c6aa02a56f11f479f9ae81a74af6cdf1fd8a13ab88e569aa01ab37604bbfc313

Resubmissions

20-12-2021 14:27

211220-rssysabfbl 10

20-12-2021 14:17

211220-rlpmsabehq 10

Analysis

max time kernel
206s
max time network
118s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-12-2021 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3d0d747febe769eff3b01ddf5317fd1.exe
Size

5.3MB
MD5

d3d0d747febe769eff3b01ddf5317fd1
SHA1

c2c9444fe6215578de88ee1d9577d636388d16e3
SHA256

c6aa02a56f11f479f9ae81a74af6cdf1fd8a13ab88e569aa01ab37604bbfc313
SHA512

8c53059e7bfa2e61ad23817083df408ef4be04719eb634e40c487aeb1d62db0ebb43b975c76a33b7ac02b9d8fe5b58d5743f853e5a20e8324e5a054a04b04894

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

13 700 WScript.exe
14 700 WScript.exe
15 700 WScript.exe
16 700 WScript.exe
Executes dropped EXE 3 IoCs

Processes:

napaea.exeoutwitvp.exeDpEditor.exe

pid process

472 napaea.exe
584 outwitvp.exe
1864 DpEditor.exe

flow	pid	process
13	700	WScript.exe
14	700	WScript.exe
15	700	WScript.exe
16	700	WScript.exe

pid	process
472	napaea.exe
584	outwitvp.exe
1864	DpEditor.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

napaea.exeoutwitvp.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	napaea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	outwitvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	outwitvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	napaea.exe

Drops startup file 1 IoCs

Processes:

DpEditor.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nssyncer.lnk DpEditor.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nssyncer.lnk	DpEditor.exe

Loads dropped DLL 11 IoCs

Processes:

d3d0d747febe769eff3b01ddf5317fd1.exenapaea.exeoutwitvp.exeDpEditor.exe

pid	process
1912	d3d0d747febe769eff3b01ddf5317fd1.exe
1912	d3d0d747febe769eff3b01ddf5317fd1.exe
472	napaea.exe
472	napaea.exe
1912	d3d0d747febe769eff3b01ddf5317fd1.exe
584	outwitvp.exe
584	outwitvp.exe
472	napaea.exe
1864	DpEditor.exe
1864	DpEditor.exe
1864	DpEditor.exe

Themida packer 28 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\patwin\napaea.exe	themida
C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe	themida
C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe	themida
\Users\Admin\AppData\Local\Temp\patwin\napaea.exe	themida
\Users\Admin\AppData\Local\Temp\patwin\napaea.exe	themida
\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe	themida
\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe	themida
\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe	themida
behavioral1/memory/472-70-0x00000000001F0000-0x00000000008E6000-memory.dmp	themida
behavioral1/memory/472-71-0x00000000001F0000-0x00000000008E6000-memory.dmp	themida
behavioral1/memory/472-72-0x00000000001F0000-0x00000000008E6000-memory.dmp	themida
behavioral1/memory/584-73-0x0000000000830000-0x0000000000E97000-memory.dmp	themida
behavioral1/memory/472-74-0x00000000001F0000-0x00000000008E6000-memory.dmp	themida
behavioral1/memory/584-75-0x0000000000830000-0x0000000000E97000-memory.dmp	themida
behavioral1/memory/584-76-0x0000000000830000-0x0000000000E97000-memory.dmp	themida
behavioral1/memory/584-77-0x0000000000830000-0x0000000000E97000-memory.dmp	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral1/memory/1864-88-0x0000000000C00000-0x00000000012F6000-memory.dmp	themida
behavioral1/memory/1864-89-0x0000000000C00000-0x00000000012F6000-memory.dmp	themida
behavioral1/memory/1864-90-0x0000000000C00000-0x00000000012F6000-memory.dmp	themida
behavioral1/memory/1864-91-0x0000000000C00000-0x00000000012F6000-memory.dmp	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DpEditor.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NCH Sync Service = "C:\\Users\\Admin\\AppData\\Roaming\\NCH Software\\DrawPad\\DpEditor.exe"	DpEditor.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

outwitvp.exenapaea.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	outwitvp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	napaea.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

outwitvp.exenapaea.exeDpEditor.exe

pid process

584 outwitvp.exe
472 napaea.exe
1864 DpEditor.exe

flow	ioc
4	ip-api.com

pid	process
584	outwitvp.exe
472	napaea.exe
1864	DpEditor.exe

Drops file in Program Files directory 3 IoCs

Processes:

d3d0d747febe769eff3b01ddf5317fd1.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	d3d0d747febe769eff3b01ddf5317fd1.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	d3d0d747febe769eff3b01ddf5317fd1.exe
File created	C:\Program Files (x86)\foler\olader\acppage.dll	d3d0d747febe769eff3b01ddf5317fd1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

outwitvp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	outwitvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	outwitvp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

