44c4deeae771faa1e8805c2e2f58b728ce32ea23f6a1812b710c513aec2af732

Analysis

max time kernel
145s
max time network
139s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
05/04/2024, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

15KB
MD5

1767913640c1dc2ef177f47267818863
SHA1

6a8a916f48481ff955cd926a60caec272b1c9fd6
SHA256

44c4deeae771faa1e8805c2e2f58b728ce32ea23f6a1812b710c513aec2af732
SHA512

097647c235e58c64989758a0446d9ca9d75e241cc02b765dc6e5f25c830c792bdc6a849cd38faaac4c24ad258d572c550e45da91a250df572874072a7ace039d
SSDEEP

384:oR7DzeR5kVspa1kVsfkOxhgO928mqiUSJHsoXSZn66xCPtF66XuwAFykOyUH:SqRoH16ZH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3220	SetupShim.exe
3100	SetupDownloader.exe
2116	paint.net.5.0.13.install.x64.exe
2088	SetupShim.exe
3080	SetupFrontEnd.exe

Loads dropped DLL 56 IoCs

pid	Process
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe
3080	SetupFrontEnd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\paint.net.5.0.13.install.anycpu.web.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2180	msedge.exe
2180	msedge.exe
4624	msedge.exe
4624	msedge.exe
4512	msedge.exe
4512	msedge.exe
4716	identity_helper.exe
4716	identity_helper.exe
2980	msedge.exe
2980	msedge.exe
6448	msedge.exe
6448	msedge.exe
6448	msedge.exe
6448	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3100	SetupDownloader.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2172	paint.net.5.0.13.install.anycpu.web.exe
3220	SetupShim.exe
2116	paint.net.5.0.13.install.x64.exe
2088	SetupShim.exe
3080	SetupFrontEnd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 4020	4624	msedge.exe	76
PID 4624 wrote to memory of 4020	4624	msedge.exe	76
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 896	4624	msedge.exe	77
PID 4624 wrote to memory of 2180	4624	msedge.exe	78
PID 4624 wrote to memory of 2180	4624	msedge.exe	78
PID 4624 wrote to memory of 5084	4624	msedge.exe	79
PID 4624 wrote to memory of 5084	4624	msedge.exe	79
PID 4624 wrote to memory of 5084	4624	msedge.exe	79
PID 4624 wrote to memory of 5084	4624	msedge.exe	79
PID 4624 wrote to memory of 5084	4624	msedge.exe	79
PID 4624 wrote to memory of 5084	4624	msedge.exe	79
PID 4624 wrote to memory of 5084	4624	msedge.exe	79
PID 4624 wrote to memory of 5084	4624	msedge.exe	79
PID 4624 wrote to memory of 5084	4624	msedge.exe	79
PID 4624 wrote to memory of 5084	4624	msedge.exe	79
PID 4624 wrote to memory of 5084	4624	msedge.exe	79
PID 4624 wrote to memory of 5084	4624	msedge.exe	79
PID 4624 wrote to memory of 5084	4624	msedge.exe	79
PID 4624 wrote to memory of 5084	4624	msedge.exe	79
PID 4624 wrote to memory of 5084	4624	msedge.exe	79
PID 4624 wrote to memory of 5084	4624	msedge.exe	79
PID 4624 wrote to memory of 5084	4624	msedge.exe	79
PID 4624 wrote to memory of 5084	4624	msedge.exe	79
PID 4624 wrote to memory of 5084	4624	msedge.exe	79
PID 4624 wrote to memory of 5084	4624	msedge.exe	79

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff19623cb8,0x7fff19623cc8,0x7fff19623cd8
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1672 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6904 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6976 /prefetch:8
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7032 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,6964803582636598746,971407071163013173,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6128 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2184

