96a780f5b7e0a8a780d93beaa88544f03daeb6626f9cd1cc785163120744ecb3

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-en-20211104
submitted
03-12-2021 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8184e6cb56376660cf0756a1adef0671.exe
Size

5.3MB
MD5

8184e6cb56376660cf0756a1adef0671
SHA1

9bc48fddf1fe3eba10fb229723b256a350c66838
SHA256

96a780f5b7e0a8a780d93beaa88544f03daeb6626f9cd1cc785163120744ecb3
SHA512

4b7c7797702d46a825ad8eb27b9f1481b1940e7f9e57ceb687b165fc9b32a2a65f1c96a65b2e8591952ad231f71fbfaf56a22fab3cafe92bf87b8326f56d06a5

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

13 976 WScript.exe
14 976 WScript.exe
15 976 WScript.exe
16 976 WScript.exe
Executes dropped EXE 3 IoCs

Processes:

orchic.exequothavp.exeDpEditor.exe

pid process

1492 orchic.exe
808 quothavp.exe
1712 DpEditor.exe

flow	pid	process
13	976	WScript.exe
14	976	WScript.exe
15	976	WScript.exe
16	976	WScript.exe

pid	process
1492	orchic.exe
808	quothavp.exe
1712	DpEditor.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

orchic.exequothavp.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	orchic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	orchic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	quothavp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	quothavp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe

Loads dropped DLL 10 IoCs

Processes:

8184e6cb56376660cf0756a1adef0671.exeorchic.exequothavp.exeDpEditor.exe

pid	process
1080	8184e6cb56376660cf0756a1adef0671.exe
1080	8184e6cb56376660cf0756a1adef0671.exe
1492	orchic.exe
1492	orchic.exe
1080	8184e6cb56376660cf0756a1adef0671.exe
808	quothavp.exe
808	quothavp.exe
1492	orchic.exe
1712	DpEditor.exe
1712	DpEditor.exe

Themida packer 27 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\shovel\orchic.exe	themida
C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe	themida
\Users\Admin\AppData\Local\Temp\shovel\orchic.exe	themida
\Users\Admin\AppData\Local\Temp\shovel\orchic.exe	themida
C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe	themida
\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe	themida
C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe	themida
\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe	themida
C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe	themida
\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe	themida
behavioral1/memory/1492-71-0x00000000013D0000-0x0000000001AB1000-memory.dmp	themida
behavioral1/memory/1492-72-0x00000000013D0000-0x0000000001AB1000-memory.dmp	themida
behavioral1/memory/808-73-0x0000000000160000-0x0000000000820000-memory.dmp	themida
behavioral1/memory/1492-76-0x00000000013D0000-0x0000000001AB1000-memory.dmp	themida
behavioral1/memory/808-75-0x0000000000160000-0x0000000000820000-memory.dmp	themida
behavioral1/memory/1492-74-0x00000000013D0000-0x0000000001AB1000-memory.dmp	themida
behavioral1/memory/808-77-0x0000000000160000-0x0000000000820000-memory.dmp	themida
behavioral1/memory/808-78-0x0000000000160000-0x0000000000820000-memory.dmp	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral1/memory/1712-89-0x0000000000F20000-0x0000000001601000-memory.dmp	themida
behavioral1/memory/1712-90-0x0000000000F20000-0x0000000001601000-memory.dmp	themida
behavioral1/memory/1712-91-0x0000000000F20000-0x0000000001601000-memory.dmp	themida
behavioral1/memory/1712-92-0x0000000000F20000-0x0000000001601000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

orchic.exequothavp.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	orchic.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	quothavp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

orchic.exequothavp.exeDpEditor.exe

pid process

1492 orchic.exe
808 quothavp.exe
1712 DpEditor.exe

flow	ioc
4	ip-api.com

pid	process
1492	orchic.exe
808	quothavp.exe
1712	DpEditor.exe

Drops file in Program Files directory 3 IoCs

Processes:

8184e6cb56376660cf0756a1adef0671.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	8184e6cb56376660cf0756a1adef0671.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	8184e6cb56376660cf0756a1adef0671.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	8184e6cb56376660cf0756a1adef0671.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

quothavp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	quothavp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	quothavp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

1712 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

orchic.exequothavp.exeDpEditor.exe

pid process

1492 orchic.exe
808 quothavp.exe
1712 DpEditor.exe

pid	process
1712	DpEditor.exe

pid	process
1492	orchic.exe
808	quothavp.exe
1712	DpEditor.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

