hxxps://www[.]nch[.]com[.]au/recordpad/rpsetup[.]exe

Resubmissions

04/10/2024, 18:37

241004-w9rjhathjg 8

Analysis

max time kernel
69s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.nch.com.au/recordpad/rpsetup.exe

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	nchsetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	rpsetup.exe

Executes dropped EXE 7 IoCs

pid	Process
1984	rpsetup.exe
64	nchsetup.exe
2668	flacenc2.exe
2384	mp3el.exe
4304	recordpad.exe
4380	recordpad.exe
5580	mp3enc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\RecordpadInstall = "C:\\Users\\Admin\\Downloads\\rpsetup.exe"	nchsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002350f-99.dat	upx
behavioral1/files/0x000700000002351a-139.dat	upx
behavioral1/memory/5580-271-0x0000000000400000-0x000000000048F000-memory.dmp	upx
behavioral1/memory/5580-281-0x0000000000400000-0x000000000048F000-memory.dmp	upx
behavioral1/memory/5580-282-0x0000000000400000-0x000000000048F000-memory.dmp	upx
behavioral1/memory/5580-290-0x0000000000400000-0x000000000048F000-memory.dmp	upx

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\NCH Software\Recordpad\recordpad.exe	nchsetup.exe
File created	C:\Program Files (x86)\NCH Software\Recordpad\mp3enc.exe	nchsetup.exe
File created	C:\Program Files (x86)\NCH Software\Recordpad\flacenc2.exe	nchsetup.exe
File created	C:\Program Files (x86)\NCH Software\Components\flacenc2\__wt	flacenc2.exe
File created	C:\Program Files (x86)\NCH Software\Components\mp3el\__wt	mp3el.exe
File created	C:\Program Files (x86)\NCH Software\Recordpad\recordpadsetup_v9.03.exe	nchsetup.exe
File created	C:\Program Files (x86)\NCH Software\Recordpad\recordpad.exe	nchsetup.exe
File created	C:\Program Files (x86)\NCH Software\Components\flacenc2\flacenc2.exe	flacenc2.exe
File created	C:\Program Files (x86)\NCH Software\Recordpad\mp3el.exe	nchsetup.exe
File created	C:\Program Files (x86)\NCH Software\Components\mp3el\mp3enc.exe	mp3el.exe
File created	C:\Program Files (x86)\NCH Software\Components\mp3el\a50__wt	nchsetup.exe
File opened for modification	C:\Program Files (x86)\NCH Software\Components\mp3el\mp3enc.exe	nchsetup.exe
File created	C:\Program Files (x86)\NCH Software\Recordpad\recordpadsetup_v9.03.exe\:SmartScreen:$DATA	nchsetup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rpsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nchsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flacenc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mp3el.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mp3enc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.mp3	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\voxfile\Shell	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\ds2file\Shell	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\7-Zip\.gz\DefaultIcon	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\deprojfile\shell\open\command\ = "\"C:\\Program Files (x86)\\NCH Software\\Recordpad\\recordpad.exe\" -extfind Disketch \"%L\""	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\ddpfile	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\mpdpfile\shell\open	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\dctfile\shell\open\command	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.3g2\Shell	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.mp4\Shell	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.mpeg\Shell	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.ogv\Shell	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\jpegfile	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\pgffile\Shell	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\.webp	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\apjfile\shell	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.ape\Shell\NCHconvertsound\command	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\voxfile\Shell\NCHconvertsound\command\ = "\"C:\\Program Files (x86)\\NCH Software\\Recordpad\\recordpad.exe\" -extfind Switch \"%L\""	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.mpeg\Shell\NCHconvertvideo	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.webm\Shell\NCHconvertvideo\ = "Convert video file"	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\.wps\ = "wpsfile"	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\7-Zip\.tar\DefaultIcon\ = "%SystemRoot%\\SysWow64\\shell32.dll,19"	