Analysis
max time kernel
1562s
max time network
1568s
platform
windows7_x64
resource
win7-20240508-en
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted
03-06-2024 09:32
Static task
static1
Behavioral task
behavioral1
Sample
deskfxsetup.exe
Resource
win7-20240508-en
General
Target
deskfxsetup.exe
Size
1.6MB
MD5
01cf2fe2f0ad74d388a1a116f16fe263
SHA1
e97b427921b1b24eb8527da7ecf17feb8b336bb1
SHA256
1a02ce49082eecd5e5616b4628cd5b63ff58944acbac06b551a46f9ca0cff36c
SHA512
9d7154ddf25ace799fbbe1792690468f270ca185e5d0bd41a516dec2ef0b17142aaac469c498acd84426a591c21be552f416627a8831404d7fb09880683dc681
SSDEEP
49152:1dW2oWXTUNWtoHStzYeUgSQaqF5AGspqrvxI:rWBWXTUe/UgSsR0ovxI
Malware Config
Signatures
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DeskFXInstall = "C:\\Users\\Admin\\AppData\\Local\\Temp\\deskfxsetup.exe" | nchsetup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 18 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe | nchsetup.exe
File created | C:\Program Files (x86)\NCH Software\DeskFX\shellmenu.dll | nchsetup.exe
File created | C:\Program Files (x86)\NCH Software\DeskFX\bassboost_high.dfx | nchsetup.exe
File created | C:\Program Files (x86)\NCH Software\DeskFX\voice.wav | nchsetup.exe
File created | C:\Program Files (x86)\NCH Software\DeskFX\deskfxapox32.dll | nchsetup.exe
File created | C:\Program Files (x86)\NCH Software\DeskFX\deskfxapox64.dll | nchsetup.exe
File created | C:\Program Files (x86)\NCH Software\DeskFX\foyer.dfx | nchsetup.exe
File created | C:\Program Files (x86)\NCH Software\DeskFX\deskfxsetup_v6.15.exe | nchsetup.exe
File created | C:\Program Files (x86)\NCH Software\DeskFX\shellmenub.msix | nchsetup.exe
File created | C:\Program Files (x86)\NCH Software\DeskFX\aposettingsupdater.exe | nchsetup.exe
File created | C:\Program Files (x86)\NCH Software\DeskFX\restaurant.dfx | nchsetup.exe
File created | C:\Program Files (x86)\NCH Software\DeskFX\bassboost_default.dfx | nchsetup.exe
File created | C:\Program Files (x86)\NCH Software\DeskFX\bassboost_veryhigh.dfx | nchsetup.exe
File created | C:\Program Files (x86)\NCH Software\DeskFX\vocal.wav | nchsetup.exe
File created | C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe | nchsetup.exe
File created | C:\Program Files (x86)\NCH Software\DeskFX\shellmenua.msix | nchsetup.exe
File created | C:\Program Files (x86)\NCH Software\DeskFX\gym.dfx | nchsetup.exe
File created | C:\Program Files (x86)\NCH Software\DeskFX\retail.dfx | nchsetup.exe
Executes dropped EXE 3 IoCs
Processes:
pid | process
3000 | nchsetup.exe
2944 | deskfx.exe
2236 | deskfx.exe
Loads dropped DLL 28 IoCs
Processes:
pid | process (28 load events in total)
1488 | deskfxsetup.exe (4 loads)
3000 | nchsetup.exe (3 loads)
1420 | regsvr32.exe (1 load)
2524 | regsvr32.exe (1 load)
3000 | nchsetup.exe (19 further loads)
Registers COM server for autorun 1 TTPs 5 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{8cbab946-81bf-4be4-99af-093938ad2455}\LocalServer32 | nchsetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{8cbab946-81bf-4be4-99af-093938ad2455}\LocalServer32\ = "\"C:\\Program Files (x86)\\NCH Software\\DeskFX\\deskfx.exe\" -systemnotifyevent" | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DAEF0E9-D165-4C46-B229-3C587B558026}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DAEF0E9-D165-4C46-B229-3C587B558026}\InprocServer32\ = "C:\\ProgramData\\NCH Software\\DeskFX\\loadeddll\\deskfxapox64.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DAEF0E9-D165-4C46-B229-3C587B558026}\InprocServer32\ThreadingModel = "Both" | regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | deskfx.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer | deskfx.exe
Modifies Internet Explorer settings 34 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not reproduced on this page) | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 109c73279ab5da01 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000003134a42697c7cfa056e77a35df2d45ecdc4c634f2143397c3a033dfb9e24c9ad000000000e800000000200002000000066b4261a706b7a8448bb25249914a6da46042119236984de17eca1e0825f187720000000eb5fc1052814ae0b75707f3cfa65150650bf1e38529212564f8907e20283edfc400000005a00a3cc304703a54ce033539c12afc775e7a834cf5a1f69057c81c89cdf5d794b046381b9fd00db60e2cb592cfe5e23ef2b55d59d426aad79fa419bdd7f3053 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{51A54651-218D-11EF-A7A3-7A58A1FDD547} = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423569499" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Modifies registry class 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wp\Shell\NCHconvertdoc\command | nchsetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wpd\Shell\NCHconvertdoc\command\ = "\"C:\\Program Files (x86)\\NCH Software\\DeskFX\\deskfx.exe\" -extfind Doxillion \"%L\"" | nchsetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.vob\Shell\NCHconvertvideo\ = "Convert video file format with Prism" | nchsetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.dng\Shell\NCHconvertimage | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.raf | nchsetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.flac\Shell\NCHconvertsound\ = "Convert sound file format with Switch" | nchsetup.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\gsmfile\DefaultIcon | nchsetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.webp\Shell\NCHeditphoto\command\ = "\"C:\\Program Files (x86)\\NCH Software\\DeskFX\\deskfx.exe\" -extfind PhotoPad \"%L\"" | nchsetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\srffile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\shell32.dll,19" | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.docx | nchsetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.odt\shell\NCHconvertdoc\command\ = "\"C:\\Program Files (x86)\\NCH Software\\DeskFX\\deskfx.exe\" -extfind Doxillion \"%L\"" | nchsetup.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\dssfile\shell\open\command | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.au\Shell\NCHconvertsound\command | nchsetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.jp2\ = "jp2file" | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.html\Shell\NCHconvertdoc\command | nchsetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.rar\Shell\NCHextract | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.pgf\Shell\NCHeditphoto | nchsetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.webp\Shell\NCHeditphoto\command | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wma\Shell | nchsetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.aac\Shell\NCHconvertsound\command\ = "\"C:\\Program Files (x86)\\NCH Software\\DeskFX\\deskfx.exe\" -extfind Switch \"%L\"" | nchsetup.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.webp | nchsetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dng\Shell\NCHconvertimage\ = "Convert image file format with Pixillion" | nchsetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.erf\Shell\NCHslideshow\ = "Create slideshow with PhotoStage" | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.srw\Shell\NCHslideshow\command | nchsetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.aif\Shell\NCHconvertsound\command | nchsetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.divx\Shell\NCHeditvideo\ = "Edit video file with VideoPad" | nchsetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mpeg\Shell\NCHeditvideo\command\ = "\"C:\\Program Files (x86)\\NCH Software\\DeskFX\\deskfx.exe\" -extfind VideoPad \"%L\"" | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.arw | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpeg\Shell\NCHslideshow\command | nchsetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.odt\shell\NCHconvertdoc\ = "Convert file type with Doxillion" | nchsetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.rtf\shell\NCHconvertdoc\ = "Convert file type with Doxillion" | nchsetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.ogv\Shell\NCHeditvideo\command | nchsetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.ogv\Shell\NCHeditvideo\command\ = "\"C:\\Program Files (x86)\\NCH Software\\DeskFX\\deskfx.exe\" -extfind VideoPad \"%L\"" | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.nef\Shell\NCHconvertimage\command | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.tiff\Shell\NCHeditphoto | nchsetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.webp\Shell\NCHconvertimage\command\ = "\"C:\\Program Files (x86)\\NCH Software\\DeskFX\\deskfx.exe\" -extfind Pixillion \"%L\"" | nchsetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.doc\Shell\NCHconvertdoc\command | nchsetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.wp\Shell\NCHconvertdoc\command | nchsetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.arw\ = "arwfile" | nchsetup.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\psdfile | nchsetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ddpfile\ = "Unhandled Extension Handler Finder" | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.3gp\Shell\NCHeditvideo\command | nchsetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\xvidfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\shell32.dll,19" | nchsetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.wav\Shell\NCHconvertsound | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.m2ts | nchsetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.m4v\Shell\NCHeditvideo | nchsetup.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\neffile | nchsetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.dfx\DeskFX.BAK | nchsetup.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\dssfile\shell\open | nchsetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.ds2\Shell\NCHconvertsound\command | nchsetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.shn\ = "shnfile" | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.M2TS\Shell\NCHeditvideo\command | nchsetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.mpeg\Shell\NCHeditvideo\command | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.divx\Shell\NCHconvertvideo\command | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.cr2 | nchsetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\deskfx.exe\ = "DeskFX Audio Effect Processor" | nchsetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.ddp\ = "ddpfile" | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.aiff\Shell\NCHconvertsound | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.pgf\Shell\NCHconvertimage | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.ras\Shell | nchsetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.webp\Shell\NCHeditphoto\ = "Edit your photos with PhotoPad" | nchsetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.mpg\Shell\NCHconvertvideo\command | nchsetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.iso\Shell\NCHburn | nchsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mp4\Shell\NCHeditvideo | nchsetup.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
3000 | nchsetup.exe
3000 | nchsetup.exe
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid | process
2944 | deskfx.exe
2944 | deskfx.exe
1500 | iexplore.exe
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid | process
2944 | deskfx.exe
2944 | deskfx.exe
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
pid | process
2944 | deskfx.exe
1500 | iexplore.exe
1500 | iexplore.exe
1032 | IEXPLORE.EXE
1032 | IEXPLORE.EXE
1032 | IEXPLORE.EXE
1032 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
description | pid | process | target process
PID 1488 wrote to memory of 3000 | 1488 | deskfxsetup.exe | nchsetup.exe (7 events)
PID 3000 wrote to memory of 1420 | 3000 | nchsetup.exe | regsvr32.exe (7 events)
PID 1420 wrote to memory of 2524 | 1420 | regsvr32.exe | regsvr32.exe (7 events)
PID 2944 wrote to memory of 1500 | 2944 | deskfx.exe | iexplore.exe (4 events)
PID 1500 wrote to memory of 1032 | 1500 | iexplore.exe | IEXPLORE.EXE (4 events)
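The registry IoCs above are printed as flattened "description / ioc / process" triples. What follows is an added Python example, not part of the sandbox report and not NCH Software's code, that parses lines in exactly that shape and pulls out the persistence-relevant entries: the RunOnce value (which re-launches the original installer from the user's Temp directory at the next logon), the CLSID LocalServer32 and InprocServer32 registrations, and the SystemFileAssociations shell verbs that route file-type actions through deskfx.exe -extfind. The sample lines are copied from this report; the category names, the trusted-directory list (Program Files, Program Files (x86), Windows) and the "flagged" rule are the example's own assumptions. An image outside those directories is only flagged for review (here the InprocServer32 DLL under C:\ProgramData and the RunOnce target under Temp); whether that matters depends on the ACLs of those directories, which the report does not show.

```python
"""Parse registry IoC lines in the shape this report prints them and pull out the
persistence-relevant entries. Added example; not sandbox or NCH Software code."""
import re
from dataclasses import dataclass

# Constructed input: IoC lines copied from the Signatures section above.
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DeskFXInstall = "C:\\Users\\Admin\\AppData\\Local\\Temp\\deskfxsetup.exe" nchsetup.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{8cbab946-81bf-4be4-99af-093938ad2455}\LocalServer32 nchsetup.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{8cbab946-81bf-4be4-99af-093938ad2455}\LocalServer32\ = "\"C:\\Program Files (x86)\\NCH Software\\DeskFX\\deskfx.exe\" -systemnotifyevent" nchsetup.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DAEF0E9-D165-4C46-B229-3C587B558026}\InprocServer32\ = "C:\\ProgramData\\NCH Software\\DeskFX\\loadeddll\\deskfxapox64.dll" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DAEF0E9-D165-4C46-B229-3C587B558026}\InprocServer32\ThreadingModel = "Both" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wpd\Shell\NCHconvertdoc\command\ = "\"C:\\Program Files (x86)\\NCH Software\\DeskFX\\deskfx.exe\" -extfind Doxillion \"%L\"" nchsetup.exe',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer deskfx.exe',
]

SET_RE = re.compile(r'^Set value \((\w+)\) (\S+) = (.*)$')
KEY_RE = re.compile(r'^(Key created|Key opened|Key value queried) (\S+)$')
# Assumed "trusted" install roots: an image anywhere else is flagged for a closer look.
TRUSTED_DIRS = ('c:\\program files\\', 'c:\\program files (x86)\\', 'c:\\windows\\')


@dataclass
class Finding:
    category: str   # run_key | com_server | shell_verb | other (the example's own labels)
    op: str
    path: str
    image: str      # binary the entry points at, if any
    args: str
    process: str
    flagged: bool


def unescape(raw):
    """Strip the outer quotes the report prints and undo its C-style escapes."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return re.sub(r'\\(.)', r'\1', raw)


def split_command(cmd):
    """Return (image, args) from a command line whose image may be quoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    image, _, args = cmd.partition(' ')
    return image, args


def classify(path):
    p = path.lower().rstrip('\\')
    if re.search(r'\\currentversion\\run(once)?\\', p):
        return 'run_key'
    if '\\clsid\\' in p and p.endswith(('\\localserver32', '\\inprocserver32')):
        return 'com_server'
    if '\\shell\\' in p and p.endswith('\\command'):
        return 'shell_verb'
    return 'other'


def parse_iocs(lines):
    findings = []
    for line in lines:
        line = line.strip()
        if ' ' not in line:
            continue
        body, process = line.rsplit(' ', 1)          # process name is always last
        if m := SET_RE.match(body):
            vtype, path, raw_value = m.groups()
            op, value = f'Set value ({vtype})', unescape(raw_value)
        elif m := KEY_RE.match(body):
            op, path, value = m.group(1), m.group(2), ''
        else:
            continue                                   # not a line shape this report uses
        category = classify(path)
        image = args = ''
        if category != 'other' and value:
            if path.lower().rstrip('\\').endswith('\\inprocserver32'):
                image = value       # InprocServer32 default value is a bare DLL path
            else:
                image, args = split_command(value)
        flagged = bool(image) and not image.lower().startswith(TRUSTED_DIRS)
        findings.append(Finding(category, op, path, image, args, process, flagged))
    return findings


def persistence_summary(findings):
    """(category, image, flagged) for every entry that names a binary."""
    return [(f.category, f.image, f.flagged) for f in findings if f.image]


if __name__ == '__main__':
    for cat, image, flagged in persistence_summary(parse_iocs(SAMPLE_IOCS)):
        print(f"{'FLAG' if flagged else '    '} {cat:<11} {image}")
```

Run against the full IoC lists on this page, the same parser gives one record per shell verb, which is the quickest way to see how many file types now have a context-menu entry that launches deskfx.exe.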
Processes
[1] C:\Users\Admin\AppData\Local\Temp\deskfxsetup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\deskfxsetup.exe"
    PID: 1488
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\Admin\AppData\Local\Temp\deskfxsetup.exe" -instdata "C:\Users\Admin\AppData\Local\Temp\n1s\nchdata.dat"
        PID: 3000
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Registers COM server for autorun
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\regsvr32.exe
            Command line: regsvr32 /s "C:\ProgramData\NCH Software\DeskFX\loadeddll\deskfxapox64.dll"
            PID: 1420
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\regsvr32.exe
                Command line: /s "C:\ProgramData\NCH Software\DeskFX\loadeddll\deskfxapox64.dll"
                PID: 2524
                - Loads dropped DLL
                - Registers COM server for autorun
        [3] C:\Program Files (x86)\NCH Software\DeskF X\deskfx.exe
            Command line: "C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe"
            PID: 2944
            - Executes dropped EXE
            - Enumerates system info in registry
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] C:\Program Files\Internet Explorer\iexplore.exe
                Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.nchsoftware.com/software/thanks.html?software=DeskFX&appname=DeskFX&version=6.15&appbits=32&base=deskfx&domain=nchsoftware&buyoffer=deskfx&pclass=plus&rgst=0&antivirus=expired&instby=dl&iid=T3ZH1f2hWHo&help=0&ostype=1&osver=6.1&svar=LLIBInstquickonLLIBControloffDESKFXSplashv2offZt7nRS5eMJugMCIhFEpxNIbdVwzmZP4wDESKFXSuitetaboffTsduUEupPuygLLIBFrdispkclroffKYMvUEjtDESKFXOrangestatusoffLLIBViewsoundeffectresetoffRztbYs8nQOIaYD4uKCOwFZtuW8bwCa7pEqjvDESKFXStartuploadpresetoffACKsRr2mXklwUFFd&usechoice=llinad%281%29&daysusedprogram=1&usedsubstpct=0&secsfr=244&active10s=0
                PID: 1500
                - Modifies Internet Explorer settings
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                [5] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:275457 /prefetch:2
                    PID: 1032
                    - Modifies Internet Explorer settings
                    - Suspicious use of SetWindowsHookEx
        [3] C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe
            Command line: "C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe" -installsched
            PID: 2236
            - Executes dropped EXE
[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x30c
    PID: 2180
[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x544
    PID: 2640
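As an added example (not from the report and not NCH Software's code), the process tree above re-encoded as process-creation events and run through three triage rules a practitioner would write from it: regsvr32 registering a DLL from outside Program Files or Windows (here C:\ProgramData), the 32-bit regsvr32 in SysWOW64 handing the 64-bit DLL off to the native regsvr32 in system32 (the report attributes the HKLM\SOFTWARE\Classes\CLSID registration to that second instance, PID 2524, rather than to a Wow6432Node key), and the installed program launching a browser with a URL whose query string carries host details (antivirus=expired, osver=6.1, ostype=1 and so on). PIDs and command lines are as printed in the tree; the parent PIDs of the two AUDIODG.EXE processes are not shown there, so they are left out. The event shape, the browser list and the trusted-directory list are the example's assumptions.

```python
"""Triage rules over process-creation events shaped like this report's process tree.
Added example; not sandbox or NCH Software code."""
import ntpath
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# URL as printed in the tree above (split only for line length).
THANKS_URL = ('https://www.nchsoftware.com/software/thanks.html?software=DeskFX&appname=DeskFX'
              '&version=6.15&appbits=32&base=deskfx&domain=nchsoftware&buyoffer=deskfx&pclass=plus'
              '&rgst=0&antivirus=expired&instby=dl&iid=T3ZH1f2hWHo&help=0&ostype=1&osver=6.1'
              '&svar=LLIBInstquickonLLIBControloffDESKFXSplashv2offZt7nRS5eMJugMCIhFEpxNIbdVwzmZP4w'
              'DESKFXSuitetaboffTsduUEupPuygLLIBFrdispkclroffKYMvUEjtDESKFXOrangestatusoffLLIBViewsoundeffectresetoff'
              'RztbYs8nQOIaYD4uKCOwFZtuW8bwCa7pEqjvDESKFXStartuploadpresetoffACKsRr2mXklwUFFd'
              '&usechoice=llinad%281%29&daysusedprogram=1&usedsubstpct=0&secsfr=244&active10s=0')

# Constructed from the process tree on this page (pid, ppid, image, command line).
EVENTS = [
    ProcEvent(1488, 0, r'C:\Users\Admin\AppData\Local\Temp\deskfxsetup.exe',
              r'"C:\Users\Admin\AppData\Local\Temp\deskfxsetup.exe"'),
    ProcEvent(3000, 1488, r'C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe',
              r'"C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\Admin\AppData\Local\Temp\deskfxsetup.exe" -instdata "C:\Users\Admin\AppData\Local\Temp\n1s\nchdata.dat"'),
    ProcEvent(1420, 3000, r'C:\Windows\SysWOW64\regsvr32.exe',
              r'regsvr32 /s "C:\ProgramData\NCH Software\DeskFX\loadeddll\deskfxapox64.dll"'),
    ProcEvent(2524, 1420, r'C:\Windows\system32\regsvr32.exe',
              r'/s "C:\ProgramData\NCH Software\DeskFX\loadeddll\deskfxapox64.dll"'),
    ProcEvent(2944, 3000, r'C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe',
              r'"C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe"'),
    ProcEvent(1500, 2944, r'C:\Program Files\Internet Explorer\iexplore.exe',
              r'"C:\Program Files\Internet Explorer\iexplore.exe" ' + THANKS_URL),
    ProcEvent(1032, 1500, r'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE',
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:275457 /prefetch:2'),
    ProcEvent(2236, 3000, r'C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe',
              r'"C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe" -installsched'),
]

TRUSTED_DIRS = ('c:\\program files\\', 'c:\\program files (x86)\\', 'c:\\windows\\')  # assumed
BROWSERS = {'iexplore.exe', 'msedge.exe', 'chrome.exe', 'firefox.exe'}             # assumed


def win_argv(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes only
    (simplified: no backslash-quote escaping, which these lines do not use)."""
    argv, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                argv.append(''.join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        argv.append(''.join(cur))
    return argv


def lineage(pid, by_pid):
    """Image basenames from pid up to the root the events know about."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def run_rules(events):
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        base = ntpath.basename(ev.image).lower()
        argv = win_argv(ev.cmdline)
        if base == 'regsvr32.exe':
            # Rule 1: the DLL being registered lives outside the assumed trusted roots.
            for dll in (a for a in argv if a.lower().endswith('.dll')):
                if not dll.lower().startswith(TRUSTED_DIRS):
                    alerts.append({'rule': 'regsvr32_dll_outside_trusted_dirs', 'pid': ev.pid, 'dll': dll})
            # Rule 2: 32-bit regsvr32 (SysWOW64) re-launched the native one (system32),
            # so the registration lands in the 64-bit view of HKLM\SOFTWARE\Classes.
            parent = by_pid.get(ev.ppid)
            if (parent and ntpath.basename(parent.image).lower() == 'regsvr32.exe'
                    and '\\syswow64\\' in parent.image.lower() and '\\system32\\' in ev.image.lower()):
                alerts.append({'rule': 'regsvr32_wow64_to_native', 'pid': ev.pid, 'parent_pid': parent.pid})
        if base in BROWSERS:
            # Rule 3: browser started with a URL; surface the query parameters so the
            # host details being sent (OS version, antivirus state, ...) are visible.
            urls = [a for a in argv if a.lower().startswith(('http://', 'https://'))]
            if urls:
                parts = urlsplit(urls[0])
                alerts.append({'rule': 'browser_launched_with_url', 'pid': ev.pid,
                               'host': parts.hostname,
                               'params': {k: v[0] for k, v in parse_qs(parts.query).items()},
                               'lineage': lineage(ev.pid, by_pid)})
    return alerts


if __name__ == '__main__':
    for alert in run_rules(EVENTS):
        print(alert)
```

Rule 1 fires twice here, once per regsvr32 instance, which is the intended behaviour: the first hit tells you the installer asked for the registration, the second tells you which process actually wrote the CLSID key.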
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
109KB
MD5e2dbf5f0f9ab34c3fa48cf4aab9482d6
SHA155f350fc460d873c267adfbb791f16d46a4390da
SHA256cd5f6ad031697f93988400155002c9e7e4c598a3f2152fc92c315ad1cb45cd71
SHA5120cbc6f18f6f00aa99d58e4ab949b65736b8e2a5f28d9fd5c8c0095e8a86c8814e6513560897973233e9034c0ab05ff997627be0b87abfd31b48e58205be7dbe1
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56b5bddd1daf2a4d9c61846beeb11396a
SHA1bd1ee26764bbb58363142f6d3bc5f3b90be68129
SHA256f9f66b760a2bf550c963a906e9b6d134e2624a0c7b5ea0c8102234ac11d577a3
SHA5126718e63f7bdb44eab00ecf86d64deae5f6d9e8921fed5866713b302ded807fc78487af6ea66d2c7573a70bb86afc0fbda118cb7137ce44fe818c3d516e34c979
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f4d48044e975ef3be629086a5a5d0363
SHA1f0531c604680908c095c1ee37ac8134bcb13a2e4
SHA2567a12fcd9cd96eb772e102dc425b6085505f911ca8d0fa09666ff21547c93c601
SHA5129544bd532e8f2633b2685338849978e8796532cd61fde45d4b3389488d175d013d44ae1bfa43fd3572c75d5f15847586ea67c721adb47bf2c61712c904b472f6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56cbd583c039b476163db9d56b8350bdd
SHA12ff92a05d08adb73952521457beab166f7f811f9
SHA256071642ef54beae2931aed1c8f3868563cb3f389fc9f5a7c7d01504a652bc3ba5
SHA51252f171e79b3f5888b6775f05149c6e8e0135573a3c9ba415cedddb877ad890c5e6fc840edbcf8e81eb7cb972935b52366b5dc496722260c40635c90e036c7140
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD500a3fbdf1a8ad772f6c72df9f955eb6e
SHA1314cbde939b84e777112e15c8bb7a077c1e95ed7
SHA2560240c5cb631a80f5d89c0de6389696dbd3d9897111f2b0872c2fed1ca49c9cbd
SHA512848fc97c0bf283aa3a2bfbce9732448704348e48705d53f5d16260677f781ea42ccf377a9e15aecefd348079ea6c2d8c210c2d192a0a76e46c6c2c8939d514cb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50077f1e39a635bf3d5a69b0c5c7b27d6
SHA1b113d74b6ad8edae2c85bd14a736a84aa4e3bf1d
SHA256b8d005b2affd71977b2f43690d35fea4111035338ee403ebb9ad5cb7d0215d0d
SHA512131ff4eb5f36ac9d50105f4504f0bdd60f40697762f88cb8f8bb86f4bb89e1eb21e4673b8e475748417d3bdca84f0fdcbd2429266b8b7d7e0eafe6683f204866
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ff6d1537530a6f9434ba59f1a6f67f8d
SHA1ea65a963df3de0922515c66ead97575f371f4c4c
SHA256dab8a2b3dab704cf2398e8509eb6f72077433592db99edcdc7ead979fa9b2632
SHA512b97cc172c48d8531cb2a97008b9c57e99177bd1f9a79d2ed9c1bbba65416116c914721824092d29e23da6965811b5ec17e3f2269a7bde86976e455f577b7ea15
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD569cb689f00d7c6bb39e94070816d82c7
SHA1b202ce8484e9023d1d7fd6318f3ce781f2a7c9e0
SHA256a773f22b88980782b1991c43ed8eb229ef2fc73c48f4effa71b09b6c3f469821
SHA51231c4b0d5d2560b1f53731159087970c899ec3342b029b8ed10accf14c00804c96ddda14b051db470774b3e4733b529abb5887871e5e5fe27815e63d426c83d5b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f1ce920a1d9f7c9ab28dd0ed15b8db72
SHA16bc200de4536e42fd093989bf3aeec4009db1698
SHA256ad4ad47b2cd335478da96b7a23cc8ba265d6f92fafa6ee4b182c21909da607c0
SHA512cf6425bba7b5df059faf987a61384b05abff70fef651963ab05ec2d5e135605aa2df71fd285f658f3e3cbd17a4867c48174cb29176347caf2e47cb3d36c9fa0c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a4fc0b94e45fe35abc067f7457a7ade7
SHA1eb2b115754b83e7ca1eb7629ce4e69780a2edc2c
SHA256927abd2f2134f5b357bb55282d4d668e6faa3f534306cfdb2a32b7f3414257b9
SHA51227c1a5e8674d4e68ff84f8b2e9ef865d8096019ed4f1ffde56293b3fef7c79d307b42d4bb4fccc8cafda4a593db5715faa5a335d781b986b21cf8db0c938b332
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59b36ddc6a5a7303f7ec9a98f8d1421b3
SHA1d3403e631ebd9b238ad1759f7193a9c1afb55e11
SHA25673f73da54b84e3b98075585d91236d851e1adba42f03dbfc75f5210b7caed951
SHA512c1209945ba629a37be5d8c3751f27ec2c65e1cfb012995447f88db9b16f84961b7fca333e84161c59e8fabc3a59faa6882a75143a49938a4fcdf48a1d7bd9bde
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5fbce370c7b6581c2b10dc15a696def45
SHA1e832da70e7c94055a41ff46f7be0d389aa93ccc5
SHA256d318e76e0a52da9445dda90096cc971b71beb40bb9de42cc933b0b32e6f420e0
SHA5120790d0fe86a03453b862c42e78789fb2bd262dc4920d3d1fcec00b423531134ab7b7ffa647d77d79d902382e336071eec470451662a0478d39a081a0314ddaf8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD54c34e2ab7846ffd9748268c79efa3843
SHA18de6cf95a5d579c3853777db078f4d439e06161f
SHA256751e069fa92dac27e99e0d21cfdf712ef3e733b539ff51561919c3f3601478d1
SHA51244039d30b73299a738a1643929f21d02f00daa7e01e0c778cc1005be379c8469a1d71b4bca32750b5e80dfcbe30fdcb1ff5e5a8dc46a3ee8c0bf80961178c53c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55cac38a1c6a5f3c91da589f38707aab6
SHA168b4d88573d376ff8b2ddf61c644767d8b9e0b29
SHA256e01f41e508bacf374da34f01caf7a8cbf925185eb819f66fb0f5e4e122500ad0
SHA512f58eb70d0c316fd71a5e3ca25b75770cb759ac413e934213d0d0d34cf505fd431f03acf19f055b97c4e30760102e5462da9af28345103259a42a1b11f88aca1c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56441ae7fa5312089ce761e40aee72c3d
SHA1d1f96b21ea136a2fcf11d326bed8281cd129d826
SHA256a6fe0f0c554f8c02853d77c9a20036b5ac657fe82e85bcee069dbb27e6399fcb
SHA512f999c456d2c4b4667f1345b97d4f6186fed85ba8f33413613dac62e1ea237328f4bb107fa761af95d5617d1dec05586f69104be810fa82d9bf430cb74527a8ed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a7ef3e1f9da098c5df07625341320e4b
SHA1f16f4a2eed204f5ed36d4f217256f3a65bc300c2
SHA256ee97272ff69edb336b7a986f7458a8da67aa68d057fa78f88ea753eaede013dd
SHA512604692f2a05cf18147467003b6978f0ea8199ab0aa95dd43f4197713d1b609d2709af160ee5c3e0318b3ff5f3d47334959585fb2826a1fa758ed0af0c3727e3e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53c064808efcd94e35d0b41eeea4d8e01
SHA16a40625bcee4ef381d9b0bb398aa4d4eebe653b1
SHA25629c9c9da2a579e4a358beb2b68e2927f64a7745f2e5fea80c0753f2d27941c84
SHA51228843aa12c875d97282162429221379593e87a7f2c032db8a0938a18706c3a375044934b7125c03a7c84a6b6d321e1e5159671fe376662b57637ae14c173f67f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b629b9c0a256bb059b847a070ee564cd
SHA12a5521c386381b6916283176cb4e428d4d710c68
SHA2561f113912a4da97bfaaf7a259db89f14c02beadfefb44b11af2b01ec4fd435e80
SHA51207ecfadcc038c293b271485817bfda44ee12e333a3ba1d06543e654b1b92b255e37d222fe01fa2e66d840e1993dbd3f8bb71518ad1eb97e7fdc9aa1c7edd30fe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 2d3710da7492edbd2173a02905fe6454
SHA1 642dc413bb69e49c8698643892a29b67e1fdb98d
SHA256 7de3ccd79a4af6daf4228cf114eb67f36666085f41a5c9ef92cd9fb767c05420
SHA512 293a36d4de64668297c6d72dfed6fe0bb12e15517d887dfc79f29dce7f2320ecf8270a99638b51b7b48679f14408d30773911ede4c318223fbe75be0860a8514
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a6b483de44a087875954ea43f28faa52
SHA1 97b53fc940813418026f238ce06df7ecda7ea966
SHA256 5dd2dc92456ea5ea84eab324d3dd43e3eeee92624578cd95e1a592488fd18a91
SHA512 1eedfa9e3682b3c594ea6d3361483b03bc10e416b24c7d6183647eb21ad7131e98fe66bd821bc6f3e50650c6c79a895d0a1a144cd4c9087eb631abc55de66e1c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f7130b4f7380cd24e18ca11af16ead66
SHA1 2945510f65ad169abc73d9e09daf7b9b76d31eb6
SHA256 69a0ad5cbcb46b15442609862b82288bb27fa6d4b0043a8c52f32def51bed8a5
SHA512 84321256ec0f2ef08f144e883956507ef5be9b0ea1f3b967b3e7920be51768c5aac0a56edf8b05e1f3cdf5a1bd8541dae91dc6f24602dd6c39ef9dd251c0aad3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 89d07281c554bfadcbaf843211ed49fa
SHA1 901872de97987754fe6225cba225bd37d0161f47
SHA256 c996af5bcb491921802483bae73aff758c3f89d3b1ff658750f146744438813e
SHA512 27e8d74967792dd8da079ebf29679e11fce1ef86189f10d4b817e70bf3bdabcbf4e42d465cb5ec04da4a744e6079930b95947470728fc0b0a2aebdddf86137fd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 0aae790d14976ed49f3d4b78baa78c4e
SHA1 6783f75ee52b0ba6869ecbd69c23e185b46cbd7c
SHA256 f8c17d7764b6f4a70bc57cdd758390bdceea72760c6a93b9ad593f306a095afd
SHA512 170a25f5c79a2d2981f6775db3fd38ba63db29516f346814607675911e8ed42233034293f677d3d52a992e78b3ae3e5aa5c7e25bcac30efb0ad9311dd3a35ca8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 c02b609736b05931dcb0b3110b1de65e
SHA1 978cfa92a7f36b86cd67cd4468c9b7a938daa4cf
SHA256 b8f1a3b53f1ee4a02c237a39d4c4e5184bfc640092b9b4214f08127c5536e403
SHA512 ae20044d1838899b04493450cb5ab283bc2e177abdd1f5d5ab957a097ce0b29c236e977a0532bf71bd79a8b4fe47faec1407209f7963f60c0040d15813700ea8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 66a16e9967820ba72b21a25f68d699a8
SHA1 9532581c2a53bdb1ea8c022a376b4da8b14d2a4b
SHA256 019e1c48503b59706d0b0297ae97f6ce2259fda7877c812a1b80a1c48d6ee015
SHA512 86b508fd3ce2442fd0bf5d8b5dcf063032d2e8194a03827b5201e1ca9072ec566c99adcc54c54e4b064107924df8780f30bfde02d0969e553696a8327d079f84
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 df5402569a617cd1aa9ece84cf8fd428
SHA1 ef0ad51e00d426bbebd145fdaa9d13d62e3af91b
SHA256 cf7c2ffc8227dbe6ebf7bbaafd57b021639a7b3273b5019c74c0e66dd64b1e16
SHA512 4cff559205659e75411c5c5e85d985b099b4e3e2c1e8a5effad22e8f06db472b621140e5bccd6d69f8f6d0e49344301e6e7f548ef249306144d61b1a33499349
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f01ef1605cf7ea904955d8981c2bdc15
SHA1 d1fbe72ff8f41a85d604802b2de7b9beb6d8572f
SHA256 6dc6696beec70a0b997104e378792efe54c9e1fdb1f58577e291be94d955263a
SHA512 899915835c925388620788a3dbeeeb997d147b4e09698798f052ed98e456c1e3d75e79c147c0be7f83d6b1768433d6874c3f0c2a57bbdee51236b3265e8e0135
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 318ab0b97008f0b9b6bf9482c05b12bb
SHA1 3555383fb27ef2cd329bcf41b2e8b6af522211b8
SHA256 513f90cc6dce31a9bac2a98db9aacda8eed5136117ad10b8c898cd7cab6e3260
SHA512 c773af128ac0ae6e0b030430767c821d3040dfb567111a955aa0acbd4ed416100cacfedcddcac4eed08609eabfcafe18af71fbd2a4fd636641553bf6e3f0ae04
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 c0b901f458a360d3939256a763b39126
SHA1 e4ec3bf8b7878ca2b62b797162636d48cecd8ecf
SHA256 e824e5cdd314552a0beb3720da0a49ce78e9e53697042496bcfe4a936631a596
SHA512 ec1957e32a3c86b17877e4d4dc87573a403ea304151799cf1a2d53405608de461a3e2c8d4b9f24a5be590942ae2d912e97a369444ad1ada40c0723b5ecdd5ad8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 0a8fbe179893931469eef9262462bf2f
SHA1 a6c4d4d6227d6dbf17d3a5e6a1e2287268142b88
SHA256 15b5a5978acab78b01192da17a969469f0a41e0d3de95e974a27c1eab8539022
SHA512 e437ece8c57863f136b15bea5b8b56cd0291f8e6e8de11f89f653311be4cf835015f89b73da5a60cdd231a8f320f723ded4520e76a57fe543e8c1cea20275a27
-
Filesize 68KB
MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 812KB
MD5 005d5b97295ac96859292adde20c0015
SHA1 d7e50a9d2dc2fb58494eab1e310a74e338fea4e9
SHA256 eb6351e3117b06a4676695e0f2dd9fcb6c6300230e8129004c7272b4661e2e87
SHA512 7f9e485f6e844168221663987d23b789d8ff1bfaf55fe3f7cb570f63a50ccffa4bd1a987e6519100d2ff9eee59fb016841f4aa26f0642c9c637ef49abd1e45ca
-
Filesize 3.3MB
MD5 280ebae987571740b6fcff4efc4954e1
SHA1 e2ff8f1114a6f124c8a0648c743d328300233df1
SHA256 08880eaf945a256fd568cceac581c1845ddfe11c5daf07aad8969a6069912124
SHA512 68f00509ada6f834b9061e8fbf62a252e0cd9b03583e681bfd5c965842c43889f5d76602b6e6501234ec40266ec37b786fd499f75ac2848ada99d230d4d51f9e
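The dropped-file listing above is useful as raw data, but two things are easy to miss when reading it by hand: the same CryptnetUrlCache MetaData path is listed many times with a different digest each time (the file was rewritten repeatedly during the run), and the last four entries carry no path at all. The following Python script is an added example, not part of the sandbox report or of any vendor tooling. It parses the listing in the flattened form it arrived in (hash label fused to its value, or "Filesize" split across two lines), checks that every digest has the hex length its algorithm requires, and reports paths that appear with more than one distinct SHA256. The sample input is constructed: three entries are copied from the listing above, and the fourth entry (its path and digests) is made up, with a deliberately truncated MD5 so the length check has something to flag.

```python
import re
from collections import defaultdict

# Expected hex-digit length of each digest the report lists.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest labels first so "SHA1" cannot swallow the start of "SHA256"/"SHA512".
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9A-Fa-f]*)$")
SIZE_RE = re.compile(r"^Filesize\s*(\S*)$")

CACHE_PATH = (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache"
              r"\MetaData\94308059B57B3142E455B38A6EB92015")

# Constructed sample: the first two entries for the cache file above and the
# first path-less entry, copied from the listing in their flattened form,
# plus one made-up entry (path and digests are not from the report) whose
# MD5 is deliberately truncated so the length check has something to catch.
SAMPLE = "\n".join([
    CACHE_PATH,
    "Filesize342B",
    "MD55cac38a1c6a5f3c91da589f38707aab6",
    "SHA168b4d88573d376ff8b2ddf61c644767d8b9e0b29",
    "SHA256e01f41e508bacf374da34f01caf7a8cbf925185eb819f66fb0f5e4e122500ad0",
    "SHA512f58eb70d0c316fd71a5e3ca25b75770cb759ac413e934213d0d0d34cf505fd43"
    "1f03acf19f055b97c4e30760102e5462da9af28345103259a42a1b11f88aca1c",
    "-",
    CACHE_PATH,
    "Filesize342B",
    "MD56441ae7fa5312089ce761e40aee72c3d",
    "SHA1d1f96b21ea136a2fcf11d326bed8281cd129d826",
    "SHA256a6fe0f0c554f8c02853d77c9a20036b5ac657fe82e85bcee069dbb27e6399fcb",
    "SHA512f999c456d2c4b4667f1345b97d4f6186fed85ba8f33413613dac62e1ea237328"
    "f4bb107fa761af95d5617d1dec05586f69104be810fa82d9bf430cb74527a8ed",
    "-",
    "Filesize",
    "68KB",
    "MD529f65ba8e88c063813cc50a4ea544e93",
    "SHA105a7040d5c127e68c25d81cc51271ffb8bef3568",
    "SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184",
    "SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b"
    "5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa",
    "-",
    r"C:\Users\Admin\AppData\Local\Temp\constructed.tmp",   # made up
    "Filesize12B",
    "MD5deadbeef",                                           # too short
    "SHA1" + "0" * 40,
    "SHA256" + "0" * 64,
    "SHA512" + "0" * 128,
])


def parse_report(text):
    """Parse the flattened dropped-file listing into a list of dicts.

    Each record may contain 'path', 'size', and the digest labels; records
    are separated by a line holding only '-'. A record without a path line
    (as in the tail of the report) simply has no 'path' key.
    """
    records, current, pending_size = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if current:
                records.append(current)
            current, pending_size = {}, False
            continue
        if pending_size:                 # value of a split "Filesize" line
            current["size"], pending_size = line, False
            continue
        m = SIZE_RE.match(line)
        if m:
            if m.group(1):
                current["size"] = m.group(1)
            else:
                pending_size = True
            continue
        m = LABEL_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).lower()
            continue
        current["path"] = line           # anything else is the file path
    if current:
        records.append(current)
    return records


def hash_problems(record):
    """Digest labels whose value length does not match the algorithm."""
    return [k for k, n in HASH_LENGTHS.items()
            if k in record and len(record[k]) != n]


def rewritten_paths(records):
    """Paths listed with more than one distinct SHA256, i.e. overwritten."""
    seen = defaultdict(set)
    for r in records:
        if "path" in r and "SHA256" in r:
            seen[r["path"]].add(r["SHA256"])
    return {p: len(h) for p, h in seen.items() if len(h) > 1}


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for i, r in enumerate(recs):
        bad = hash_problems(r)
        print(i, r.get("path", "<no path>"), r.get("size"), "BAD:" if bad else "ok", bad)
    for path, n in rewritten_paths(recs).items():
        print(f"{n} distinct contents for {path}")
```

Feed the script the whole listing instead of SAMPLE and the rewritten-path check will report the single MetaData path for all seventeen of its entries; the length check is the cheap sanity test to run before pasting any of these digests into a blocklist or a threat-intel lookup, since a digest that lost a character in extraction will silently match nothing.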