75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-en-20211208
submitted
25-12-2021 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe68fe5a435d3067c0a5919b369470be.exe
Size

5.4MB
MD5

fe68fe5a435d3067c0a5919b369470be
SHA1

3a87920670f578fe58f2fa485dfa3666939d679a
SHA256

75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38
SHA512

54a0700b97a8c6cb0afd7936a7ef573392270fb330b072d88fcb540e7d65688dde3ada015e0abb1b19361b72617dcd2768f2bdf3c563256cab5ed3aef9688bb3

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

13 876 WScript.exe
14 876 WScript.exe
15 876 WScript.exe
16 876 WScript.exe
Executes dropped EXE 3 IoCs

Processes:

hughoc.exekulmetvp.exeDpEditor.exe

pid process

596 hughoc.exe
1240 kulmetvp.exe
1712 DpEditor.exe

flow	pid	process
13	876	WScript.exe
14	876	WScript.exe
15	876	WScript.exe
16	876	WScript.exe

pid	process
596	hughoc.exe
1240	kulmetvp.exe
1712	DpEditor.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kulmetvp.exehughoc.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	kulmetvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	hughoc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	hughoc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kulmetvp.exe

Loads dropped DLL 10 IoCs

Processes:

fe68fe5a435d3067c0a5919b369470be.exehughoc.exekulmetvp.exeDpEditor.exe

pid	process
800	fe68fe5a435d3067c0a5919b369470be.exe
800	fe68fe5a435d3067c0a5919b369470be.exe
596	hughoc.exe
596	hughoc.exe
800	fe68fe5a435d3067c0a5919b369470be.exe
1240	kulmetvp.exe
1240	kulmetvp.exe
596	hughoc.exe
1712	DpEditor.exe
1712	DpEditor.exe

Themida packer 27 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe	themida
C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe	themida
\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe	themida
C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe	themida
\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe	themida
\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe	themida
\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe	themida
\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe	themida
behavioral1/memory/1240-70-0x0000000000100000-0x000000000077E000-memory.dmp	themida
behavioral1/memory/1240-71-0x0000000000100000-0x000000000077E000-memory.dmp	themida
behavioral1/memory/1240-72-0x0000000000100000-0x000000000077E000-memory.dmp	themida
behavioral1/memory/1240-73-0x0000000000100000-0x000000000077E000-memory.dmp	themida
behavioral1/memory/596-74-0x00000000001F0000-0x00000000008E3000-memory.dmp	themida
behavioral1/memory/596-75-0x00000000001F0000-0x00000000008E3000-memory.dmp	themida
behavioral1/memory/596-77-0x00000000001F0000-0x00000000008E3000-memory.dmp	themida
behavioral1/memory/596-76-0x00000000001F0000-0x00000000008E3000-memory.dmp	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral1/memory/1712-89-0x00000000002B0000-0x00000000009A3000-memory.dmp	themida
behavioral1/memory/1712-88-0x00000000002B0000-0x00000000009A3000-memory.dmp	themida
behavioral1/memory/1712-90-0x00000000002B0000-0x00000000009A3000-memory.dmp	themida
behavioral1/memory/1712-91-0x00000000002B0000-0x00000000009A3000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

DpEditor.exekulmetvp.exehughoc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kulmetvp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hughoc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

kulmetvp.exehughoc.exeDpEditor.exe

pid process

1240 kulmetvp.exe
596 hughoc.exe
1712 DpEditor.exe

flow	ioc
4	ip-api.com

pid	process
1240	kulmetvp.exe
596	hughoc.exe
1712	DpEditor.exe

Drops file in Program Files directory 3 IoCs

Processes:

fe68fe5a435d3067c0a5919b369470be.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	fe68fe5a435d3067c0a5919b369470be.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	fe68fe5a435d3067c0a5919b369470be.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	fe68fe5a435d3067c0a5919b369470be.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kulmetvp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	kulmetvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	kulmetvp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

1712 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

kulmetvp.exehughoc.exeDpEditor.exe

pid process

1240 kulmetvp.exe
596 hughoc.exe
1712 DpEditor.exe

pid	process
1712	DpEditor.exe

pid	process
1240	kulmetvp.exe
596	hughoc.exe
1712	DpEditor.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

