Windows Analysis Report
essetup.exe

Compliance

Source: essetup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: essetup.exe

Static PE information: certificate valid

Source: essetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: c:\sourcecode\scribe\release\Scribe.pdb source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr

Source:

Binary string: c:\sourcecode\hookappcommand\release\hookappcommand.pdb source: essetup.exe, 00000000.00000002.2916014319.0000000002B37000.00000004.00000020.00020000.00000000.sdmp, essetup.exe, 00000005.00000002.1765735272.00000000026FF000.00000004.00000020.00020000.00000000.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp, nchdata.dat.5.dr, nchdata.dat.0.dr

Networking

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49731
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49737

Source: nchsetup.exe.0.dr	String found in binary or memory: tardiESTEDT%.02d:%.02d:%.02d&suggestion=https://www.nch.com.au/suggestions/it/index.html?software=Scribe&version=13.18&lang=it%s%s&email=Express%20Scribehttps://www.nchsoftware.com/software/it/newsletter.html?software=Scribe&appname=%s&version=13.18&lang=it%s%shttps://www.nch.com.au/software/it/dictation.htmlhttps://www.facebook.com/NCHSoftwareIThttps://twitter.com/nchsoftwareithttps://www.facebook.com/sharer/sharer.php?u=%sHo appena scaricato Express Scribe Software di Trascrizione. Provalo qui: https://www.twitter.com/?status=%s%shttp://www.linkedin.com/shareArticle?url=%s&title=NCH+Software&mini=trueThankshttps://%s/software/it/thanks.html&secsfr=%d&active10s=%dRunsRunsSinceLastInstallMinutesRunSinceLastInstallFirstRunDurationSecondsS34gCFRcNotifyTrialExtensionFFmb equals www.facebook.com (Facebook)
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: tardiESTEDT%.02d:%.02d:%.02d&suggestion=https://www.nch.com.au/suggestions/it/index.html?software=Scribe&version=13.18&lang=it%s%s&email=Express%20Scribehttps://www.nchsoftware.com/software/it/newsletter.html?software=Scribe&appname=%s&version=13.18&lang=it%s%shttps://www.nch.com.au/software/it/dictation.htmlhttps://www.facebook.com/NCHSoftwareIThttps://twitter.com/nchsoftwareithttps://www.facebook.com/sharer/sharer.php?u=%sHo appena scaricato Express Scribe Software di Trascrizione. Provalo qui: https://www.twitter.com/?status=%s%shttp://www.linkedin.com/shareArticle?url=%s&title=NCH+Software&mini=trueThankshttps://%s/software/it/thanks.html&secsfr=%d&active10s=%dRunsRunsSinceLastInstallMinutesRunSinceLastInstallFirstRunDurationSecondsS34gCFRcNotifyTrialExtensionFFmb equals www.linkedin.com (Linkedin)
Source: nchsetup.exe.0.dr	String found in binary or memory: tardiESTEDT%.02d:%.02d:%.02d&suggestion=https://www.nch.com.au/suggestions/it/index.html?software=Scribe&version=13.18&lang=it%s%s&email=Express%20Scribehttps://www.nchsoftware.com/software/it/newsletter.html?software=Scribe&appname=%s&version=13.18&lang=it%s%shttps://www.nch.com.au/software/it/dictation.htmlhttps://www.facebook.com/NCHSoftwareIThttps://twitter.com/nchsoftwareithttps://www.facebook.com/sharer/sharer.php?u=%sHo appena scaricato Express Scribe Software di Trascrizione. Provalo qui: https://www.twitter.com/?status=%s%shttp://www.linkedin.com/shareArticle?url=%s&title=NCH+Software&mini=trueThankshttps://%s/software/it/thanks.html&secsfr=%d&active10s=%dRunsRunsSinceLastInstallMinutesRunSinceLastInstallFirstRunDurationSecondsS34gCFRcNotifyTrialExtensionFFmb equals www.twitter.com (Twitter)
Source: nchsetup.exe.0.dr	String found in binary or memory: 7. Se utilizzi una qualsiasi funzione di caricamento su YouTube di questo software, accetti i Termini di servizio di YouTube (https://www.youtube.com/t/terms). equals www.youtube.com (Youtube)

Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://%s/components/shared/%s.zipSoftware
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://canberra.nchsoftware.com:120/minidumpupload
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://canberra.nchsoftware.com:120/minidumpupload%.4dWin%d%d%sUkn0(Msg%dLstCmd%d)GloIni1GuiIni2GuiD
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://cgi.nch.com.au/cgi-bin/regcheck-it.exe?cmd=v&id=%d&magic=%d&magicb=%d
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://cgi.nch.com.au/cgi-bin/regcheck-it.exe?cmd=v&id=%d&magic=%d&magicb=%dConvalidare
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://cgi.nch.com.au/cgi-bin/report-it.exetestfolderLaunch
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nchsetup.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://ffmpeg.orgavutil-52.nch.dllswscale-2.nch.dllswresample-0.nch.dllavcodec-55.nch.dllavformat-55
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://www.audiochannel.net/components/it/notifications/scribe.txtpn
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://www.audiochannel.net/software/de/scribesetup_de.exehttps://www.nch.com.au/scribe/de/essetup.e
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://www.audiochannel.net/versions/components/%s_it.txt
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://www.audiochannel.net/versions/components/%s_it.txt1.00.0Verifica
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://www.audiochannel.net/versions/scribe_it.txt
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://www.audiochannel.net/versions/scribe_it.txtinfo=download=Nessuna
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://www.nch.com.au/components/%s.exe.Express
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://www.nch.com.au/components/%s.exeDownload
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://www.nch.com.au/components/index.html
Source: essetup.exe	String found in binary or memory: http://www.nch.com.au/software/win2000/index.html-bootstrap-bseldlg
Source: essetup.exe	String found in binary or memory: http://www.nch.com.au/software/win98/index.htmlWindows
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://www.nch.com.au/switch/it/index.htmlConverti
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://www.nchsoftware.com/prism/it/index.htmlConverti
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: http://www.opensource.org/licenses/lgpl-license.php
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://%s/software/it/thanks.html&secsfr=%d&active10s=%dRunsRunsSinceLastInstallMinutesRunSinceLast
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://%sit/index.html?ref=nchiodaboutScarica
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://nch.invisionzone.com/forum/239-italiano/https://www.nch.com.au/suggestions/it/index.html?sof
Source: nchsetup.exe.0.dr	String found in binary or memory: https://secure.nch.com.au/cgi-bin/getrefdata.exe?software=Scribe&lang=IT&platform=Win&download=%s&ii
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://secure.nch.com.au/cgi-bin/register-it.exe?action=q&id=%u&magica=%u&magicb=%u
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://secure.nch.com.au/cgi-bin/register-it.exe?software=scribe&version=13.18%s%s%s%s%s%s%s&instby
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://secure.nch.com.au/cgi-bin/register-it.exe?software=scribeAcquista
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://secure.nch.com.au/cgi-bin/register.exe?software=scribeAcquista
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://www.entrust.net/rpa0
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://www.nch.com.au/delegate/it/index.htmlServerIndirizzo:es:
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://www.nch.com.au/hardware/it/pedals.htmlAcquista
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://www.nch.com.au/it/index.htmlComponente
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://www.nch.com.au/kb/it/10271.htmlEsegui
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://www.nch.com.au/software/it/audio.html
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://www.nch.com.au/software/it/bug.html?software=Scribe&version=13.18&lang=it&iid=%s&data=%s&rdf
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://www.nch.com.au/software/it/bug.html?software=Scribe&version=13.18&lang=it&xi=%s-Win%d%d%s-MA
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://www.nch.com.au/software/it/bug.html?software=Scribe&version=13.18&lang=it&xi=GUI-%s&iid=%s&d
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://www.nch.com.au/software/it/rateit.html?software=Scribe&appname=%s&version=13.18&rating=%d&bu
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://www.nch.com.au/software/it/thanksforusing.htmlwww.nch.com.auInstallerDomain&usage=%04X%02XNC
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://www.nch.com.au/suggestions/it/index.html?software=Scribe&version=13.18&lang=it%s%s&email=Exp
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://www.nch.com.au/support/it/reg.htmlhttps://www.nch.com.au/upgrade/it/index.htmlCodice
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://www.nch.com.au/upgrade/it/index.html?software=scribe&upgradeid=%d&upgradekey=%shttps://www.n
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://www.nchsoftware.com/%s.htmlit/indexhttps://www.nchsoftware.com/it/index.htmlhttps://www.nch.
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://www.nchsoftware.com/%s/it/index.html?ref=nchsuitehttps://www.nch.com.au/%s/it/index.html?ref
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://www.twitter.com/?status=%s%shttp://www.linkedin.com/shareArticle?url=%s&title=NCH
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	String found in binary or memory: https://www.youtube.com/t/terms).