1864 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

napaea.exeoutwitvp.exeDpEditor.exe

pid process

472 napaea.exe
584 outwitvp.exe
1864 DpEditor.exe

pid	process
1864	DpEditor.exe

pid	process
472	napaea.exe
584	outwitvp.exe
1864	DpEditor.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

d3d0d747febe769eff3b01ddf5317fd1.exeoutwitvp.exenapaea.exe

description	pid	process	target process
PID 1912 wrote to memory of 472	1912	d3d0d747febe769eff3b01ddf5317fd1.exe	napaea.exe
PID 1912 wrote to memory of 472	1912	d3d0d747febe769eff3b01ddf5317fd1.exe	napaea.exe
PID 1912 wrote to memory of 472	1912	d3d0d747febe769eff3b01ddf5317fd1.exe	napaea.exe
PID 1912 wrote to memory of 472	1912	d3d0d747febe769eff3b01ddf5317fd1.exe	napaea.exe
PID 1912 wrote to memory of 472	1912	d3d0d747febe769eff3b01ddf5317fd1.exe	napaea.exe
PID 1912 wrote to memory of 472	1912	d3d0d747febe769eff3b01ddf5317fd1.exe	napaea.exe
PID 1912 wrote to memory of 472	1912	d3d0d747febe769eff3b01ddf5317fd1.exe	napaea.exe
PID 1912 wrote to memory of 584	1912	d3d0d747febe769eff3b01ddf5317fd1.exe	outwitvp.exe
PID 1912 wrote to memory of 584	1912	d3d0d747febe769eff3b01ddf5317fd1.exe	outwitvp.exe
PID 1912 wrote to memory of 584	1912	d3d0d747febe769eff3b01ddf5317fd1.exe	outwitvp.exe
PID 1912 wrote to memory of 584	1912	d3d0d747febe769eff3b01ddf5317fd1.exe	outwitvp.exe
PID 1912 wrote to memory of 584	1912	d3d0d747febe769eff3b01ddf5317fd1.exe	outwitvp.exe
PID 1912 wrote to memory of 584	1912	d3d0d747febe769eff3b01ddf5317fd1.exe	outwitvp.exe
PID 1912 wrote to memory of 584	1912	d3d0d747febe769eff3b01ddf5317fd1.exe	outwitvp.exe
PID 584 wrote to memory of 844	584	outwitvp.exe	WScript.exe
PID 584 wrote to memory of 844	584	outwitvp.exe	WScript.exe
PID 584 wrote to memory of 844	584	outwitvp.exe	WScript.exe
PID 584 wrote to memory of 844	584	outwitvp.exe	WScript.exe
PID 584 wrote to memory of 844	584	outwitvp.exe	WScript.exe
PID 584 wrote to memory of 844	584	outwitvp.exe	WScript.exe
PID 584 wrote to memory of 844	584	outwitvp.exe	WScript.exe
PID 472 wrote to memory of 1864	472	napaea.exe	DpEditor.exe
PID 472 wrote to memory of 1864	472	napaea.exe	DpEditor.exe
PID 472 wrote to memory of 1864	472	napaea.exe	DpEditor.exe
PID 472 wrote to memory of 1864	472	napaea.exe	DpEditor.exe
PID 472 wrote to memory of 1864	472	napaea.exe	DpEditor.exe
PID 472 wrote to memory of 1864	472	napaea.exe	DpEditor.exe
PID 472 wrote to memory of 1864	472	napaea.exe	DpEditor.exe
PID 584 wrote to memory of 700	584	outwitvp.exe	WScript.exe
PID 584 wrote to memory of 700	584	outwitvp.exe	WScript.exe
PID 584 wrote to memory of 700	584	outwitvp.exe	WScript.exe
PID 584 wrote to memory of 700	584	outwitvp.exe	WScript.exe
PID 584 wrote to memory of 700	584	outwitvp.exe	WScript.exe
PID 584 wrote to memory of 700	584	outwitvp.exe	WScript.exe
PID 584 wrote to memory of 700	584	outwitvp.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\d3d0d747febe769eff3b01ddf5317fd1.exe
"C:\Users\Admin\AppData\Local\Temp\d3d0d747febe769eff3b01ddf5317fd1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe
"C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:472