fe68fe5a435d3067c0a5919b369470be.exekulmetvp.exehughoc.exe

description	pid	process	target process
PID 800 wrote to memory of 596	800	fe68fe5a435d3067c0a5919b369470be.exe	hughoc.exe
PID 800 wrote to memory of 596	800	fe68fe5a435d3067c0a5919b369470be.exe	hughoc.exe
PID 800 wrote to memory of 596	800	fe68fe5a435d3067c0a5919b369470be.exe	hughoc.exe
PID 800 wrote to memory of 596	800	fe68fe5a435d3067c0a5919b369470be.exe	hughoc.exe
PID 800 wrote to memory of 596	800	fe68fe5a435d3067c0a5919b369470be.exe	hughoc.exe
PID 800 wrote to memory of 596	800	fe68fe5a435d3067c0a5919b369470be.exe	hughoc.exe
PID 800 wrote to memory of 596	800	fe68fe5a435d3067c0a5919b369470be.exe	hughoc.exe
PID 800 wrote to memory of 1240	800	fe68fe5a435d3067c0a5919b369470be.exe	kulmetvp.exe
PID 800 wrote to memory of 1240	800	fe68fe5a435d3067c0a5919b369470be.exe	kulmetvp.exe
PID 800 wrote to memory of 1240	800	fe68fe5a435d3067c0a5919b369470be.exe	kulmetvp.exe
PID 800 wrote to memory of 1240	800	fe68fe5a435d3067c0a5919b369470be.exe	kulmetvp.exe
PID 800 wrote to memory of 1240	800	fe68fe5a435d3067c0a5919b369470be.exe	kulmetvp.exe
PID 800 wrote to memory of 1240	800	fe68fe5a435d3067c0a5919b369470be.exe	kulmetvp.exe
PID 800 wrote to memory of 1240	800	fe68fe5a435d3067c0a5919b369470be.exe	kulmetvp.exe
PID 1240 wrote to memory of 1752	1240	kulmetvp.exe	WScript.exe
PID 1240 wrote to memory of 1752	1240	kulmetvp.exe	WScript.exe
PID 1240 wrote to memory of 1752	1240	kulmetvp.exe	WScript.exe
PID 1240 wrote to memory of 1752	1240	kulmetvp.exe	WScript.exe
PID 1240 wrote to memory of 1752	1240	kulmetvp.exe	WScript.exe
PID 1240 wrote to memory of 1752	1240	kulmetvp.exe	WScript.exe
PID 1240 wrote to memory of 1752	1240	kulmetvp.exe	WScript.exe
PID 596 wrote to memory of 1712	596	hughoc.exe	DpEditor.exe
PID 596 wrote to memory of 1712	596	hughoc.exe	DpEditor.exe
PID 596 wrote to memory of 1712	596	hughoc.exe	DpEditor.exe
PID 596 wrote to memory of 1712	596	hughoc.exe	DpEditor.exe
PID 596 wrote to memory of 1712	596	hughoc.exe	DpEditor.exe
PID 596 wrote to memory of 1712	596	hughoc.exe	DpEditor.exe
PID 596 wrote to memory of 1712	596	hughoc.exe	DpEditor.exe
PID 1240 wrote to memory of 876	1240	kulmetvp.exe	WScript.exe
PID 1240 wrote to memory of 876	1240	kulmetvp.exe	WScript.exe
PID 1240 wrote to memory of 876	1240	kulmetvp.exe	WScript.exe
PID 1240 wrote to memory of 876	1240	kulmetvp.exe	WScript.exe
PID 1240 wrote to memory of 876	1240	kulmetvp.exe	WScript.exe
PID 1240 wrote to memory of 876	1240	kulmetvp.exe	WScript.exe
PID 1240 wrote to memory of 876	1240	kulmetvp.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\fe68fe5a435d3067c0a5919b369470be.exe
"C:\Users\Admin\AppData\Local\Temp\fe68fe5a435d3067c0a5919b369470be.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:800

C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe
"C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:596

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe
"C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beiwpglt.vbs"
3⤵
PID:1752

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lklqokcrude.vbs"
3⤵
- Blocklisted process makes network request
PID:876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\beiwpglt.vbs
MD5
99ffa6c1fb44c1ba1129bf7690bda137

SHA1
2d8500377eb872a6ff844162e415f6f0ebefd551

SHA256
14a3826d2c0592bdf3b27eaabaee50a8d8b00c792b7b55874aa826e4637a24de

SHA512
05165278a99dd67c36b6aba4928fa5c762e8e37ea39777c2f7042f159343097ab73972f1a932d7f34249a34d28ecf7c7411f762e58b5596db2a403038c489247

Download Submit
C:\Users\Admin\AppData\Local\Temp\lklqokcrude.vbs
MD5
0e3ef4db0ed1a23c6f36f33ef4d25848

