0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-en-20211208
submitted
21-12-2021 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e946313323a4fab93d139a9e3861e5ef.exe
Size

5.4MB
MD5

e946313323a4fab93d139a9e3861e5ef
SHA1

19c67ccdfbfc3971d31b5827f185009976072936
SHA256

0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209
SHA512

a85beddb32dbd48b802387b32a856f4fcb91916fcbc099e279c706e9ac553e75e34370a511720c9eee77f436922de71a68e746a5ed002282e13e44a1165b8ed0

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

13 1264 WScript.exe
14 1264 WScript.exe
15 1264 WScript.exe
16 1264 WScript.exe
Executes dropped EXE 3 IoCs

Processes:

napaea.exeoutwitvp.exeDpEditor.exe

pid process

1468 napaea.exe
368 outwitvp.exe
1496 DpEditor.exe

flow	pid	process
13	1264	WScript.exe
14	1264	WScript.exe
15	1264	WScript.exe
16	1264	WScript.exe

pid	process
1468	napaea.exe
368	outwitvp.exe
1496	DpEditor.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

napaea.exeoutwitvp.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	napaea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	napaea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	outwitvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	outwitvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe

Loads dropped DLL 10 IoCs

Processes:

e946313323a4fab93d139a9e3861e5ef.exenapaea.exeoutwitvp.exeDpEditor.exe

pid	process
968	e946313323a4fab93d139a9e3861e5ef.exe
968	e946313323a4fab93d139a9e3861e5ef.exe
1468	napaea.exe
1468	napaea.exe
968	e946313323a4fab93d139a9e3861e5ef.exe
368	outwitvp.exe
368	outwitvp.exe
1468	napaea.exe
1496	DpEditor.exe
1496	DpEditor.exe

Themida packer 27 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\patwin\napaea.exe	themida
C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe	themida
C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe	themida
\Users\Admin\AppData\Local\Temp\patwin\napaea.exe	themida
\Users\Admin\AppData\Local\Temp\patwin\napaea.exe	themida
behavioral1/memory/1468-63-0x00000000012F0000-0x00000000019C6000-memory.dmp	themida
behavioral1/memory/1468-65-0x00000000012F0000-0x00000000019C6000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe	themida
\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe	themida
behavioral1/memory/1468-69-0x00000000012F0000-0x00000000019C6000-memory.dmp	themida
behavioral1/memory/1468-70-0x00000000012F0000-0x00000000019C6000-memory.dmp	themida
\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe	themida
\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe	themida
behavioral1/memory/368-74-0x00000000002F0000-0x00000000009D1000-memory.dmp	themida
behavioral1/memory/368-75-0x00000000002F0000-0x00000000009D1000-memory.dmp	themida
behavioral1/memory/368-76-0x00000000002F0000-0x00000000009D1000-memory.dmp	themida
behavioral1/memory/368-77-0x00000000002F0000-0x00000000009D1000-memory.dmp	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral1/memory/1496-88-0x0000000000FC0000-0x0000000001696000-memory.dmp	themida
behavioral1/memory/1496-89-0x0000000000FC0000-0x0000000001696000-memory.dmp	themida
behavioral1/memory/1496-90-0x0000000000FC0000-0x0000000001696000-memory.dmp	themida
behavioral1/memory/1496-91-0x0000000000FC0000-0x0000000001696000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

napaea.exeoutwitvp.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	napaea.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	outwitvp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

napaea.exeoutwitvp.exeDpEditor.exe

pid process

1468 napaea.exe
368 outwitvp.exe
1496 DpEditor.exe

flow	ioc
4	ip-api.com

pid	process
1468	napaea.exe
368	outwitvp.exe
1496	DpEditor.exe

Drops file in Program Files directory 3 IoCs

Processes:

e946313323a4fab93d139a9e3861e5ef.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	e946313323a4fab93d139a9e3861e5ef.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	e946313323a4fab93d139a9e3861e5ef.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	e946313323a4fab93d139a9e3861e5ef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

outwitvp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	outwitvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	outwitvp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