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004E0
1⤵
PID:1140

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\Temp1_paint.net.5.0.13.install.anycpu.web.zip\paint.net.5.0.13.install.anycpu.web.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_paint.net.5.0.13.install.anycpu.web.zip\paint.net.5.0.13.install.anycpu.web.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2172
- C:\Users\Admin\AppData\Local\Temp\7zSC78E9968\SetupShim.exe
  "C:\Users\Admin\AppData\Local\Temp\7zSC78E9968\SetupShim.exe" /suppressReboot
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3220
- - C:\Users\Admin\AppData\Local\Temp\7zSC78E9968\x64\SetupDownloader\SetupDownloader.exe
    "x64\SetupDownloader\SetupDownloader.exe" /SkipSuccessPrompt "C:\Users\Admin\AppData\Local\Temp\7zSC78E9968\SetupShim.exe" /suppressReboot
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3100
  - - C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\31f55c59-5946-462a-89ee-5295effd4bf9\paint.net.5.0.13.install.x64.exe
      "C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\31f55c59-5946-462a-89ee-5295effd4bf9\paint.net.5.0.13.install.x64.exe" C:\Users\Admin\AppData\Local\Temp\7zSC78E9968\SetupShim.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2116
    - - C:\Users\Admin\AppData\Local\Temp\7zS448C29F8\SetupShim.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS448C29F8\SetupShim.exe" /suppressReboot C:\Users\Admin\AppData\Local\Temp\7zSC78E9968\SetupShim.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2088
      - C:\Users\Admin\AppData\Local\Temp\7zS448C29F8\x64\SetupFrontEnd.exe
        
        "x64\SetupFrontEnd.exe" "C:\Users\Admin\AppData\Local\Temp\7zS448C29F8\SetupShim.exe" /suppressReboot C:\Users\Admin\AppData\Local\Temp\7zSC78E9968\SetupShim.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c65e704fc47bc3d9d2c45a244bb74d76

SHA1
3e7917feebea866e0909e089e0b976b4a0947a6e

SHA256
2e5d6a5eeb72575f974d5fa3cdff7ad4d87a361399ffdd4b03f93cdbdec3a110

SHA512
36c3be0e5fbc23c5c0ad2e14cfb1cf7913bea9a5aeb83f9f6fcf5dbc52a94d8ccb370cef723b0cda82b5fba1941b6a9ff57f77ff0076a2c5cf4250711e3dd909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c3ea95e17becd26086dd59ba83b8e84

SHA1
7943b2a84dcf26240afc77459ffaaf269bfef29f

SHA256
a241c88bb86182b5998d9818e6e054d29b201b53f4f1a6b9b2ee8ba22dd238dc

SHA512
64c905e923298528783dc64450c96390dc5edbda51f553c04d88ee944b0c660b05392dc0c823d7fb47f604b04061390b285f982dfcc767c8168ccb00d7e94e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\45ff0355-f2d8-43be-87df-cf8310241a83.tmp

Filesize
6KB

MD5
d695306918e7ac0bf307509dba41e1c7

SHA1
a54d465d97a2fa9d2376431961d48e6970203c0f

SHA256
a7dcf6195aa608791dab5e0fadc42465d953f763bef544f9db6be310e2da5432

SHA512
ecb2d08c1bde86fd41a1b575a6047efdfcf0ea698b12984b98007d7cc2ccb305a9cfdf6011a379baff50525ba77a3a40f4b3a740f3c61b25a0376ebc937b8627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
19KB

MD5
d99a122d7cb17a0759f9693e8d105bd0

SHA1
9321bba75c561fc3c43aa28b2191a0eaedc76d5a

SHA256
8db37aed80b8f1dc10aa3a9d81a49a79a68d17c76406a0e0e8909e721d9f8668

SHA512
f05734fbbacec02251affb9850db468ee1840adb67b8213a816a2893afb3c9bd95dc25b7ed83ba93158efc718de5d41cb3411074de6da52441733d6ec1aff2f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
746KB

MD5
63140a357e1a6ee17ec48a7a9f8dd159

SHA1
d4a42330033da80d1ef4c059a957ede445c85473

SHA256
41491f8b394d5f0c2a505a71729a2787b304811d6131be6ec147d0b1474c3c58

SHA512
3d78a152a2ba921c223e7142ba2680f0c8849363cea9825dd92fae8e7f5f232be84c8d35797ba1385224ada8beb579875452fcb00561921fd619367453213702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
8f599c692daa30a9b2fe449480cef17a

