3f8974ef9b6a429376d46e082bbb9cb418417f25dcc744837c5b36efaf4c3f35

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-en-20211208
submitted
25-12-2021 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b853012145aabac760af9e9a0fe37b3e.exe
Size

5.5MB
MD5

b853012145aabac760af9e9a0fe37b3e
SHA1

25bdf531d5fafeec8b02d3d2a09dfb5a1340e9c2
SHA256

3f8974ef9b6a429376d46e082bbb9cb418417f25dcc744837c5b36efaf4c3f35
SHA512

c66586730d1fc0751fc71b1e03597a7d6045d347221ed13179b393e8052f6c4050ce7e794861fc9fee2fd2fbc9a39dcb4e33530315b61b35784e487af0f95774

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

13 1772 WScript.exe
14 1772 WScript.exe
15 1772 WScript.exe
16 1772 WScript.exe
Executes dropped EXE 3 IoCs

Processes:

hughoc.exekulmetvp.exeDpEditor.exe

pid process

1176 hughoc.exe
784 kulmetvp.exe
456 DpEditor.exe

flow	pid	process
13	1772	WScript.exe
14	1772	WScript.exe
15	1772	WScript.exe
16	1772	WScript.exe

pid	process
1176	hughoc.exe
784	kulmetvp.exe
456	DpEditor.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kulmetvp.exehughoc.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kulmetvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	kulmetvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	hughoc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	hughoc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe

Loads dropped DLL 10 IoCs

Processes:

b853012145aabac760af9e9a0fe37b3e.exehughoc.exekulmetvp.exeDpEditor.exe

pid	process
960	b853012145aabac760af9e9a0fe37b3e.exe
960	b853012145aabac760af9e9a0fe37b3e.exe
1176	hughoc.exe
1176	hughoc.exe
960	b853012145aabac760af9e9a0fe37b3e.exe
784	kulmetvp.exe
784	kulmetvp.exe
1176	hughoc.exe
456	DpEditor.exe
456	DpEditor.exe

Themida packer 27 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe	themida
C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe	themida
C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe	themida
\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe	themida
\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe	themida
\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe	themida
\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe	themida
\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe	themida
behavioral1/memory/784-70-0x0000000000C40000-0x000000000131A000-memory.dmp	themida
behavioral1/memory/784-71-0x0000000000C40000-0x000000000131A000-memory.dmp	themida
behavioral1/memory/1176-72-0x0000000000A10000-0x00000000010F9000-memory.dmp	themida
behavioral1/memory/784-73-0x0000000000C40000-0x000000000131A000-memory.dmp	themida
behavioral1/memory/1176-74-0x0000000000A10000-0x00000000010F9000-memory.dmp	themida
behavioral1/memory/1176-77-0x0000000000A10000-0x00000000010F9000-memory.dmp	themida
behavioral1/memory/784-75-0x0000000000C40000-0x000000000131A000-memory.dmp	themida
behavioral1/memory/1176-76-0x0000000000A10000-0x00000000010F9000-memory.dmp	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral1/memory/456-88-0x00000000011B0000-0x0000000001899000-memory.dmp	themida
behavioral1/memory/456-89-0x00000000011B0000-0x0000000001899000-memory.dmp	themida
behavioral1/memory/456-90-0x00000000011B0000-0x0000000001899000-memory.dmp	themida
behavioral1/memory/456-91-0x00000000011B0000-0x0000000001899000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

kulmetvp.exehughoc.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kulmetvp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hughoc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

hughoc.exekulmetvp.exeDpEditor.exe

pid process

1176 hughoc.exe
784 kulmetvp.exe
456 DpEditor.exe

flow	ioc
4	ip-api.com

pid	process
1176	hughoc.exe
784	kulmetvp.exe
456	DpEditor.exe

Drops file in Program Files directory 3 IoCs

Processes:

b853012145aabac760af9e9a0fe37b3e.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acledit.dll	b853012145aabac760af9e9a0fe37b3e.exe
File created	C:\Program Files (x86)\foler\olader\acppage.dll	b853012145aabac760af9e9a0fe37b3e.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	b853012145aabac760af9e9a0fe37b3e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kulmetvp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	kulmetvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	kulmetvp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