8184e6cb56376660cf0756a1adef0671.exequothavp.exeorchic.exe

description	pid	process	target process
PID 1080 wrote to memory of 1492	1080	8184e6cb56376660cf0756a1adef0671.exe	orchic.exe
PID 1080 wrote to memory of 1492	1080	8184e6cb56376660cf0756a1adef0671.exe	orchic.exe
PID 1080 wrote to memory of 1492	1080	8184e6cb56376660cf0756a1adef0671.exe	orchic.exe
PID 1080 wrote to memory of 1492	1080	8184e6cb56376660cf0756a1adef0671.exe	orchic.exe
PID 1080 wrote to memory of 1492	1080	8184e6cb56376660cf0756a1adef0671.exe	orchic.exe
PID 1080 wrote to memory of 1492	1080	8184e6cb56376660cf0756a1adef0671.exe	orchic.exe
PID 1080 wrote to memory of 1492	1080	8184e6cb56376660cf0756a1adef0671.exe	orchic.exe
PID 1080 wrote to memory of 808	1080	8184e6cb56376660cf0756a1adef0671.exe	quothavp.exe
PID 1080 wrote to memory of 808	1080	8184e6cb56376660cf0756a1adef0671.exe	quothavp.exe
PID 1080 wrote to memory of 808	1080	8184e6cb56376660cf0756a1adef0671.exe	quothavp.exe
PID 1080 wrote to memory of 808	1080	8184e6cb56376660cf0756a1adef0671.exe	quothavp.exe
PID 1080 wrote to memory of 808	1080	8184e6cb56376660cf0756a1adef0671.exe	quothavp.exe
PID 1080 wrote to memory of 808	1080	8184e6cb56376660cf0756a1adef0671.exe	quothavp.exe
PID 1080 wrote to memory of 808	1080	8184e6cb56376660cf0756a1adef0671.exe	quothavp.exe
PID 808 wrote to memory of 1292	808	quothavp.exe	WScript.exe
PID 808 wrote to memory of 1292	808	quothavp.exe	WScript.exe
PID 808 wrote to memory of 1292	808	quothavp.exe	WScript.exe
PID 808 wrote to memory of 1292	808	quothavp.exe	WScript.exe
PID 808 wrote to memory of 1292	808	quothavp.exe	WScript.exe
PID 808 wrote to memory of 1292	808	quothavp.exe	WScript.exe
PID 808 wrote to memory of 1292	808	quothavp.exe	WScript.exe
PID 1492 wrote to memory of 1712	1492	orchic.exe	DpEditor.exe
PID 1492 wrote to memory of 1712	1492	orchic.exe	DpEditor.exe
PID 1492 wrote to memory of 1712	1492	orchic.exe	DpEditor.exe
PID 1492 wrote to memory of 1712	1492	orchic.exe	DpEditor.exe
PID 1492 wrote to memory of 1712	1492	orchic.exe	DpEditor.exe
PID 1492 wrote to memory of 1712	1492	orchic.exe	DpEditor.exe
PID 1492 wrote to memory of 1712	1492	orchic.exe	DpEditor.exe
PID 808 wrote to memory of 976	808	quothavp.exe	WScript.exe
PID 808 wrote to memory of 976	808	quothavp.exe	WScript.exe
PID 808 wrote to memory of 976	808	quothavp.exe	WScript.exe
PID 808 wrote to memory of 976	808	quothavp.exe	WScript.exe
PID 808 wrote to memory of 976	808	quothavp.exe	WScript.exe
PID 808 wrote to memory of 976	808	quothavp.exe	WScript.exe
PID 808 wrote to memory of 976	808	quothavp.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\8184e6cb56376660cf0756a1adef0671.exe
"C:\Users\Admin\AppData\Local\Temp\8184e6cb56376660cf0756a1adef0671.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe
"C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe
"C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bkuftmt.vbs"
3⤵
PID:1292

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\uumgpmtjuyhy.vbs"
3⤵
- Blocklisted process makes network request
PID:976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bkuftmt.vbs
MD5
698ba06fd158221d3c07270d7f28dc06

SHA1
acc2816ae9d800c051a5a581d2a9ec5563808021

SHA256
5fdcc37e4c9039a585193d81adf23316d1d78d36bfed69d9821fbd6aec889c57

SHA512
1745f1be07db604023a0d6aef02ab39d982766434f0328bdc3a608013d5653ac155f28f96cf4a53c454d58fc3e12ac0d0e0a6608470a19f005c800d97be5f295

Download Submit
C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe
MD5
9316d0e5a1bd9f6813077b3f11d26b6e

SHA1
707e38615d3f4fb54b0d49c9ace51de2f21069de

SHA256
c5dc08f10bf632e34ce1057c6423597141fed6125a5282e0a2d3f3361c75fefb

SHA512
122a19da734bb0a8c0a3cec6c6cda14af7a6fe460f8fe74fb27e9104bef6ceba2cca0f608e5bca52888edbc31c2911ce4aaf7cc644f8bb491e0fbbd51238160f

Download Submit
C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe
MD5
9316d0e5a1bd9f6813077b3f11d26b6e