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:1864

C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe
"C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ritigohwqgy.vbs"
3⤵
PID:844

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qbkmbiaeuocj.vbs"
3⤵
- Blocklisted process makes network request
PID:700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe
MD5
af36c20219a8f5fa58d205a9e5db1cc1

SHA1
17356b91dd8292bddea7300c3a9fc1a98fccd11f

SHA256
3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81

SHA512
443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe
MD5
af36c20219a8f5fa58d205a9e5db1cc1

SHA1
17356b91dd8292bddea7300c3a9fc1a98fccd11f

SHA256
3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81

SHA512
443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe
MD5
9baf6cadcbff7a3b885e589d411f8e8a

SHA1
35af631df140d421c0e0d012cbb3a63198e02b9b

SHA256
c0d120c7cd7b3932c62fa85150cb19656fc5801fbc662ac184b283c45e40566b

SHA512
72548c529695d15e4915808261b176cf28eb1ef56f569b38128a2984216013f9793ac31a1a7b156be0386621c26698a1a424e02bd6ffd8d17e9795e71c9b2ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe
MD5
9baf6cadcbff7a3b885e589d411f8e8a

SHA1
35af631df140d421c0e0d012cbb3a63198e02b9b

SHA256
c0d120c7cd7b3932c62fa85150cb19656fc5801fbc662ac184b283c45e40566b

SHA512
72548c529695d15e4915808261b176cf28eb1ef56f569b38128a2984216013f9793ac31a1a7b156be0386621c26698a1a424e02bd6ffd8d17e9795e71c9b2ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbkmbiaeuocj.vbs
MD5
3025a767ac81e6a46948b577360419ef

SHA1
55094ba6fa5be44dc7b3b7676c6332b9442d56e8

SHA256
2a4b0f542e553140ae768e3185628597a1c316b47eb56890caae53ae69e2574f

SHA512
52ba6acc66acb7ac89d80e588a15c3fe1f9387af22d8906d4a793a3a667960a6b963710106e50cb4b4bee4d26fab0ba3242e992e7ed863af38043339366252d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ritigohwqgy.vbs
MD5
0825ca7f7e217be9ce0a3761fe5fa2bc

SHA1
069628d23e0c3ccfda346fca2227397bb677825d

SHA256
857c168a6d24e9135b1f83df874df32bf231cc1c10941ad3a92feeb45760e9ac

SHA512
ff7ac2f3ca9a29ddc849524d5a74ca5665c7a08deaca5a4a836e02d51b501518e37ecdd95616739ef6524d15356f608ef40e736a6d12f3a075cb097ad34c54a4

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
af36c20219a8f5fa58d205a9e5db1cc1

SHA1
17356b91dd8292bddea7300c3a9fc1a98fccd11f

SHA256
3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81

SHA512
443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
af36c20219a8f5fa58d205a9e5db1cc1

SHA1
17356b91dd8292bddea7300c3a9fc1a98fccd11f

SHA256
3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81

SHA512
443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e

Download Submit
\Users\Admin\AppData\Local\Temp\nsnAC18.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\patwin\napaea.exe
MD5
af36c20219a8f5fa58d205a9e5db1cc1

SHA1
17356b91dd8292bddea7300c3a9fc1a98fccd11f

SHA256
3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81

SHA512
443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e

Download Submit
\Users\Admin\AppData\Local\Temp\patwin\napaea.exe
MD5
af36c20219a8f5fa58d205a9e5db1cc1

SHA1
17356b91dd8292bddea7300c3a9fc1a98fccd11f

SHA256
3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81

SHA512
443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e

Download Submit
\Users\Admin\AppData\Local\Temp\patwin\napaea.exe
MD5
af36c20219a8f5fa58d205a9e5db1cc1

