Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
essetup.exe

Overview

General Information

Sample name:essetup.exe
Analysis ID:1546032
MD5:3cb6d589a774c51a099ab6ef738e3e36
SHA1:e597a0d1fa0bc47ac06d13fe2efc4637fa7c0416
SHA256:fbb8e38c891b8f385804a2b4ff540830cef7c440ea34ebb696d15224cfbbfe6b
Infos:

Detection

Score:12
Range:0 - 100
Whitelisted:false
Confidence:0%

Signatures

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files

Classification

Process Tree

  • System is w10x64
  • essetup.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\essetup.exe" MD5: 3CB6D589A774C51A099AB6EF738E3E36)
    • nchsetup.exe (PID: 7528 cmdline: "C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n1s\nchdata.dat" MD5: BA3E5C54EA069C5A70A2D0F1CDC68BA8)
  • essetup.exe (PID: 7616 cmdline: "C:\Users\user\Desktop\essetup.exe" MD5: 3CB6D589A774C51A099AB6EF738E3E36)
  • essetup.exe (PID: 7668 cmdline: "C:\Users\user\Desktop\essetup.exe" MD5: 3CB6D589A774C51A099AB6EF738E3E36)
    • nchsetup.exe (PID: 7700 cmdline: "C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat" MD5: BA3E5C54EA069C5A70A2D0F1CDC68BA8)
  • essetup.exe (PID: 7784 cmdline: "C:\Users\user\Desktop\essetup.exe" MD5: 3CB6D589A774C51A099AB6EF738E3E36)
  • essetup.exe (PID: 7844 cmdline: "C:\Users\user\Desktop\essetup.exe" MD5: 3CB6D589A774C51A099AB6EF738E3E36)
    • nchsetup.exe (PID: 7928 cmdline: "C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat" MD5: BA3E5C54EA069C5A70A2D0F1CDC68BA8)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Desktop\essetup.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe, ProcessId: 7528, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ScribeInstall