1496 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

napaea.exeoutwitvp.exeDpEditor.exe

pid process

1468 napaea.exe
368 outwitvp.exe
1496 DpEditor.exe

pid	process
1496	DpEditor.exe

pid	process
1468	napaea.exe
368	outwitvp.exe
1496	DpEditor.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

e946313323a4fab93d139a9e3861e5ef.exeoutwitvp.exenapaea.exe

description	pid	process	target process
PID 968 wrote to memory of 1468	968	e946313323a4fab93d139a9e3861e5ef.exe	napaea.exe
PID 968 wrote to memory of 1468	968	e946313323a4fab93d139a9e3861e5ef.exe	napaea.exe
PID 968 wrote to memory of 1468	968	e946313323a4fab93d139a9e3861e5ef.exe	napaea.exe
PID 968 wrote to memory of 1468	968	e946313323a4fab93d139a9e3861e5ef.exe	napaea.exe
PID 968 wrote to memory of 1468	968	e946313323a4fab93d139a9e3861e5ef.exe	napaea.exe
PID 968 wrote to memory of 1468	968	e946313323a4fab93d139a9e3861e5ef.exe	napaea.exe
PID 968 wrote to memory of 1468	968	e946313323a4fab93d139a9e3861e5ef.exe	napaea.exe
PID 968 wrote to memory of 368	968	e946313323a4fab93d139a9e3861e5ef.exe	outwitvp.exe
PID 968 wrote to memory of 368	968	e946313323a4fab93d139a9e3861e5ef.exe	outwitvp.exe
PID 968 wrote to memory of 368	968	e946313323a4fab93d139a9e3861e5ef.exe	outwitvp.exe
PID 968 wrote to memory of 368	968	e946313323a4fab93d139a9e3861e5ef.exe	outwitvp.exe
PID 968 wrote to memory of 368	968	e946313323a4fab93d139a9e3861e5ef.exe	outwitvp.exe
PID 968 wrote to memory of 368	968	e946313323a4fab93d139a9e3861e5ef.exe	outwitvp.exe
PID 968 wrote to memory of 368	968	e946313323a4fab93d139a9e3861e5ef.exe	outwitvp.exe
PID 368 wrote to memory of 1512	368	outwitvp.exe	WScript.exe
PID 368 wrote to memory of 1512	368	outwitvp.exe	WScript.exe
PID 368 wrote to memory of 1512	368	outwitvp.exe	WScript.exe
PID 368 wrote to memory of 1512	368	outwitvp.exe	WScript.exe
PID 368 wrote to memory of 1512	368	outwitvp.exe	WScript.exe
PID 368 wrote to memory of 1512	368	outwitvp.exe	WScript.exe
PID 368 wrote to memory of 1512	368	outwitvp.exe	WScript.exe
PID 1468 wrote to memory of 1496	1468	napaea.exe	DpEditor.exe
PID 1468 wrote to memory of 1496	1468	napaea.exe	DpEditor.exe
PID 1468 wrote to memory of 1496	1468	napaea.exe	DpEditor.exe
PID 1468 wrote to memory of 1496	1468	napaea.exe	DpEditor.exe
PID 1468 wrote to memory of 1496	1468	napaea.exe	DpEditor.exe
PID 1468 wrote to memory of 1496	1468	napaea.exe	DpEditor.exe
PID 1468 wrote to memory of 1496	1468	napaea.exe	DpEditor.exe
PID 368 wrote to memory of 1264	368	outwitvp.exe	WScript.exe
PID 368 wrote to memory of 1264	368	outwitvp.exe	WScript.exe
PID 368 wrote to memory of 1264	368	outwitvp.exe	WScript.exe
PID 368 wrote to memory of 1264	368	outwitvp.exe	WScript.exe
PID 368 wrote to memory of 1264	368	outwitvp.exe	WScript.exe
PID 368 wrote to memory of 1264	368	outwitvp.exe	WScript.exe
PID 368 wrote to memory of 1264	368	outwitvp.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\e946313323a4fab93d139a9e3861e5ef.exe
"C:\Users\Admin\AppData\Local\Temp\e946313323a4fab93d139a9e3861e5ef.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:968
- C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe
  "C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    PID:1496
- C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe
  "C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tswfpsp.vbs"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vfvvmfa.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe