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\7-Zip\.tgz\DefaultIcon\ = "%SystemRoot%\\SysWow64\\shell32.dll,19"	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\ddpfile\shell\open\command	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\ddpfile\shell	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\ds2file	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.m4a\Shell	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.aac\Shell\NCHconvertsound\command\ = "\"C:\\Program Files (x86)\\NCH Software\\Recordpad\\recordpad.exe\" -extfind Switch \"%L\""	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.ape\Shell\NCHconvertsound\command\ = "\"C:\\Program Files (x86)\\NCH Software\\Recordpad\\recordpad.exe\" -extfind Switch \"%L\""	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\jp2file\DefaultIcon\ = "%SystemRoot%\\SysWow64\\shell32.dll,19"	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\mpdpfile\ = "Unhandled Extension Handler Finder"	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\.dss\ = "dssfile"	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.flac\Shell\NCHeditsound\ = "Edit sound file"	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.mp3\Shell\NCHeditsound\command\ = "\"C:\\Program Files (x86)\\NCH Software\\Recordpad\\recordpad.exe\" -extfind WavePad \"%L\""	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.ogg\Shell\NCHconvertsound	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.3gp	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.avi	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.mp4	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.webm\Shell\NCHeditvideo\command\ = "\"C:\\Program Files (x86)\\NCH Software\\Recordpad\\recordpad.exe\" -extfind VideoPad \"%L\""	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\pngfile\Shell\NCHconvertimage\command	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\7-Zip\.bz2\Shell\NCHextract	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\7-Zip\.gz\Shell\NCHextract	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\.ds2	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.aif	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.3g2\Shell\NCHconvertvideo	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.mpeg2\Shell\NCHconvertvideo\command\ = "\"C:\\Program Files (x86)\\NCH Software\\Recordpad\\recordpad.exe\" -extfind Prism \"%L\""	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Windows.IsoFile\Shell\NCHburn\command\ = "\"C:\\Program Files (x86)\\NCH Software\\Recordpad\\recordpad.exe\" -extfind ExpressBurn \"%L\""	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\cdofile\shell\open\command	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\.vox	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.aac\Shell\NCHconvertsound	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.mp4\Shell\NCHconvertvideo\ = "Convert video file"	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.vob\Shell\NCHconvertvideo	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\giffile\Shell\NCHconvertimage\ = "Convert image file"	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\jpegfile\Shell\NCHconvertimage\ = "Convert image file"	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\dssfile\shell\open	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\dssfile\shell\NCHconvertsound\command	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\.gsm	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\shnfile\Shell\NCHconvertsound\command	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\shnfile\Shell	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.ogv\Shell\NCHconvertvideo	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\AcroExch.Document.DC\Shell	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\cdofile	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.aac	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\VLC.webm	nchsetup.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NCH Software\Recordpad\recordpadsetup_v9.03.exe\:SmartScreen:$DATA	nchsetup.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 882418.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4816	msedge.exe
4816	msedge.exe
1728	msedge.exe
1728	msedge.exe
3484	identity_helper.exe
3484	identity_helper.exe
408	msedge.exe
408	msedge.exe