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-10-31T11:56:19.786436+010020229301A Network Trojan was detected4.245.163.56443192.168.2.449731TCP
2024-10-31T11:56:58.657317+010020229301A Network Trojan was detected4.245.163.56443192.168.2.449737TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results
Source: essetup.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: essetup.exeStatic PE information: certificate valid
Source: essetup.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\sourcecode\scribe\release\Scribe.pdb source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr
Source: Binary string: c:\sourcecode\hookappcommand\release\hookappcommand.pdb source: essetup.exe, 00000000.00000002.2916014319.0000000002B37000.00000004.00000020.00020000.00000000.sdmp, essetup.exe, 00000005.00000002.1765735272.00000000026FF000.00000004.00000020.00020000.00000000.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp, nchdata.dat.5.dr, nchdata.dat.0.dr
Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49731
Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49737
Source: nchsetup.exe.0.drString found in binary or memory: tardiESTEDT%.02d:%.02d:%.02d&suggestion=https://www.nch.com.au/suggestions/it/index.html?software=Scribe&version=13.18&lang=it%s%s&email=Express%20Scribehttps://www.nchsoftware.com/software/it/newsletter.html?software=Scribe&appname=%s&version=13.18&lang=it%s%shttps://www.nch.com.au/software/it/dictation.htmlhttps://www.facebook.com/NCHSoftwareIThttps://twitter.com/nchsoftwareithttps://www.facebook.com/sharer/sharer.php?u=%sHo appena scaricato Express Scribe Software di Trascrizione. Provalo qui: https://www.twitter.com/?status=%s%shttp://www.linkedin.com/shareArticle?url=%s&title=NCH+Software&mini=trueThankshttps://%s/software/it/thanks.html&secsfr=%d&active10s=%dRunsRunsSinceLastInstallMinutesRunSinceLastInstallFirstRunDurationSecondsS34gCFRcNotifyTrialExtensionFFmb equals www.facebook.com (Facebook)
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: tardiESTEDT%.02d:%.02d:%.02d&suggestion=https://www.nch.com.au/suggestions/it/index.html?software=Scribe&version=13.18&lang=it%s%s&email=Express%20Scribehttps://www.nchsoftware.com/software/it/newsletter.html?software=Scribe&appname=%s&version=13.18&lang=it%s%shttps://www.nch.com.au/software/it/dictation.htmlhttps://www.facebook.com/NCHSoftwareIThttps://twitter.com/nchsoftwareithttps://www.facebook.com/sharer/sharer.php?u=%sHo appena scaricato Express Scribe Software di Trascrizione. Provalo qui: https://www.twitter.com/?status=%s%shttp://www.linkedin.com/shareArticle?url=%s&title=NCH+Software&mini=trueThankshttps://%s/software/it/thanks.html&secsfr=%d&active10s=%dRunsRunsSinceLastInstallMinutesRunSinceLastInstallFirstRunDurationSecondsS34gCFRcNotifyTrialExtensionFFmb equals www.linkedin.com (Linkedin)
Source: nchsetup.exe.0.drString found in binary or memory: tardiESTEDT%.02d:%.02d:%.02d&suggestion=https://www.nch.com.au/suggestions/it/index.html?software=Scribe&version=13.18&lang=it%s%s&email=Express%20Scribehttps://www.nchsoftware.com/software/it/newsletter.html?software=Scribe&appname=%s&version=13.18&lang=it%s%shttps://www.nch.com.au/software/it/dictation.htmlhttps://www.facebook.com/NCHSoftwareIThttps://twitter.com/nchsoftwareithttps://www.facebook.com/sharer/sharer.php?u=%sHo appena scaricato Express Scribe Software di Trascrizione. Provalo qui: https://www.twitter.com/?status=%s%shttp://www.linkedin.com/shareArticle?url=%s&title=NCH+Software&mini=trueThankshttps://%s/software/it/thanks.html&secsfr=%d&active10s=%dRunsRunsSinceLastInstallMinutesRunSinceLastInstallFirstRunDurationSecondsS34gCFRcNotifyTrialExtensionFFmb equals www.twitter.com (Twitter)
Source: nchsetup.exe.0.drString found in binary or memory: 7. Se utilizzi una qualsiasi funzione di caricamento su YouTube di questo software, accetti i Termini di servizio di YouTube (https://www.youtube.com/t/terms). equals www.youtube.com (Youtube)
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://%s/components/shared/%s.zipSoftware
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://canberra.nchsoftware.com:120/minidumpupload
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://canberra.nchsoftware.com:120/minidumpupload%.4dWin%d%d%sUkn0(Msg%dLstCmd%d)GloIni1GuiIni2GuiD
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://cgi.nch.com.au/cgi-bin/regcheck-it.exe?cmd=v&id=%d&magic=%d&magicb=%d
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://cgi.nch.com.au/cgi-bin/regcheck-it.exe?cmd=v&id=%d&magic=%d&magicb=%dConvalidare
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://cgi.nch.com.au/cgi-bin/report-it.exetestfolderLaunch
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nchsetup.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://ffmpeg.orgavutil-52.nch.dllswscale-2.nch.dllswresample-0.nch.dllavcodec-55.nch.dllavformat-55
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://ocsp.digicert.com0
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://ocsp.digicert.com0A
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://ocsp.digicert.com0C
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://ocsp.digicert.com0X
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://ocsp.entrust.net02
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://ocsp.entrust.net03
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://www.audiochannel.net/components/it/notifications/scribe.txtpn
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://www.audiochannel.net/software/de/scribesetup_de.exehttps://www.nch.com.au/scribe/de/essetup.e
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://www.audiochannel.net/versions/components/%s_it.txt
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://www.audiochannel.net/versions/components/%s_it.txt1.00.0Verifica
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://www.audiochannel.net/versions/scribe_it.txt
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://www.audiochannel.net/versions/scribe_it.txtinfo=download=Nessuna
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://www.digicert.com/CPS0
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://www.entrust.net/rpa03
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://www.nch.com.au/components/%s.exe.Express
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://www.nch.com.au/components/%s.exeDownload
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://www.nch.com.au/components/index.html
Source: essetup.exeString found in binary or memory: http://www.nch.com.au/software/win2000/index.html-bootstrap-bseldlg
Source: essetup.exeString found in binary or memory: http://www.nch.com.au/software/win98/index.htmlWindows
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://www.nch.com.au/switch/it/index.htmlConverti
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://www.nchsoftware.com/prism/it/index.htmlConverti
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: http://www.opensource.org/licenses/lgpl-license.php
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://%s/software/it/thanks.html&secsfr=%d&active10s=%dRunsRunsSinceLastInstallMinutesRunSinceLast
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://%sit/index.html?ref=nchiodaboutScarica
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://nch.invisionzone.com/forum/239-italiano/https://www.nch.com.au/suggestions/it/index.html?sof
Source: nchsetup.exe.0.drString found in binary or memory: https://secure.nch.com.au/cgi-bin/getrefdata.exe?software=Scribe&lang=IT&platform=Win&download=%s&ii
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://secure.nch.com.au/cgi-bin/register-it.exe?action=q&id=%u&magica=%u&magicb=%u
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://secure.nch.com.au/cgi-bin/register-it.exe?software=scribe&version=13.18%s%s%s%s%s%s%s&instby
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://secure.nch.com.au/cgi-bin/register-it.exe?software=scribeAcquista
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://secure.nch.com.au/cgi-bin/register.exe?software=scribeAcquista
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://www.entrust.net/rpa0
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://www.nch.com.au/delegate/it/index.htmlServerIndirizzo:es:
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://www.nch.com.au/hardware/it/pedals.htmlAcquista
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://www.nch.com.au/it/index.htmlComponente
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://www.nch.com.au/kb/it/10271.htmlEsegui
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://www.nch.com.au/software/it/audio.html
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://www.nch.com.au/software/it/bug.html?software=Scribe&version=13.18&lang=it&iid=%s&data=%s&rdf
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://www.nch.com.au/software/it/bug.html?software=Scribe&version=13.18&lang=it&xi=%s-Win%d%d%s-MA
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://www.nch.com.au/software/it/bug.html?software=Scribe&version=13.18&lang=it&xi=GUI-%s&iid=%s&d
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://www.nch.com.au/software/it/rateit.html?software=Scribe&appname=%s&version=13.18&rating=%d&bu
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://www.nch.com.au/software/it/thanksforusing.htmlwww.nch.com.auInstallerDomain&usage=%04X%02XNC
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://www.nch.com.au/suggestions/it/index.html?software=Scribe&version=13.18&lang=it%s%s&email=Exp
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://www.nch.com.au/support/it/reg.htmlhttps://www.nch.com.au/upgrade/it/index.htmlCodice
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://www.nch.com.au/upgrade/it/index.html?software=scribe&upgradeid=%d&upgradekey=%shttps://www.n
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://www.nchsoftware.com/%s.htmlit/indexhttps://www.nchsoftware.com/it/index.htmlhttps://www.nch.
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://www.nchsoftware.com/%s/it/index.html?ref=nchsuitehttps://www.nch.com.au/%s/it/index.html?ref
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://www.twitter.com/?status=%s%shttp://www.linkedin.com/shareArticle?url=%s&title=NCH
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drString found in binary or memory: https://www.youtube.com/t/terms).
Source: essetup.exeStatic PE information: Resource name: None type: Microsoft Cabinet archive data, Windows 2000/XP setup, 433993 bytes, 1 file, at 0x2c +A "resource.dat", number 1, 25 datablocks, 0x1503 compression
