf85e678521483ec7b4cbae94bd32

SHA256
03b949b77c1c92054caab34221f6647c8a2afb73c2dedb80f2a311174c894ce1

SHA512
98bdadb04241d84e9ba8bb8a5f1284c3d4bcbb11ea5ad9aeb9e834555e6f20b7eadf89f7f76a7d249911120330ab35590ada308af0f040465c69e2214b356ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\TerraFX.Interop.Windows.dll

Filesize
1003KB

MD5
6dd937738b99352618bd0326a91002cd

SHA1
8505c8d785b69e6f1bc008770a6014dce4e23f21

SHA256
9d7a578ccad3f0c39d92ae33050b65059287f428597e854d751f6d265435c6d1

SHA512
b2ecf17fccc70d8992f719a815439d65eceebedb6e8ded0baf8e47056f58b3500ddbd7c79ac1ccee47e409d16d37a0b96c98b3ea8012e9d6432cf4a4f14a3320

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\clrjit.dll

Filesize
1.5MB

MD5
8b658473a01ffe6e1136cb7ebf56d7c0

SHA1
437d34e38d3ebaab6614c5fe8fa6c47bc7cf3591

SHA256
646a13d60f5a7478de72b1135a518652d9acdd82d4943cb57cf9d1d95ba47681

SHA512
33612685da60fdaa78853703ccd50dc9d0dc071eb01ffe565f7cd96c481ac132b8f955fd6c91d9530efb427b8cc43807792ea2ce0d9a4e5013ba4afebd4539e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\coreclr.dll

Filesize
3.9MB

MD5
602d527cced787e40e684a7d7c5c29f7

SHA1
28bf7eb6baaa858cb7ae156d4f72e345c7d0d6c6

SHA256
62a6b45657e8c21074697353f126f873b2e78b63e0b2f561d9bdf7a0989c30af

SHA512
08e1088427577a1232a1f6155108e794a9df98b5f41b3fb7eeda4c7b67272cdcd53debd7aed6a3456b2da6763c0727cecf1d6e2cd9da1c324aea405f58cc8016

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\coreclr.dll

Filesize
3.8MB

MD5
a583ec186d4faf017ce2105180a5a5ea

SHA1
43a11b20d669b3d29828ff8bf34018bf6d91f968

SHA256
c26de01f9e5716c5df6d1fc76894b23f73145d99d65671aaeee49c5ac24d51b4

SHA512
f50dd58505378f9c8a5ca5c6e06b951658e40c8744714d7cedd5971410a8e6ef169d5c30d660ffd547e04e14deeeee1c8ca02b3d9671f99cc7f15d42eb0044b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\hostfxr.dll

Filesize
377KB

MD5
b8d57c792c3fc5a405bfae7fdd471ebb

SHA1
d60d1ebf0f554005b7d6b0a6e66ac135aa45ebd9

SHA256
5ba9ded20b1a28daa809f60939543d7893a6f767402da4bd2c9ce57c4641226c

SHA512
c3fdb823a6a8a0bc0fc872f2816b423b1e760d2f0541b8c2ecf3432b284b6e2ee07568e4a841afa2e08d14d3900781c635dac553903ee70a70494073bd93b96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0437800F\x64\hostpolicy.dll

Filesize
387KB

MD5
07d32c17cefc890238c9d4c836b21ad3

SHA1
8901bbd735f5366ff77733821fd0bfaee778b453

SHA256
61d3284520ffd8199f68642bbefd84336e35f6ae71ae6b9e4813a80f1bfd099a

SHA512
497ea9f6b59b78fa2dfa11916af53eb0d9e430d73374cde6564558031ef66703b22954d571404adb5957f3e635612c03be66ec872aae47a1de2321f2f078e7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C80BA17\SetupShim.exe

Filesize
152KB

MD5
ed82da8ce63807986d06e19ce59d7869

SHA1
545de4373061d6628c047929147ea3590daed3ec

SHA256
cbaf647f029408fbd79290f6727ce9a3cc4c9bcfac19c74a09981b4bc849a3dc

SHA512
fc78b01952bb23e4b108b493a0e20c157faca263eaeb912ad670a5cb2fe5f6c8e4e075b9cf34299ec3dfa1214acc36bfd34767f33fc31f81d178fcabbd2d698a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C80BA17\x64\SetupDownloader\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C80BA17\x64\SetupDownloader\SetupDownloader.Configuration.json

Filesize
135B

MD5
8ca6779446e31e219589a08769448da2

SHA1
efc2d9e4b0f99daf0333406610d8031a5a8aed2f

SHA256
2b23a17e993b7837a89365cdd328541f58ddfd4ab2b45285058284eee5733613

SHA512
a6a863880835dcca879534ec8a353e2d7fef9c4410edfe41b59bac561492cc6084330c7aad1d2e8a9590b2a3d7551a0b8b6d45ced4d235f01b596d69b593bbf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C80BA17\x64\SetupDownloader\SetupDownloader.exe