SHA1
17356b91dd8292bddea7300c3a9fc1a98fccd11f

SHA256
3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81

SHA512
443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e

Download Submit
\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe
MD5
9baf6cadcbff7a3b885e589d411f8e8a

SHA1
35af631df140d421c0e0d012cbb3a63198e02b9b

SHA256
c0d120c7cd7b3932c62fa85150cb19656fc5801fbc662ac184b283c45e40566b

SHA512
72548c529695d15e4915808261b176cf28eb1ef56f569b38128a2984216013f9793ac31a1a7b156be0386621c26698a1a424e02bd6ffd8d17e9795e71c9b2ed3

Download Submit
\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe
MD5
9baf6cadcbff7a3b885e589d411f8e8a

SHA1
35af631df140d421c0e0d012cbb3a63198e02b9b

SHA256
c0d120c7cd7b3932c62fa85150cb19656fc5801fbc662ac184b283c45e40566b

SHA512
72548c529695d15e4915808261b176cf28eb1ef56f569b38128a2984216013f9793ac31a1a7b156be0386621c26698a1a424e02bd6ffd8d17e9795e71c9b2ed3

Download Submit
\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe
MD5
9baf6cadcbff7a3b885e589d411f8e8a

SHA1
35af631df140d421c0e0d012cbb3a63198e02b9b

SHA256
c0d120c7cd7b3932c62fa85150cb19656fc5801fbc662ac184b283c45e40566b

SHA512
72548c529695d15e4915808261b176cf28eb1ef56f569b38128a2984216013f9793ac31a1a7b156be0386621c26698a1a424e02bd6ffd8d17e9795e71c9b2ed3

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
af36c20219a8f5fa58d205a9e5db1cc1

SHA1
17356b91dd8292bddea7300c3a9fc1a98fccd11f

SHA256
3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81

SHA512
443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
af36c20219a8f5fa58d205a9e5db1cc1

SHA1
17356b91dd8292bddea7300c3a9fc1a98fccd11f

SHA256
3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81

SHA512
443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
af36c20219a8f5fa58d205a9e5db1cc1

SHA1
17356b91dd8292bddea7300c3a9fc1a98fccd11f

SHA256
3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81

SHA512
443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
af36c20219a8f5fa58d205a9e5db1cc1

SHA1
17356b91dd8292bddea7300c3a9fc1a98fccd11f

SHA256
3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81

SHA512
443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e

Download Submit
memory/472-74-0x00000000001F0000-0x00000000008E6000-memory.dmp

Filesize
7.0MB

Download
memory/472-72-0x00000000001F0000-0x00000000008E6000-memory.dmp

Filesize
7.0MB

Download
memory/472-71-0x00000000001F0000-0x00000000008E6000-memory.dmp

Filesize
7.0MB

Download
memory/472-57-0x0000000000000000-mapping.dmp

Download
memory/472-70-0x00000000001F0000-0x00000000008E6000-memory.dmp

Filesize
7.0MB

Download
memory/584-75-0x0000000000830000-0x0000000000E97000-memory.dmp

Filesize
6.4MB

Download
memory/584-76-0x0000000000830000-0x0000000000E97000-memory.dmp

Filesize
6.4MB

Download
memory/584-77-0x0000000000830000-0x0000000000E97000-memory.dmp

Filesize
6.4MB

Download
memory/584-73-0x0000000000830000-0x0000000000E97000-memory.dmp

Filesize
6.4MB

Download
memory/584-64-0x0000000000000000-mapping.dmp

Download
memory/700-92-0x0000000000000000-mapping.dmp

Download
memory/844-78-0x0000000000000000-mapping.dmp

Download
memory/1864-89-0x0000000000C00000-0x00000000012F6000-memory.dmp

Filesize
7.0MB

Download
memory/1864-90-0x0000000000C00000-0x00000000012F6000-memory.dmp

Filesize
7.0MB

Download
memory/1864-91-0x0000000000C00000-0x00000000012F6000-memory.dmp

Filesize
7.0MB

Download
memory/1864-88-0x0000000000C00000-0x00000000012F6000-memory.dmp

Filesize
7.0MB

Download
memory/1864-82-0x0000000000000000-mapping.dmp

Download
memory/1912-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download