Source: essetup.exeStatic PE information: Resource name: None type: Microsoft Cabinet archive data, Windows 2000/XP setup, 864221 bytes, 1 file, at 0x2c +A "Scribe.exe", number 1, 71 datablocks, 0x1503 compression
Source: essetup.exeBinary or memory string: OriginalFilenameScribe.exeD vs essetup.exe
Source: essetup.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: essetup.exeStatic PE information: Section: .rsrc ZLIB complexity 0.997511908552116
Source: classification engineClassification label: clean12.evad.winEXE@11/8@0/0
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeFile created: C:\Users\user\AppData\Roaming\NCH SoftwareJump to behavior
Source: C:\Users\user\Desktop\essetup.exeFile created: C:\Users\user\AppData\Local\Temp\n1sJump to behavior
Source: essetup.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\essetup.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\essetup.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: essetup.exeString found in binary or memory: Do you want to go the website and download the Windows 2000 version if one is available?http://www.nch.com.au/software/win2000/index.html-bootstrap-bseldlg -bseldlg-LQUIETLQUIET-instby-instsvar-instrefdatan%dsnchsetup.cabnchsetup.exenchdata.cabnchdata.dat-bootstrap %s%s -installer "%s" -instdata "%s" -instby %s-bootstrap %s%s -installer "%s" -instdata "%s" -instrefdata -instsvar -installer "%s" -instdata "%s" -instby %s%s%s%s%s-installer "%s" -instdata "%s"l(
Source: unknownProcess created: C:\Users\user\Desktop\essetup.exe "C:\Users\user\Desktop\essetup.exe"
Source: C:\Users\user\Desktop\essetup.exeProcess created: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe "C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n1s\nchdata.dat"
Source: unknownProcess created: C:\Users\user\Desktop\essetup.exe "C:\Users\user\Desktop\essetup.exe"
Source: unknownProcess created: C:\Users\user\Desktop\essetup.exe "C:\Users\user\Desktop\essetup.exe"
Source: C:\Users\user\Desktop\essetup.exeProcess created: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe "C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat"
Source: unknownProcess created: C:\Users\user\Desktop\essetup.exe "C:\Users\user\Desktop\essetup.exe"
Source: unknownProcess created: C:\Users\user\Desktop\essetup.exe "C:\Users\user\Desktop\essetup.exe"
Source: C:\Users\user\Desktop\essetup.exeProcess created: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe "C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat"
Source: C:\Users\user\Desktop\essetup.exeProcess created: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe "C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n1s\nchdata.dat"Jump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess created: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe "C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat"Jump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess created: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe "C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat"Jump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: devrtl.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: msacm32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: samcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: windows.ui.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: duser.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: devrtl.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: msacm32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: samcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: devrtl.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: msacm32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: samcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\essetup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeAutomated click: Next
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: essetup.exeStatic PE information: certificate valid
Source: essetup.exeStatic file information: File size 1335024 > 1048576
Source: essetup.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x13f000
Source: essetup.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\sourcecode\scribe\release\Scribe.pdb source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.dr
Source: Binary string: c:\sourcecode\hookappcommand\release\hookappcommand.pdb source: essetup.exe, 00000000.00000002.2916014319.0000000002B37000.00000004.00000020.00020000.00000000.sdmp, essetup.exe, 00000005.00000002.1765735272.00000000026FF000.00000004.00000020.00020000.00000000.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp, nchdata.dat.5.dr, nchdata.dat.0.dr
Source: nchsetup.exe.0.drStatic PE information: real checksum: 0x23d978 should be: 0x2369a1
Source: nchdata.dat.5.drStatic PE information: real checksum: 0x0 should be: 0xcea48
Source: nchsetup.exe.5.drStatic PE information: real checksum: 0x23d978 should be: 0x2369a1
Source: nchdata.dat.0.drStatic PE information: real checksum: 0x0 should be: 0xcea48
Source: nchdata.dat.0.drStatic PE information: section name: .gxfg
Source: nchdata.dat.0.drStatic PE information: section name: .gehcont
Source: nchdata.dat.5.drStatic PE information: section name: .gxfg
Source: nchdata.dat.5.drStatic PE information: section name: .gehcont
Source: C:\Users\user\Desktop\essetup.exeFile created: C:\Users\user\AppData\Local\Temp\n1s\nchdata.datJump to dropped file
Source: C:\Users\user\Desktop\essetup.exeFile created: C:\Users\user\AppData\Local\Temp\n2s\nchdata.datJump to dropped file
Source: C:\Users\user\Desktop\essetup.exeFile created: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exeJump to dropped file
Source: C:\Users\user\Desktop\essetup.exeFile created: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ScribeInstallJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ScribeInstallJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ScribeInstallJump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ScribeInstallJump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drBinary or memory string: WINE_GET_UNIX_FILE_NAME
Source: essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drBinary or memory string: COPIA FILE%I64U TB%I64U GB%I64U MB%I64U KB%I64U BYTES%IUKERNEL32.DLLGETPRODUCTINFOISWOW64PROCESSHARDWARE\DESCRIPTION\SYSTEM\BIOSBASEBOARDMANUFACTURERMICROSOFT CORPORATIONBASEBOARDPRODUCTVIRTUAL MACHINEWINE_GET_UNIX_FILE_NAME_%SCHANGEWINDOWMESSAGEFILTERMICROSOFT BASE CRYPTOGRAPHIC PROVIDER V1.0NCHKQXLLIBHTTPS://WWW.NCHSOFTWARE.COM/%S.HTMLIT/INDEXHTTPS://WWW.NCHSOFTWARE.COM/IT/INDEX.HTMLHTTPS://WWW.NCH.COM.AU/%S.HTMLHTTPS://WWW.NCH.COM.AU/KB/IT/%D.HTMLSCRIBEHTTP://HELP.NCHSOFTWARE.COM/HELP/IT/%S/WIN%S/%S.HTMLHELPOPENSFIRSTRUNACTIVE10SEC&ANTIVIRUS=EXPIRED&ANTIVIRUS=NONE?SOFTWARE=SCRIBE&APPNAME=%S&VERSION=13.18%S%S&APPBITS=32&BASE=SCRIBE&DOMAIN=NCH&BUYOFFER=SCRIBE&PCLASS=PLUS&RGST=%D%S%S%S&INSTBY=%S&IID=%S&HELP=%D&OSTYPE=%U&OSVER=%S%S%S&DAYSUSEDPROGRAM=%DUSEDKEYS&USEDKEYS=%U&USEDSUBSTPCT=%D&INSTSVAR=%S&DAYS=%D&RUNS=%D&OSCLASS=%D&IPPRIVCLASS=%S&REFDATA=%S"%S" -EXE %SUC00:00:002024-01-01BOVISUALIZZA PREZZI SPECIALI && ACQUISTO EXPRESS SCRIBE ONLINEFARE CLIC QUI PER VISUALIZZARE LO SCONTO SPECIALE DEL GIORNO ONLINEINSERIRE IL CODICE SE
Source: essetup.exe, 00000000.00000002.2915337906.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, essetup.exe, 00000005.00000002.1765495788.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, essetup.exe, 0000000A.00000002.1846437196.0000000000B22000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: LU1KERNEL32.DLLWINE_GET_UNIX_FILE_NAMEVERIFYVERSIONINFOAWINDOWS 98/ME SUPPORTTHIS VERSION OF THE APPLICATION REQUIRES WINDOWS XP/2003 OR LATER.
Source: essetup.exeBinary or memory string: (1KERNEL32.DLLWINE_GET_UNIX_FILE_NAMEVERIFYVERSIONINFOAWINDOWS 98/ME SUPPORTTHIS VERSION OF THE APPLICATION REQUIRES WINDOWS XP/2003 OR LATER.
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeWindow / User API: threadDelayed 950Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeWindow / User API: threadDelayed 2275Jump to behavior
Source: C:\Users\user\Desktop\essetup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\n1s\nchdata.datJump to dropped file
Source: C:\Users\user\Desktop\essetup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\n2s\nchdata.datJump to dropped file
Source: essetup.exe, 00000005.00000002.1765252991.000000000090B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _VMware_
Source: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess created: C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe "C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n1s\nchdata.dat"Jump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess created: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe "C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat"Jump to behavior
Source: C:\Users\user\Desktop\essetup.exeProcess created: C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe "C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat"Jump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Command and Scripting Interpreter		1
DLL Side-Loading		11
Process Injection		1
Masquerading		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
Registry Run Keys / Startup Folder		1
DLL Side-Loading		1
Virtualization/Sandbox Evasion		LSASS Memory1
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
Registry Run Keys / Startup Folder		1
Disable or Modify Tools		Security Account Manager1
Application Window Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Software Packing		NTDS1
File and Directory Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
Process Injection		LSA Secrets1
System Information Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1546032 Sample: essetup.exe Startdate: 31/10/2024 Architecture: WINDOWS Score: 12 30 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->30 6 essetup.exe 6 2->6         started        10 essetup.exe 8 2->10         started        12 essetup.exe 8 2->12         started        14 2 other processes 2->14 process3 file4 22 C:\Users\user\AppData\Local\...\nchsetup.exe, PE32 6->22 dropped 24 C:\Users\user\AppData\Local\...\nchdata.dat, PE32+ 6->24 dropped 32 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 6->32 16 nchsetup.exe 3 3 6->16         started        26 C:\Users\user\AppData\Local\...\nchsetup.exe, PE32 10->26 dropped 28 C:\Users\user\AppData\Local\...\nchdata.dat, PE32+ 10->28 dropped 18 nchsetup.exe 3 10->18         started        20 nchsetup.exe 3 12->20         started        signatures5 process6