SHA1
707e38615d3f4fb54b0d49c9ace51de2f21069de

SHA256
c5dc08f10bf632e34ce1057c6423597141fed6125a5282e0a2d3f3361c75fefb

SHA512
122a19da734bb0a8c0a3cec6c6cda14af7a6fe460f8fe74fb27e9104bef6ceba2cca0f608e5bca52888edbc31c2911ce4aaf7cc644f8bb491e0fbbd51238160f

Download Submit
C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe
MD5
b554ac040604842b3f5e186193896f2c

SHA1
b403f2b366d042770080f659227666855f95ef46

SHA256
a3aba366cb6f248137c74919386228c12d1b43faea175e36de7a6261d3ee9d39

SHA512
63d08930078582a20fdf0e1d06a9c36855126f89f39de49a40d2db4a4891997d31fb310eb14f8c34270edf065a0c219efe1f82ea76da7f8227534940765a78ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe
MD5
b554ac040604842b3f5e186193896f2c

SHA1
b403f2b366d042770080f659227666855f95ef46

SHA256
a3aba366cb6f248137c74919386228c12d1b43faea175e36de7a6261d3ee9d39

SHA512
63d08930078582a20fdf0e1d06a9c36855126f89f39de49a40d2db4a4891997d31fb310eb14f8c34270edf065a0c219efe1f82ea76da7f8227534940765a78ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\uumgpmtjuyhy.vbs
MD5
adb8cfb0861cc00b95a31ecc23ff35ba

SHA1
7a825480d57508127586babea69807fe40339d37

SHA256
ce87a936603c3bef0d9b44b266f1bdb56e3f7634cfabe6bb0d863d4b8de55320

SHA512
16667f3b713b8c457b5314c3a5fd2a68333c9b0f0229f321b962d21e3abf8d3b3a046a45a31ded594ba9c06f8c992714c8fb8e172ca2fa2bed4b6963d34b78dc

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
9316d0e5a1bd9f6813077b3f11d26b6e

SHA1
707e38615d3f4fb54b0d49c9ace51de2f21069de

SHA256
c5dc08f10bf632e34ce1057c6423597141fed6125a5282e0a2d3f3361c75fefb

SHA512
122a19da734bb0a8c0a3cec6c6cda14af7a6fe460f8fe74fb27e9104bef6ceba2cca0f608e5bca52888edbc31c2911ce4aaf7cc644f8bb491e0fbbd51238160f

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
9316d0e5a1bd9f6813077b3f11d26b6e

SHA1
707e38615d3f4fb54b0d49c9ace51de2f21069de

SHA256
c5dc08f10bf632e34ce1057c6423597141fed6125a5282e0a2d3f3361c75fefb

SHA512
122a19da734bb0a8c0a3cec6c6cda14af7a6fe460f8fe74fb27e9104bef6ceba2cca0f608e5bca52888edbc31c2911ce4aaf7cc644f8bb491e0fbbd51238160f

Download Submit
\Users\Admin\AppData\Local\Temp\nsiBEDD.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\shovel\orchic.exe
MD5
9316d0e5a1bd9f6813077b3f11d26b6e

SHA1
707e38615d3f4fb54b0d49c9ace51de2f21069de

SHA256
c5dc08f10bf632e34ce1057c6423597141fed6125a5282e0a2d3f3361c75fefb

SHA512
122a19da734bb0a8c0a3cec6c6cda14af7a6fe460f8fe74fb27e9104bef6ceba2cca0f608e5bca52888edbc31c2911ce4aaf7cc644f8bb491e0fbbd51238160f

Download Submit
\Users\Admin\AppData\Local\Temp\shovel\orchic.exe
MD5
9316d0e5a1bd9f6813077b3f11d26b6e

SHA1
707e38615d3f4fb54b0d49c9ace51de2f21069de

SHA256
c5dc08f10bf632e34ce1057c6423597141fed6125a5282e0a2d3f3361c75fefb

SHA512
122a19da734bb0a8c0a3cec6c6cda14af7a6fe460f8fe74fb27e9104bef6ceba2cca0f608e5bca52888edbc31c2911ce4aaf7cc644f8bb491e0fbbd51238160f

Download Submit
\Users\Admin\AppData\Local\Temp\shovel\orchic.exe
MD5
9316d0e5a1bd9f6813077b3f11d26b6e

SHA1
707e38615d3f4fb54b0d49c9ace51de2f21069de

SHA256
c5dc08f10bf632e34ce1057c6423597141fed6125a5282e0a2d3f3361c75fefb

SHA512
122a19da734bb0a8c0a3cec6c6cda14af7a6fe460f8fe74fb27e9104bef6ceba2cca0f608e5bca52888edbc31c2911ce4aaf7cc644f8bb491e0fbbd51238160f

Download Submit
\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe
MD5
b554ac040604842b3f5e186193896f2c