Filesize
279KB

MD5
67662d81cc89357be411c8fd981f7333

SHA1
caab54c00eecb39b8818892123dc78369a72e178

SHA256
46b80d6a0c515274dbe615a86441e93eb656683cfe7c48ef80aca4ed5aa9c01e

SHA512
463ec7b8dd9c32ba1ec492d13330c19d5c57ea7000bc83a3c8162bef9354b144b390149bed49807aba251e35a25ae190c537ad6bf46eb1ffe4723ce6be2d5c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C80BA17\x64\SetupDownloader\SetupDownloader.exe.config

Filesize
218B

MD5
59efd5b23c940deca60238b287720310

SHA1
0067c8388dd359af895a1ca854970bdaf4e58f6e

SHA256
907801fc6262ae2e70f9ad104f903e3580f195bbab4ad27d79c9e571da970d86

SHA512
8ed8f6fe3564bdda0bd85752a15e7ec9380df8f366dcef9dedb826e5b62c188000ee79b7cbf61d1c01b7bcab92562a4895794f4ed540e943299973e3dee4270f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\54a7e92d-366c-4158-bacf-d03f0f87a96f\paint.net.5.0.13.install.x64.exe

Filesize
30.8MB

MD5
524d3de14d2fe7c32020bfa7870533d7

SHA1
08cb1397928426f9f704b3b019096be6cd11c942

SHA256
0a356b3c9516b96d0a6451255d197fd2a3ddf758f9bdbeb30868c6272ff64068

SHA512
f25c3afbc9cb7756985d17dc5b7368290cbd1cc5411abbc80a177190b5e860f147417939d769c6bbaf37890174c579e57b1318842a933442ee9fde31eeca20a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\54a7e92d-366c-4158-bacf-d03f0f87a96f\paint.net.5.0.13.install.x64.exe

Filesize
49.1MB

MD5
f4b0a4c7b99b2e8fab16b78521e5a981

SHA1
2bd7911bc2adc0073ba47a4d56b25ca555511bc6

SHA256
c778c26f7283b4655424c65b5d228ccc8bbe0e1b10786e816511953f0739414d

SHA512
53bfa4c5edfda324531f5c5aa2e065c6954c6f2d554fa5e5f265bf267c1a05fd2b7ff5b390ef3e000927a9f4198bbf22a52a7cf85bf62be8302f544b9a6236c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log

Filesize
135B

MD5
41bd35ae8fc3bcb00d0bd59584944989

SHA1
a7f1bd275dd6081a732761a06ecc8069e5e7dbae

SHA256
69ae960398d374078818055916ebe5fb0ef093a2529bd952ada113f13606f25f

SHA512
b5c47e88c8ca4ce58104abed1224943dae1fed42984cc17ea8c8448ac8f968c79861bacf4a588ee519352eee0112f9654a911809c8adcbcc1c56c17bc9fa3b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log

Filesize
1002B

MD5
e8aba8ac8ca148baa5ae173a09d9cd25

SHA1
b48c76d96045955b31c3e01f94282a82e504823e

SHA256
9f514d78971ce32632b630106259577442e4c5face9dfb66d739a7d25f856044

SHA512
0f9ef63ab6f210aada97950d5d4e1834ca89d5face1a2967534be680a7ffc0be26d26f465dd758b0d92e442ff5737849939fa48412fddc558a1f7aeb6e2d8252

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log

Filesize
775B

MD5
55febb15a7d6d30d07d0b376c2e8ef5e

SHA1
ad535136b79c8cede5b6f7617581574e8e43ef9b

SHA256
7a48347972208368902c7555ca01e434f16d75459a6ca03af70ccc3c51c2ce96

SHA512
c17c3281bc4aa5660e8b10496fe595dc925d2332fdcedfcf771d0eb06728af615014fdfba80b1a12b8eec64a5dc9b4a98e8ba26821b8d8939d66aac43fd7076e

Download Submit
memory/404-59-0x000002617BF70000-0x000002617BF80000-memory.dmp

Filesize
64KB

Download
memory/404-53-0x00007FFB14240000-0x00007FFB14D01000-memory.dmp

Filesize
10.8MB

Download
memory/404-52-0x000002617BFA0000-0x000002617C052000-memory.dmp

Filesize
712KB

Download
memory/404-55-0x000002617A590000-0x000002617A5B2000-memory.dmp

Filesize
136KB

Download
memory/404-50-0x000002617A140000-0x000002617A186000-memory.dmp

Filesize
280KB

Download
memory/404-56-0x000002617BF70000-0x000002617BF80000-memory.dmp

Filesize
64KB

Download
memory/404-57-0x00007FFB14240000-0x00007FFB14D01000-memory.dmp

Filesize
10.8MB

Download
memory/404-58-0x000002617BF70000-0x000002617BF80000-memory.dmp

Filesize
64KB

Download
memory/404-60-0x000002617BF70000-0x000002617BF80000-memory.dmp

Filesize
64KB

Download
memory/404-62-0x000002617CB80000-0x000002617CB92000-memory.dmp

Filesize
72KB

Download