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
essetup.exe0%ReversingLabs

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\Temp\n1s\nchdata.dat3%ReversingLabs
C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe0%ReversingLabs
C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat3%ReversingLabs
C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe0%ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://ocsp.entrust.net030%URL Reputationsafe
http://ocsp.entrust.net020%URL Reputationsafe
http://crl.entrust.net/ts1ca.crl00%URL Reputationsafe
http://www.entrust.net/rpa030%URL Reputationsafe
http://aia.entrust.net/ts1-chain256.cer010%URL Reputationsafe
http://crl.entrust.net/2048ca.crl00%URL Reputationsafe
https://www.entrust.net/rpa00%URL Reputationsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://www.youtube.com/t/terms).essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
    		unknown
    http://ffmpeg.orgavutil-52.nch.dllswscale-2.nch.dllswresample-0.nch.dllavcodec-55.nch.dllavformat-55essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
      		unknown
      http://ocsp.entrust.net03essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
      • URL Reputation: safe
      		unknown
      http://ocsp.entrust.net02essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
      • URL Reputation: safe
      		unknown
      http://cgi.nch.com.au/cgi-bin/regcheck-it.exe?cmd=v&id=%d&magic=%d&magicb=%dessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
        		unknown
        https://%s/software/it/thanks.html&secsfr=%d&active10s=%dRunsRunsSinceLastInstallMinutesRunSinceLastessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
          		unknown
          https://www.nch.com.au/support/it/reg.htmlhttps://www.nch.com.au/upgrade/it/index.htmlCodiceessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
            		unknown
            http://www.audiochannel.net/versions/components/%s_it.txt1.00.0Verificaessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
              		unknown
              https://www.nch.com.au/delegate/it/index.htmlServerIndirizzo:es:essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                		unknown
                http://www.audiochannel.net/components/it/notifications/scribe.txtpnessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                  		unknown
                  http://cgi.nch.com.au/cgi-bin/report-it.exetestfolderLaunchessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                    		unknown
                    http://www.nchsoftware.com/prism/it/index.htmlConvertiessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                      		unknown
                      https://www.nch.com.au/software/it/bug.html?software=Scribe&version=13.18&lang=it&iid=%s&data=%s&rdfessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                        		unknown
                        https://www.nch.com.au/software/it/thanksforusing.htmlwww.nch.com.auInstallerDomain&usage=%04X%02XNCessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                          		unknown
                          http://www.audiochannel.net/versions/scribe_it.txtessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                            		unknown
                            http://crl.entrust.net/ts1ca.crl0essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                            • URL Reputation: safe
                            		unknown
                            https://www.nch.com.au/it/index.htmlComponenteessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                              		unknown
                              https://www.nch.com.au/software/it/bug.html?software=Scribe&version=13.18&lang=it&xi=GUI-%s&iid=%s&dessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                		unknown
                                http://www.audiochannel.net/software/de/scribesetup_de.exehttps://www.nch.com.au/scribe/de/essetup.eessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                  		unknown
                                  https://www.twitter.com/?status=%s%shttp://www.linkedin.com/shareArticle?url=%s&title=NCHessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                    		unknown
                                    https://www.nch.com.au/software/it/audio.htmlessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                      		unknown
                                      https://www.nch.com.au/kb/it/10271.htmlEseguiessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                        		unknown
                                        https://%sit/index.html?ref=nchiodaboutScaricaessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                          		unknown
                                          https://www.nch.com.au/upgrade/it/index.html?software=scribe&upgradeid=%d&upgradekey=%shttps://www.nessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                            		unknown
                                            http://www.nch.com.au/components/%s.exeDownloadessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                              		unknown
                                              http://cgi.nch.com.au/cgi-bin/regcheck-it.exe?cmd=v&id=%d&magic=%d&magicb=%dConvalidareessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                		unknown
                                                http://canberra.nchsoftware.com:120/minidumpuploadessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                  		unknown
                                                  http://www.entrust.net/rpa03essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.nch.com.au/components/index.htmlessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                    		unknown
                                                    http://www.nch.com.au/switch/it/index.htmlConvertiessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                      		unknown
                                                      http://www.opensource.org/licenses/lgpl-license.phpessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                        		unknown
                                                        http://aia.entrust.net/ts1-chain256.cer01essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        https://www.nch.com.au/hardware/it/pedals.htmlAcquistaessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                          		unknown
                                                          http://canberra.nchsoftware.com:120/minidumpupload%.4dWin%d%d%sUkn0(Msg%dLstCmd%d)GloIni1GuiIni2GuiDessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                            		unknown
                                                            http://www.nch.com.au/software/win2000/index.html-bootstrap-bseldlgessetup.exefalse
                                                              		unknown
                                                              https://www.nch.com.au/software/it/bug.html?software=Scribe&version=13.18&lang=it&xi=%s-Win%d%d%s-MAessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                                		unknown
                                                                https://secure.nch.com.au/cgi-bin/getrefdata.exe?software=Scribe&lang=IT&platform=Win&download=%s&iinchsetup.exe.0.drfalse
                                                                  		unknown
                                                                  https://secure.nch.com.au/cgi-bin/register.exe?software=scribeAcquistaessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                                    		unknown
                                                                    http://www.nch.com.au/software/win98/index.htmlWindowsessetup.exefalse
                                                                      		unknown
                                                                      https://www.nch.com.au/software/it/rateit.html?software=Scribe&appname=%s&version=13.18&rating=%d&buessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                                        		unknown
                                                                        http://www.audiochannel.net/versions/components/%s_it.txtessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                                          		unknown
                                                                          https://www.nchsoftware.com/%s.htmlit/indexhttps://www.nchsoftware.com/it/index.htmlhttps://www.nch.essetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                                            		unknown
                                                                            https://secure.nch.com.au/cgi-bin/register-it.exe?action=q&id=%u&magica=%u&magicb=%uessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                                              		unknown
                                                                              http://www.audiochannel.net/versions/scribe_it.txtinfo=download=Nessunaessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                                                		unknown
                                                                                https://secure.nch.com.au/cgi-bin/register-it.exe?software=scribe&version=13.18%s%s%s%s%s%s%s&instbyessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                                                  		unknown
                                                                                  http://%s/components/shared/%s.zipSoftwareessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                                                    		unknown
                                                                                    https://secure.nch.com.au/cgi-bin/register-it.exe?software=scribeAcquistaessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                                                      		unknown
                                                                                      http://crl.entrust.net/2048ca.crl0essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                                                      • URL Reputation: safe
                                                                                      		unknown
                                                                                      https://nch.invisionzone.com/forum/239-italiano/https://www.nch.com.au/suggestions/it/index.html?sofessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                                                        		unknown
                                                                                        https://www.nchsoftware.com/%s/it/index.html?ref=nchsuitehttps://www.nch.com.au/%s/it/index.html?refessetup.exe, 00000000.00000002.2916014319.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000001.00000000.1668084018.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, nchsetup.exe, 00000001.00000002.2915911503.0000000000F8E000.00000002.00000001.01000000.00000005.sdmp, essetup.exe, 00000005.00000002.1765735272.0000000002745000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 00000006.00000002.1761380287.000000000109E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 00000006.00000000.1757987358.000000000109E000.00000002.00000001.01000000.00000006.sdmp, essetup.exe, 0000000A.00000002.1846820080.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, nchsetup.exe, 0000000B.00000002.1845634898.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe, 0000000B.00000000.1843936011.0000000000C6E000.00000002.00000001.01000000.00000006.sdmp, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                                                          		unknown
                                                                                          https://www.entrust.net/rpa0essetup.exe, nchsetup.exe.5.dr, nchsetup.exe.0.drfalse
                                                                                          • URL Reputation: safe
                                                                                          		unknown

