7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-en-20211014
submitted
06-12-2021 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d19ad5fbe2455393c8b4bf7203754461.exe
Size

5.4MB
MD5

d19ad5fbe2455393c8b4bf7203754461
SHA1

db97f0945094fb160c3f7154d230ed268842a6e8
SHA256

7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c
SHA512

43ee8f5e9b15a6736eff2179e46b8b68c7a968a3b12032356c7b98e3bbff8ccd4fcaf9a62ceba3f8fd0e244de635d90044825b5877e842a6a828fd5bedc1b921

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

13 1060 WScript.exe
14 1060 WScript.exe
15 1060 WScript.exe
16 1060 WScript.exe
Executes dropped EXE 3 IoCs

Processes:

noahic.exepikingvp.exeDpEditor.exe

pid process

112 noahic.exe
1484 pikingvp.exe
1968 DpEditor.exe

flow	pid	process
13	1060	WScript.exe
14	1060	WScript.exe
15	1060	WScript.exe
16	1060	WScript.exe

pid	process
112	noahic.exe
1484	pikingvp.exe
1968	DpEditor.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

pikingvp.exeDpEditor.exenoahic.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	pikingvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	noahic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	noahic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	pikingvp.exe

Loads dropped DLL 10 IoCs

Processes:

d19ad5fbe2455393c8b4bf7203754461.exenoahic.exepikingvp.exeDpEditor.exe

pid	process
268	d19ad5fbe2455393c8b4bf7203754461.exe
268	d19ad5fbe2455393c8b4bf7203754461.exe
112	noahic.exe
112	noahic.exe
268	d19ad5fbe2455393c8b4bf7203754461.exe
1484	pikingvp.exe
1484	pikingvp.exe
112	noahic.exe
1968	DpEditor.exe
1968	DpEditor.exe

Themida packer 27 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe	themida
C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe	themida
C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe	themida
\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe	themida
\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe	themida
\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe	themida
\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe	themida
\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe	themida
behavioral1/memory/1484-71-0x0000000000040000-0x00000000006AB000-memory.dmp	themida
behavioral1/memory/112-73-0x0000000001090000-0x00000000017DC000-memory.dmp	themida
behavioral1/memory/1484-72-0x0000000000040000-0x00000000006AB000-memory.dmp	themida
behavioral1/memory/112-74-0x0000000001090000-0x00000000017DC000-memory.dmp	themida
behavioral1/memory/1484-75-0x0000000000040000-0x00000000006AB000-memory.dmp	themida
behavioral1/memory/1484-76-0x0000000000040000-0x00000000006AB000-memory.dmp	themida
behavioral1/memory/112-78-0x0000000001090000-0x00000000017DC000-memory.dmp	themida
behavioral1/memory/112-77-0x0000000001090000-0x00000000017DC000-memory.dmp	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral1/memory/1968-89-0x0000000000CD0000-0x000000000141C000-memory.dmp	themida
behavioral1/memory/1968-90-0x0000000000CD0000-0x000000000141C000-memory.dmp	themida
behavioral1/memory/1968-91-0x0000000000CD0000-0x000000000141C000-memory.dmp	themida
behavioral1/memory/1968-92-0x0000000000CD0000-0x000000000141C000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

DpEditor.exenoahic.exepikingvp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	noahic.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pikingvp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

pikingvp.exenoahic.exeDpEditor.exe

pid process

1484 pikingvp.exe
112 noahic.exe
1968 DpEditor.exe

flow	ioc
4	ip-api.com

pid	process
1484	pikingvp.exe
112	noahic.exe
1968	DpEditor.exe

Drops file in Program Files directory 3 IoCs

Processes:

d19ad5fbe2455393c8b4bf7203754461.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	d19ad5fbe2455393c8b4bf7203754461.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	d19ad5fbe2455393c8b4bf7203754461.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	d19ad5fbe2455393c8b4bf7203754461.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

pikingvp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	pikingvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	pikingvp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

1968 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

noahic.exepikingvp.exeDpEditor.exe

pid process

112 noahic.exe
1484 pikingvp.exe
1968 DpEditor.exe

pid	process
1968	DpEditor.exe

pid	process
112	noahic.exe
1484	pikingvp.exe
1968	DpEditor.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