SHA1
1d3645b20b9a2747bafffffc52f28830e98fa875

SHA256
fc1bcd56de6f1d4cafbd985857201dbf34f7b7e490dd516d502851240313d4b8

SHA512
0506d75a70959bee09ab337d375f881dbed18e1e39f0f9dc9462becfcd769bae5705aa8a0efe1355121f32bbc69049c6a430a8ee5a28974a71704fd6a72617dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
82978343082461706b8eeedcb6524e16

SHA1
9e9a812ea0b02b1c69309a399e072f7f06cb5a5e

SHA256
b6fdd5ca5be226f5ede73370ae6dd4d950244501f9c3a2b04cc0b1081fc842ec

SHA512
fdb655510817614d94929f02f5ca987f6aa9c1af7e6a63bcfd41b3c7de14976e9c414d502fc0745e9c86e25582d58a54c7b233bc458360e537bd7406642317b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
ddb0c8cbfb947f8c5adc1f1b41f634d6

SHA1
b6797a78da75e46260362b0fb84a6fbc435433c3

SHA256
46b6f8c22624c704d6c17a5e981203c31694321ca59a40eb44d8740e47d65ff1

SHA512
09a144c85f4b64e8b3ae6872e47b042213fd985fb139eecce1e0559972b4120e6ba05ef198c61b1418f9b5b6f35662fc20be46e52187ad6469dec31a61c6e155

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
2966beb5f6efa91b20e2aea93e1cf4bb

SHA1
3bcb66416091a52edf3cbe4eea786d001c22057c

SHA256
3d69f6b0d3003d4446736352f9a6eed779195bb62f3bf1104780f2a56d063a50

SHA512
77755129f97996ed0a6876a9feec05dcfba42a9a693d96845a4e44ddae3b2bc768e379f18862a5ed559a7fc0ce0a0e093af973093cfd9a24ab3a552ca09fa606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0c94274db2743cd9e075b00156244f0e

SHA1
34554c3b68a427d31efe3b70fa21d41aaa9d6aec

SHA256
e3f8d731a4790b2df1e3b2b46ff4138c655f8191cdef7b4246dcb0db247869b5

SHA512
488c8a6100b82cd05f77b5f923316e7fa577a9b1932dfff2bab9bd056d81a4fb731c996ecdc5e2eee3b38629529c8396d2f1df95cce91a988ba89a088bebed59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e0d5316a6f407d8ea57c9ffb0f03dc00

SHA1
ddfa1754adcb25777d161cc0d35e712fcd0e4bc6

SHA256
dd0918d445c941a44ead0e9a0f9f6c3014821822cc83cfd59402b76fbcbc3da1

SHA512
adb6e3bd9466ae9ef46dd89709a281b48d7194cf1ccdff297ce9e3236970eece14fa11628cde4dcd83a3524ec7195990dc66575fafb28b3db8fb0553c5dd6573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e69f27f5dd816d7c2bb835e285752264

SHA1
c46e69aa3b40188fe98738188381155c8a1d2e52

SHA256
74b98dadadb2485c1a7eee540dfef0e4140eea05485156d12417df0af5eb590e

SHA512
81b2783f5ad24217aafc50b4395b171669d5aca5532015d7f4e67042d2ec4f5e94d6877cd61c79dc5ed7357fa31abe840848d46dd7c1dcd200ec452237c5d487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8f56012827b2a423353644c187f90100

SHA1
3026d0e0802f6fd9a59c8ee8bc09eb37d6d683fd

SHA256
18c30766eff5f5ae45e41c1fb2231434fd93ecd9e3084295cfd84f6476396e00

SHA512
6e1d3fced69794576fb8e3a741b7dbda6a6d5b8fc2384c000495948de0c885f001d579bb9711da407a72bc069f4504a2119486c56b9a3ee236e93d5c81e7550b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
f39f68ad28b022767327a296050db152