456 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

kulmetvp.exehughoc.exeDpEditor.exe

pid process

784 kulmetvp.exe
1176 hughoc.exe
456 DpEditor.exe

pid	process
456	DpEditor.exe

pid	process
784	kulmetvp.exe
1176	hughoc.exe
456	DpEditor.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

b853012145aabac760af9e9a0fe37b3e.exekulmetvp.exehughoc.exe

description	pid	process	target process
PID 960 wrote to memory of 1176	960	b853012145aabac760af9e9a0fe37b3e.exe	hughoc.exe
PID 960 wrote to memory of 1176	960	b853012145aabac760af9e9a0fe37b3e.exe	hughoc.exe
PID 960 wrote to memory of 1176	960	b853012145aabac760af9e9a0fe37b3e.exe	hughoc.exe
PID 960 wrote to memory of 1176	960	b853012145aabac760af9e9a0fe37b3e.exe	hughoc.exe
PID 960 wrote to memory of 1176	960	b853012145aabac760af9e9a0fe37b3e.exe	hughoc.exe
PID 960 wrote to memory of 1176	960	b853012145aabac760af9e9a0fe37b3e.exe	hughoc.exe
PID 960 wrote to memory of 1176	960	b853012145aabac760af9e9a0fe37b3e.exe	hughoc.exe
PID 960 wrote to memory of 784	960	b853012145aabac760af9e9a0fe37b3e.exe	kulmetvp.exe
PID 960 wrote to memory of 784	960	b853012145aabac760af9e9a0fe37b3e.exe	kulmetvp.exe
PID 960 wrote to memory of 784	960	b853012145aabac760af9e9a0fe37b3e.exe	kulmetvp.exe
PID 960 wrote to memory of 784	960	b853012145aabac760af9e9a0fe37b3e.exe	kulmetvp.exe
PID 960 wrote to memory of 784	960	b853012145aabac760af9e9a0fe37b3e.exe	kulmetvp.exe
PID 960 wrote to memory of 784	960	b853012145aabac760af9e9a0fe37b3e.exe	kulmetvp.exe
PID 960 wrote to memory of 784	960	b853012145aabac760af9e9a0fe37b3e.exe	kulmetvp.exe
PID 784 wrote to memory of 1536	784	kulmetvp.exe	WScript.exe
PID 784 wrote to memory of 1536	784	kulmetvp.exe	WScript.exe
PID 784 wrote to memory of 1536	784	kulmetvp.exe	WScript.exe
PID 784 wrote to memory of 1536	784	kulmetvp.exe	WScript.exe
PID 784 wrote to memory of 1536	784	kulmetvp.exe	WScript.exe
PID 784 wrote to memory of 1536	784	kulmetvp.exe	WScript.exe
PID 784 wrote to memory of 1536	784	kulmetvp.exe	WScript.exe
PID 1176 wrote to memory of 456	1176	hughoc.exe	DpEditor.exe
PID 1176 wrote to memory of 456	1176	hughoc.exe	DpEditor.exe
PID 1176 wrote to memory of 456	1176	hughoc.exe	DpEditor.exe
PID 1176 wrote to memory of 456	1176	hughoc.exe	DpEditor.exe
PID 1176 wrote to memory of 456	1176	hughoc.exe	DpEditor.exe
PID 1176 wrote to memory of 456	1176	hughoc.exe	DpEditor.exe
PID 1176 wrote to memory of 456	1176	hughoc.exe	DpEditor.exe
PID 784 wrote to memory of 1772	784	kulmetvp.exe	WScript.exe
PID 784 wrote to memory of 1772	784	kulmetvp.exe	WScript.exe
PID 784 wrote to memory of 1772	784	kulmetvp.exe	WScript.exe
PID 784 wrote to memory of 1772	784	kulmetvp.exe	WScript.exe
PID 784 wrote to memory of 1772	784	kulmetvp.exe	WScript.exe
PID 784 wrote to memory of 1772	784	kulmetvp.exe	WScript.exe
PID 784 wrote to memory of 1772	784	kulmetvp.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\b853012145aabac760af9e9a0fe37b3e.exe
"C:\Users\Admin\AppData\Local\Temp\b853012145aabac760af9e9a0fe37b3e.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe
  "C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    PID:456
- C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe
  "C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aopyjai.vbs"
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\suxhpkxe.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aopyjai.vbs

MD5
badc4f454baec0a09629f2e90f03e7a0

SHA1
db7ae30a3fa96bd5e80e37a56fcddc4aeb6c4969

SHA256
34e3c9b2242ba0035a01ccb1bdc92fbb6502584ba521332f80a6e98247a3f391

SHA512
07f448f2411deb0761d0b494dfb0e4d05613ab67280c8434aa419b919640861702952149f509d75096591550d42391fedf3ed921bc0682b9a408f7ee8dde42e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe

MD5
0019785ef16b9d250b3663c51b8df159

SHA1
527fc20c982e535116755d3415acfc397235c21b

SHA256
5f81fe3b07dd7cb4cb007867040928b81b3d5abd8cae2997eeae24d056c12e83

SHA512
d474ef3f4ac5dd8f3456948bc6a484c178f97435958a22849bec056025bc1658d077bbe0d671a5c6c90166b5e15efa3ed95cee819f243d322aa2adafab3f3888