System Summary

Source: essetup.exe	Static PE information: Resource name: None type: Microsoft Cabinet archive data, Windows 2000/XP setup, 433993 bytes, 1 file, at 0x2c +A "resource.dat", number 1, 25 datablocks, 0x1503 compression
Source: essetup.exe	Static PE information: Resource name: None type: Microsoft Cabinet archive data, Windows 2000/XP setup, 864221 bytes, 1 file, at 0x2c +A "Scribe.exe", number 1, 71 datablocks, 0x1503 compression

Source: essetup.exe

Binary or memory string: OriginalFilenameScribe.exeD vs essetup.exe

Source: essetup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: essetup.exe

Static PE information: Section: .rsrc ZLIB complexity 0.997511908552116

Source: classification engine

Classification label: clean12.evad.winEXE@11/8@0/0

Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe

File created: C:\Users\user\AppData\Roaming\NCH Software

Jump to behavior

Source: C:\Users\user\Desktop\essetup.exe

File created: C:\Users\user\AppData\Local\Temp\n1s

Jump to behavior

Source: essetup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\essetup.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\essetup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: essetup.exe

String found in binary or memory: Do you want to go the website and download the Windows 2000 version if one is available?http://www.nch.com.au/software/win2000/index.html-bootstrap-bseldlg -bseldlg-LQUIETLQUIET-instby-instsvar-instrefdatan%dsnchsetup.cabnchsetup.exenchdata.cabnchdata.dat-bootstrap %s%s -installer "%s" -instdata "%s" -instby %s-bootstrap %s%s -installer "%s" -instdata "%s" -instrefdata -instsvar -installer "%s" -instdata "%s" -instby %s%s%s%s%s-installer "%s" -instdata "%s"l(

Source: unknown	Process created: C:\Users\user\Desktop\essetup.exe "C:\Users\user\Desktop\essetup.exe"
Source: C:\Users\user\Desktop\essetup.exe	Process created: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe "C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n1s\nchdata.dat"
Source: unknown	Process created: C:\Users\user\Desktop\essetup.exe "C:\Users\user\Desktop\essetup.exe"
Source: unknown	Process created: C:\Users\user\Desktop\essetup.exe "C:\Users\user\Desktop\essetup.exe"
Source: C:\Users\user\Desktop\essetup.exe	Process created: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe "C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat"
Source: unknown	Process created: C:\Users\user\Desktop\essetup.exe "C:\Users\user\Desktop\essetup.exe"
Source: unknown	Process created: C:\Users\user\Desktop\essetup.exe "C:\Users\user\Desktop\essetup.exe"
Source: C:\Users\user\Desktop\essetup.exe	Process created: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe "C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat"
Source: C:\Users\user\Desktop\essetup.exe	Process created: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe "C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n1s\nchdata.dat"			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Process created: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe "C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat"			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Process created: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe "C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat"			Jump to behavior

Source: C:\Users\user\Desktop\essetup.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: cabinet.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: devrtl.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: edputil.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: appresolver.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: sppc.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: onecoreuapcommonproxystub.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: pcacli.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: sfc_os.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: msacm32.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: winmm.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: msimg32.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: winmmbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: winmmbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: samcli.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: windows.ui.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: windowmanagementapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: textinputframework.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: inputhost.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: coreuicomponents.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: twinapi.appcore.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: twinapi.appcore.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: duser.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: xmllite.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: atlthunk.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: textshaping.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Section loaded: oleacc.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: cabinet.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: devrtl.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: edputil.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: appresolver.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: sppc.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: onecoreuapcommonproxystub.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: pcacli.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: sfc_os.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: msacm32.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: winmm.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: msimg32.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: winmmbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: winmmbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: samcli.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: cabinet.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: devrtl.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: edputil.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: appresolver.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: sppc.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: onecoreuapcommonproxystub.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: pcacli.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Section loaded: sfc_os.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: msacm32.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: winmm.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: msimg32.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: winmmbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: winmmbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: samcli.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe	Section loaded: kernel.appcore.dll			Jump to behavior

Source: C:\Users\user\Desktop\essetup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Automated click: Next

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: essetup.exe

Static PE information: certificate valid

Source: essetup.exe

Static file information: File size 1335024 > 1048576

Source: essetup.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x13f000

Source: essetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: c:\sourcecode\scribe\release\Scribe.pdb source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr

Source:

Binary string: c:\sourcecode\hookappcommand\release\hookappcommand.pdb source: essetup.exe, 00000000.00000002.2916014319.0000000002B37000.00000004.00000020.00020000.00000000.sdmp, essetup.exe, 00000005.00000002.1765735272.00000000026FF000.00000004.00000020.00020000.00000000.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp, nchdata.dat.5.dr, nchdata.dat.0.dr

Data Obfuscation

Source: nchsetup.exe.0.dr	Static PE information: real checksum: 0x23d978 should be: 0x2369a1
Source: nchdata.dat.5.dr	Static PE information: real checksum: 0x0 should be: 0xcea48
Source: nchsetup.exe.5.dr	Static PE information: real checksum: 0x23d978 should be: 0x2369a1
Source: nchdata.dat.0.dr	Static PE information: real checksum: 0x0 should be: 0xcea48