MD5
75182fea96cd2dea68a23d360fb647c8

SHA1
992c5fe1ac704528a505bb42162a421e3d29b7cb

SHA256
3eca25c6a211415959e59d89e6f8c6a9b1d1c45bfbb9ce8bfc133c66958dc97c

SHA512
649aa18d4303f42fb9b8dc90994f8d40aa45a07f2842edfce1a389c0f1c2510f7828b233b7205e2171e8a147eed7c3a18efd162e060c83ad1f0fbbd3f4a56ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe

MD5
75182fea96cd2dea68a23d360fb647c8

SHA1
992c5fe1ac704528a505bb42162a421e3d29b7cb

SHA256
3eca25c6a211415959e59d89e6f8c6a9b1d1c45bfbb9ce8bfc133c66958dc97c

SHA512
649aa18d4303f42fb9b8dc90994f8d40aa45a07f2842edfce1a389c0f1c2510f7828b233b7205e2171e8a147eed7c3a18efd162e060c83ad1f0fbbd3f4a56ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe

MD5
948b5f54439e4bcfd1c17cb9ae8d1ed3

SHA1
e7236e3cb35a7c9caace5aa7f570dbb2311ba736

SHA256
ee2955c290f9dc1a8026adcced932aaab678f5227f54fddf6a018fc81f7b01de

SHA512
e6fa55501c1f151780d81ccf2db1dcb17953c89fb6fe3b577f9d751c09bd42dc5924ff09e69843fb50f64f96b34d743d6ef1e2c02059b1efd8854ecdbfc40adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe

MD5
948b5f54439e4bcfd1c17cb9ae8d1ed3

SHA1
e7236e3cb35a7c9caace5aa7f570dbb2311ba736

SHA256
ee2955c290f9dc1a8026adcced932aaab678f5227f54fddf6a018fc81f7b01de

SHA512
e6fa55501c1f151780d81ccf2db1dcb17953c89fb6fe3b577f9d751c09bd42dc5924ff09e69843fb50f64f96b34d743d6ef1e2c02059b1efd8854ecdbfc40adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tswfpsp.vbs

MD5
0e6c8a2a201e7cfbbefb15d1ee30eb47

SHA1
8b49a26918a6487f0fd93e4a0bbbf27a03d519a1

SHA256
f5e1f756c3fa50f62057339d434b60f0faea47e85e2c58fc349feae472026190

SHA512
0e5508f5887912a25fb7b965db10897297f06f8f427ed1e1c360457ac27ff37b66e74751e99bb7c486403af76f0858a8638a2573304ca076762086b52da156ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vfvvmfa.vbs

MD5
561d20a33c19e15336d154f972915975

SHA1
2b6fb5b6764c1e85bfdfc21e1295df955b7b28f6

SHA256
81f24da9222ab0d41a3c6efd319fbfa97a56cd1d36ccb5c538eefb94cbd9daf9

SHA512
abf53f178190bfaea9ad6c2c9684b5e697561856bcf264a0b6950c01ca21778e9276bf27df43dc5c7a6e5190aa6030fb12e77959f4e24997729498a0215f9d07