Download Submit
C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe

MD5
0019785ef16b9d250b3663c51b8df159

SHA1
527fc20c982e535116755d3415acfc397235c21b

SHA256
5f81fe3b07dd7cb4cb007867040928b81b3d5abd8cae2997eeae24d056c12e83

SHA512
d474ef3f4ac5dd8f3456948bc6a484c178f97435958a22849bec056025bc1658d077bbe0d671a5c6c90166b5e15efa3ed95cee819f243d322aa2adafab3f3888

Download Submit
C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe

MD5
9dd925d43100d4e9a466cc7d0681213d

SHA1
ba8945827c9aa094b5bcb8cb8aa2d1fad1e74d79

SHA256
82ee9213fbcd132441778404eaf72ff4867eaa78d6d919b4746b3d769d7640cf

SHA512
2677542ff54a2608de9cf35a0fef2383a646c93b7002fb64169fe947fa915d78f4ed5e5fd6dd8471672082db24268cb5c2e87e345afc054f8bb23e7a0fc913a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe

MD5
9dd925d43100d4e9a466cc7d0681213d

SHA1
ba8945827c9aa094b5bcb8cb8aa2d1fad1e74d79

SHA256
82ee9213fbcd132441778404eaf72ff4867eaa78d6d919b4746b3d769d7640cf

SHA512
2677542ff54a2608de9cf35a0fef2383a646c93b7002fb64169fe947fa915d78f4ed5e5fd6dd8471672082db24268cb5c2e87e345afc054f8bb23e7a0fc913a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\suxhpkxe.vbs

MD5
fd296171a25cf6bd57881c0cb56367dc

SHA1
a04fc328843dfa8782910f1d7cb2b193f4e5b157

SHA256
666a0dd7003f5c126660245dc901e7aee1593771b2829ad84cb0f1c67118ba9e

SHA512
1efde3324abd4feba47178d45760da8be2f82f5de24034c3c8e1ed72a5d8dc0d57a9c67c025daa2cc4d49d6dcc7da15ab48fb7ea702605a7f20b1c2c194e5708

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

MD5
0019785ef16b9d250b3663c51b8df159

SHA1
527fc20c982e535116755d3415acfc397235c21b

SHA256
5f81fe3b07dd7cb4cb007867040928b81b3d5abd8cae2997eeae24d056c12e83

SHA512
d474ef3f4ac5dd8f3456948bc6a484c178f97435958a22849bec056025bc1658d077bbe0d671a5c6c90166b5e15efa3ed95cee819f243d322aa2adafab3f3888

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

MD5
0019785ef16b9d250b3663c51b8df159

SHA1
527fc20c982e535116755d3415acfc397235c21b

SHA256
5f81fe3b07dd7cb4cb007867040928b81b3d5abd8cae2997eeae24d056c12e83

SHA512
d474ef3f4ac5dd8f3456948bc6a484c178f97435958a22849bec056025bc1658d077bbe0d671a5c6c90166b5e15efa3ed95cee819f243d322aa2adafab3f3888

Download Submit
\Users\Admin\AppData\Local\Temp\nsnCF70.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe

MD5
0019785ef16b9d250b3663c51b8df159

SHA1
527fc20c982e535116755d3415acfc397235c21b

SHA256
5f81fe3b07dd7cb4cb007867040928b81b3d5abd8cae2997eeae24d056c12e83

SHA512
d474ef3f4ac5dd8f3456948bc6a484c178f97435958a22849bec056025bc1658d077bbe0d671a5c6c90166b5e15efa3ed95cee819f243d322aa2adafab3f3888

Download Submit
\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe

MD5
0019785ef16b9d250b3663c51b8df159

SHA1
527fc20c982e535116755d3415acfc397235c21b

SHA256
5f81fe3b07dd7cb4cb007867040928b81b3d5abd8cae2997eeae24d056c12e83

SHA512
d474ef3f4ac5dd8f3456948bc6a484c178f97435958a22849bec056025bc1658d077bbe0d671a5c6c90166b5e15efa3ed95cee819f243d322aa2adafab3f3888

Download Submit
\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe

MD5
0019785ef16b9d250b3663c51b8df159

SHA1
527fc20c982e535116755d3415acfc397235c21b

SHA256
5f81fe3b07dd7cb4cb007867040928b81b3d5abd8cae2997eeae24d056c12e83

SHA512
d474ef3f4ac5dd8f3456948bc6a484c178f97435958a22849bec056025bc1658d077bbe0d671a5c6c90166b5e15efa3ed95cee819f243d322aa2adafab3f3888