SHA1
d6ab07a55028733b74535a70944806acf781a2d1

SHA256
02918ed8524d5025b07ced96837341fe9cb8cd2f642dfd8d63a3dd19bc2d0ee7

SHA512
1c2133d24ee6f12495d1fdcb797ab3b17c6a7eb196e21ce0e75ba40dc7f6dfc22f304076088bc8c1c7627e7be5c72a5329ab4ed695be21351dde0217c1dca80f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
0ba21bb30705b993cb0dbb8b6aec4d09

SHA1
5b89d98107039db92aba7f03012635f3b3b72b6b

SHA256
3c8d166391dea2683ffcca5eed741195eb0c38d49e1182b609eb62f405450fe6

SHA512
b03b2bcd467c151c2356538d46992ab76534f294c5ece8127ac54a1f135b08494e001bac6da1364f9ab4862df1eb1bd033deff8e2e22acd274c3cd45dcd300b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5812d7.TMP

Filesize
371B

MD5
81fe5d78f6832aef2464372d69f304a8

SHA1
27b18d81b8f70001e63d7a493dbb82875ba5c1d2

SHA256
38e59790c68a6860717f22ca0d92c69447e507e1ce4145d11a660b1d963adc3f

SHA512
4fab0276b908e7decc38186ead134d45d0e0919f6fd16214b79cd6193c32e8966c4435c116c0a64b30789c06c0c6902e7f22f8126b780bb6b0192eb7ed178863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9793e10182fa528687805ad2b20623f4

SHA1
f0b0572d6810052c80c4de3672e01ec84b01ab6b

SHA256
988c0ec8b0ce55d3126c61104412fc5b9f80ecd3ab9d31a5a89de0b269b6f91b

SHA512
87bbb9e85aa02cbea3b80be0de23a3049bd618904622849a9d6e43dd9916d924b5d0741197b6aa2475c9bec3be1a39d317d61f9bae4aa9f7a6285c6fe19714ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c8d2632867296128c759f0ed2480d22c

SHA1
d42f75205ca9dbd1124884b42b66fd02ae9bec38

SHA256
a944c3d757399a909ce99a566aecac883a3203e44160dab36b52132633fe5f80

SHA512
bae36da1c863414626d918cb9afa1e95c09efb5667d2e68aea9fbd31ef3c85721a76c61b79e3f6cc4820df69282e30243668bbf86f3ab6585e5794f26586878f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS448C29F8\x64\PaintDotNet.Core.dll

Filesize
2.3MB

MD5
a70e63f4eb0221b68639a4a0f7cf4fb0

SHA1
4bd0653d4a0fd8db3cca1fc3f6488ae5ba81b96a

SHA256
1613afa5cdc8cb397977e3d05f137bf7c50156a9f304204040964e0177b02f9c

SHA512
7ef71ac4df60e3c47731c41a41403fb176674090f62b70509cfdbc840f3adc85609c655d8461bb012ac6784d13a6bb8224ab2740d954830cba0324fb295c7e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS448C29F8\x64\PaintDotNet.Framework.dll

Filesize
1.1MB

MD5
187e7fdd1d10378c905254d1606e8c9a

SHA1
88839e000aa4ab9d6fe2aff631a3e5abfb942f19

SHA256
284745171ca433a20bdb26216d137a3aee472beb5856666cda8ac316d1b811e8

SHA512
c50847a03d248b5393a03fcdad2af7fa554c62a0223466d930e6ea3265980aa1d41f225803eb7ace1ed7f1ea385fd8e38b2d463d0b7629a1e760a49a4dd6dbde

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS448C29F8\x64\PaintDotNet.Strings.3.co.resources

Filesize
178KB

MD5
425ef7ba68111ec258a0468f6d800314

SHA1
2b59bb5921c3634722f28033e0d52c57725560f6

SHA256
1819d3637ee8fbe6165ee1e45dc4bb839ccbffd12a29f0acdb606d7cbba57476

SHA512
169d2ee3ad88bf1d219b77d755e4f895412679d7ec3eb41ec7247b79e97fa244e95ae3ea0016bb1c1297a183cc13e71b3b5cc68c34bb2604536ee005da950350