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

MD5
75182fea96cd2dea68a23d360fb647c8

SHA1
992c5fe1ac704528a505bb42162a421e3d29b7cb

SHA256
3eca25c6a211415959e59d89e6f8c6a9b1d1c45bfbb9ce8bfc133c66958dc97c

SHA512
649aa18d4303f42fb9b8dc90994f8d40aa45a07f2842edfce1a389c0f1c2510f7828b233b7205e2171e8a147eed7c3a18efd162e060c83ad1f0fbbd3f4a56ec0

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

MD5
75182fea96cd2dea68a23d360fb647c8

SHA1
992c5fe1ac704528a505bb42162a421e3d29b7cb

SHA256
3eca25c6a211415959e59d89e6f8c6a9b1d1c45bfbb9ce8bfc133c66958dc97c

SHA512
649aa18d4303f42fb9b8dc90994f8d40aa45a07f2842edfce1a389c0f1c2510f7828b233b7205e2171e8a147eed7c3a18efd162e060c83ad1f0fbbd3f4a56ec0

Download Submit
\Users\Admin\AppData\Local\Temp\nsdCC74.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\patwin\napaea.exe

MD5
75182fea96cd2dea68a23d360fb647c8

SHA1
992c5fe1ac704528a505bb42162a421e3d29b7cb

SHA256
3eca25c6a211415959e59d89e6f8c6a9b1d1c45bfbb9ce8bfc133c66958dc97c

SHA512
649aa18d4303f42fb9b8dc90994f8d40aa45a07f2842edfce1a389c0f1c2510f7828b233b7205e2171e8a147eed7c3a18efd162e060c83ad1f0fbbd3f4a56ec0

Download Submit
\Users\Admin\AppData\Local\Temp\patwin\napaea.exe

MD5
75182fea96cd2dea68a23d360fb647c8

SHA1
992c5fe1ac704528a505bb42162a421e3d29b7cb

SHA256
3eca25c6a211415959e59d89e6f8c6a9b1d1c45bfbb9ce8bfc133c66958dc97c

SHA512
649aa18d4303f42fb9b8dc90994f8d40aa45a07f2842edfce1a389c0f1c2510f7828b233b7205e2171e8a147eed7c3a18efd162e060c83ad1f0fbbd3f4a56ec0

Download Submit
\Users\Admin\AppData\Local\Temp\patwin\napaea.exe

MD5
75182fea96cd2dea68a23d360fb647c8

SHA1
992c5fe1ac704528a505bb42162a421e3d29b7cb

SHA256
3eca25c6a211415959e59d89e6f8c6a9b1d1c45bfbb9ce8bfc133c66958dc97c

SHA512
649aa18d4303f42fb9b8dc90994f8d40aa45a07f2842edfce1a389c0f1c2510f7828b233b7205e2171e8a147eed7c3a18efd162e060c83ad1f0fbbd3f4a56ec0

Download Submit
\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe

MD5
948b5f54439e4bcfd1c17cb9ae8d1ed3

SHA1
e7236e3cb35a7c9caace5aa7f570dbb2311ba736

SHA256
ee2955c290f9dc1a8026adcced932aaab678f5227f54fddf6a018fc81f7b01de

SHA512
e6fa55501c1f151780d81ccf2db1dcb17953c89fb6fe3b577f9d751c09bd42dc5924ff09e69843fb50f64f96b34d743d6ef1e2c02059b1efd8854ecdbfc40adf

Download Submit
\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe

MD5
948b5f54439e4bcfd1c17cb9ae8d1ed3

SHA1
e7236e3cb35a7c9caace5aa7f570dbb2311ba736

SHA256
ee2955c290f9dc1a8026adcced932aaab678f5227f54fddf6a018fc81f7b01de

SHA512
e6fa55501c1f151780d81ccf2db1dcb17953c89fb6fe3b577f9d751c09bd42dc5924ff09e69843fb50f64f96b34d743d6ef1e2c02059b1efd8854ecdbfc40adf

