a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196

Analysis

max time kernel
157s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
15-02-2022 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
Size

3.1MB
MD5

a04867c5f9d320599b65764601f975e2
SHA1

6a8377a8b63d8dbaa32c8595c899694a86c4a527
SHA256

a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196
SHA512

c908c0436a6d50a41f26e701f96d3e85fc23ae44c98ef747d6e21d50239c8d41930fea7aefd9178a07bd5372f180a0db0261252f4f7625660a158d207fc0c2f4

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

50 4400 WScript.exe
Executes dropped EXE 3 IoCs

Processes:

clayer.exeforbarvp.exeDpEditor.exe

pid process

1696 clayer.exe
2208 forbarvp.exe
4256 DpEditor.exe

flow	pid	process
50	4400	WScript.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

forbarvp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	forbarvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	forbarvp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

forbarvp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	forbarvp.exe

Loads dropped DLL 1 IoCs

Processes:

a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe

pid process

2380 a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe

pid	process
2380	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe	themida
behavioral2/memory/2208-135-0x0000000000D40000-0x000000000140B000-memory.dmp	themida
behavioral2/memory/2208-136-0x0000000000D40000-0x000000000140B000-memory.dmp	themida
behavioral2/memory/2208-138-0x0000000000D40000-0x000000000140B000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

forbarvp.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA forbarvp.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

forbarvp.exe

pid process

2208 forbarvp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	forbarvp.exe

flow	ioc
16	ip-api.com

pid	process
2208	forbarvp.exe

Drops file in Program Files directory 3 IoCs

Processes:

a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe

Drops file in Windows directory 8 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

forbarvp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	forbarvp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	forbarvp.exe

Modifies registry class 1 IoCs

Processes:

forbarvp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings forbarvp.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

4256 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

forbarvp.exe

pid process

2208 forbarvp.exe
2208 forbarvp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	forbarvp.exe

pid	process
4256	DpEditor.exe

pid	process
2208	forbarvp.exe
2208	forbarvp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	2392	svchost.exe
Token: SeCreatePagefilePrivilege	2392	svchost.exe
Token: SeShutdownPrivilege	2392	svchost.exe
Token: SeCreatePagefilePrivilege	2392	svchost.exe
Token: SeShutdownPrivilege	2392	svchost.exe
Token: SeCreatePagefilePrivilege	2392	svchost.exe
Token: SeSecurityPrivilege	4312	TiWorker.exe
Token: SeRestorePrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe
Token: SeRestorePrivilege	4312	TiWorker.exe
Token: SeSecurityPrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe
Token: SeRestorePrivilege	4312	TiWorker.exe
Token: SeSecurityPrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe
Token: SeRestorePrivilege	4312	TiWorker.exe
Token: SeSecurityPrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe
Token: SeRestorePrivilege	4312	TiWorker.exe
Token: SeSecurityPrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe
Token: SeRestorePrivilege	4312	TiWorker.exe
Token: SeSecurityPrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe
Token: SeRestorePrivilege	4312	TiWorker.exe
Token: SeSecurityPrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe
Token: SeRestorePrivilege	4312	TiWorker.exe
Token: SeSecurityPrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe
Token: SeRestorePrivilege	4312	TiWorker.exe
Token: SeSecurityPrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe
Token: SeRestorePrivilege	4312	TiWorker.exe
Token: SeSecurityPrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe
Token: SeRestorePrivilege	4312	TiWorker.exe
Token: SeSecurityPrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe
Token: SeRestorePrivilege	4312	TiWorker.exe
Token: SeSecurityPrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe
Token: SeRestorePrivilege	4312	TiWorker.exe
Token: SeSecurityPrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe
Token: SeRestorePrivilege	4312	TiWorker.exe
Token: SeSecurityPrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe
Token: SeRestorePrivilege	4312	TiWorker.exe
Token: SeSecurityPrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe
Token: SeRestorePrivilege	4312	TiWorker.exe
Token: SeSecurityPrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe
Token: SeRestorePrivilege	4312	TiWorker.exe
Token: SeSecurityPrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe
Token: SeRestorePrivilege	4312	TiWorker.exe
Token: SeSecurityPrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe
Token: SeRestorePrivilege	4312	TiWorker.exe
Token: SeSecurityPrivilege	4312	TiWorker.exe
Token: SeBackupPrivilege	4312	TiWorker.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