64	nchsetup.exe
64	nchsetup.exe
64	nchsetup.exe
64	nchsetup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	408	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	408	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
64	nchsetup.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
1728	msedge.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe
4304	recordpad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1256	1728	msedge.exe	83
PID 1728 wrote to memory of 1256	1728	msedge.exe	83
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 856	1728	msedge.exe	84
PID 1728 wrote to memory of 4816	1728	msedge.exe	85
PID 1728 wrote to memory of 4816	1728	msedge.exe	85
PID 1728 wrote to memory of 3772	1728	msedge.exe	86
PID 1728 wrote to memory of 3772	1728	msedge.exe	86
PID 1728 wrote to memory of 3772	1728	msedge.exe	86
PID 1728 wrote to memory of 3772	1728	msedge.exe	86
PID 1728 wrote to memory of 3772	1728	msedge.exe	86
PID 1728 wrote to memory of 3772	1728	msedge.exe	86
PID 1728 wrote to memory of 3772	1728	msedge.exe	86
PID 1728 wrote to memory of 3772	1728	msedge.exe	86
PID 1728 wrote to memory of 3772	1728	msedge.exe	86
PID 1728 wrote to memory of 3772	1728	msedge.exe	86
PID 1728 wrote to memory of 3772	1728	msedge.exe	86
PID 1728 wrote to memory of 3772	1728	msedge.exe	86
PID 1728 wrote to memory of 3772	1728	msedge.exe	86
PID 1728 wrote to memory of 3772	1728	msedge.exe	86
PID 1728 wrote to memory of 3772	1728	msedge.exe	86
PID 1728 wrote to memory of 3772	1728	msedge.exe	86
PID 1728 wrote to memory of 3772	1728	msedge.exe	86
PID 1728 wrote to memory of 3772	1728	msedge.exe	86
PID 1728 wrote to memory of 3772	1728	msedge.exe	86
PID 1728 wrote to memory of 3772	1728	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.nch.com.au/recordpad/rpsetup.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc66c46f8,0x7ffcc66c4708,0x7ffcc66c4718
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,3182090560703944409,14094497854835977115,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,3182090560703944409,14094497854835977115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,3182090560703944409,14094497854835977115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3182090560703944409,14094497854835977115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3182090560703944409,14094497854835977115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,3182090560703944409,14094497854835977115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,3182090560703944409,14094497854835977115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3182090560703944409,14094497854835977115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3182090560703944409,14094497854835977115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3182090560703944409,14094497854835977115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3182090560703944409,14094497854835977115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,3182090560703944409,14094497854835977115,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3182090560703944409,14094497854835977115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,3182090560703944409,14094497854835977115,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6188 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,3182090560703944409,14094497854835977115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:408
- C:\Users\Admin\Downloads\rpsetup.exe
  "C:\Users\Admin\Downloads\rpsetup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\Admin\Downloads\rpsetup.exe" -instdata "C:\Users\Admin\AppData\Local\Temp\n1s\nchdata.dat"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:64
  - - C:\Program Files (x86)\NCH Software\Recordpad\flacenc2.exe
      "C:\Program Files (x86)\NCH Software\Recordpad\flacenc2.exe" -LQUIET -instby fiRecordpad
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:2668
  - - C:\Program Files (x86)\NCH Software\Recordpad\mp3el.exe
      "C:\Program Files (x86)\NCH Software\Recordpad\mp3el.exe" -LQUIET -instby fiRecordpad
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:2384
  - - C:\Program Files (x86)\NCH Software\Recordpad\recordpad.exe
      "C:\Program Files (x86)\NCH Software\Recordpad\recordpad.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4304
    - - C:\Program Files (x86)\NCH Software\Components\mp3el\mp3enc.exe
        