                                                                                          World Map of Contacted IPs

                                                                                          No contacted IP infos

                                                                                          General Information

                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                          Analysis ID:1546032
                                                                                          Start date and time:2024-10-31 11:55:08 +01:00
                                                                                          Joe Sandbox product:CloudBasic
                                                                                          Overall analysis duration:0h 4m 23s
                                                                                          Hypervisor based Inspection enabled:false
                                                                                          Report type:full
                                                                                          Cookbook file name:default.jbs
                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                          Number of analysed new started processes analysed:14
                                                                                          Number of new started drivers analysed:0
                                                                                          Number of existing processes analysed:0
                                                                                          Number of existing drivers analysed:0
                                                                                          Number of injected processes analysed:1
                                                                                          Technologies:
                                                                                          • EGA enabled
                                                                                          • AMSI enabled
                                                                                          Analysis Mode:default
                                                                                          Analysis stop reason:Timeout
                                                                                          Sample name:essetup.exe
                                                                                          Detection:CLEAN
                                                                                          Classification:clean12.evad.winEXE@11/8@0/0
                                                                                          Cookbook Comments:
                                                                                          • Found application associated with file extension: .exe

                                                                                          Warnings

                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                          • Not all processes where analyzed, report is missing behavior information
                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                          • VT rate limit hit for: essetup.exe

                                                                                          Simulations

                                                                                          Behavior and APIs

                                                                                          TimeTypeDescription
                                                                                          10:55:59AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce ScribeInstall C:\Users\user\Desktop\essetup.exe
                                                                                          10:56:07AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce ScribeInstall C:\Users\user\Desktop\essetup.exe

                                                                                          Joe Sandbox View / Context

                                                                                          IPs

                                                                                          No context

                                                                                          Domains

                                                                                          No context

                                                                                          ASNs

                                                                                          No context

                                                                                          JA3 Fingerprints

                                                                                          No context

                                                                                          Dropped Files

                                                                                          No context

                                                                                          Created / dropped Files

                                                                                          C:\Users\user\AppData\Local\Temp\n1s\nchdata.cab

                                                                                          Download File
                                                                                          Process:C:\Users\user\Desktop\essetup.exe
                                                                                          File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 433993 bytes, 1 file, at 0x2c +A "resource.dat", number 1, 25 datablocks, 0x1503 compression
                                                                                          Category:dropped
                                                                                          Size (bytes):433993
                                                                                          Entropy (8bit):7.9991830347405966
                                                                                          Encrypted:true
                                                                                          SSDEEP:12288:mlbsSAMgUHrFXAlJu32OS6nyadnqoFfnRHDfs4:mJAMgUJXKu3FSwdndXn
                                                                                          MD5:67D19112A2EBA560794E86BD99A6E961
                                                                                          SHA1:7592291061C4BD7067389620DD23BBCE314A5F32
                                                                                          SHA-256:D53165F3E565C464E859285F807D207F579376E773A5B9EB9F3025658AE84679
                                                                                          SHA-512:C080151A8D9110B9D276FEB9BE12E078ABEEE4E955FFAC9BC19266F144C65CCF040B6E9CA6648D262E9F691616E98BE2D9FF0C3519A2172EC117208D15BA1057
                                                                                          Malicious:false
                                                                                          Reputation:low
                                                                                          Preview:MSCF....I.......,...................I......._I........*Y.. .resource.dat....I.D..[..........up4..m....m..R........r.o....S..n...E.X.......x....x..U..Rm!..D.{.u.j...T......?....g.;.'..yX...a...Ol.N#.Y.6...H..%...mC]B...>..zZmO.F.[.-[.AX@m..-.........u..._H..R.. .y..... j..53UD.@.@.....|....U.r..8l.E..@..B.!?.......W..F.....t.5.o...3(.LZo...|.eXqU....R.U..nS.-vm.b'....JiM../...n.:7..i:..V......`u..r..{........U..>.......~.cV{.w.Oz..Yq;E....{.......w.}..O.....G...B..-.&....H....q..?.2.N..F.#F~......F..|.i.}...H.....4.6..e..;..n.W..o..Y.).6.._]UI.....S..... ../..z..Z,P(...pm...B."...E. ..u.......>..?..HOK5!c...+..]..S.W/L....GG.%[cA.d........^U....E..r....jJ6.r..f.........kO..wSW........9f..uJf.=f.....P...v..c..0T...m.fy.....;...\.8.b.N'..Y...a..*..E.R.......\j..RL..Nk.5D..*.d.A.-@.-A!X.g..:.]..D4.f9A..-+........X.v..f....k.4....t.s9...]F.Z....[ .\vK.rvp.}...@@.0.._$.L".J.-..M..6%..Zu%.$A.a7...g....3AH..r...[....cy....F...9....

                                                                                          C:\Users\user\AppData\Local\Temp\n1s\nchdata.dat

                                                                                          Download File
                                                                                          Process:C:\Users\user\Desktop\essetup.exe
                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):805215
                                                                                          Entropy (8bit):5.994837242938757
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:QFzS6ZJfchnqF2XXCUCo6B706kqwx1EADjWCsDOmfZs:izSok22XSFn7UTiSmfZs
                                                                                          MD5:0F9D3656E1CD294B2725B3D11C4FE0C2
                                                                                          SHA1:7544E9E83D0845E7B695AD6F13F13B31275B573C
                                                                                          SHA-256:2EFF1CA7B9C028E33BA3DE01A21480B5EABB63F4220C502395E8DB9084882D2A
                                                                                          SHA-512:F27CCFD24E938AE3BCA83D942F2D31D0DAFB1D11123D1BF27ECA47EFA5CF8BAEE6C2D900DD988897D60845FF01B89E1B35286238F156E48CB14568B340B9F5D7
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                          Reputation:low
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.......................y..-...\..-...q..-...w......s......u..v...z...........~.....~...x.~.....~..Rich...........PE..d....M.f.........." .....D...........6....................................................`.................................................@................0.. .......................8............................................`...............................text...+C.......D.................. ..`.rdata..T....`.......H..............@..@.data...............................@....pdata.. ....0......................@..@.gxfg...0....P......................@..@.gehcont.....p.......(..............@..@.rsrc................*..............@..@.reloc...............,..............@..B........................................................................................................................................................