Download Submit
\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe

MD5
9dd925d43100d4e9a466cc7d0681213d

SHA1
ba8945827c9aa094b5bcb8cb8aa2d1fad1e74d79

SHA256
82ee9213fbcd132441778404eaf72ff4867eaa78d6d919b4746b3d769d7640cf

SHA512
2677542ff54a2608de9cf35a0fef2383a646c93b7002fb64169fe947fa915d78f4ed5e5fd6dd8471672082db24268cb5c2e87e345afc054f8bb23e7a0fc913a7

Download Submit
\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe

MD5
9dd925d43100d4e9a466cc7d0681213d

SHA1
ba8945827c9aa094b5bcb8cb8aa2d1fad1e74d79

SHA256
82ee9213fbcd132441778404eaf72ff4867eaa78d6d919b4746b3d769d7640cf

SHA512
2677542ff54a2608de9cf35a0fef2383a646c93b7002fb64169fe947fa915d78f4ed5e5fd6dd8471672082db24268cb5c2e87e345afc054f8bb23e7a0fc913a7

Download Submit
\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe

MD5
9dd925d43100d4e9a466cc7d0681213d

SHA1
ba8945827c9aa094b5bcb8cb8aa2d1fad1e74d79

SHA256
82ee9213fbcd132441778404eaf72ff4867eaa78d6d919b4746b3d769d7640cf

SHA512
2677542ff54a2608de9cf35a0fef2383a646c93b7002fb64169fe947fa915d78f4ed5e5fd6dd8471672082db24268cb5c2e87e345afc054f8bb23e7a0fc913a7

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

MD5
0019785ef16b9d250b3663c51b8df159

SHA1
527fc20c982e535116755d3415acfc397235c21b

SHA256
5f81fe3b07dd7cb4cb007867040928b81b3d5abd8cae2997eeae24d056c12e83

SHA512
d474ef3f4ac5dd8f3456948bc6a484c178f97435958a22849bec056025bc1658d077bbe0d671a5c6c90166b5e15efa3ed95cee819f243d322aa2adafab3f3888

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

MD5
0019785ef16b9d250b3663c51b8df159

SHA1
527fc20c982e535116755d3415acfc397235c21b

SHA256
5f81fe3b07dd7cb4cb007867040928b81b3d5abd8cae2997eeae24d056c12e83

SHA512
d474ef3f4ac5dd8f3456948bc6a484c178f97435958a22849bec056025bc1658d077bbe0d671a5c6c90166b5e15efa3ed95cee819f243d322aa2adafab3f3888

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

MD5
0019785ef16b9d250b3663c51b8df159

SHA1
527fc20c982e535116755d3415acfc397235c21b

SHA256
5f81fe3b07dd7cb4cb007867040928b81b3d5abd8cae2997eeae24d056c12e83

SHA512
d474ef3f4ac5dd8f3456948bc6a484c178f97435958a22849bec056025bc1658d077bbe0d671a5c6c90166b5e15efa3ed95cee819f243d322aa2adafab3f3888

Download Submit
memory/456-82-0x0000000000000000-mapping.dmp

Download
memory/456-88-0x00000000011B0000-0x0000000001899000-memory.dmp

Filesize
6.9MB

Download
memory/456-91-0x00000000011B0000-0x0000000001899000-memory.dmp

Filesize
6.9MB

Download
memory/456-90-0x00000000011B0000-0x0000000001899000-memory.dmp

Filesize
6.9MB

Download
memory/456-89-0x00000000011B0000-0x0000000001899000-memory.dmp

Filesize
6.9MB

Download
memory/784-75-0x0000000000C40000-0x000000000131A000-memory.dmp

Filesize
6.9MB

Download
memory/784-71-0x0000000000C40000-0x000000000131A000-memory.dmp

Filesize
6.9MB

Download
memory/784-73-0x0000000000C40000-0x000000000131A000-memory.dmp

Filesize
6.9MB

Download
memory/784-64-0x0000000000000000-mapping.dmp

Download
memory/784-70-0x0000000000C40000-0x000000000131A000-memory.dmp

Filesize
6.9MB

Download
memory/960-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1176-57-0x0000000000000000-mapping.dmp

Download
memory/1176-77-0x0000000000A10000-0x00000000010F9000-memory.dmp

Filesize
6.9MB

Download
memory/1176-76-0x0000000000A10000-0x00000000010F9000-memory.dmp

Filesize
6.9MB

Download
memory/1176-74-0x0000000000A10000-0x00000000010F9000-memory.dmp

Filesize
6.9MB

Download
memory/1176-72-0x0000000000A10000-0x00000000010F9000-memory.dmp

Filesize
6.9MB

Download
memory/1536-78-0x0000000000000000-mapping.dmp

Download
memory/1772-92-0x0000000000000000-mapping.dmp

Download