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS448C29F8\x64\SetupFrontEnd.deps.json

Filesize
60KB

MD5
1ef485c7f1494b49e1626f3157c021b5

SHA1
56ea39bc0d6b9eb2fb28bc880b54198b1876f581

SHA256
287362b09598bff6ab981b1986b41acadce44d5fe59b65929a17e3e86fbe018a

SHA512
86b706392bdb4c74aa49639ef4eee51a87ca3cf935e0ed530018ae31170be7d55fb8df1c15132e62aa2141322f42f1349e6344edc0f35de004544b7859084552

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS448C29F8\x64\SetupFrontEnd.dll

Filesize
219KB

MD5
adcc0ec1a6274012b7ce00f90f35f5d3

SHA1
9b4a541e19e8fc723621eda0afec47f81e8f4344

SHA256
577ffda478064ed8ab1e86511d289a13ff7eec9996b080d919f8d4e0443ffa33

SHA512
226e65b95cbdf39e92bcec83a846a40a9546f5567711d867cedd38b1443e19ae22c959d885f85e4ae81b8bcc8540628a451a579538be7787ee2d2ff150fac3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS448C29F8\x64\SetupFrontEnd.exe

Filesize
170KB

MD5
ceaadd8bcdbf2e2d5284a43ace3b3b80

SHA1
fc9f0e392204a94b948b606d7dca71c0e8166b12

SHA256
66b927ad2d3513289b3e8448ccf4e08c3c9a131901a69e324464fb20ca91a99a

SHA512
138994b110565b824cd2529c053b8b223b46a2ea392da2bf0fe0f0d1fa2f68bea08f8afde0ed605e99b64e7c370583ee56c14938ece512ba8be39bf0b4aae7e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS448C29F8\x64\SetupFrontEnd.runtimeconfig.json

Filesize
537B

MD5
311a502395c85c4dd495c5ae3ed9e8c4

SHA1
8eeabb3e7b2101259e7ecf61c11f583168897e3a

SHA256
26584fd178277ecc937602db04ec2716bc836bdca21270f5937b1805dbba14a4

SHA512
6a1ec7986faf841c179af297fcf2c24b50a2a407cccc64b6b25bb45dadae301a2ff26411f556d99ecae6e1a14aaabdaf8bb27f3fc6297c90346d5fa2b44871b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS448C29F8\x64\System.Private.CoreLib.dll

Filesize
11.1MB

MD5
b180dd583d2361a17915cf8c9d04960b

SHA1
54cf747784f83f7a84238135b1a3386eb6adfa3f

SHA256
e895dacc02e823659bb6edd7eafb0e29e5c8e0a0273e27322fc882cf609ff542

SHA512
7d493f43bd5b405c19159017c386f3bfd00bb429b070fb626918e131ce43bf3d7d0278eae0ef2b9ea8be5469d3d7b67236904c27a438dfdd40f9d68aa5c69eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS448C29F8\x64\System.Windows.Forms.dll

Filesize
12.7MB

MD5
fa2bc2e05fbb6ddc0bbe1f6cb938b6a4

SHA1
cc4b81e4b65c57bfcd459726ac88a129f92f5fb8

SHA256
f85b8cf2fe3ccc29280677e1e9461fdb3c75ba5d1a31b373b4d0a20c76cba894

SHA512
ebb7db28d544a63753346ccea16acc36bbca30eae595962b1d13d95161c60e7737ef3db5677a9316071c898a5f05931d8909d0e91fe1cf5a955e5562792d5658

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS448C29F8\x64\clrjit.dll

Filesize
1.5MB

MD5
8b658473a01ffe6e1136cb7ebf56d7c0

SHA1
437d34e38d3ebaab6614c5fe8fa6c47bc7cf3591

SHA256
646a13d60f5a7478de72b1135a518652d9acdd82d4943cb57cf9d1d95ba47681

SHA512
33612685da60fdaa78853703ccd50dc9d0dc071eb01ffe565f7cd96c481ac132b8f955fd6c91d9530efb427b8cc43807792ea2ce0d9a4e5013ba4afebd4539e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS448C29F8\x64\coreclr.dll