                                                                                          C:\Users\user\AppData\Local\Temp\n1s\nchsetup.cab

                                                                                          Download File
                                                                                          Process:C:\Users\user\Desktop\essetup.exe
                                                                                          File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 864221 bytes, 1 file, at 0x2c +A "Scribe.exe", number 1, 71 datablocks, 0x1503 compression
                                                                                          Category:dropped
                                                                                          Size (bytes):864221
                                                                                          Entropy (8bit):7.999734709500922
                                                                                          Encrypted:true
                                                                                          SSDEEP:24576:04wpfDH3UMQqbfm14I2D3Nrq7yF3lqnYwU:NwpfDEjqa14IS5qfni
                                                                                          MD5:97B2390C241F33A033B387254B36597F
                                                                                          SHA1:13F263697AD095217F59C83BB127A82218E2EE48
                                                                                          SHA-256:DEE22C7604ACCB53A67DFA83FFD7B20029B477AD576587ACDC9F04F6DEC26D17
                                                                                          SHA-512:459964ADFE7E06407EFF2293959E9FCFA2BD12DF40A542C75C6C926A1B84C2DF17905DDC6A7219920F3BD4B2BCB23AEA1873DA405416B742CBA7D647F5897B55
                                                                                          Malicious:false
                                                                                          Reputation:low
                                                                                          Preview:MSCF...../......,...................G...G.....#.......*Y.. .Scribe.exe.l`"&.C..[...0....."R`4..n....m...Uj.riYiY:]KW.U..jj.X...n...G.nZy.WPx.@PO@......F....).HI....m..4.j..F.........D3Dfr.g.s<.1..3K..CK~.]..Bw7.TK......Cm.C..`..vj..>C-*O..4.]%%....[6%@...-.26........8...4..?...l.. C.EEPvW.9......y3..[.e.w.tH.H..$iJ.Q.......eT.. .@..B..(!..`.~...E.m...p#.C.....u#1.'..Z....5.Wm..p.#Mk...O.n...=E.#.{X_".h.O.o@B.....+...|....k.v.......iJ`..j.e?95.....4n.....8y.x~M.>..{..O.......n.'av.m.[t8)..p....sbV.g.b.E.u..(.....gF.<..j.].}.V..4.....\n...=.../iu*.>..HT.s..D{`......W.s!|.'4...>..M..(o$[.....T..W....'....i.>...V.dq>k...O..UN...n.D.T......'......o.ltH.u.gM..;...4.&G.......x.:-5.u.^...k..c..M.p..1..XZ....%7I..#'..h.x?~...VH1...HM.s.9.0,1.r2Q..)b.[........R#...'~\..../..r..iE..N.K.RMS..JR.....{....%$...\l5......h"P.jd..@V@.............hz..Pe........L.x.V.M7........LN../k.L....I.Z.@c......c...d.....r: U9.}}r8..)...I...TTp........d.B....`U.%Li=."x.

                                                                                          C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe

                                                                                          Download File
                                                                                          Process:C:\Users\user\Desktop\essetup.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):2294512
                                                                                          Entropy (8bit):6.268152982076055
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:/pyFpD64I/zLKECN0qYViCwxsGZJVBS+BCXtOGmh8EpRq5sWAMODrUY:eNI/TPrMd4AGmKlKMov
                                                                                          MD5:BA3E5C54EA069C5A70A2D0F1CDC68BA8
                                                                                          SHA1:E4123D21B55A7BDDC826C5F908F77EB70C1AFA3A
                                                                                          SHA-256:65A9FE6BF3982768A73E7B8BF4CACE4CAF0D3D6BE8B9C6E03D67F4F6F71EAFD7
                                                                                          SHA-512:D5C3E80E82CDC42D1F6E7CE9B8BD6F11AAA3BE1EC209DCEBB53AE2DF1AB5FD0D26C7646990344AC099285C89ED20FDAD0ED38ECF0EA002B706D11A63A88B6ABC
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Reputation:low
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e....K...K...K.f.K...Ka.kK...K5.uK...K..vK...K..fK...K..eK...Ka.TK...Ka.VK...K...K...K..yK...K..wK...K...K...K..sK...KRich...K........PE..L....N.f..........".................4X............@..........................@,.....x.#...@..................................}.......p$.Pb............"..P....*.$...........................Hu.......u..@...............D............................text............................... ..`.rdata..............................@..@.data...........>..................@....tls.........`$.....................@....rsrc...Pb...p$..d..................@..@.reloc...]....*..^...T!.............@..B........................................................................................................................................................................................................................................................

                                                                                          C:\Users\user\AppData\Local\Temp\n2s\nchdata.cab

                                                                                          Download File
                                                                                          Process:C:\Users\user\Desktop\essetup.exe
                                                                                          File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 433993 bytes, 1 file, at 0x2c +A "resource.dat", number 1, 25 datablocks, 0x1503 compression
                                                                                          Category:dropped
                                                                                          Size (bytes):433993
                                                                                          Entropy (8bit):7.9991830347405966
                                                                                          Encrypted:true
                                                                                          SSDEEP:12288:mlbsSAMgUHrFXAlJu32OS6nyadnqoFfnRHDfs4:mJAMgUJXKu3FSwdndXn
                                                                                          MD5:67D19112A2EBA560794E86BD99A6E961
                                                                                          SHA1:7592291061C4BD7067389620DD23BBCE314A5F32
                                                                                          SHA-256:D53165F3E565C464E859285F807D207F579376E773A5B9EB9F3025658AE84679
                                                                                          SHA-512:C080151A8D9110B9D276FEB9BE12E078ABEEE4E955FFAC9BC19266F144C65CCF040B6E9CA6648D262E9F691616E98BE2D9FF0C3519A2172EC117208D15BA1057
                                                                                          Malicious:false
                                                                                          Reputation:low
                                                                                          Preview:MSCF....I.......,...................I......._I........*Y.. .resource.dat....I.D..[..........up4..m....m..R........r.o....S..n...E.X.......x....x..U..Rm!..D.{.u.j...T......?....g.;.'..yX...a...Ol.N#.Y.6...H..%...mC]B...>..zZmO.F.[.-[.AX@m..-.........u..._H..R.. .y..... j..53UD.@.@.....|....U.r..8l.E..@..B.!?.......W..F.....t.5.o...3(.LZo...|.eXqU....R.U..nS.-vm.b'....JiM../...n.:7..i:..V......`u..r..{........U..>.......~.cV{.w.Oz..Yq;E....{.......w.}..O.....G...B..-.&....H....q..?.2.N..F.#F~......F..|.i.}...H.....4.6..e..;..n.W..o..Y.).6.._]UI.....S..... ../..z..Z,P(...pm...B."...E. ..u.......>..?..HOK5!c...+..]..S.W/L....GG.%[cA.d........^U....E..r....jJ6.r..f.........kO..wSW........9f..uJf.=f.....P...v..c..0T...m.fy.....;...\.8.b.N'..Y...a..*..E.R.......\j..RL..Nk.5D..*.d.A.-@.-A!X.g..:.]..D4.f9A..-+........X.v..f....k.4....t.s9...]F.Z....[ .\vK.rvp.}...@@.0.._$.L".J.-..M..6%..Zu%.$A.a7...g....3AH..r...[....cy....F...9....