clayer.exe

pid	process
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

clayer.exe

pid	process
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe
1696	clayer.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exeforbarvp.execlayer.exe

description	pid	process	target process
PID 2380 wrote to memory of 1696	2380	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	clayer.exe
PID 2380 wrote to memory of 1696	2380	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	clayer.exe
PID 2380 wrote to memory of 1696	2380	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	clayer.exe
PID 2380 wrote to memory of 2208	2380	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	forbarvp.exe
PID 2380 wrote to memory of 2208	2380	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	forbarvp.exe
PID 2380 wrote to memory of 2208	2380	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	forbarvp.exe
PID 2208 wrote to memory of 3396	2208	forbarvp.exe	WScript.exe
PID 2208 wrote to memory of 3396	2208	forbarvp.exe	WScript.exe
PID 2208 wrote to memory of 3396	2208	forbarvp.exe	WScript.exe
PID 1696 wrote to memory of 4256	1696	clayer.exe	DpEditor.exe
PID 1696 wrote to memory of 4256	1696	clayer.exe	DpEditor.exe
PID 1696 wrote to memory of 4256	1696	clayer.exe	DpEditor.exe
PID 2208 wrote to memory of 4400	2208	forbarvp.exe	WScript.exe
PID 2208 wrote to memory of 4400	2208	forbarvp.exe	WScript.exe
PID 2208 wrote to memory of 4400	2208	forbarvp.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
"C:\Users\Admin\AppData\Local\Temp\a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2380

C:\Users\Admin\AppData\Local\Temp\hempen\clayer.exe
"C:\Users\Admin\AppData\Local\Temp\hempen\clayer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:4256

C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe
"C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\snkmuyv.vbs"
3⤵
PID:3396

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mtpvwynmef.vbs"
3⤵
- Blocklisted process makes network request
PID:4400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
45b54f39adcc2ad93fc2807ddd2510a2

SHA1
7c9eb0e0541977bb484d23ca1ddf56a0bf064f97

SHA256
5c770e06100a5b8e6ac92b55f1d1f9de2179a6c1edc923e919b8a91355a06857

SHA512
7555792a11a71460930a02461c8fc72e31d56dd01d2fb448664a0e3749e609192b343c1636ad61d2de60b220b62233bc633b0223c4a97e0ee3bed3feb512c6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\hempen\clayer.exe
MD5
a9b07ab88765c14f3a37ddaa3548bbea

SHA1
64e57975e760302e17ef0821e208d178035d0d1c

SHA256
8f6ac9c6b7c5b8012b5d47f5d7a0d5dafe0ccd05c6f1d5de1bec2230bd4b1b17

SHA512
eec12c491cbe959227ee064426206da47582a1d0168e9b4de8007068056d0052fc75bd2d792c3779860982c9b159168d9c807af5f40ff606d47c7130ccef2a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\hempen\clayer.exe
MD5
a9b07ab88765c14f3a37ddaa3548bbea

SHA1
64e57975e760302e17ef0821e208d178035d0d1c

SHA256
8f6ac9c6b7c5b8012b5d47f5d7a0d5dafe0ccd05c6f1d5de1bec2230bd4b1b17

SHA512
eec12c491cbe959227ee064426206da47582a1d0168e9b4de8007068056d0052fc75bd2d792c3779860982c9b159168d9c807af5f40ff606d47c7130ccef2a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe
MD5
db9f562738a4cd6adbfde0669264da02