SHA1
e0fd35f507a8c897c7198f8a93bf931cd1926778

SHA256
9de756c874ad2939e65d1d6db7e64640e2c049933f844fa01c0856715ed12567

SHA512
13a7dd813f09be47c7a7058d0660bd8efd34f2f824279455f7564494f8ef26ddd2f1a711d758fc0687e0cca471a92cf57c888a810ebbd9e65d94541c72159305

Download Submit
C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe
MD5
9062a4db90e132dc070cd970a0321a07

SHA1
bacb274e2603f05edb9d10aa93d8de04531d6e5b

SHA256
39a3e454238f4d20ee0596b28fe2577eb8b3b7bf80181b4aaee4b8a9481ae478

SHA512
167accc76bd4074ae4e8127d6e8bfcd753ab482992de26dc68d94f238d357ce7aafca494b9336a05e16162413e1e10e4e1a2986c41f936724d8fc99521319867

Download Submit
C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe
MD5
9062a4db90e132dc070cd970a0321a07

SHA1
bacb274e2603f05edb9d10aa93d8de04531d6e5b

SHA256
39a3e454238f4d20ee0596b28fe2577eb8b3b7bf80181b4aaee4b8a9481ae478

SHA512
167accc76bd4074ae4e8127d6e8bfcd753ab482992de26dc68d94f238d357ce7aafca494b9336a05e16162413e1e10e4e1a2986c41f936724d8fc99521319867

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
\Users\Admin\AppData\Local\Temp\nstBDE4.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe
MD5
9062a4db90e132dc070cd970a0321a07

SHA1
bacb274e2603f05edb9d10aa93d8de04531d6e5b

SHA256
39a3e454238f4d20ee0596b28fe2577eb8b3b7bf80181b4aaee4b8a9481ae478

SHA512
167accc76bd4074ae4e8127d6e8bfcd753ab482992de26dc68d94f238d357ce7aafca494b9336a05e16162413e1e10e4e1a2986c41f936724d8fc99521319867

Download Submit
\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe
MD5
9062a4db90e132dc070cd970a0321a07

SHA1
bacb274e2603f05edb9d10aa93d8de04531d6e5b

SHA256
39a3e454238f4d20ee0596b28fe2577eb8b3b7bf80181b4aaee4b8a9481ae478

SHA512
167accc76bd4074ae4e8127d6e8bfcd753ab482992de26dc68d94f238d357ce7aafca494b9336a05e16162413e1e10e4e1a2986c41f936724d8fc99521319867

Download Submit
\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe
MD5
9062a4db90e132dc070cd970a0321a07

SHA1
bacb274e2603f05edb9d10aa93d8de04531d6e5b

SHA256
39a3e454238f4d20ee0596b28fe2577eb8b3b7bf80181b4aaee4b8a9481ae478

SHA512
167accc76bd4074ae4e8127d6e8bfcd753ab482992de26dc68d94f238d357ce7aafca494b9336a05e16162413e1e10e4e1a2986c41f936724d8fc99521319867

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
memory/596-74-0x00000000001F0000-0x00000000008E3000-memory.dmp

Filesize
6.9MB

Download
memory/596-75-0x00000000001F0000-0x00000000008E3000-memory.dmp

Filesize
6.9MB

Download
memory/596-77-0x00000000001F0000-0x00000000008E3000-memory.dmp

Filesize
6.9MB

Download
memory/596-76-0x00000000001F0000-0x00000000008E3000-memory.dmp

Filesize
6.9MB

Download
memory/596-57-0x0000000000000000-mapping.dmp

Download
memory/800-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/876-92-0x0000000000000000-mapping.dmp

Download
memory/1240-71-0x0000000000100000-0x000000000077E000-memory.dmp

Filesize
6.5MB

Download
memory/1240-72-0x0000000000100000-0x000000000077E000-memory.dmp

Filesize
6.5MB

Download
memory/1240-70-0x0000000000100000-0x000000000077E000-memory.dmp

Filesize
6.5MB

Download
memory/1240-64-0x0000000000000000-mapping.dmp

Download
memory/1240-73-0x0000000000100000-0x000000000077E000-memory.dmp

Filesize
6.5MB

Download
memory/1712-82-0x0000000000000000-mapping.dmp

Download
memory/1712-89-0x00000000002B0000-0x00000000009A3000-memory.dmp

Filesize
6.9MB

Download
memory/1712-88-0x00000000002B0000-0x00000000009A3000-memory.dmp

Filesize
6.9MB

Download
memory/1712-90-0x00000000002B0000-0x00000000009A3000-memory.dmp

Filesize
6.9MB

Download
memory/1712-91-0x00000000002B0000-0x00000000009A3000-memory.dmp

Filesize
6.9MB

Download
memory/1752-78-0x0000000000000000-mapping.dmp

Download