                                                                                          C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat

                                                                                          Download File
                                                                                          Process:C:\Users\user\Desktop\essetup.exe
                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):805215
                                                                                          Entropy (8bit):5.994837242938757
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:QFzS6ZJfchnqF2XXCUCo6B706kqwx1EADjWCsDOmfZs:izSok22XSFn7UTiSmfZs
                                                                                          MD5:0F9D3656E1CD294B2725B3D11C4FE0C2
                                                                                          SHA1:7544E9E83D0845E7B695AD6F13F13B31275B573C
                                                                                          SHA-256:2EFF1CA7B9C028E33BA3DE01A21480B5EABB63F4220C502395E8DB9084882D2A
                                                                                          SHA-512:F27CCFD24E938AE3BCA83D942F2D31D0DAFB1D11123D1BF27ECA47EFA5CF8BAEE6C2D900DD988897D60845FF01B89E1B35286238F156E48CB14568B340B9F5D7
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                          Reputation:low
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.......................y..-...\..-...q..-...w......s......u..v...z...........~.....~...x.~.....~..Rich...........PE..d....M.f.........." .....D...........6....................................................`.................................................@................0.. .......................8............................................`...............................text...+C.......D.................. ..`.rdata..T....`.......H..............@..@.data...............................@....pdata.. ....0......................@..@.gxfg...0....P......................@..@.gehcont.....p.......(..............@..@.rsrc................*..............@..@.reloc...............,..............@..B........................................................................................................................................................

                                                                                          C:\Users\user\AppData\Local\Temp\n2s\nchsetup.cab

                                                                                          Download File
                                                                                          Process:C:\Users\user\Desktop\essetup.exe
                                                                                          File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 864221 bytes, 1 file, at 0x2c +A "Scribe.exe", number 1, 71 datablocks, 0x1503 compression
                                                                                          Category:dropped
                                                                                          Size (bytes):864221
                                                                                          Entropy (8bit):7.999734709500922
                                                                                          Encrypted:true
                                                                                          SSDEEP:24576:04wpfDH3UMQqbfm14I2D3Nrq7yF3lqnYwU:NwpfDEjqa14IS5qfni
                                                                                          MD5:97B2390C241F33A033B387254B36597F
                                                                                          SHA1:13F263697AD095217F59C83BB127A82218E2EE48
                                                                                          SHA-256:DEE22C7604ACCB53A67DFA83FFD7B20029B477AD576587ACDC9F04F6DEC26D17
                                                                                          SHA-512:459964ADFE7E06407EFF2293959E9FCFA2BD12DF40A542C75C6C926A1B84C2DF17905DDC6A7219920F3BD4B2BCB23AEA1873DA405416B742CBA7D647F5897B55
                                                                                          Malicious:false
                                                                                          Reputation:low
                                                                                          Preview:MSCF...../......,...................G...G.....#.......*Y.. .Scribe.exe.l`"&.C..[...0....."R`4..n....m...Uj.riYiY:]KW.U..jj.X...n...G.nZy.WPx.@PO@......F....).HI....m..4.j..F.........D3Dfr.g.s<.1..3K..CK~.]..Bw7.TK......Cm.C..`..vj..>C-*O..4.]%%....[6%@...-.26........8...4..?...l.. C.EEPvW.9......y3..[.e.w.tH.H..$iJ.Q.......eT.. .@..B..(!..`.~...E.m...p#.C.....u#1.'..Z....5.Wm..p.#Mk...O.n...=E.#.{X_".h.O.o@B.....+...|....k.v.......iJ`..j.e?95.....4n.....8y.x~M.>..{..O.......n.'av.m.[t8)..p....sbV.g.b.E.u..(.....gF.<..j.].}.V..4.....\n...=.../iu*.>..HT.s..D{`......W.s!|.'4...>..M..(o$[.....T..W....'....i.>...V.dq>k...O..UN...n.D.T......'......o.ltH.u.gM..;...4.&G.......x.:-5.u.^...k..c..M.p..1..XZ....%7I..#'..h.x?~...VH1...HM.s.9.0,1.r2Q..)b.[........R#...'~\..../..r..iE..N.K.RMS..JR.....{....%$...\l5......h"P.jd..@V@.............hz..Pe........L.x.V.M7........LN../k.L....I.Z.@c......c...d.....r: U9.}}r8..)...I...TTp........d.B....`U.%Li=."x.

                                                                                          C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe

                                                                                          Download File
                                                                                          Process:C:\Users\user\Desktop\essetup.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):2294512
                                                                                          Entropy (8bit):6.268152982076055
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:/pyFpD64I/zLKECN0qYViCwxsGZJVBS+BCXtOGmh8EpRq5sWAMODrUY:eNI/TPrMd4AGmKlKMov
                                                                                          MD5:BA3E5C54EA069C5A70A2D0F1CDC68BA8
                                                                                          SHA1:E4123D21B55A7BDDC826C5F908F77EB70C1AFA3A
                                                                                          SHA-256:65A9FE6BF3982768A73E7B8BF4CACE4CAF0D3D6BE8B9C6E03D67F4F6F71EAFD7
                                                                                          SHA-512:D5C3E80E82CDC42D1F6E7CE9B8BD6F11AAA3BE1EC209DCEBB53AE2DF1AB5FD0D26C7646990344AC099285C89ED20FDAD0ED38ECF0EA002B706D11A63A88B6ABC
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Reputation:low
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e....K...K...K.f.K...Ka.kK...K5.uK...K..vK...K..fK...K..eK...Ka.TK...Ka.VK...K...K...K..yK...K..wK...K...K...K..sK...KRich...K........PE..L....N.f..........".................4X............@..........................@,.....x.#...@..................................}.......p$.Pb............"..P....*.$...........................Hu.......u..@...............D............................text............................... ..`.rdata..............................@..@.data...........>..................@....tls.........`$.....................@....rsrc...Pb...p$..d..................@..@.reloc...]....*..^...T!.............@..B........................................................................................................................................................................................................................................................