Download Submit
\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe

MD5
948b5f54439e4bcfd1c17cb9ae8d1ed3

SHA1
e7236e3cb35a7c9caace5aa7f570dbb2311ba736

SHA256
ee2955c290f9dc1a8026adcced932aaab678f5227f54fddf6a018fc81f7b01de

SHA512
e6fa55501c1f151780d81ccf2db1dcb17953c89fb6fe3b577f9d751c09bd42dc5924ff09e69843fb50f64f96b34d743d6ef1e2c02059b1efd8854ecdbfc40adf

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

MD5
75182fea96cd2dea68a23d360fb647c8

SHA1
992c5fe1ac704528a505bb42162a421e3d29b7cb

SHA256
3eca25c6a211415959e59d89e6f8c6a9b1d1c45bfbb9ce8bfc133c66958dc97c

SHA512
649aa18d4303f42fb9b8dc90994f8d40aa45a07f2842edfce1a389c0f1c2510f7828b233b7205e2171e8a147eed7c3a18efd162e060c83ad1f0fbbd3f4a56ec0

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

MD5
75182fea96cd2dea68a23d360fb647c8

SHA1
992c5fe1ac704528a505bb42162a421e3d29b7cb

SHA256
3eca25c6a211415959e59d89e6f8c6a9b1d1c45bfbb9ce8bfc133c66958dc97c

SHA512
649aa18d4303f42fb9b8dc90994f8d40aa45a07f2842edfce1a389c0f1c2510f7828b233b7205e2171e8a147eed7c3a18efd162e060c83ad1f0fbbd3f4a56ec0

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

MD5
75182fea96cd2dea68a23d360fb647c8

SHA1
992c5fe1ac704528a505bb42162a421e3d29b7cb

SHA256
3eca25c6a211415959e59d89e6f8c6a9b1d1c45bfbb9ce8bfc133c66958dc97c

SHA512
649aa18d4303f42fb9b8dc90994f8d40aa45a07f2842edfce1a389c0f1c2510f7828b233b7205e2171e8a147eed7c3a18efd162e060c83ad1f0fbbd3f4a56ec0

Download Submit
memory/368-74-0x00000000002F0000-0x00000000009D1000-memory.dmp

Filesize
6.9MB

Download
memory/368-66-0x0000000000000000-mapping.dmp

Download
memory/368-76-0x00000000002F0000-0x00000000009D1000-memory.dmp

Filesize
6.9MB

Download
memory/368-77-0x00000000002F0000-0x00000000009D1000-memory.dmp

Filesize
6.9MB

Download
memory/368-75-0x00000000002F0000-0x00000000009D1000-memory.dmp

Filesize
6.9MB

Download
memory/968-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1264-92-0x0000000000000000-mapping.dmp

Download
memory/1468-69-0x00000000012F0000-0x00000000019C6000-memory.dmp

Filesize
6.8MB

Download
memory/1468-70-0x00000000012F0000-0x00000000019C6000-memory.dmp

Filesize
6.8MB

Download
memory/1468-65-0x00000000012F0000-0x00000000019C6000-memory.dmp

Filesize
6.8MB

Download
memory/1468-63-0x00000000012F0000-0x00000000019C6000-memory.dmp

Filesize
6.8MB

Download
memory/1468-57-0x0000000000000000-mapping.dmp

Download
memory/1496-82-0x0000000000000000-mapping.dmp

Download
memory/1496-88-0x0000000000FC0000-0x0000000001696000-memory.dmp

Filesize
6.8MB

Download
memory/1496-89-0x0000000000FC0000-0x0000000001696000-memory.dmp

Filesize
6.8MB

Download
memory/1496-90-0x0000000000FC0000-0x0000000001696000-memory.dmp

Filesize
6.8MB

Download
memory/1496-91-0x0000000000FC0000-0x0000000001696000-memory.dmp

Filesize
6.8MB

Download
memory/1512-78-0x0000000000000000-mapping.dmp

Download