Filesize
4.9MB

MD5
615d17308d83b63db00faafd2f43975c

SHA1
4d12ffd6c29057d20b146b81c5aa71ad23d9f99c

SHA256
1ef554db5d359354f6e6c6ebe9c31726e1dd092479dce4be4502e7d031653aa2

SHA512
6687bf6e9c0cc86c4fe400513ce898a79a9b514d99f2b6a371ebf5433aaeab00f1b14fdca1b6ce5bdd10c7b88129eef8713fb4e169cd4d19ee11d52476bb447b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS448C29F8\x64\hostfxr.dll

Filesize
377KB

MD5
b8d57c792c3fc5a405bfae7fdd471ebb

SHA1
d60d1ebf0f554005b7d6b0a6e66ac135aa45ebd9

SHA256
5ba9ded20b1a28daa809f60939543d7893a6f767402da4bd2c9ce57c4641226c

SHA512
c3fdb823a6a8a0bc0fc872f2816b423b1e760d2f0541b8c2ecf3432b284b6e2ee07568e4a841afa2e08d14d3900781c635dac553903ee70a70494073bd93b96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS448C29F8\x64\hostpolicy.dll

Filesize
387KB

MD5
07d32c17cefc890238c9d4c836b21ad3

SHA1
8901bbd735f5366ff77733821fd0bfaee778b453

SHA256
61d3284520ffd8199f68642bbefd84336e35f6ae71ae6b9e4813a80f1bfd099a

SHA512
497ea9f6b59b78fa2dfa11916af53eb0d9e430d73374cde6564558031ef66703b22954d571404adb5957f3e635612c03be66ec872aae47a1de2321f2f078e7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC78E9968\SetupShim.exe

Filesize
152KB

MD5
ed82da8ce63807986d06e19ce59d7869

SHA1
545de4373061d6628c047929147ea3590daed3ec

SHA256
cbaf647f029408fbd79290f6727ce9a3cc4c9bcfac19c74a09981b4bc849a3dc

SHA512
fc78b01952bb23e4b108b493a0e20c157faca263eaeb912ad670a5cb2fe5f6c8e4e075b9cf34299ec3dfa1214acc36bfd34767f33fc31f81d178fcabbd2d698a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC78E9968\x64\SetupDownloader\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC78E9968\x64\SetupDownloader\SetupDownloader.Configuration.json

Filesize
135B

MD5
8ca6779446e31e219589a08769448da2

SHA1
efc2d9e4b0f99daf0333406610d8031a5a8aed2f

SHA256
2b23a17e993b7837a89365cdd328541f58ddfd4ab2b45285058284eee5733613

SHA512
a6a863880835dcca879534ec8a353e2d7fef9c4410edfe41b59bac561492cc6084330c7aad1d2e8a9590b2a3d7551a0b8b6d45ced4d235f01b596d69b593bbf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC78E9968\x64\SetupDownloader\SetupDownloader.exe

Filesize
279KB

MD5
67662d81cc89357be411c8fd981f7333

SHA1
caab54c00eecb39b8818892123dc78369a72e178

SHA256
46b80d6a0c515274dbe615a86441e93eb656683cfe7c48ef80aca4ed5aa9c01e

SHA512
463ec7b8dd9c32ba1ec492d13330c19d5c57ea7000bc83a3c8162bef9354b144b390149bed49807aba251e35a25ae190c537ad6bf46eb1ffe4723ce6be2d5c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC78E9968\x64\SetupDownloader\SetupDownloader.exe.config

Filesize
218B

MD5
59efd5b23c940deca60238b287720310

SHA1
0067c8388dd359af895a1ca854970bdaf4e58f6e

SHA256
907801fc6262ae2e70f9ad104f903e3580f195bbab4ad27d79c9e571da970d86

SHA512
8ed8f6fe3564bdda0bd85752a15e7ec9380df8f366dcef9dedb826e5b62c188000ee79b7cbf61d1c01b7bcab92562a4895794f4ed540e943299973e3dee4270f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\31f55c59-5946-462a-89ee-5295effd4bf9\paint.net.5.0.13.install.x64.exe