d19ad5fbe2455393c8b4bf7203754461.exepikingvp.exenoahic.exe

description	pid	process	target process
PID 268 wrote to memory of 112	268	d19ad5fbe2455393c8b4bf7203754461.exe	noahic.exe
PID 268 wrote to memory of 112	268	d19ad5fbe2455393c8b4bf7203754461.exe	noahic.exe
PID 268 wrote to memory of 112	268	d19ad5fbe2455393c8b4bf7203754461.exe	noahic.exe
PID 268 wrote to memory of 112	268	d19ad5fbe2455393c8b4bf7203754461.exe	noahic.exe
PID 268 wrote to memory of 112	268	d19ad5fbe2455393c8b4bf7203754461.exe	noahic.exe
PID 268 wrote to memory of 112	268	d19ad5fbe2455393c8b4bf7203754461.exe	noahic.exe
PID 268 wrote to memory of 112	268	d19ad5fbe2455393c8b4bf7203754461.exe	noahic.exe
PID 268 wrote to memory of 1484	268	d19ad5fbe2455393c8b4bf7203754461.exe	pikingvp.exe
PID 268 wrote to memory of 1484	268	d19ad5fbe2455393c8b4bf7203754461.exe	pikingvp.exe
PID 268 wrote to memory of 1484	268	d19ad5fbe2455393c8b4bf7203754461.exe	pikingvp.exe
PID 268 wrote to memory of 1484	268	d19ad5fbe2455393c8b4bf7203754461.exe	pikingvp.exe
PID 268 wrote to memory of 1484	268	d19ad5fbe2455393c8b4bf7203754461.exe	pikingvp.exe
PID 268 wrote to memory of 1484	268	d19ad5fbe2455393c8b4bf7203754461.exe	pikingvp.exe
PID 268 wrote to memory of 1484	268	d19ad5fbe2455393c8b4bf7203754461.exe	pikingvp.exe
PID 1484 wrote to memory of 1596	1484	pikingvp.exe	WScript.exe
PID 1484 wrote to memory of 1596	1484	pikingvp.exe	WScript.exe
PID 1484 wrote to memory of 1596	1484	pikingvp.exe	WScript.exe
PID 1484 wrote to memory of 1596	1484	pikingvp.exe	WScript.exe
PID 1484 wrote to memory of 1596	1484	pikingvp.exe	WScript.exe
PID 1484 wrote to memory of 1596	1484	pikingvp.exe	WScript.exe
PID 1484 wrote to memory of 1596	1484	pikingvp.exe	WScript.exe
PID 112 wrote to memory of 1968	112	noahic.exe	DpEditor.exe
PID 112 wrote to memory of 1968	112	noahic.exe	DpEditor.exe
PID 112 wrote to memory of 1968	112	noahic.exe	DpEditor.exe
PID 112 wrote to memory of 1968	112	noahic.exe	DpEditor.exe
PID 112 wrote to memory of 1968	112	noahic.exe	DpEditor.exe
PID 112 wrote to memory of 1968	112	noahic.exe	DpEditor.exe
PID 112 wrote to memory of 1968	112	noahic.exe	DpEditor.exe
PID 1484 wrote to memory of 1060	1484	pikingvp.exe	WScript.exe
PID 1484 wrote to memory of 1060	1484	pikingvp.exe	WScript.exe
PID 1484 wrote to memory of 1060	1484	pikingvp.exe	WScript.exe
PID 1484 wrote to memory of 1060	1484	pikingvp.exe	WScript.exe
PID 1484 wrote to memory of 1060	1484	pikingvp.exe	WScript.exe
PID 1484 wrote to memory of 1060	1484	pikingvp.exe	WScript.exe
PID 1484 wrote to memory of 1060	1484	pikingvp.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\d19ad5fbe2455393c8b4bf7203754461.exe
"C:\Users\Admin\AppData\Local\Temp\d19ad5fbe2455393c8b4bf7203754461.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:268

C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe
"C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:112

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:1968

C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe
"C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eslwexurkyti.vbs"
3⤵
PID:1596

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mphdcms.vbs"
3⤵
- Blocklisted process makes network request
PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eslwexurkyti.vbs
MD5
512db1de1251fc775d5878d471b83be1

SHA1
c08dc70e782ab232ff15a38f8447299582c61f37

SHA256
232abf473d9bee85e45d1d3bc9bde074c26110d4fa9a812b720ddbab0a68f6d0

SHA512
08a69c4ae655200ef8ed5fd39f29709b971f51c7d6f0ecf839e66a1ba4dd178da2b2b15d96e8381e9d3a99ff10bf3ed6457b11c3f84e8fda53e1181e6a2a9953

Download Submit
C:\Users\Admin\AppData\Local\Temp\mphdcms.vbs
MD5
73bc58ade5b6078398b4cef68bcd4baa

SHA1
07caa8a15a748f9aadcf4aa5fe4f1dced15cf89d

SHA256
e47e71c35e6d609401c95a059e0f6d78d6cf124a1ae876fd1b5bc3ed3ccb357c

SHA512
8b01a451b49b91aa27a101e6878084cab4e4f47bd2259e74a899767b00fbe62b7ddf3b7baeaab82ddead4f7c04fcae704521001d44591af810009e92238844eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe
MD5
bea267e61710103a9c4fb93e293fce83