Source: nchdata.dat.0.dr	Static PE information: section name: .gxfg
Source: nchdata.dat.0.dr	Static PE information: section name: .gehcont
Source: nchdata.dat.5.dr	Static PE information: section name: .gxfg
Source: nchdata.dat.5.dr	Static PE information: section name: .gehcont

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\essetup.exe	File created: C:\Users\user\AppData\Local\Temp\n1s\nchdata.dat			Jump to dropped file
Source: C:\Users\user\Desktop\essetup.exe	File created: C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat			Jump to dropped file
Source: C:\Users\user\Desktop\essetup.exe	File created: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe			Jump to dropped file
Source: C:\Users\user\Desktop\essetup.exe	File created: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe			Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ScribeInstall			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ScribeInstall			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ScribeInstall			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ScribeInstall			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\essetup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.dr	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr	Binary or memory string: COPIA FILE%I64U TB%I64U GB%I64U MB%I64U KB%I64U BYTES%IUKERNEL32.DLLGETPRODUCTINFOISWOW64PROCESSHARDWARE\DESCRIPTION\SYSTEM\BIOSBASEBOARDMANUFACTURERMICROSOFT CORPORATIONBASEBOARDPRODUCTVIRTUAL MACHINEWINE_GET_UNIX_FILE_NAME_%SCHANGEWINDOWMESSAGEFILTERMICROSOFT BASE CRYPTOGRAPHIC PROVIDER V1.0NCHKQXLLIBHTTPS://WWW.NCHSOFTWARE.COM/%S.HTMLIT/INDEXHTTPS://WWW.NCHSOFTWARE.COM/IT/INDEX.HTMLHTTPS://WWW.NCH.COM.AU/%S.HTMLHTTPS://WWW.NCH.COM.AU/KB/IT/%D.HTMLSCRIBEHTTP://HELP.NCHSOFTWARE.COM/HELP/IT/%S/WIN%S/%S.HTMLHELPOPENSFIRSTRUNACTIVE10SEC&ANTIVIRUS=EXPIRED&ANTIVIRUS=NONE?SOFTWARE=SCRIBE&APPNAME=%S&VERSION=13.18%S%S&APPBITS=32&BASE=SCRIBE&DOMAIN=NCH&BUYOFFER=SCRIBE&PCLASS=PLUS&RGST=%D%S%S%S&INSTBY=%S&IID=%S&HELP=%D&OSTYPE=%U&OSVER=%S%S%S&DAYSUSEDPROGRAM=%DUSEDKEYS&USEDKEYS=%U&USEDSUBSTPCT=%D&INSTSVAR=%S&DAYS=%D&RUNS=%D&OSCLASS=%D&IPPRIVCLASS=%S&REFDATA=%S"%S" -EXE %SUC00:00:002024-01-01BOVISUALIZZA PREZZI SPECIALI && ACQUISTO EXPRESS SCRIBE ONLINEFARE CLIC QUI PER VISUALIZZARE LO SCONTO SPECIALE DEL GIORNO ONLINEINSERIRE IL CODICE SE
Source: essetup.exe, 00000000.00000002.2915337906.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, essetup.exe, 00000005.00000002.1765495788.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, essetup.exe, 0000000A.00000002.1846437196.0000000000B22000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: LU1KERNEL32.DLLWINE_GET_UNIX_FILE_NAMEVERIFYVERSIONINFOAWINDOWS 98/ME SUPPORTTHIS VERSION OF THE APPLICATION REQUIRES WINDOWS XP/2003 OR LATER.
Source: essetup.exe	Binary or memory string: (1KERNEL32.DLLWINE_GET_UNIX_FILE_NAMEVERIFYVERSIONINFOAWINDOWS 98/ME SUPPORTTHIS VERSION OF THE APPLICATION REQUIRES WINDOWS XP/2003 OR LATER.

Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Window / User API: threadDelayed 950			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe	Window / User API: threadDelayed 2275			Jump to behavior

Source: C:\Users\user\Desktop\essetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\n1s\nchdata.dat			Jump to dropped file
Source: C:\Users\user\Desktop\essetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat			Jump to dropped file

Source: essetup.exe, 00000005.00000002.1765252991.000000000090B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: _VMware_

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\essetup.exe	Process created: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe "C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n1s\nchdata.dat"			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Process created: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe "C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat"			Jump to behavior
Source: C:\Users\user\Desktop\essetup.exe	Process created: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe "C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat"			Jump to behavior