SHA1
350c4acbd7a7b26e3ef5d4aaaecf660c7a8a07d1

SHA256
52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191

SHA512
35b7d1f9f40e49563092c523a0a27554d22e8587e3378aea46711d20c155ac2746d24c19c15c7db3a915480e04ef738d6d19cac6a5ce1c6b881a506b2ee968e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe
MD5
db9f562738a4cd6adbfde0669264da02

SHA1
350c4acbd7a7b26e3ef5d4aaaecf660c7a8a07d1

SHA256
52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191

SHA512
35b7d1f9f40e49563092c523a0a27554d22e8587e3378aea46711d20c155ac2746d24c19c15c7db3a915480e04ef738d6d19cac6a5ce1c6b881a506b2ee968e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtpvwynmef.vbs
MD5
d956dc58076990f6c46204c2092c68d8

SHA1
776c3549aee65fa76a029626e72ff1bb308be865

SHA256
b40816e298b76558e7413eab7a5c50d92cebb97395417d44d4d2305fbd39332c

SHA512
450ec63c5a50459bca03369146c4c9dd8aeb01e4b98921163a3487a469e7a91ab6375e8c2844ae8c5010d30ef3c5ccaf10924afc7ec1deb9c316cc99eb0769c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp5727.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\snkmuyv.vbs
MD5
94a63239575cfa837147e1d13bdd56ce

SHA1
a35287332eeb690209810f9e459e5391aa7ee4fe

SHA256
f05303d0c42a88e092602d8f4dbf1fafbefa1c24de36f72529e76777bc35bcb3

SHA512
fe7e23e9a5bca7f047f55c1b780b48a3cb4bc5d17695c8cd515fba19863cd88d2340c834da3bb8446a7761e7a28b3ac25d51ddddfbeb67d165d8d518036e2754

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
a9b07ab88765c14f3a37ddaa3548bbea

SHA1
64e57975e760302e17ef0821e208d178035d0d1c

SHA256
8f6ac9c6b7c5b8012b5d47f5d7a0d5dafe0ccd05c6f1d5de1bec2230bd4b1b17

SHA512
eec12c491cbe959227ee064426206da47582a1d0168e9b4de8007068056d0052fc75bd2d792c3779860982c9b159168d9c807af5f40ff606d47c7130ccef2a33

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
a9b07ab88765c14f3a37ddaa3548bbea

SHA1
64e57975e760302e17ef0821e208d178035d0d1c

SHA256
8f6ac9c6b7c5b8012b5d47f5d7a0d5dafe0ccd05c6f1d5de1bec2230bd4b1b17

SHA512
eec12c491cbe959227ee064426206da47582a1d0168e9b4de8007068056d0052fc75bd2d792c3779860982c9b159168d9c807af5f40ff606d47c7130ccef2a33

Download Submit
memory/1696-144-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1696-145-0x0000000002410000-0x0000000002458000-memory.dmp

Filesize
288KB

Download
memory/1696-143-0x0000000000402000-0x0000000000404000-memory.dmp

Filesize
8KB

Download
memory/2208-135-0x0000000000D40000-0x000000000140B000-memory.dmp

Filesize
6.8MB

Download
memory/2208-138-0x0000000000D40000-0x000000000140B000-memory.dmp

Filesize
6.8MB

Download
memory/2208-137-0x00000000776E4000-0x00000000776E6000-memory.dmp

Filesize
8KB

Download
memory/2208-136-0x0000000000D40000-0x000000000140B000-memory.dmp

Filesize
6.8MB

Download
memory/2392-142-0x000001BC5D820000-0x000001BC5D824000-memory.dmp

Filesize
16KB

Download
memory/2392-141-0x000001BC5B2F0000-0x000001BC5B300000-memory.dmp

Filesize
64KB

Download
memory/2392-140-0x000001BC5ABA0000-0x000001BC5ABB0000-memory.dmp

Filesize
64KB

Download
memory/4256-151-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4256-152-0x0000000002300000-0x0000000002348000-memory.dmp

Filesize
288KB

Download