SHA1
33aeb83f904c289d3dc1469981ce3739d4357879

SHA256
afbe8f04f6dfc3b33aeb9fb669d0abd43770ccd7f71cc70f74bb99935bd46ba3

SHA512
c8cfc57b8bae2ac59edc395cb3f2c96ddfaaf2424ee6e2891f62a5e03535adcff628c70d49c41ef0693dae4e55f9fabe41d1b0b39453c51189dbdc4b94346512

Download Submit
C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe
MD5
bea267e61710103a9c4fb93e293fce83

SHA1
33aeb83f904c289d3dc1469981ce3739d4357879

SHA256
afbe8f04f6dfc3b33aeb9fb669d0abd43770ccd7f71cc70f74bb99935bd46ba3

SHA512
c8cfc57b8bae2ac59edc395cb3f2c96ddfaaf2424ee6e2891f62a5e03535adcff628c70d49c41ef0693dae4e55f9fabe41d1b0b39453c51189dbdc4b94346512

Download Submit
C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe
MD5
e0fdcfe02625d8a48acd00ce606b0341

SHA1
f4899424cf6774bf6fab063313343e760b66bb85

SHA256
d0d82aa1c76ee04abc3e80afd330ab7b68f74f45fd658b3f0813fca153d8bf84

SHA512
b6f3a8b2b9fbc50163c2a6224958aecafe72349a71942c7031aa2be65c8d4de2c3cdfabac88a4981047690ae71af0e2e9f111e7fbca0e26f9e488054168ec33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe
MD5
e0fdcfe02625d8a48acd00ce606b0341

SHA1
f4899424cf6774bf6fab063313343e760b66bb85

SHA256
d0d82aa1c76ee04abc3e80afd330ab7b68f74f45fd658b3f0813fca153d8bf84

SHA512
b6f3a8b2b9fbc50163c2a6224958aecafe72349a71942c7031aa2be65c8d4de2c3cdfabac88a4981047690ae71af0e2e9f111e7fbca0e26f9e488054168ec33b

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
bea267e61710103a9c4fb93e293fce83

SHA1
33aeb83f904c289d3dc1469981ce3739d4357879

SHA256
afbe8f04f6dfc3b33aeb9fb669d0abd43770ccd7f71cc70f74bb99935bd46ba3

SHA512
c8cfc57b8bae2ac59edc395cb3f2c96ddfaaf2424ee6e2891f62a5e03535adcff628c70d49c41ef0693dae4e55f9fabe41d1b0b39453c51189dbdc4b94346512

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
bea267e61710103a9c4fb93e293fce83

SHA1
33aeb83f904c289d3dc1469981ce3739d4357879

SHA256
afbe8f04f6dfc3b33aeb9fb669d0abd43770ccd7f71cc70f74bb99935bd46ba3

SHA512
c8cfc57b8bae2ac59edc395cb3f2c96ddfaaf2424ee6e2891f62a5e03535adcff628c70d49c41ef0693dae4e55f9fabe41d1b0b39453c51189dbdc4b94346512

Download Submit
\Users\Admin\AppData\Local\Temp\nstF4BC.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe
MD5
bea267e61710103a9c4fb93e293fce83

SHA1
33aeb83f904c289d3dc1469981ce3739d4357879

SHA256
afbe8f04f6dfc3b33aeb9fb669d0abd43770ccd7f71cc70f74bb99935bd46ba3

SHA512
c8cfc57b8bae2ac59edc395cb3f2c96ddfaaf2424ee6e2891f62a5e03535adcff628c70d49c41ef0693dae4e55f9fabe41d1b0b39453c51189dbdc4b94346512

Download Submit
\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe
MD5
bea267e61710103a9c4fb93e293fce83

SHA1
33aeb83f904c289d3dc1469981ce3739d4357879

SHA256
afbe8f04f6dfc3b33aeb9fb669d0abd43770ccd7f71cc70f74bb99935bd46ba3

SHA512
c8cfc57b8bae2ac59edc395cb3f2c96ddfaaf2424ee6e2891f62a5e03535adcff628c70d49c41ef0693dae4e55f9fabe41d1b0b39453c51189dbdc4b94346512

Download Submit
\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe
MD5
bea267e61710103a9c4fb93e293fce83

SHA1
33aeb83f904c289d3dc1469981ce3739d4357879

SHA256
afbe8f04f6dfc3b33aeb9fb669d0abd43770ccd7f71cc70f74bb99935bd46ba3

SHA512
c8cfc57b8bae2ac59edc395cb3f2c96ddfaaf2424ee6e2891f62a5e03535adcff628c70d49c41ef0693dae4e55f9fabe41d1b0b39453c51189dbdc4b94346512

Download Submit
\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe
MD5
e0fdcfe02625d8a48acd00ce606b0341

