download: /drawpad/drawpadsetup.exe

Full analysis: https://app.any.run/tasks/2abd3d49-996f-40d9-9302-a87a3a469e30
Verdict: Malicious activity
Analysis date: August 08, 2024, 13:32:14
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9F85793A755E11DA9F19D8A91BFD905D
SHA1: F654EAB6C06E8BD66CF2A4230DB75DC5A32175D9
SHA256: 283292D80DF6A437DB6BD25E3A5B28447E6AEAD40AE274334E3599C3DD256069
SSDEEP: 98304:B5k+ndEGyjNqQiq9I90kzpApQOkJaRZvPxjoYD7SZ8boEi7+4UVwySEkCSPKhEpW:Y2guT1+psG+o3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • nchsetup.exe (PID: 7060)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • drawpadsetup.exe (PID: 7020)
      • nchsetup.exe (PID: 7060)
    • Reads security settings of Internet Explorer

      • drawpadsetup.exe (PID: 7020)
      • nchsetup.exe (PID: 7060)
    • Reads the date of Windows installation

      • drawpadsetup.exe (PID: 7020)
    • Executable content was dropped or overwritten

      • drawpadsetup.exe (PID: 7020)
      • nchsetup.exe (PID: 7060)
    • Checks Windows Trust Settings

      • nchsetup.exe (PID: 7060)
    • Searches for installed software

      • nchsetup.exe (PID: 7060)
    • Creates a software uninstall entry

      • nchsetup.exe (PID: 7060)
    • Starts itself from another location

      • nchsetup.exe (PID: 7060)
  • INFO

    • Checks supported languages

      • drawpadsetup.exe (PID: 7020)
      • nchsetup.exe (PID: 7060)
      • drawpad.exe (PID: 6276)
      • drawpad.exe (PID: 5552)
    • Create files in a temporary directory

      • drawpadsetup.exe (PID: 7020)
      • drawpad.exe (PID: 6276)
    • Reads the computer name

      • drawpadsetup.exe (PID: 7020)
      • nchsetup.exe (PID: 7060)
      • drawpad.exe (PID: 6276)
      • drawpad.exe (PID: 5552)
    • Process checks computer location settings

      • drawpadsetup.exe (PID: 7020)
    • Creates files in the program directory

      • nchsetup.exe (PID: 7060)
    • Reads the machine GUID from the registry

      • nchsetup.exe (PID: 7060)
    • Reads the software policy settings

      • nchsetup.exe (PID: 7060)
    • Reads Microsoft Office registry keys

      • nchsetup.exe (PID: 7060)
    • Creates files or folders in the user directory

      • drawpad.exe (PID: 6276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:26 00:01:50+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 2560
InitializedDataSize: 6868992
UninitializedDataSize: -
EntryPoint: 0x1286
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (Australian)
CharacterSet: Unicode
CompanyName: NCH Software
FileDescription: DrawPad Graphic Design Software
FileVersion: 11.45+
ProductVersion: 11.45+
ProductName: DrawPad
LegalCopyright: NCH Software
InternalName: DrawPad
OriginalFileName: DrawPad.exe
No data.
All screenshots are available in the full report
Total processes: 140
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

(Interactive process graph; available in the full report.) Processes shown: drawpadsetup.exe, nchsetup.exe, drawpad.exe (no specs), drawpad.exe (no specs), drawpadsetup.exe (no specs)

Process information

PID: 5552
CMD: "C:\Program Files (x86)\NCH Software\DrawPad\drawpad.exe" -installsched
Path: C:\Program Files (x86)\NCH Software\DrawPad\drawpad.exe
Parent process: nchsetup.exe
User: admin
Company: NCH Software
Integrity Level: MEDIUM
Description: DrawPad Graphic Design Software
Exit code: 0
Version: 11.45+
Modules (images):
c:\program files (x86)\nch software\drawpad\drawpad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\user32.dll

PID: 6276
CMD: "C:\Program Files (x86)\NCH Software\DrawPad\drawpad.exe"
Path: C:\Program Files (x86)\NCH Software\DrawPad\drawpad.exe
Parent process: nchsetup.exe
User: admin
Company: NCH Software
Integrity Level: MEDIUM
Description: DrawPad Graphic Design Software
Version: 11.45+
Modules (images):
c:\program files (x86)\nch software\drawpad\drawpad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\user32.dll

PID: 6848
CMD: "C:\Users\admin\AppData\Local\Temp\drawpadsetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\drawpadsetup.exe
Parent process: explorer.exe
User: admin
Company: NCH Software
Integrity Level: MEDIUM
Description: DrawPad Graphic Design Software
Exit code: 3221226540
Version: 11.45+
Modules (images):
c:\users\admin\appdata\local\temp\drawpadsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 7020
CMD: "C:\Users\admin\AppData\Local\Temp\drawpadsetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\drawpadsetup.exe
Parent process: explorer.exe
User: admin
Company: NCH Software
Integrity Level: HIGH
Description: DrawPad Graphic Design Software
Exit code: 0
Version: 11.45+
Modules (images):
c:\users\admin\appdata\local\temp\drawpadsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\setupapi.dll

PID: 7060
CMD: "C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\admin\AppData\Local\Temp\drawpadsetup.exe" -instdata "C:\Users\admin\AppData\Local\Temp\n1s\nchdata.dat"
Path: C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe
Parent process: drawpadsetup.exe
User: admin
Company: NCH Software
Integrity Level: HIGH
Description: DrawPad Graphic Design Software
Exit code: 0
Version: 11.45+
Modules (images):
c:\users\admin\appdata\local\temp\n1s\nchsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\imm32.dll
Total events: 19 939
Read events: 19 601
Write events: 325
Delete events: 13