SHA1
b403f2b366d042770080f659227666855f95ef46

SHA256
a3aba366cb6f248137c74919386228c12d1b43faea175e36de7a6261d3ee9d39

SHA512
63d08930078582a20fdf0e1d06a9c36855126f89f39de49a40d2db4a4891997d31fb310eb14f8c34270edf065a0c219efe1f82ea76da7f8227534940765a78ea

Download Submit
\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe
MD5
b554ac040604842b3f5e186193896f2c

SHA1
b403f2b366d042770080f659227666855f95ef46

SHA256
a3aba366cb6f248137c74919386228c12d1b43faea175e36de7a6261d3ee9d39

SHA512
63d08930078582a20fdf0e1d06a9c36855126f89f39de49a40d2db4a4891997d31fb310eb14f8c34270edf065a0c219efe1f82ea76da7f8227534940765a78ea

Download Submit
\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe
MD5
b554ac040604842b3f5e186193896f2c

SHA1
b403f2b366d042770080f659227666855f95ef46

SHA256
a3aba366cb6f248137c74919386228c12d1b43faea175e36de7a6261d3ee9d39

SHA512
63d08930078582a20fdf0e1d06a9c36855126f89f39de49a40d2db4a4891997d31fb310eb14f8c34270edf065a0c219efe1f82ea76da7f8227534940765a78ea

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
9316d0e5a1bd9f6813077b3f11d26b6e

SHA1
707e38615d3f4fb54b0d49c9ace51de2f21069de

SHA256
c5dc08f10bf632e34ce1057c6423597141fed6125a5282e0a2d3f3361c75fefb

SHA512
122a19da734bb0a8c0a3cec6c6cda14af7a6fe460f8fe74fb27e9104bef6ceba2cca0f608e5bca52888edbc31c2911ce4aaf7cc644f8bb491e0fbbd51238160f

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
9316d0e5a1bd9f6813077b3f11d26b6e

SHA1
707e38615d3f4fb54b0d49c9ace51de2f21069de

SHA256
c5dc08f10bf632e34ce1057c6423597141fed6125a5282e0a2d3f3361c75fefb

SHA512
122a19da734bb0a8c0a3cec6c6cda14af7a6fe460f8fe74fb27e9104bef6ceba2cca0f608e5bca52888edbc31c2911ce4aaf7cc644f8bb491e0fbbd51238160f

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
9316d0e5a1bd9f6813077b3f11d26b6e

SHA1
707e38615d3f4fb54b0d49c9ace51de2f21069de

SHA256
c5dc08f10bf632e34ce1057c6423597141fed6125a5282e0a2d3f3361c75fefb

SHA512
122a19da734bb0a8c0a3cec6c6cda14af7a6fe460f8fe74fb27e9104bef6ceba2cca0f608e5bca52888edbc31c2911ce4aaf7cc644f8bb491e0fbbd51238160f

Download Submit
memory/808-73-0x0000000000160000-0x0000000000820000-memory.dmp

Filesize
6.8MB

Download
memory/808-75-0x0000000000160000-0x0000000000820000-memory.dmp

Filesize
6.8MB

Download
memory/808-77-0x0000000000160000-0x0000000000820000-memory.dmp

Filesize
6.8MB

Download
memory/808-78-0x0000000000160000-0x0000000000820000-memory.dmp

Filesize
6.8MB

Download
memory/808-65-0x0000000000000000-mapping.dmp

Download
memory/976-93-0x0000000000000000-mapping.dmp

Download
memory/1080-55-0x0000000075A61000-0x0000000075A63000-memory.dmp

Filesize
8KB

Download
memory/1292-79-0x0000000000000000-mapping.dmp

Download
memory/1492-58-0x0000000000000000-mapping.dmp

Download
memory/1492-74-0x00000000013D0000-0x0000000001AB1000-memory.dmp

Filesize
6.9MB

Download
memory/1492-76-0x00000000013D0000-0x0000000001AB1000-memory.dmp

Filesize
6.9MB

Download
memory/1492-72-0x00000000013D0000-0x0000000001AB1000-memory.dmp

Filesize
6.9MB

Download
memory/1492-71-0x00000000013D0000-0x0000000001AB1000-memory.dmp

Filesize
6.9MB

Download
memory/1712-83-0x0000000000000000-mapping.dmp

Download
memory/1712-89-0x0000000000F20000-0x0000000001601000-memory.dmp

Filesize
6.9MB

Download
memory/1712-90-0x0000000000F20000-0x0000000001601000-memory.dmp

Filesize
6.9MB

Download
memory/1712-91-0x0000000000F20000-0x0000000001601000-memory.dmp

Filesize
6.9MB

Download
memory/1712-92-0x0000000000F20000-0x0000000001601000-memory.dmp

Filesize
6.9MB

Download