SHA1
f4899424cf6774bf6fab063313343e760b66bb85

SHA256
d0d82aa1c76ee04abc3e80afd330ab7b68f74f45fd658b3f0813fca153d8bf84

SHA512
b6f3a8b2b9fbc50163c2a6224958aecafe72349a71942c7031aa2be65c8d4de2c3cdfabac88a4981047690ae71af0e2e9f111e7fbca0e26f9e488054168ec33b

Download Submit
\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe
MD5
e0fdcfe02625d8a48acd00ce606b0341

SHA1
f4899424cf6774bf6fab063313343e760b66bb85

SHA256
d0d82aa1c76ee04abc3e80afd330ab7b68f74f45fd658b3f0813fca153d8bf84

SHA512
b6f3a8b2b9fbc50163c2a6224958aecafe72349a71942c7031aa2be65c8d4de2c3cdfabac88a4981047690ae71af0e2e9f111e7fbca0e26f9e488054168ec33b

Download Submit
\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe
MD5
e0fdcfe02625d8a48acd00ce606b0341

SHA1
f4899424cf6774bf6fab063313343e760b66bb85

SHA256
d0d82aa1c76ee04abc3e80afd330ab7b68f74f45fd658b3f0813fca153d8bf84

SHA512
b6f3a8b2b9fbc50163c2a6224958aecafe72349a71942c7031aa2be65c8d4de2c3cdfabac88a4981047690ae71af0e2e9f111e7fbca0e26f9e488054168ec33b

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
bea267e61710103a9c4fb93e293fce83

SHA1
33aeb83f904c289d3dc1469981ce3739d4357879

SHA256
afbe8f04f6dfc3b33aeb9fb669d0abd43770ccd7f71cc70f74bb99935bd46ba3

SHA512
c8cfc57b8bae2ac59edc395cb3f2c96ddfaaf2424ee6e2891f62a5e03535adcff628c70d49c41ef0693dae4e55f9fabe41d1b0b39453c51189dbdc4b94346512

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
bea267e61710103a9c4fb93e293fce83

SHA1
33aeb83f904c289d3dc1469981ce3739d4357879

SHA256
afbe8f04f6dfc3b33aeb9fb669d0abd43770ccd7f71cc70f74bb99935bd46ba3

SHA512
c8cfc57b8bae2ac59edc395cb3f2c96ddfaaf2424ee6e2891f62a5e03535adcff628c70d49c41ef0693dae4e55f9fabe41d1b0b39453c51189dbdc4b94346512

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
bea267e61710103a9c4fb93e293fce83

SHA1
33aeb83f904c289d3dc1469981ce3739d4357879

SHA256
afbe8f04f6dfc3b33aeb9fb669d0abd43770ccd7f71cc70f74bb99935bd46ba3

SHA512
c8cfc57b8bae2ac59edc395cb3f2c96ddfaaf2424ee6e2891f62a5e03535adcff628c70d49c41ef0693dae4e55f9fabe41d1b0b39453c51189dbdc4b94346512

Download Submit
memory/112-73-0x0000000001090000-0x00000000017DC000-memory.dmp

Filesize
7.3MB

Download
memory/112-58-0x0000000000000000-mapping.dmp

Download
memory/112-74-0x0000000001090000-0x00000000017DC000-memory.dmp

Filesize
7.3MB

Download
memory/112-78-0x0000000001090000-0x00000000017DC000-memory.dmp

Filesize
7.3MB

Download
memory/112-77-0x0000000001090000-0x00000000017DC000-memory.dmp

Filesize
7.3MB

Download
memory/268-55-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/1060-93-0x0000000000000000-mapping.dmp

Download
memory/1484-71-0x0000000000040000-0x00000000006AB000-memory.dmp

Filesize
6.4MB

Download
memory/1484-65-0x0000000000000000-mapping.dmp

Download
memory/1484-76-0x0000000000040000-0x00000000006AB000-memory.dmp

Filesize
6.4MB

Download
memory/1484-75-0x0000000000040000-0x00000000006AB000-memory.dmp

Filesize
6.4MB

Download
memory/1484-72-0x0000000000040000-0x00000000006AB000-memory.dmp

Filesize
6.4MB

Download
memory/1596-79-0x0000000000000000-mapping.dmp

Download
memory/1968-83-0x0000000000000000-mapping.dmp

Download
memory/1968-91-0x0000000000CD0000-0x000000000141C000-memory.dmp

Filesize
7.3MB

Download
memory/1968-92-0x0000000000CD0000-0x000000000141C000-memory.dmp

Filesize
7.3MB

Download
memory/1968-90-0x0000000000CD0000-0x000000000141C000-memory.dmp

Filesize
7.3MB

Download
memory/1968-89-0x0000000000CD0000-0x000000000141C000-memory.dmp

Filesize
7.3MB

Download