Download: /drawpad/drawpadsetup.exe

Full analysis: https://app.any.run/tasks/2abd3d49-996f-40d9-9302-a87a3a469e30
Verdict: Malicious activity
Analysis date: August 08, 2024, 13:32:14
OS: Windows 10 Professional (build: 19045, 64 bit)

Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9F85793A755E11DA9F19D8A91BFD905D
SHA1: F654EAB6C06E8BD66CF2A4230DB75DC5A32175D9
SHA256: 283292D80DF6A437DB6BD25E3A5B28447E6AEAD40AE274334E3599C3DD256069
SSDEEP: 98304:B5k+ndEGyjNqQiq9I90kzpApQOkJaRZvPxjoYD7SZ8boEi7+4UVwySEkCSPKhEpW:Y2guT1+psG+o3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • nchsetup.exe (PID: 7060)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • drawpadsetup.exe (PID: 7020)
      • nchsetup.exe (PID: 7060)
    • Reads security settings of Internet Explorer

      • drawpadsetup.exe (PID: 7020)
      • nchsetup.exe (PID: 7060)
    • Executable content was dropped or overwritten

      • drawpadsetup.exe (PID: 7020)
      • nchsetup.exe (PID: 7060)
    • Reads the date of Windows installation

      • drawpadsetup.exe (PID: 7020)
    • Checks Windows Trust Settings

      • nchsetup.exe (PID: 7060)
    • Searches for installed software

      • nchsetup.exe (PID: 7060)
    • Starts itself from another location

      • nchsetup.exe (PID: 7060)
    • Creates a software uninstall entry

      • nchsetup.exe (PID: 7060)
  • INFO

    • Checks supported languages

      • drawpadsetup.exe (PID: 7020)
      • nchsetup.exe (PID: 7060)
      • drawpad.exe (PID: 6276)
      • drawpad.exe (PID: 5552)
    • Reads the computer name

      • drawpadsetup.exe (PID: 7020)
      • nchsetup.exe (PID: 7060)
      • drawpad.exe (PID: 6276)
      • drawpad.exe (PID: 5552)
    • Process checks computer location settings

      • drawpadsetup.exe (PID: 7020)
    • Create files in a temporary directory

      • drawpadsetup.exe (PID: 7020)
      • drawpad.exe (PID: 6276)
    • Creates files in the program directory

      • nchsetup.exe (PID: 7060)
    • Reads the machine GUID from the registry

      • nchsetup.exe (PID: 7060)
    • Reads Microsoft Office registry keys

      • nchsetup.exe (PID: 7060)
    • Reads the software policy settings

      • nchsetup.exe (PID: 7060)
    • Creates files or folders in the user directory

      • drawpad.exe (PID: 6276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:26 00:01:50+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 2560
InitializedDataSize: 6868992
UninitializedDataSize: -
EntryPoint: 0x1286
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (Australian)
CharacterSet: Unicode
CompanyName: NCH Software
FileDescription: DrawPad Graphic Design Software
FileVersion: 11.45+
ProductVersion: 11.45+
ProductName: DrawPad
LegalCopyright: NCH Software
InternalName: DrawPad
OriginalFileName: DrawPad.exe
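The EXIF block above is just the PE header read back: 2560 bytes of code against roughly 6.8 MB of initialized data is the shape of a small stub carrying an embedded payload, which is consistent with the installer dropping nchsetup.exe and nchdata.cab into %TEMP%\n1s. The reader below is an added example, not ANY.RUN code, and shows where each of those fields comes from in the DOS, COFF and optional headers. The image it parses is a constructed header-only PE32 carrying the report's values (not the real drawpadsetup.exe), and the code/data-ratio heuristic is an assumption of this example, not a report signature.

```python
"""Read the static PE header fields the report's EXIF block lists.

Added example, not ANY.RUN code. Uses only the struct module to parse the DOS
header, the COFF file header and the optional header of a PE32/PE32+ image.
build_sample_pe() constructs a header-only image carrying the report's values
(constructed test data, not the real drawpadsetup.exe); sample_report_fields()
parses it.
"""
import struct
from datetime import datetime, timezone

PE32, PE32_PLUS = 0x10B, 0x20B
MACHINE = {0x14C: "Intel 386 or later, and compatibles",
           0x8664: "AMD AMD64", 0xAA64: "ARM64 little endian"}
SUBSYSTEM = {1: "Native", 2: "Windows GUI", 3: "Windows command line"}
# IMAGE_FILE_* characteristics bits that the EXIF field summarises
CHARACTERISTICS = ((0x0002, "Executable"), (0x0100, "32-bit"), (0x2000, "DLL"))


def parse_pe_header(data: bytes) -> dict:
    """Return a dict of header fields; raises ValueError on a non-PE buffer."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, stamp, _symtab, _nsyms, _opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                       # COFF file header is 20 bytes
    magic, maj_linker, min_linker, code_size, init_size, uninit_size, entry = \
        struct.unpack_from("<HBBIIII", data, opt)
    if magic not in (PE32, PE32_PLUS):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # OS / image / subsystem version fields sit at offset 40 in both PE32 and PE32+
    maj_os, min_os, _maj_img, _min_img, maj_sub, min_sub = \
        struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": MACHINE.get(machine, f"0x{machine:04x}"),
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc)
                             .strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "characteristics": [n for bit, n in CHARACTERISTICS if chars & bit],
        "pe_type": "PE32" if magic == PE32 else "PE32+",
        "linker_version": f"{maj_linker}.{min_linker}",
        "code_size": code_size,
        "init_data_size": init_size,
        "uninit_data_size": uninit_size,
        "entry_point": entry,
        "os_version": f"{maj_os}.{min_os}",
        "subsystem_version": f"{maj_sub}.{min_sub}",
        "subsystem": SUBSYSTEM.get(subsystem, str(subsystem)),
    }


def looks_like_self_extractor(fields: dict, ratio: int = 100) -> bool:
    """Heuristic (an assumption of this example, not a report signature): a few
    KB of code carrying MBs of initialized data is the shape of a stub with an
    embedded payload, such as a self-extracting installer."""
    return fields["code_size"] > 0 and \
        fields["init_data_size"] // fields["code_size"] >= ratio


def build_sample_pe(stamp: int) -> bytes:
    """Construct a header-only PE32 image with the report's static values."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(224)                 # sizeof(IMAGE_OPTIONAL_HEADER32)
    struct.pack_into("<HBBIIII", opt, 0, PE32, 12, 0, 2560, 6868992, 0, 0x1286)
    struct.pack_into("<HHHHHH", opt, 40, 5, 1, 0, 0, 5, 1)
    struct.pack_into("<H", opt, 68, 2)   # IMAGE_SUBSYSTEM_WINDOWS_GUI
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def sample_report_fields() -> dict:
    """Parse the constructed image; stamp is the report's 2024-06-26 00:01:50 UTC."""
    stamp = int(datetime(2024, 6, 26, 0, 1, 50, tzinfo=timezone.utc).timestamp())
    return parse_pe_header(build_sample_pe(stamp))


if __name__ == "__main__":
    fields = sample_report_fields()
    for k, v in fields.items():
        print(f"{k}: {v}")
    print("stub-with-payload shape:", looks_like_self_extractor(fields))
```

To run it against a real file, pass `open(path, "rb").read()` to `parse_pe_header`; the TimeStamp it prints is the linker's compile time, which is trivially forgeable, so treat it as a pivot for clustering rather than proof of anything.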
Total processes: 140
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process tree reconstructed from the parent-process fields below; "no specs" is ANY.RUN's label for a process that triggered no signatures)

explorer.exe
 |- drawpadsetup.exe (PID 6848, MEDIUM integrity, no specs; exits 0xC000042C, STATUS_ELEVATION_REQUIRED)
 `- drawpadsetup.exe (PID 7020, HIGH integrity)
     `- nchsetup.exe (PID 7060, HIGH integrity)
         |- drawpad.exe (PID 6276, no specs)
         `- drawpad.exe -installsched (PID 5552, no specs)

Process information

PID 6848: "C:\Users\admin\AppData\Local\Temp\drawpadsetup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\drawpadsetup.exe
  Parent process: explorer.exe
  User: admin; Company: NCH Software; Description: DrawPad Graphic Design Software; Version: 11.45+
  Integrity level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED). The medium-integrity instance stopped because the installer requires elevation; PID 7020 is the same image relaunched at high integrity, which is why the installer shows up twice under explorer.exe.
  Loaded images:
    c:\users\admin\appdata\local\temp\drawpadsetup.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll

PID 7020: "C:\Users\admin\AppData\Local\Temp\drawpadsetup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\drawpadsetup.exe
  Parent process: explorer.exe
  User: admin; Company: NCH Software; Description: DrawPad Graphic Design Software; Version: 11.45+
  Integrity level: HIGH
  Exit code: 0
  Loaded images:
    c:\users\admin\appdata\local\temp\drawpadsetup.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\setupapi.dll

PID 7060: "C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\admin\AppData\Local\Temp\drawpadsetup.exe" -instdata "C:\Users\admin\AppData\Local\Temp\n1s\nchdata.dat"
  Path: C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe
  Parent process: drawpadsetup.exe
  User: admin; Company: NCH Software; Description: DrawPad Graphic Design Software; Version: 11.45+
  Integrity level: HIGH
  Exit code: 0
  Loaded images:
    c:\users\admin\appdata\local\temp\n1s\nchsetup.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\imm32.dll

PID 6276: "C:\Program Files (x86)\NCH Software\DrawPad\drawpad.exe"
  Path: C:\Program Files (x86)\NCH Software\DrawPad\drawpad.exe
  Parent process: nchsetup.exe
  User: admin; Company: NCH Software; Description: DrawPad Graphic Design Software; Version: 11.45+
  Integrity level: MEDIUM
  Exit code: not recorded (process still running at the end of the analysis)
  Loaded images:
    c:\program files (x86)\nch software\drawpad\drawpad.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\imm32.dll
    c:\windows\syswow64\user32.dll

PID 5552: "C:\Program Files (x86)\NCH Software\DrawPad\drawpad.exe" -installsched
  Path: C:\Program Files (x86)\NCH Software\DrawPad\drawpad.exe
  Parent process: nchsetup.exe
  User: admin; Company: NCH Software; Description: DrawPad Graphic Design Software; Version: 11.45+
  Integrity level: MEDIUM
  Exit code: 0
  Loaded images:
    c:\program files (x86)\nch software\drawpad\drawpad.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\imm32.dll
    c:\windows\syswow64\user32.dll
Total events: 19 939 (read 19 601, write 325, delete 13)

Modification events (in the order recorded)

PID 7020 drawpadsetup.exe, key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  write ProxyBypass = 1
  write IntranetName = 1
  write UNCAsIntranet = 1
  write AutoDetect = 0

PID 7060 nchsetup.exe
  key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    write DrawPadInstall = C:\Users\admin\AppData\Local\Temp\drawpadsetup.exe
  key HKEY_CURRENT_USER\SOFTWARE\NCH Software\DrawPad\Software
    write SVar = DRAWPADRelatedprogramspaidoff
  key HKEY_CURRENT_USER\SOFTWARE\NCH Software\DrawPad\Settings
    write InstalledByAdmin = 1
  key HKEY_CURRENT_USER\SOFTWARE\NCH Software\DrawPad\UsageStatsChoice
    write llinad = 1
  key HKEY_CURRENT_USER\SOFTWARE\NCH Software\DrawPad\Software
    write SVar = DRAWPADRelatedprogramspaidoffLLIBInstquickoff
  key HKEY_CURRENT_USER\SOFTWARE\NCH Software\DrawPad\Settings
    write InstallerPath = C:\Program Files (x86)\NCH Software\DrawPad

The RunOnce write is the single entry behind the MALICIOUS signature "Changes the autorun value in the registry". It is a one-shot HKCU RunOnce value (deleted after it fires at the next logon) that points back at the installer in the user's Temp directory, which is how an installer resumes after a reboot. The same value written under Run would execute at every logon and would be the stronger persistence indicator; when triaging, check both the key (Run vs RunOnce) and where the target lives.
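The distinction above (which autorun key, and whether the target sits in a user-writable or transient directory) is what a triage script should encode rather than flagging every Run/RunOnce write alike. The script below is an added example, not ANY.RUN code; its event records are constructed to mirror this report's modification events, plus one hypothetical Run-key write (PID 9999, example.exe, upd.exe) that is not from the report and exists only to exercise the persistent case. The severity scale is this example's own assumption.

```python
"""Flag autorun persistence in sandbox registry-write events.

Added example, not ANY.RUN code. EVENTS is constructed to mirror the
'Modification events' of this report (the RunOnce write and two non-autorun
writes) plus one hypothetical Run-key write so the persistent case is exercised.
"""
import re

# key suffix (matched case-insensitively) -> autorun kind
AUTORUN_SUFFIXES = {
    r"\currentversion\run": "Run",
    r"\currentversion\runonce": "RunOnce",
    r"\currentversion\runonceex": "RunOnceEx",
    r"\currentversion\runservices": "RunServices",
    r"\currentversion\policies\explorer\run": "Run",
}
# one-shot keys are deleted after use; the others fire on every logon
ONE_SHOT = {"RunOnce", "RunOnceEx"}
# user-writable or transient locations a legitimate autorun rarely points into
TRANSIENT_DIRS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\appdata\\",
                  "\\programdata\\", "\\users\\public\\")


def extract_target(value: str) -> str:
    """Pull the executable path out of an autorun value ('"path" args' or 'path args').
    An unquoted path containing spaces falls back to its first token, which is
    itself worth reporting (unquoted-path ambiguity)."""
    m = re.match(r'\s*"([^"]+)"', value)
    if m:
        return m.group(1)
    m = re.match(r"\s*(\S+?\.(?:exe|dll|cmd|bat|vbs|js|ps1))(?=\s|$)", value, re.I)
    return m.group(1) if m else value.strip().split(" ", 1)[0]


def classify_autorun_write(key: str, name: str, value: str):
    """Return a finding dict for a write under an autorun key, else None."""
    low = key.lower().rstrip("\\")
    kind = next((k for suf, k in AUTORUN_SUFFIXES.items() if low.endswith(suf)), None)
    if kind is None:
        return None
    target = extract_target(value)
    transient = any(d in target.lower() for d in TRANSIENT_DIRS)
    # severity scale is this example's assumption: persistent + transient target
    # is the classic malware pattern; one-shot RunOnce into Temp is typical of
    # installers resuming after reboot but still deserves a look
    if kind in ONE_SHOT:
        severity = "medium" if transient else "low"
    else:
        severity = "high" if transient else "medium"
    return {"key": key, "name": name, "kind": kind, "target": target,
            "one_shot": kind in ONE_SHOT, "transient_target": transient,
            "severity": severity}


def triage(events):
    """Run classify_autorun_write over sandbox events; keep only autorun hits."""
    findings = []
    for ev in events:
        hit = classify_autorun_write(ev["key"], ev["name"], ev["value"])
        if hit:
            hit.update(pid=ev["pid"], process=ev["process"])
            findings.append(hit)
    return findings


EVENTS = [  # constructed from the report's modification-event entries
    {"pid": 7020, "process": "drawpadsetup.exe",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
     "name": "ProxyBypass", "value": "1"},
    {"pid": 7060, "process": "nchsetup.exe",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     "name": "DrawPadInstall",
     "value": r"C:\Users\admin\AppData\Local\Temp\drawpadsetup.exe"},
    {"pid": 7060, "process": "nchsetup.exe",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\NCH Software\DrawPad\Settings",
     "name": "InstallerPath", "value": r"C:\Program Files (x86)\NCH Software\DrawPad"},
    # hypothetical persistent entry, not from the report
    {"pid": 9999, "process": "example.exe",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "Updater",
     "value": r'"C:\Users\admin\AppData\Roaming\upd\upd.exe" /silent'},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f['severity']}] {f['process']} ({f['pid']}) {f['kind']} "
              f"{f['name']} -> {f['target']} transient={f['transient_target']}")
```

Against this report the script yields one medium finding (RunOnce, target under %TEMP%); the hypothetical Run entry into AppData\Roaming scores high. Feeding it a live host's Run/RunOnce values exported from the registry works the same way.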
Executable files: 5
Suspicious files: 88
Text files: 64
Unknown types: 0

Dropped files

PID 7020 drawpadsetup.exe
  C:\Users\admin\AppData\Local\Temp\n1s\nchdata.cab (compressed)
    MD5: 436270A0724AA8A57DCB5F9E12436849
    SHA256: 62A87F36A665E81A3669FF511F2C3C0A649A9C512A68A24A22636F1E95E89E79
  C:\Users\admin\AppData\Local\Temp\n1s\nchdata.dat (executable)
    MD5: 3EDFAB6A7BD9CEAFB40B270213D818F1
    SHA256: 449D752AD083761CFA98FBEA76640B26AA5C3C92B1E3B6F80B55DA3FA417C20D
  C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe (executable)
    MD5: 1106D9A628516A0908FB8068CA660F28
    SHA256: 04A39939DC2FD541DF6801130E175CF8FFEE08BB80F38FB3D8CB3340FA7EA40F

PID 7060 nchsetup.exe
  C:\Program Files (x86)\NCH Software\DrawPad\shellmenu.dll (executable)
    MD5: 9AD57930930B43C16A8ED3E66E1E2E03
    SHA256: 6F9073D33F263D84D5855F398A8BABE8F80B6EAA74D217C62F1CA771378E59F4
  C:\ProgramData\NCH Software\DrawPad\Brushes\brush.drb (binary)
    MD5: B10AB74B54C90207FB90A39B99ED5E20
    SHA256: CC1A7A711DB59C1D43541EB7150425763EE8F2DEC644ABA2B9279E5163462C9F
  C:\Program Files (x86)\NCH Software\DrawPad\shellmenub.msix (compressed)
    MD5: 5994D42ACC0AC9E6D16EE1AB95CCFAF6
    SHA256: 46304BD97E8481ABA19AAA907B357D12C0F47EDAC7C9C178E0927571C868CC13
  C:\Program Files (x86)\NCH Software\DrawPad\shellmenua.msix (compressed)
    MD5: 4A735A053471A92E725A0371E53DA06C
    SHA256: BCD3AEACBFAB1BF4C6D14BCC5C63ED354D5532AB4ABEA21769E2B0E6F1AB8EB2
  C:\ProgramData\NCH Software\DrawPad\Templates\card.xml (text)
    MD5: 746CB16A990960FCD5430569B1B5FAA4
    SHA256: 8CE7FBBD4843D10303A2D3BCDA1218D29C0CD96E1FA440306AB046CD431D5B06
  C:\ProgramData\NCH Software\DrawPad\Brushes\colorpicker_fill.png (image)
    MD5: 0B8ABAA4EB5A83F6605B8749BB35A766
    SHA256: CF81F650E642C9E44653CDBEFAA29B6F987C5693CA488EC414B0AA0049ADEB22
  C:\ProgramData\NCH Software\DrawPad\Brushes\colorpicker_eyedropper.png (image)
    MD5: 0609D781CEDF5C2AE0647E956FE19CE8
    SHA256: 3AAD8CB180D4BFA496E72EB19D43D79A3ED827FE7A55F8490D05F4BBCBE507D5
HTTP(S) requests: 4
TCP/UDP connections: 38
DNS requests: 14
Threats: 0

Every HTTP request and connection captured below is made by a Windows component (svchost.exe, SearchApp.exe, backgroundTaskHost.exe, RUXIMICS.exe, System); none originates from the sample's own processes (PIDs 6848, 7020, 7060, 6276, 5552). The four HTTP requests are OCSP certificate-status checks to ocsp.digicert.com.

HTTP requests (CN and Size columns are empty in this extract)

PID | Process | Method | HTTP code | IP | URL | Type | Reputation
3812 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6564 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6528 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted

Connections (a dash marks a field that is empty in this extract, including PID and process on three rows)

PID | Process | IP:port | Domain | ASN | CN | Reputation
5796 | RUXIMICS.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4064 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3812 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
5336 | SearchApp.exe | 92.123.104.59:443 | www.bing.com | Akamai International B.V. | DE | unknown
5336 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
- | - | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.212.174
whitelisted
login.live.com
  • 20.190.159.75
  • 40.126.31.71
  • 40.126.31.67
  • 20.190.159.0
  • 40.126.31.73
  • 20.190.159.68
  • 40.126.31.69
  • 20.190.159.4
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.bing.com
  • 92.123.104.59
  • 92.123.104.58
  • 92.123.104.42
  • 92.123.104.43
  • 92.123.104.56
  • 92.123.104.49
  • 92.123.104.45
  • 92.123.104.57
  • 92.123.104.46
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
th.bing.com
  • 92.123.104.12
  • 92.123.104.10
  • 92.123.104.67
  • 92.123.104.7
  • 92.123.104.5
  • 92.123.104.11
  • 92.123.104.9
  • 92.123.104.6
  • 92.123.104.4
whitelisted
fd.api.iris.microsoft.com
  • 20.31.169.57
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 40.127.169.103
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats: no threats detected
Debug info: none