        "C:\Program Files (x86)\NCH Software\Components\mp3el\mp3enc.exe" -m s --cbr -b 192 -r -x -s 44.100 -S "-" "C:\Users\Admin\Music\Recordpad\Untitled 000.mp3"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5580
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.nch.com.au/software/thanks.html?software=Recordpad&appname=RecordPad%20Sound%20Recorder&version=9.03&base=recordpad&domain=nch&buyoffer=recordpad&rgst=0&svar=LLIBControlonLLIBNagaltrunsoff&antivirus=expired&instby=dl&iid=4gAo6NJtCvY&help=0&usage=047101&usagestats=OpenSink(1)&usechoice=llinad(1)
        5⤵
        
        PID:5792
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffcc66c46f8,0x7ffcc66c4708,0x7ffcc66c4718
        6⤵
        
        PID:5804
  - - C:\Program Files (x86)\NCH Software\Recordpad\recordpad.exe
      "C:\Program Files (x86)\NCH Software\Recordpad\recordpad.exe" -installsched
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3182090560703944409,14094497854835977115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2424 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3182090560703944409,14094497854835977115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1336 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3182090560703944409,14094497854835977115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:6128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4880

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x384
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\NCH Software\Recordpad\flacenc2.exe

Filesize
116KB

MD5
add4cc2a84a5868ea29dd5f97a98ca8f

SHA1
d11a84238d2203cbb13952f655c3ed6602260d15

SHA256
2576262f960eb780875251ed10b9b6c695f3afe2f94ea00869ade40cae154511

SHA512
f121261fdd4535e1dd4585f29e7debc7167eb9ce78f0b56d4ad4a07cdd5fe3ae5b0299088beb65ed2203f01b09fecfc88f206d0fe82615b0d4dead7a22591efa

Download Submit
C:\Program Files (x86)\NCH Software\Recordpad\mp3el.exe

Filesize
120KB

MD5
403da8628c89287de1eee4bf5cd2c582

SHA1
cbd2c38c3b455244d56bdecc661b6eea5daa821c

SHA256
10e319743e94b578b3794255e4ac47c2da92a8d8fd7b53083b6cf0662d2997d4

SHA512
4acdb498f372a1459afda231130d994cb8d5f9df42e0442e73f980373b61f5494c3c22084aee2f6a6f3fe007918c75bee95cc6156f89e9afaff9b0dbc95bdef2

Download Submit
C:\Program Files (x86)\NCH Software\Recordpad\mp3enc.exe

Filesize
108KB

MD5
1f083f5a820468e5438c32419525b798

SHA1
600e5c224eda4bd6d9f07d84a7be32e42a28c097

SHA256
5469fc0d10b52c6a369bdba738d173f3601587ec345fae18c4311d3e7c282fa4

SHA512
8b96b66a7afe8790542e14c05d05e7f5e56b0674ff9c9e4e7fdb16c58a353884108e2c4f7fd216c089007868ce34c9f10e33b33c567f753b9e7a28197fe5b653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
be91fc12d81a7df5e7be926f788a4a30

SHA1
d7ff436e98bc06644edf7c99383d2a4276b91222

SHA256
2b08ad0ab31f2973d999f74e4a703c374b43335a1d30b8559ea8e2691b4e5c2d

SHA512
88ced2bf0dc38040ab24aea4d64388b265594280ca765a56e89fdc9b5f780f5f72d6ee67c9159e1f80e51bff1abb48170e93667ffea63ea2fba6b77621ba087f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fd269e7c371cf8180464801e7c4908ce

SHA1
cfbda87da53d2443c044cbb7a81ef298766f6a53

SHA256
66ecd5982f151b9832437a31518b13078bef2d3f41821e4e65008a50faea1912

SHA512
5aec2c7b749ae52d5d3d7e602e5fa8aac1d8e7f8b4769bf718671dad5ace68158ba6e4fb8e9bfd9b21a0022c820363aec60aa3c97aa71053fa427c0d16d6eccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
33da7aca68aabbf6f8989a29081ae653

SHA1
4c55bb5a412e13d30af47f21a67bf5d0103a199a

SHA256
62f1a1dac9b68c877dc3ef0268bfad1969f60313595edd18bb298f7920900462

SHA512
f942142430255ed89b2aa565f0dd32e44e3668f43401066e875bf12a321f6daafec81eb36c9501eb29763eab48cda5d23eb4e692eb8a127e13b158bb81b871a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
45ba96754d11b531d9abeca3166d35d7

SHA1
6a1775262ea3d4aeb5800f7006fef1895a9d1d8f

SHA256
17701034bd944bf3a92c0db8f082ce8554007d424cf950c76092da20a61fca68

SHA512
9bdcef49f77356f1f8ae7f1b27d6eae95c53894a222ba0154b1e43f92f31db1785660c5a37ab6fb8671a43894e488170d8ea68f7e08941d136674145be4c3297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dc93e5344fbe319f3f1cb09f2042f29e

