75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-en-20211208
submitted
26-12-2021 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FE68FE5A435D3067C0A5919B369470BE.exe
Size

5.4MB
MD5

fe68fe5a435d3067c0a5919b369470be
SHA1

3a87920670f578fe58f2fa485dfa3666939d679a
SHA256

75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38
SHA512

54a0700b97a8c6cb0afd7936a7ef573392270fb330b072d88fcb540e7d65688dde3ada015e0abb1b19361b72617dcd2768f2bdf3c563256cab5ed3aef9688bb3

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

13 1968 WScript.exe
14 1968 WScript.exe
15 1968 WScript.exe
16 1968 WScript.exe
Executes dropped EXE 3 IoCs

Processes:

hughoc.exekulmetvp.exeDpEditor.exe

pid process

1028 hughoc.exe
720 kulmetvp.exe
1872 DpEditor.exe

flow	pid	process
13	1968	WScript.exe
14	1968	WScript.exe
15	1968	WScript.exe
16	1968	WScript.exe

pid	process
1028	hughoc.exe
720	kulmetvp.exe
1872	DpEditor.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kulmetvp.exeDpEditor.exehughoc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kulmetvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	kulmetvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	hughoc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	hughoc.exe

Loads dropped DLL 10 IoCs

Processes:

FE68FE5A435D3067C0A5919B369470BE.exehughoc.exekulmetvp.exeDpEditor.exe

pid	process
944	FE68FE5A435D3067C0A5919B369470BE.exe
944	FE68FE5A435D3067C0A5919B369470BE.exe
1028	hughoc.exe
1028	hughoc.exe
944	FE68FE5A435D3067C0A5919B369470BE.exe
720	kulmetvp.exe
720	kulmetvp.exe
1028	hughoc.exe
1872	DpEditor.exe
1872	DpEditor.exe

Themida packer 27 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe	themida
C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe	themida
\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe	themida
\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe	themida
C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe	themida
\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe	themida
\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe	themida
\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe	themida
behavioral1/memory/1028-70-0x0000000001130000-0x0000000001823000-memory.dmp	themida
behavioral1/memory/1028-71-0x0000000001130000-0x0000000001823000-memory.dmp	themida
behavioral1/memory/1028-72-0x0000000001130000-0x0000000001823000-memory.dmp	themida
behavioral1/memory/1028-73-0x0000000001130000-0x0000000001823000-memory.dmp	themida
behavioral1/memory/720-74-0x0000000000890000-0x0000000000F0E000-memory.dmp	themida
behavioral1/memory/720-75-0x0000000000890000-0x0000000000F0E000-memory.dmp	themida
behavioral1/memory/720-76-0x0000000000890000-0x0000000000F0E000-memory.dmp	themida
behavioral1/memory/720-77-0x0000000000890000-0x0000000000F0E000-memory.dmp	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral1/memory/1872-88-0x0000000000320000-0x0000000000A13000-memory.dmp	themida
behavioral1/memory/1872-89-0x0000000000320000-0x0000000000A13000-memory.dmp	themida
behavioral1/memory/1872-90-0x0000000000320000-0x0000000000A13000-memory.dmp	themida
behavioral1/memory/1872-91-0x0000000000320000-0x0000000000A13000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

hughoc.exekulmetvp.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hughoc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kulmetvp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

hughoc.exekulmetvp.exeDpEditor.exe

pid process

1028 hughoc.exe
720 kulmetvp.exe
1872 DpEditor.exe

flow	ioc
4	ip-api.com

pid	process
1028	hughoc.exe
720	kulmetvp.exe
1872	DpEditor.exe

Drops file in Program Files directory 3 IoCs

Processes:

FE68FE5A435D3067C0A5919B369470BE.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	FE68FE5A435D3067C0A5919B369470BE.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	FE68FE5A435D3067C0A5919B369470BE.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	FE68FE5A435D3067C0A5919B369470BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kulmetvp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	kulmetvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	kulmetvp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

1872 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

hughoc.exekulmetvp.exeDpEditor.exe

pid process

1028 hughoc.exe
720 kulmetvp.exe
1872 DpEditor.exe

pid	process
1872	DpEditor.exe

pid	process
1028	hughoc.exe
720	kulmetvp.exe
1872	DpEditor.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