Modification events

PID | Process | Operation | Key | Name | Value
7020 | drawpadsetup.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
7020 | drawpadsetup.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
7020 | drawpadsetup.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
7020 | drawpadsetup.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
7060 | nchsetup.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | DrawPadInstall | C:\Users\admin\AppData\Local\Temp\drawpadsetup.exe
7060 | nchsetup.exe | write | HKEY_CURRENT_USER\SOFTWARE\NCH Software\DrawPad\Software | SVar | DRAWPADRelatedprogramspaidoff
7060 | nchsetup.exe | write | HKEY_CURRENT_USER\SOFTWARE\NCH Software\DrawPad\Settings | InstalledByAdmin | 1
7060 | nchsetup.exe | write | HKEY_CURRENT_USER\SOFTWARE\NCH Software\DrawPad\UsageStatsChoice | llinad | 1
7060 | nchsetup.exe | write | HKEY_CURRENT_USER\SOFTWARE\NCH Software\DrawPad\Software | SVar | DRAWPADRelatedprogramspaidoffLLIBInstquickoff
7060 | nchsetup.exe | write | HKEY_CURRENT_USER\SOFTWARE\NCH Software\DrawPad\Settings | InstallerPath | C:\Program Files (x86)\NCH Software\DrawPad
Executable files: 5
Suspicious files: 88
Text files: 64
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
7020 | drawpadsetup.exe | C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.cab | compressed | 95CF5061A60476A977CAF9FCD3882B1B | 0D679BD2DFBC0FCAD6E3EB12267E8377F823F47B0234EA1B169CB4B98E604BC1
7060 | nchsetup.exe | C:\ProgramData\NCH Software\DrawPad\Brushes\brush_erase.png | image | 123299C6C09E5DFB2E213C72D007779C | BC463360B58F87084B3B194CDA756EBC095D1BA0138BCF3AE60F678CB967D480
7020 | drawpadsetup.exe | C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe | executable | 1106D9A628516A0908FB8068CA660F28 | 04A39939DC2FD541DF6801130E175CF8FFEE08BB80F38FB3D8CB3340FA7EA40F
7020 | drawpadsetup.exe | C:\Users\admin\AppData\Local\Temp\n1s\nchdata.dat | executable | 3EDFAB6A7BD9CEAFB40B270213D818F1 | 449D752AD083761CFA98FBEA76640B26AA5C3C92B1E3B6F80B55DA3FA417C20D
7060 | nchsetup.exe | C:\Program Files (x86)\NCH Software\DrawPad\shellmenu.dll | executable | 9AD57930930B43C16A8ED3E66E1E2E03 | 6F9073D33F263D84D5855F398A8BABE8F80B6EAA74D217C62F1CA771378E59F4
7060 | nchsetup.exe | C:\Program Files (x86)\NCH Software\DrawPad\shellmenub.msix | compressed | 5994D42ACC0AC9E6D16EE1AB95CCFAF6 | 46304BD97E8481ABA19AAA907B357D12C0F47EDAC7C9C178E0927571C868CC13
7060 | nchsetup.exe | C:\ProgramData\NCH Software\DrawPad\Brushes\brush_paint.png | image | 1E55ED29A66CBCB33F44F7AC324F9820 | F81139BA4F230A472510C44FE860794EBF759A1AF25B90F89AD5267ADE2E936C
7060 | nchsetup.exe | C:\Program Files (x86)\NCH Software\DrawPad\shellmenua.msix | compressed | 4A735A053471A92E725A0371E53DA06C | BCD3AEACBFAB1BF4C6D14BCC5C63ED354D5532AB4ABEA21769E2B0E6F1AB8EB2
7060 | nchsetup.exe | C:\ProgramData\NCH Software\DrawPad\Templates\thumbs_text.xml | text | AC6EAB9347F025321B1736EA8B1B7E1B | 70FF3A04B75C2808405B35FA55CD8D53B16758E728148A813C9B973167E17C7E
7060 | nchsetup.exe | C:\ProgramData\NCH Software\DrawPad\Brushes\colorpicker_fill.png | image | 0B8ABAA4EB5A83F6605B8749BB35A766 | CF81F650E642C9E44653CDBEFAA29B6F987C5693CA488EC414B0AA0049ADEB22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 38
DNS requests: 14
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
3812 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6528 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6564 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5796 | RUXIMICS.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
3888 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4064 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4064 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3812 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
5336 | SearchApp.exe | 92.123.104.59:443 | www.bing.com | Akamai International B.V. | DE | unknown
5336 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
5336 | SearchApp.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 216.58.212.174 | whitelisted
login.live.com | 20.190.159.75, 40.126.31.71, 40.126.31.67, 20.190.159.0, 40.126.31.73, 20.190.159.68, 40.126.31.69, 20.190.159.4 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
www.bing.com | 92.123.104.59, 92.123.104.58, 92.123.104.42, 92.123.104.43, 92.123.104.56, 92.123.104.49, 92.123.104.45, 92.123.104.57, 92.123.104.46 | whitelisted
client.wns.windows.com | 40.113.110.67 | whitelisted
th.bing.com | 92.123.104.12, 92.123.104.10, 92.123.104.67, 92.123.104.7, 92.123.104.5, 92.123.104.11, 92.123.104.9, 92.123.104.6, 92.123.104.4 | whitelisted
fd.api.iris.microsoft.com | 20.31.169.57 | whitelisted
arc.msn.com | 20.223.35.26 | whitelisted
slscr.update.microsoft.com | 40.127.169.103 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.95.31.18 | whitelisted

Threats

No threats detected

No debug info