Malware Analysis Report

2024-11-15 05:36

Sample ID 240603-lhs8xabd85
Target deskfxsetup.exe
SHA256 1a02ce49082eecd5e5616b4628cd5b63ff58944acbac06b551a46f9ca0cff36c
Tags discovery persistence
Score 6/10


Analysis Overview

Score 6/10

SHA256 1a02ce49082eecd5e5616b4628cd5b63ff58944acbac06b551a46f9ca0cff36c

Threat Level: Shows suspicious behavior

The file deskfxsetup.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence

Adds Run key to start application

Registers COM server for autorun

Checks installed software on the system

Drops file in Program Files directory

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-03 09:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-03 09:32

Reported 2024-06-03 10:06

Platform win7-20240508-en

Max time kernel 1562s

Max time network 1568s

Command Line

"C:\Users\Admin\AppData\Local\Temp\deskfxsetup.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DeskFXInstall = "C:\\Users\\Admin\\AppData\\Local\\Temp\\deskfxsetup.exe" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
File created C:\Program Files (x86)\NCH Software\DeskFX\shellmenu.dll C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
File created C:\Program Files (x86)\NCH Software\DeskFX\bassboost_high.dfx C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
File created C:\Program Files (x86)\NCH Software\DeskFX\voice.wav C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
File created C:\Program Files (x86)\NCH Software\DeskFX\deskfxapox32.dll C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
File created C:\Program Files (x86)\NCH Software\DeskFX\deskfxapox64.dll C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
File created C:\Program Files (x86)\NCH Software\DeskFX\foyer.dfx C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
File created C:\Program Files (x86)\NCH Software\DeskFX\deskfxsetup_v6.15.exe C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
File created C:\Program Files (x86)\NCH Software\DeskFX\shellmenub.msix C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
File created C:\Program Files (x86)\NCH Software\DeskFX\aposettingsupdater.exe C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
File created C:\Program Files (x86)\NCH Software\DeskFX\restaurant.dfx C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
File created C:\Program Files (x86)\NCH Software\DeskFX\bassboost_default.dfx C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
File created C:\Program Files (x86)\NCH Software\DeskFX\bassboost_veryhigh.dfx C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
File created C:\Program Files (x86)\NCH Software\DeskFX\vocal.wav C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
File created C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
File created C:\Program Files (x86)\NCH Software\DeskFX\shellmenua.msix C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
File created C:\Program Files (x86)\NCH Software\DeskFX\gym.dfx C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
File created C:\Program Files (x86)\NCH Software\DeskFX\retail.dfx C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\deskfxsetup.exe N/A (4 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A (3 identical entries)
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A (19 identical entries)

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{8cbab946-81bf-4be4-99af-093938ad2455}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{8cbab946-81bf-4be4-99af-093938ad2455}\LocalServer32\ = "\"C:\\Program Files (x86)\\NCH Software\\DeskFX\\deskfx.exe\" -systemnotifyevent" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DAEF0E9-D165-4C46-B229-3C587B558026}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DAEF0E9-D165-4C46-B229-3C587B558026}\InprocServer32\ = "C:\\ProgramData\\NCH Software\\DeskFX\\loadeddll\\deskfxapox64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DAEF0E9-D165-4C46-B229-3C587B558026}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 109c73279ab5da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000003134a42697c7cfa056e77a35df2d45ecdc4c634f2143397c3a033dfb9e24c9ad000000000e800000000200002000000066b4261a706b7a8448bb25249914a6da46042119236984de17eca1e0825f187720000000eb5fc1052814ae0b75707f3cfa65150650bf1e38529212564f8907e20283edfc400000005a00a3cc304703a54ce033539c12afc775e7a834cf5a1f69057c81c89cdf5d794b046381b9fd00db60e2cb592cfe5e23ef2b55d59d426aad79fa419bdd7f3053 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{51A54651-218D-11EF-A7A3-7A58A1FDD547} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423569499" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wp\Shell\NCHconvertdoc\command C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wpd\Shell\NCHconvertdoc\command\ = "\"C:\\Program Files (x86)\\NCH Software\\DeskFX\\deskfx.exe\" -extfind Doxillion \"%L\"" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.vob\Shell\NCHconvertvideo\ = "Convert video file format with Prism" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.dng\Shell\NCHconvertimage C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.raf C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.flac\Shell\NCHconvertsound\ = "Convert sound file format with Switch" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\gsmfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.webp\Shell\NCHeditphoto\command\ = "\"C:\\Program Files (x86)\\NCH Software\\DeskFX\\deskfx.exe\" -extfind PhotoPad \"%L\"" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\srffile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\shell32.dll,19" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.docx C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.odt\shell\NCHconvertdoc\command\ = "\"C:\\Program Files (x86)\\NCH Software\\DeskFX\\deskfx.exe\" -extfind Doxillion \"%L\"" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\dssfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.au\Shell\NCHconvertsound\command C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.jp2\ = "jp2file" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.html\Shell\NCHconvertdoc\command C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.rar\Shell\NCHextract C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.pgf\Shell\NCHeditphoto C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.webp\Shell\NCHeditphoto\command C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wma\Shell C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.aac\Shell\NCHconvertsound\command\ = "\"C:\\Program Files (x86)\\NCH Software\\DeskFX\\deskfx.exe\" -extfind Switch \"%L\"" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.webp C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dng\Shell\NCHconvertimage\ = "Convert image file format with Pixillion" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.erf\Shell\NCHslideshow\ = "Create slideshow with PhotoStage" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.srw\Shell\NCHslideshow\command C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.aif\Shell\NCHconvertsound\command C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.divx\Shell\NCHeditvideo\ = "Edit video file with VideoPad" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mpeg\Shell\NCHeditvideo\command\ = "\"C:\\Program Files (x86)\\NCH Software\\DeskFX\\deskfx.exe\" -extfind VideoPad \"%L\"" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.arw C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpeg\Shell\NCHslideshow\command C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.odt\shell\NCHconvertdoc\ = "Convert file type with Doxillion" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.rtf\shell\NCHconvertdoc\ = "Convert file type with Doxillion" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.ogv\Shell\NCHeditvideo\command C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.ogv\Shell\NCHeditvideo\command\ = "\"C:\\Program Files (x86)\\NCH Software\\DeskFX\\deskfx.exe\" -extfind VideoPad \"%L\"" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.nef\Shell\NCHconvertimage\command C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.tiff\Shell\NCHeditphoto C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.webp\Shell\NCHconvertimage\command\ = "\"C:\\Program Files (x86)\\NCH Software\\DeskFX\\deskfx.exe\" -extfind Pixillion \"%L\"" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.doc\Shell\NCHconvertdoc\command C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.wp\Shell\NCHconvertdoc\command C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.arw\ = "arwfile" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\psdfile C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ddpfile\ = "Unhandled Extension Handler Finder" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.3gp\Shell\NCHeditvideo\command C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\xvidfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\shell32.dll,19" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.wav\Shell\NCHconvertsound C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.m2ts C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.m4v\Shell\NCHeditvideo C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\neffile C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dfx\DeskFX.BAK C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\dssfile\shell\open C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.ds2\Shell\NCHconvertsound\command C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.shn\ = "shnfile" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.M2TS\Shell\NCHeditvideo\command C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.mpeg\Shell\NCHeditvideo\command C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.divx\Shell\NCHconvertvideo\command C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.cr2 C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\deskfx.exe\ = "DeskFX Audio Effect Processor" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.ddp\ = "ddpfile" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.aiff\Shell\NCHconvertsound C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.pgf\Shell\NCHconvertimage C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.ras\Shell C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.webp\Shell\NCHeditphoto\ = "Edit your photos with PhotoPad" C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.mpg\Shell\NCHconvertvideo\command C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.iso\Shell\NCHburn C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mp4\Shell\NCHeditvideo C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A (2 identical entries)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe N/A (2 identical entries)
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe N/A (2 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1488 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\deskfxsetup.exe C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe (7 identical entries)
PID 3000 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe C:\Windows\SysWOW64\regsvr32.exe (7 identical entries)
PID 1420 wrote to memory of 2524 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe (7 identical entries)
PID 2944 wrote to memory of 1500 N/A C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe C:\Program Files\Internet Explorer\iexplore.exe (4 identical entries)
PID 1500 wrote to memory of 1032 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (4 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\deskfxsetup.exe

"C:\Users\Admin\AppData\Local\Temp\deskfxsetup.exe"

C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe

"C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\Admin\AppData\Local\Temp\deskfxsetup.exe" -instdata "C:\Users\Admin\AppData\Local\Temp\n1s\nchdata.dat"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x30c

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\ProgramData\NCH Software\DeskFX\loadeddll\deskfxapox64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\ProgramData\NCH Software\DeskFX\loadeddll\deskfxapox64.dll"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x544

C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe

"C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe"

C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe

"C:\Program Files (x86)\NCH Software\DeskFX\deskfx.exe" -installsched

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.nchsoftware.com/software/thanks.html?software=DeskFX&appname=DeskFX&version=6.15&appbits=32&base=deskfx&domain=nchsoftware&buyoffer=deskfx&pclass=plus&rgst=0&antivirus=expired&instby=dl&iid=T3ZH1f2hWHo&help=0&ostype=1&osver=6.1&svar=LLIBInstquickonLLIBControloffDESKFXSplashv2offZt7nRS5eMJugMCIhFEpxNIbdVwzmZP4wDESKFXSuitetaboffTsduUEupPuygLLIBFrdispkclroffKYMvUEjtDESKFXOrangestatusoffLLIBViewsoundeffectresetoffRztbYs8nQOIaYD4uKCOwFZtuW8bwCa7pEqjvDESKFXStartuploadpresetoffACKsRr2mXklwUFFd&usechoice=llinad%281%29&daysusedprogram=1&usedsubstpct=0&secsfr=244&active10s=0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 secure.nch.com.au udp
US 173.247.253.164:443 secure.nch.com.au tcp
US 8.8.8.8:53 www.nchsoftware.com udp
US 66.39.83.155:443 www.nchsoftware.com tcp (3 identical entries)
US 204.79.197.200:443 ieonline.microsoft.com tcp (3 identical entries)

Files

\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe

MD5 280ebae987571740b6fcff4efc4954e1
SHA1 e2ff8f1114a6f124c8a0648c743d328300233df1
SHA256 08880eaf945a256fd568cceac581c1845ddfe11c5daf07aad8969a6069912124
SHA512 68f00509ada6f834b9061e8fbf62a252e0cd9b03583e681bfd5c965842c43889f5d76602b6e6501234ec40266ec37b786fd499f75ac2848ada99d230d4d51f9e

memory/3000-22-0x0000000000260000-0x0000000000261000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\n1s\nchdata.dat

MD5 005d5b97295ac96859292adde20c0015
SHA1 d7e50a9d2dc2fb58494eab1e310a74e338fea4e9
SHA256 eb6351e3117b06a4676695e0f2dd9fcb6c6300230e8129004c7272b4661e2e87
SHA512 7f9e485f6e844168221663987d23b789d8ff1bfaf55fe3f7cb570f63a50ccffa4bd1a987e6519100d2ff9eee59fb016841f4aa26f0642c9c637ef49abd1e45ca

C:\ProgramData\NCH Software\DeskFX\loadeddll\deskfxapox64.dll

MD5 e2dbf5f0f9ab34c3fa48cf4aab9482d6
SHA1 55f350fc460d873c267adfbb791f16d46a4390da
SHA256 cd5f6ad031697f93988400155002c9e7e4c598a3f2152fc92c315ad1cb45cd71
SHA512 0cbc6f18f6f00aa99d58e4ab949b65736b8e2a5f28d9fd5c8c0095e8a86c8814e6513560897973233e9034c0ab05ff997627be0b87abfd31b48e58205be7dbe1

C:\Users\Admin\AppData\Local\Temp\CabDB8.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarE7B.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fbce370c7b6581c2b10dc15a696def45
SHA1 e832da70e7c94055a41ff46f7be0d389aa93ccc5
SHA256 d318e76e0a52da9445dda90096cc971b71beb40bb9de42cc933b0b32e6f420e0
SHA512 0790d0fe86a03453b862c42e78789fb2bd262dc4920d3d1fcec00b423531134ab7b7ffa647d77d79d902382e336071eec470451662a0478d39a081a0314ddaf8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4c34e2ab7846ffd9748268c79efa3843
SHA1 8de6cf95a5d579c3853777db078f4d439e06161f
SHA256 751e069fa92dac27e99e0d21cfdf712ef3e733b539ff51561919c3f3601478d1
SHA512 44039d30b73299a738a1643929f21d02f00daa7e01e0c778cc1005be379c8469a1d71b4bca32750b5e80dfcbe30fdcb1ff5e5a8dc46a3ee8c0bf80961178c53c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5cac38a1c6a5f3c91da589f38707aab6
SHA1 68b4d88573d376ff8b2ddf61c644767d8b9e0b29
SHA256 e01f41e508bacf374da34f01caf7a8cbf925185eb819f66fb0f5e4e122500ad0
SHA512 f58eb70d0c316fd71a5e3ca25b75770cb759ac413e934213d0d0d34cf505fd431f03acf19f055b97c4e30760102e5462da9af28345103259a42a1b11f88aca1c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6441ae7fa5312089ce761e40aee72c3d
SHA1 d1f96b21ea136a2fcf11d326bed8281cd129d826
SHA256 a6fe0f0c554f8c02853d77c9a20036b5ac657fe82e85bcee069dbb27e6399fcb
SHA512 f999c456d2c4b4667f1345b97d4f6186fed85ba8f33413613dac62e1ea237328f4bb107fa761af95d5617d1dec05586f69104be810fa82d9bf430cb74527a8ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a7ef3e1f9da098c5df07625341320e4b
SHA1 f16f4a2eed204f5ed36d4f217256f3a65bc300c2
SHA256 ee97272ff69edb336b7a986f7458a8da67aa68d057fa78f88ea753eaede013dd
SHA512 604692f2a05cf18147467003b6978f0ea8199ab0aa95dd43f4197713d1b609d2709af160ee5c3e0318b3ff5f3d47334959585fb2826a1fa758ed0af0c3727e3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c064808efcd94e35d0b41eeea4d8e01
SHA1 6a40625bcee4ef381d9b0bb398aa4d4eebe653b1
SHA256 29c9c9da2a579e4a358beb2b68e2927f64a7745f2e5fea80c0753f2d27941c84
SHA512 28843aa12c875d97282162429221379593e87a7f2c032db8a0938a18706c3a375044934b7125c03a7c84a6b6d321e1e5159671fe376662b57637ae14c173f67f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b629b9c0a256bb059b847a070ee564cd
SHA1 2a5521c386381b6916283176cb4e428d4d710c68
SHA256 1f113912a4da97bfaaf7a259db89f14c02beadfefb44b11af2b01ec4fd435e80
SHA512 07ecfadcc038c293b271485817bfda44ee12e333a3ba1d06543e654b1b92b255e37d222fe01fa2e66d840e1993dbd3f8bb71518ad1eb97e7fdc9aa1c7edd30fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d3710da7492edbd2173a02905fe6454
SHA1 642dc413bb69e49c8698643892a29b67e1fdb98d
SHA256 7de3ccd79a4af6daf4228cf114eb67f36666085f41a5c9ef92cd9fb767c05420
SHA512 293a36d4de64668297c6d72dfed6fe0bb12e15517d887dfc79f29dce7f2320ecf8270a99638b51b7b48679f14408d30773911ede4c318223fbe75be0860a8514

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a6b483de44a087875954ea43f28faa52
SHA1 97b53fc940813418026f238ce06df7ecda7ea966
SHA256 5dd2dc92456ea5ea84eab324d3dd43e3eeee92624578cd95e1a592488fd18a91
SHA512 1eedfa9e3682b3c594ea6d3361483b03bc10e416b24c7d6183647eb21ad7131e98fe66bd821bc6f3e50650c6c79a895d0a1a144cd4c9087eb631abc55de66e1c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7130b4f7380cd24e18ca11af16ead66
SHA1 2945510f65ad169abc73d9e09daf7b9b76d31eb6
SHA256 69a0ad5cbcb46b15442609862b82288bb27fa6d4b0043a8c52f32def51bed8a5
SHA512 84321256ec0f2ef08f144e883956507ef5be9b0ea1f3b967b3e7920be51768c5aac0a56edf8b05e1f3cdf5a1bd8541dae91dc6f24602dd6c39ef9dd251c0aad3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89d07281c554bfadcbaf843211ed49fa
SHA1 901872de97987754fe6225cba225bd37d0161f47
SHA256 c996af5bcb491921802483bae73aff758c3f89d3b1ff658750f146744438813e
SHA512 27e8d74967792dd8da079ebf29679e11fce1ef86189f10d4b817e70bf3bdabcbf4e42d465cb5ec04da4a744e6079930b95947470728fc0b0a2aebdddf86137fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0aae790d14976ed49f3d4b78baa78c4e
SHA1 6783f75ee52b0ba6869ecbd69c23e185b46cbd7c
SHA256 f8c17d7764b6f4a70bc57cdd758390bdceea72760c6a93b9ad593f306a095afd
SHA512 170a25f5c79a2d2981f6775db3fd38ba63db29516f346814607675911e8ed42233034293f677d3d52a992e78b3ae3e5aa5c7e25bcac30efb0ad9311dd3a35ca8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c02b609736b05931dcb0b3110b1de65e
SHA1 978cfa92a7f36b86cd67cd4468c9b7a938daa4cf
SHA256 b8f1a3b53f1ee4a02c237a39d4c4e5184bfc640092b9b4214f08127c5536e403
SHA512 ae20044d1838899b04493450cb5ab283bc2e177abdd1f5d5ab957a097ce0b29c236e977a0532bf71bd79a8b4fe47faec1407209f7963f60c0040d15813700ea8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 66a16e9967820ba72b21a25f68d699a8
SHA1 9532581c2a53bdb1ea8c022a376b4da8b14d2a4b
SHA256 019e1c48503b59706d0b0297ae97f6ce2259fda7877c812a1b80a1c48d6ee015
SHA512 86b508fd3ce2442fd0bf5d8b5dcf063032d2e8194a03827b5201e1ca9072ec566c99adcc54c54e4b064107924df8780f30bfde02d0969e553696a8327d079f84

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 df5402569a617cd1aa9ece84cf8fd428
SHA1 ef0ad51e00d426bbebd145fdaa9d13d62e3af91b
SHA256 cf7c2ffc8227dbe6ebf7bbaafd57b021639a7b3273b5019c74c0e66dd64b1e16
SHA512 4cff559205659e75411c5c5e85d985b099b4e3e2c1e8a5effad22e8f06db472b621140e5bccd6d69f8f6d0e49344301e6e7f548ef249306144d61b1a33499349

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f01ef1605cf7ea904955d8981c2bdc15
SHA1 d1fbe72ff8f41a85d604802b2de7b9beb6d8572f
SHA256 6dc6696beec70a0b997104e378792efe54c9e1fdb1f58577e291be94d955263a
SHA512 899915835c925388620788a3dbeeeb997d147b4e09698798f052ed98e456c1e3d75e79c147c0be7f83d6b1768433d6874c3f0c2a57bbdee51236b3265e8e0135

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 318ab0b97008f0b9b6bf9482c05b12bb
SHA1 3555383fb27ef2cd329bcf41b2e8b6af522211b8
SHA256 513f90cc6dce31a9bac2a98db9aacda8eed5136117ad10b8c898cd7cab6e3260
SHA512 c773af128ac0ae6e0b030430767c821d3040dfb567111a955aa0acbd4ed416100cacfedcddcac4eed08609eabfcafe18af71fbd2a4fd636641553bf6e3f0ae04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0b901f458a360d3939256a763b39126
SHA1 e4ec3bf8b7878ca2b62b797162636d48cecd8ecf
SHA256 e824e5cdd314552a0beb3720da0a49ce78e9e53697042496bcfe4a936631a596
SHA512 ec1957e32a3c86b17877e4d4dc87573a403ea304151799cf1a2d53405608de461a3e2c8d4b9f24a5be590942ae2d912e97a369444ad1ada40c0723b5ecdd5ad8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0a8fbe179893931469eef9262462bf2f
SHA1 a6c4d4d6227d6dbf17d3a5e6a1e2287268142b88
SHA256 15b5a5978acab78b01192da17a969469f0a41e0d3de95e974a27c1eab8539022
SHA512 e437ece8c57863f136b15bea5b8b56cd0291f8e6e8de11f89f653311be4cf835015f89b73da5a60cdd231a8f320f723ded4520e76a57fe543e8c1cea20275a27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b5bddd1daf2a4d9c61846beeb11396a
SHA1 bd1ee26764bbb58363142f6d3bc5f3b90be68129
SHA256 f9f66b760a2bf550c963a906e9b6d134e2624a0c7b5ea0c8102234ac11d577a3
SHA512 6718e63f7bdb44eab00ecf86d64deae5f6d9e8921fed5866713b302ded807fc78487af6ea66d2c7573a70bb86afc0fbda118cb7137ce44fe818c3d516e34c979

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f4d48044e975ef3be629086a5a5d0363
SHA1 f0531c604680908c095c1ee37ac8134bcb13a2e4
SHA256 7a12fcd9cd96eb772e102dc425b6085505f911ca8d0fa09666ff21547c93c601
SHA512 9544bd532e8f2633b2685338849978e8796532cd61fde45d4b3389488d175d013d44ae1bfa43fd3572c75d5f15847586ea67c721adb47bf2c61712c904b472f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6cbd583c039b476163db9d56b8350bdd
SHA1 2ff92a05d08adb73952521457beab166f7f811f9
SHA256 071642ef54beae2931aed1c8f3868563cb3f389fc9f5a7c7d01504a652bc3ba5
SHA512 52f171e79b3f5888b6775f05149c6e8e0135573a3c9ba415cedddb877ad890c5e6fc840edbcf8e81eb7cb972935b52366b5dc496722260c40635c90e036c7140

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00a3fbdf1a8ad772f6c72df9f955eb6e
SHA1 314cbde939b84e777112e15c8bb7a077c1e95ed7
SHA256 0240c5cb631a80f5d89c0de6389696dbd3d9897111f2b0872c2fed1ca49c9cbd
SHA512 848fc97c0bf283aa3a2bfbce9732448704348e48705d53f5d16260677f781ea42ccf377a9e15aecefd348079ea6c2d8c210c2d192a0a76e46c6c2c8939d514cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0077f1e39a635bf3d5a69b0c5c7b27d6
SHA1 b113d74b6ad8edae2c85bd14a736a84aa4e3bf1d
SHA256 b8d005b2affd71977b2f43690d35fea4111035338ee403ebb9ad5cb7d0215d0d
SHA512 131ff4eb5f36ac9d50105f4504f0bdd60f40697762f88cb8f8bb86f4bb89e1eb21e4673b8e475748417d3bdca84f0fdcbd2429266b8b7d7e0eafe6683f204866

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff6d1537530a6f9434ba59f1a6f67f8d
SHA1 ea65a963df3de0922515c66ead97575f371f4c4c
SHA256 dab8a2b3dab704cf2398e8509eb6f72077433592db99edcdc7ead979fa9b2632
SHA512 b97cc172c48d8531cb2a97008b9c57e99177bd1f9a79d2ed9c1bbba65416116c914721824092d29e23da6965811b5ec17e3f2269a7bde86976e455f577b7ea15

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 69cb689f00d7c6bb39e94070816d82c7
SHA1 b202ce8484e9023d1d7fd6318f3ce781f2a7c9e0
SHA256 a773f22b88980782b1991c43ed8eb229ef2fc73c48f4effa71b09b6c3f469821
SHA512 31c4b0d5d2560b1f53731159087970c899ec3342b029b8ed10accf14c00804c96ddda14b051db470774b3e4733b529abb5887871e5e5fe27815e63d426c83d5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1ce920a1d9f7c9ab28dd0ed15b8db72
SHA1 6bc200de4536e42fd093989bf3aeec4009db1698
SHA256 ad4ad47b2cd335478da96b7a23cc8ba265d6f92fafa6ee4b182c21909da607c0
SHA512 cf6425bba7b5df059faf987a61384b05abff70fef651963ab05ec2d5e135605aa2df71fd285f658f3e3cbd17a4867c48174cb29176347caf2e47cb3d36c9fa0c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a4fc0b94e45fe35abc067f7457a7ade7
SHA1 eb2b115754b83e7ca1eb7629ce4e69780a2edc2c
SHA256 927abd2f2134f5b357bb55282d4d668e6faa3f534306cfdb2a32b7f3414257b9
SHA512 27c1a5e8674d4e68ff84f8b2e9ef865d8096019ed4f1ffde56293b3fef7c79d307b42d4bb4fccc8cafda4a593db5715faa5a335d781b986b21cf8db0c938b332

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b36ddc6a5a7303f7ec9a98f8d1421b3
SHA1 d3403e631ebd9b238ad1759f7193a9c1afb55e11
SHA256 73f73da54b84e3b98075585d91236d851e1adba42f03dbfc75f5210b7caed951
SHA512 c1209945ba629a37be5d8c3751f27ec2c65e1cfb012995447f88db9b16f84961b7fca333e84161c59e8fabc3a59faa6882a75143a49938a4fcdf48a1d7bd9bde
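The Network and Files sections above are flat text, and extracting indicators from them by hand is error-prone: the same CryptnetUrlCache MetaData path is listed many times with different hashes because the file was rewritten during the run, repeated connection rows are the same endpoint, and the DNS resolver (8.8.8.8) and Internet Explorer's own ieonline.microsoft.com endpoint are not the sample's infrastructure. The parser below is an added example, not part of this report. REPORT is a constructed excerpt of the two sections (five network rows, four hashed files with their MD5/SHA1/SHA256 copied from the report and SHA512 omitted, plus the memory-dump line); the benign-infrastructure sets are this example's judgment, not something the report states.

```python
"""Added example: turn the report's Network and Files sections into
structured indicators. REPORT is a constructed excerpt of the sections above."""
import json
import re
from collections import defaultdict

REPORT = r"""
Network

Country Destination Domain Proto
US 8.8.8.8:53 secure.nch.com.au udp
US 173.247.253.164:443 secure.nch.com.au tcp
US 66.39.83.155:443 www.nchsoftware.com tcp
US 66.39.83.155:443 www.nchsoftware.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe

MD5 280ebae987571740b6fcff4efc4954e1
SHA1 e2ff8f1114a6f124c8a0648c743d328300233df1
SHA256 08880eaf945a256fd568cceac581c1845ddfe11c5daf07aad8969a6069912124

memory/3000-22-0x0000000000260000-0x0000000000261000-memory.dmp

C:\ProgramData\NCH Software\DeskFX\loadeddll\deskfxapox64.dll

MD5 e2dbf5f0f9ab34c3fa48cf4aab9482d6
SHA1 55f350fc460d873c267adfbb791f16d46a4390da
SHA256 cd5f6ad031697f93988400155002c9e7e4c598a3f2152fc92c315ad1cb45cd71

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fbce370c7b6581c2b10dc15a696def45
SHA1 e832da70e7c94055a41ff46f7be0d389aa93ccc5
SHA256 d318e76e0a52da9445dda90096cc971b71beb40bb9de42cc933b0b32e6f420e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4c34e2ab7846ffd9748268c79efa3843
SHA1 8de6cf95a5d579c3853777db078f4d439e06161f
SHA256 751e069fa92dac27e99e0d21cfdf712ef3e733b539ff51561919c3f3601478d1
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
NET_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")

# Not the sample's infrastructure: the sandbox's DNS resolver and the browser's
# own Microsoft endpoint (example's own judgment).
RESOLVER_IPS = {"8.8.8.8"}
BENIGN_DOMAINS = {"ieonline.microsoft.com"}


def parse_report(text):
    """Return (network rows, file entries). A file entry is a dict with 'path'
    and whichever digests followed it; digest lengths are validated."""
    section, current = None, None
    net, files = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Network", "Files"):
            section = line
            continue
        if not line:
            continue
        if section == "Network":
            m = NET_RE.match(line)
            if m:                      # the header row does not match and is skipped
                row = m.groupdict()
                row["port"] = int(row["port"])
                net.append(row)
        elif section == "Files":
            m = HASH_RE.match(line)
            if m:
                if current is None:
                    raise ValueError("digest before any file path: " + line)
                algo, digest = m.group(1), m.group(2).lower()
                if len(digest) != HASH_LEN[algo]:
                    raise ValueError(f"{algo} digest has wrong length for {current['path']}")
                current[algo.lower()] = digest
            else:                      # any other non-empty line starts a new entry
                current = {"path": line}
                files.append(current)
    return net, files


def network_iocs(net):
    """Domains and ip:port/proto endpoints attributable to the sample, deduplicated."""
    attributable = [r for r in net if r["domain"] not in BENIGN_DOMAINS]
    domains = sorted({r["domain"] for r in attributable})
    endpoints = sorted({f"{r['ip']}:{r['port']}/{r['proto']}"
                        for r in attributable if r["ip"] not in RESOLVER_IPS})
    return domains, endpoints


def file_iocs(files):
    """Dedupe entries on SHA256, record every version seen per path, and list
    entries that carry no digest (memory dumps) separately."""
    by_sha, versions, unhashed = {}, defaultdict(list), []
    for entry in files:
        sha = entry.get("sha256")
        if sha is None:
            unhashed.append(entry["path"])
            continue
        by_sha.setdefault(sha, entry)
        versions[entry["path"]].append(sha)
    return by_sha, dict(versions), unhashed


def matches(by_sha, observed_sha256):
    """Map SHA256 digests observed elsewhere (EDR, file server) to report paths."""
    return {d: by_sha[d]["path"] for d in (x.lower() for x in observed_sha256) if d in by_sha}


if __name__ == "__main__":
    rows, entries = parse_report(REPORT)
    doms, eps = network_iocs(rows)
    hashes, vers, dumps = file_iocs(entries)
    print(json.dumps({"domains": doms, "endpoints": eps, "sha256": sorted(hashes),
                      "versions_per_path": {p: len(v) for p, v in vers.items()},
                      "unhashed": dumps}, indent=2))
```

Feed the full Network and Files sections in place of REPORT to get the complete indicator set; the length check catches the copy-and-paste truncation that tends to creep into hash lists, and the per-path version count makes the repeated MetaData entries visible as one rewritten file rather than two dozen distinct indicators.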