FE68FE5A435D3067C0A5919B369470BE.exekulmetvp.exehughoc.exe

description	pid	process	target process
PID 944 wrote to memory of 1028	944	FE68FE5A435D3067C0A5919B369470BE.exe	hughoc.exe
PID 944 wrote to memory of 1028	944	FE68FE5A435D3067C0A5919B369470BE.exe	hughoc.exe
PID 944 wrote to memory of 1028	944	FE68FE5A435D3067C0A5919B369470BE.exe	hughoc.exe
PID 944 wrote to memory of 1028	944	FE68FE5A435D3067C0A5919B369470BE.exe	hughoc.exe
PID 944 wrote to memory of 1028	944	FE68FE5A435D3067C0A5919B369470BE.exe	hughoc.exe
PID 944 wrote to memory of 1028	944	FE68FE5A435D3067C0A5919B369470BE.exe	hughoc.exe
PID 944 wrote to memory of 1028	944	FE68FE5A435D3067C0A5919B369470BE.exe	hughoc.exe
PID 944 wrote to memory of 720	944	FE68FE5A435D3067C0A5919B369470BE.exe	kulmetvp.exe
PID 944 wrote to memory of 720	944	FE68FE5A435D3067C0A5919B369470BE.exe	kulmetvp.exe
PID 944 wrote to memory of 720	944	FE68FE5A435D3067C0A5919B369470BE.exe	kulmetvp.exe
PID 944 wrote to memory of 720	944	FE68FE5A435D3067C0A5919B369470BE.exe	kulmetvp.exe
PID 944 wrote to memory of 720	944	FE68FE5A435D3067C0A5919B369470BE.exe	kulmetvp.exe
PID 944 wrote to memory of 720	944	FE68FE5A435D3067C0A5919B369470BE.exe	kulmetvp.exe
PID 944 wrote to memory of 720	944	FE68FE5A435D3067C0A5919B369470BE.exe	kulmetvp.exe
PID 720 wrote to memory of 612	720	kulmetvp.exe	WScript.exe
PID 720 wrote to memory of 612	720	kulmetvp.exe	WScript.exe
PID 720 wrote to memory of 612	720	kulmetvp.exe	WScript.exe
PID 720 wrote to memory of 612	720	kulmetvp.exe	WScript.exe
PID 720 wrote to memory of 612	720	kulmetvp.exe	WScript.exe
PID 720 wrote to memory of 612	720	kulmetvp.exe	WScript.exe
PID 720 wrote to memory of 612	720	kulmetvp.exe	WScript.exe
PID 1028 wrote to memory of 1872	1028	hughoc.exe	DpEditor.exe
PID 1028 wrote to memory of 1872	1028	hughoc.exe	DpEditor.exe
PID 1028 wrote to memory of 1872	1028	hughoc.exe	DpEditor.exe
PID 1028 wrote to memory of 1872	1028	hughoc.exe	DpEditor.exe
PID 1028 wrote to memory of 1872	1028	hughoc.exe	DpEditor.exe
PID 1028 wrote to memory of 1872	1028	hughoc.exe	DpEditor.exe
PID 1028 wrote to memory of 1872	1028	hughoc.exe	DpEditor.exe
PID 720 wrote to memory of 1968	720	kulmetvp.exe	WScript.exe
PID 720 wrote to memory of 1968	720	kulmetvp.exe	WScript.exe
PID 720 wrote to memory of 1968	720	kulmetvp.exe	WScript.exe
PID 720 wrote to memory of 1968	720	kulmetvp.exe	WScript.exe
PID 720 wrote to memory of 1968	720	kulmetvp.exe	WScript.exe
PID 720 wrote to memory of 1968	720	kulmetvp.exe	WScript.exe
PID 720 wrote to memory of 1968	720	kulmetvp.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\FE68FE5A435D3067C0A5919B369470BE.exe
"C:\Users\Admin\AppData\Local\Temp\FE68FE5A435D3067C0A5919B369470BE.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe
"C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:1872

C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe
"C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:720

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\akujqgvq.vbs"
3⤵
PID:612

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\viedltfgjwin.vbs"
3⤵
- Blocklisted process makes network request
PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\akujqgvq.vbs
MD5
9f99249769a4725dc8e76d3a02272059

SHA1
a5016e51537371039409d870c848acb631732c2a

SHA256
f0ac159d7217f21a23c5d5d7d6e5dde1b036a1fc9887f30f9c55aa892a3034bf

SHA512
e97fa7383a56d7456adfd75b1809c32be873a57762865bdda5ea6ff2647cac24b3016506b349e54640754d649e47d96078da31553dc76c2b04f485c7594cb648

Download Submit
C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe
MD5
9062a4db90e132dc070cd970a0321a07

SHA1
bacb274e2603f05edb9d10aa93d8de04531d6e5b

SHA256
39a3e454238f4d20ee0596b28fe2577eb8b3b7bf80181b4aaee4b8a9481ae478

SHA512
167accc76bd4074ae4e8127d6e8bfcd753ab482992de26dc68d94f238d357ce7aafca494b9336a05e16162413e1e10e4e1a2986c41f936724d8fc99521319867

Download Submit
C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe
MD5
9062a4db90e132dc070cd970a0321a07