Filesize
62.8MB

MD5
a910361558e67a37451c94c284f9e993

SHA1
94a78d4026d5438fd1332a1eebdf38691b2994f2

SHA256
4730c736870f20da06a0a322becfa05eb63e862a7a36385339f54965c911e15a

SHA512
e7112aa39970d080b0872d78559f696d266dd0a67676a1c429c6c3b5dcddb1c4b19b95382a45573e3f7e8d61723e4d2b1080ac0dbf502d41a5b064d5795bc2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log

Filesize
135B

MD5
7012bc9a81e5cfb2ecdd5c0e9173f825

SHA1
42d0c4b771f2a0344c098c73985bef3ae42993a5

SHA256
d91511d6e1a007b52489cf90b622df0b192485c2050915e597e7d6f347c2c9b9

SHA512
0f97c490c0bdcdacc4989ef369a0a42235da2606556577f411d64d79ea54f1e4f83dd61d387fa4dc4ac77c64cdc83d1ad8e9c753eede33f2101152fe10d3e349

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log

Filesize
932B

MD5
5686c07cd9d78c4c06e2bdd258ce472b

SHA1
0091b64ab313868a786e143e7ff5d9e08ed101fd

SHA256
ece7973cee1841222eb2d787db8bbce3cdb99d36f208dd2cba704b9d758b00b9

SHA512
0400cc9fc4549547b3358b36d478fdb0c0b47063ff96d34a2544e21c9812169babf731e1a6dd60fb3cd186c66a9c673c8ff0564f7e7e2fb32e5762c06ad15d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log

Filesize
775B

MD5
60b4e0979edf020d184c0104e59c5448

SHA1
79cd9727efbcfcd3b6b9a7837186d270433350c7

SHA256
3c4a83aa3e6c81c61e8417b90ced2e0aa5fb15be51b6cc4a30c420f8bb547e0f

SHA512
825b69e327c1c12dae3462a4bab933f6403c9dc50cca13cf1bec7c3983fd3cab22fdac2ccc159ef9178bb001ab83ee77d24e84d887559bcf6d4b60dee6f92136

Download Submit
C:\Users\Admin\Downloads\paint.net.5.0.13.install.anycpu.web.zip:Zone.Identifier

Filesize
679B

MD5
c6978e2c26d900086170e2d9ba3caae3

SHA1
32b2409d5b6f43edb419fe616b3c326d45ab43b2

SHA256
b5d3d93e3b8bcff0debda9a6625c373790b454d8568294202ee5e069dac66491

SHA512
6329b9fa17722e6d9e2b7d086043012b3bedac071bf157ab28e96c21ab775350a21d27d30a9f2699d6071bb9124f78ffcdae493f0953ab502330c757db098c55

Download Submit
memory/3100-774-0x000002215EEB0000-0x000002215EEC0000-memory.dmp

Filesize
64KB

Download
memory/3100-426-0x000002215EEC0000-0x000002215EF72000-memory.dmp

Filesize
712KB

Download
memory/3100-424-0x0000022144920000-0x0000022144966000-memory.dmp

Filesize
280KB

Download
memory/3100-427-0x00007FFF046E0000-0x00007FFF051A2000-memory.dmp

Filesize
10.8MB

Download
memory/3100-429-0x0000022144DE0000-0x0000022144E02000-memory.dmp

Filesize
136KB

Download
memory/3100-431-0x000002215EEB0000-0x000002215EEC0000-memory.dmp

Filesize
64KB

Download
memory/3100-773-0x00007FFF046E0000-0x00007FFF051A2000-memory.dmp

Filesize
10.8MB

Download
memory/3100-430-0x000002215EEB0000-0x000002215EEC0000-memory.dmp

Filesize
64KB

Download
memory/3100-1582-0x000002215EEB0000-0x000002215EEC0000-memory.dmp

Filesize
64KB

Download
memory/3100-460-0x000002215F300000-0x000002215F312000-memory.dmp

Filesize
72KB

Download