SHA1
f3d4295898a81a3c4caf38d03c5ca9242377364d

SHA256
e88ed08353eeee6da274a165ff40ffcc096c8d8b777b6ce2ac0ddc9a5253be8c

SHA512
d1087e23fb6540cccbe7569c8920efb3f2c3252f2eabdda33d0092e9cd86f618d9ee3d31262614a81fd4f49dd69cc9cdec738af8d0f77f569652b5244bfaf6fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b6567e523be6be7a3677f291ab009a0c

SHA1
e6cf350a7dd8d4b554d6ffffb12b3cb3d8c4984b

SHA256
e01f79eea13f6b1c7fc0a27dcd715015aa7c630186f0bf7b293fd52eecd5ed14

SHA512
232e9a450573738d4ea23d67e41afe0a1ee29d968da4fb7a0f9688aaa563b992e696164c3f5e1dbb96274627af148158b83c90f1ffb7e83573f2e1ff261073ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
622c3d85a4bf99a6f99c38fe1d43e447

SHA1
241609e68f6a2311b6c5f5126dd67b17ad0965a0

SHA256
19a04623f45f455e94a78ca88794e6eb3e07dfb91795f6d265f598243e65ab37

SHA512
428475d4aba8033a1808630d1439bd6699bcc2c88db4a9c29337a8ffe38d7a577ed7e1c0db52e9f10f1f87c8173f235deffaf2c45bfeda698f6d009008b1af78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
10b5f7084cc8be4a877c67822d769f7b

SHA1
1269a16713de58b6fd9124071458e5af0c9236d4

SHA256
175a43dbf1e1ac4e39ca2e766767ef8291f9bbba2c02c7931464f79e49049f04

SHA512
ed1fae6d83f629b3c468e760c6e651e36bce8ceec9e6dd1e5ce1e13a4ecfa97e70fe9760b2f0d78ac9d6012a914d7ee1c0e7d8411b9df22837cb932e9482bc45

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1s\nchdata.dat

Filesize
344KB

MD5
6b4876e5754b3c0e64fb0295987f6900

SHA1
71d04e62b9cf910908d10dc6ceafa9bf1d03689b

SHA256
d7b2fd08fe7affc61733433e31b3d82be77a3a1adb364abec04bcffe859fac20

SHA512
5b82c92e0b42ec3c33cba9142801618c8692cc37c19e0446397bdd18b8508b1751018de2190b127a5bb978e262948f3ca6309766ec4adeffc8144e49d99d648d

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe

Filesize
1.8MB

MD5
c3017de6230ab9c526ebd3c21091e0d2

SHA1
54b6afd8b7d86abc88ca802b8495c3e825de44a9

SHA256
8af245e5b0d17caa1fd27039ad1272eac3da6e9d32f0464cd5d3607f9773daba

SHA512
5117dfde6d247854b85b8c44ab4ef8bc391c7a2566b39b18c6da268eb38a0d03d9c9ddf0ace7407a72314171beb86565fe33b42e4b46f6b1194d359282fe19f5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 882418.crdownload

Filesize
1.1MB

MD5
83b9ca6a67bbc4745aa8b13c31e264d5

SHA1
8bf23471fd749459b14f1f0989f1f28fd6c6d069

SHA256
912555d279c4d0973b32a7df6519c63c7ba9cb2e73ae38154e989e0d16106789

SHA512
316ec9426238c4b19a74cf937a61a0db9e1a0a60c840b832860221c5a199e0f452b03d0073d1d9f99a18d69d4bb3048a6beb2506646ddaa2ca9c470b4bfe8803

Download Submit
memory/5580-290-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/5580-282-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/5580-281-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/5580-271-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download