SHA1
bacb274e2603f05edb9d10aa93d8de04531d6e5b

SHA256
39a3e454238f4d20ee0596b28fe2577eb8b3b7bf80181b4aaee4b8a9481ae478

SHA512
167accc76bd4074ae4e8127d6e8bfcd753ab482992de26dc68d94f238d357ce7aafca494b9336a05e16162413e1e10e4e1a2986c41f936724d8fc99521319867

Download Submit
C:\Users\Admin\AppData\Local\Temp\viedltfgjwin.vbs
MD5
f56f3005f38b185c43a5a6da39ffd4a4

SHA1
ac1d0e83feaea75bd6af2cd216973b5c9317bf2a

SHA256
80a956e6431c2894a608d2ff43ce8a3b24566d3198f63d70295f4fc86da363cd

SHA512
2af0e3c00c1c41f815e3b9096a78bc347554a18934683ab5ad7267aa1180ff0a9f9e90ccff9731d41fc86efb1312fa1586bda57703ca922def94ade3d359b71a

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
\Users\Admin\AppData\Local\Temp\nsiD9FB.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe
MD5
9062a4db90e132dc070cd970a0321a07

SHA1
bacb274e2603f05edb9d10aa93d8de04531d6e5b

SHA256
39a3e454238f4d20ee0596b28fe2577eb8b3b7bf80181b4aaee4b8a9481ae478

SHA512
167accc76bd4074ae4e8127d6e8bfcd753ab482992de26dc68d94f238d357ce7aafca494b9336a05e16162413e1e10e4e1a2986c41f936724d8fc99521319867

Download Submit
\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe
MD5
9062a4db90e132dc070cd970a0321a07

SHA1
bacb274e2603f05edb9d10aa93d8de04531d6e5b

SHA256
39a3e454238f4d20ee0596b28fe2577eb8b3b7bf80181b4aaee4b8a9481ae478

SHA512
167accc76bd4074ae4e8127d6e8bfcd753ab482992de26dc68d94f238d357ce7aafca494b9336a05e16162413e1e10e4e1a2986c41f936724d8fc99521319867

Download Submit
\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe
MD5
9062a4db90e132dc070cd970a0321a07

SHA1
bacb274e2603f05edb9d10aa93d8de04531d6e5b

SHA256
39a3e454238f4d20ee0596b28fe2577eb8b3b7bf80181b4aaee4b8a9481ae478

SHA512
167accc76bd4074ae4e8127d6e8bfcd753ab482992de26dc68d94f238d357ce7aafca494b9336a05e16162413e1e10e4e1a2986c41f936724d8fc99521319867

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
cdc30e8f1b8cad5f1f32b15bebab91c7

SHA1
d83dbbda1edc163de1fc423ac25d32a73737b039

SHA256
6d92ca52403244434264a0ab79ec968142c94947d571c65dc3f35c72df0f2d05

SHA512
3421945e29d0e35b06f0fbb3fe5160eb69cbe82fd0a27be949e1792c3bba90b9b3168d241757cb495604b994f4220fec4cd164718bfdecbde4fafc5a3960c7ad

Download Submit
memory/612-78-0x0000000000000000-mapping.dmp

Download
memory/720-64-0x0000000000000000-mapping.dmp

Download
memory/720-76-0x0000000000890000-0x0000000000F0E000-memory.dmp

Filesize
6.5MB

Download
memory/720-77-0x0000000000890000-0x0000000000F0E000-memory.dmp

Filesize
6.5MB

Download
memory/720-75-0x0000000000890000-0x0000000000F0E000-memory.dmp

Filesize
6.5MB

Download
memory/720-74-0x0000000000890000-0x0000000000F0E000-memory.dmp

Filesize
6.5MB

Download
memory/944-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1028-70-0x0000000001130000-0x0000000001823000-memory.dmp

Filesize
6.9MB

Download
memory/1028-72-0x0000000001130000-0x0000000001823000-memory.dmp

Filesize
6.9MB

Download
memory/1028-71-0x0000000001130000-0x0000000001823000-memory.dmp

Filesize
6.9MB

Download
memory/1028-73-0x0000000001130000-0x0000000001823000-memory.dmp

Filesize
6.9MB

Download
memory/1028-57-0x0000000000000000-mapping.dmp

Download
memory/1872-82-0x0000000000000000-mapping.dmp

Download
memory/1872-88-0x0000000000320000-0x0000000000A13000-memory.dmp

Filesize
6.9MB

Download
memory/1872-89-0x0000000000320000-0x0000000000A13000-memory.dmp

Filesize
6.9MB

Download
memory/1872-90-0x0000000000320000-0x0000000000A13000-memory.dmp

Filesize
6.9MB

Download
memory/1872-91-0x0000000000320000-0x0000000000A13000-memory.dmp

Filesize
6.9MB

Download
memory/1968-92-0x0000000000000000-mapping.dmp

Download