                                                                                          Static File Info

                                                                                          General

                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Entropy (8bit):7.99647901070941
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                          File name:essetup.exe
                                                                                          File size:1'335'024 bytes
                                                                                          MD5:3cb6d589a774c51a099ab6ef738e3e36
                                                                                          SHA1:e597a0d1fa0bc47ac06d13fe2efc4637fa7c0416
                                                                                          SHA256:fbb8e38c891b8f385804a2b4ff540830cef7c440ea34ebb696d15224cfbbfe6b
                                                                                          SHA512:d5fb428190ce539eb0358c9cde02228737c5de625b16c2971e2907487af7d7e0c37835dee172fd8edf08e6d392b8a5121e8bfd6f519f308378cdf57def0df8eb
                                                                                          SSDEEP:24576:KXJAMgUJXKu3FSwdndX74wpfDH3UMQqbfm14I2D3Nrq7yF3lqnYwt:02pu3l2wpfDEjqa14IS5qfn/
                                                                                          TLSH:5C553352027D5A88D6A56FB040F1ED1A6DA47F31F81748EBB8ABD35B1B10202DF5077E
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.!z..O)..O)..O)...)..O)..N)3.O)...)..O)...)..O)...)..O)Rich..O)................PE..L...nZ{f...................................

                                                                                          File Icon

                                                                                          Icon Hash:23a3393932320c03

                                                                                          Static PE Info

                                                                                          General

                                                                                          Entrypoint:0x401286
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:true
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                          Time Stamp:0x667B5A6E [Wed Jun 26 00:01:50 2024 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:5
                                                                                          OS Version Minor:1
                                                                                          File Version Major:5
                                                                                          File Version Minor:1
                                                                                          Subsystem Version Major:5
                                                                                          Subsystem Version Minor:1
                                                                                          Import Hash:dfc6dbbcea4beda15dcbddfb77d26fc5

                                                                                          Authenticode Signature

                                                                                          Signature Valid:true
                                                                                          Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                          Signature Validation Error:The operation completed successfully
                                                                                          Error Number:0
                                                                                          Not Before, Not After
                                                                                          • 18/03/2022 00:00:00 03/04/2025 00:59:59
                                                                                          Subject Chain
                                                                                          • CN="NCH Software, Inc.", O="NCH Software, Inc.", L=Greenwood Village, S=Colorado, C=US, SERIALNUMBER=4489370, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
                                                                                          Version:3
                                                                                          Thumbprint MD5:4D09CE2DB78F83DEC58A324BAAD1B74E
                                                                                          Thumbprint SHA-1:41B9918CABD9AFD9374AE2711928B5FDCF37C5B9
                                                                                          Thumbprint SHA-256:14B87041A3C903E43C9D30DEE2108FA49725E9165B97695DB8E7D92E1F0D0EA6
                                                                                          Serial:07EFF6937E472271E722F7E06248A3F1

                                                                                          Entrypoint Preview

                                                                                          Instruction
                                                                                          push ebp
                                                                                          mov ebp, esp
                                                                                          and esp, FFFFFFF8h
                                                                                          sub esp, 0000DE98h
                                                                                          push ebx
                                                                                          push ebp
                                                                                          push esi
                                                                                          push edi
                                                                                          call 00007F8D98E75A10h
                                                                                          mov dword ptr [esp+14h], eax
                                                                                          test eax, eax
                                                                                          jne 00007F8D98E760F5h
                                                                                          push 00000006h
                                                                                          xor ebx, ebx
                                                                                          push ebx
                                                                                          call dword ptr [0040208Ch]
                                                                                          call dword ptr [00402030h]
                                                                                          mov esi, eax
                                                                                          mov edx, 00402490h
                                                                                          mov eax, 004020A4h
                                                                                          mov ecx, esi
                                                                                          mov dword ptr [esp+1Ch], eax
                                                                                          call 00007F8D98E760D4h
                                                                                          xor ecx, ecx
                                                                                          inc ecx
                                                                                          push 00000020h
                                                                                          pop ebp
                                                                                          test eax, eax
                                                                                          je 00007F8D98E75B55h
                                                                                          mov byte ptr [esp+13h], cl
                                                                                          add eax, 14h
                                                                                          jmp 00007F8D98E75AFAh
                                                                                          cmp cx, bp
                                                                                          jne 00007F8D98E75AFDh
                                                                                          add eax, 02h
                                                                                          movzx ecx, word ptr [eax]
                                                                                          test cx, cx
                                                                                          jne 00007F8D98E75AE2h
                                                                                          movzx ecx, word ptr [eax]
                                                                                          mov edx, ebx
                                                                                          test cx, cx
                                                                                          je 00007F8D98E75B0Eh
                                                                                          mov edi, ebx
                                                                                          cmp cx, bp
                                                                                          je 00007F8D98E75B07h
                                                                                          inc edx
                                                                                          mov word ptr [esp+edi+00000AE0h], cx
                                                                                          lea edi, dword ptr [edx+edx]
                                                                                          movzx ecx, word ptr [edi+eax]
                                                                                          test cx, cx
                                                                                          jne 00007F8D98E75AD8h
                                                                                          xor eax, eax
                                                                                          mov ecx, esi
                                                                                          mov word ptr [esp+edx*2+00000AE0h], ax
                                                                                          mov edx, 004024B0h
                                                                                          call 00007F8D98E76075h
                                                                                          test eax, eax
                                                                                          je 00007F8D98E75B0Ah
                                                                                          mov dword ptr [esp+1Ch], 004024C4h
                                                                                          jmp 00007F8D98E75B00h
                                                                                          xor eax, eax
                                                                                          mov byte ptr [esp+13h], bl
                                                                                          mov word ptr [esp+00000AE0h], ax
                                                                                          mov edx, 004024E0h

                                                                                          Rich Headers

                                                                                          Programming Language:
                                                                                          • [IMP] VS2008 SP1 build 30729
                                                                                          • [RES] VS2013 build 21005
                                                                                          • [LNK] VS2013 UPD5 build 40629

                                                                                          Data Directories

                                                                                          NameVirtual AddressVirtual Size Is in Section
                                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x278c0x78.rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x40000x13efe4.rsrc
                                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x140e000x50f0
                                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x1430000xa4.reloc
                                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x94.rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                          Sections

                                                                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                          .text0x10000x90b0xa00879893291378e8412bf92864c1b5f5f0False0.585546875data5.742209097433246IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                          .rdata0x20000xb020xc000b00557691e652a9bf4f207e90296a0dFalse0.3287760416666667data3.803131883490906IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                          .data0x30000x40x2001d7d80e8b5ce8c86e7c833467964b6aeFalse0.033203125DOS executable (block device driver)0.06591441234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                          .rsrc0x40000x13efe40x13f000070661f3d31aef43988aea526e4c82ffFalse0.997511908552116data7.999193423652402IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                          .reloc0x1430000xa40x2004267ee83ea1275ae19675a7cdac23159False0.349609375data2.563012356290222IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                          Resources

                                                                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                          RT_ICON0x41d80xea8Device independent bitmap graphic, 48 x 96 x 8, image size 26880.5882196162046909
                                                                                          RT_ICON0x50800x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 11520.7463898916967509
                                                                                          RT_GROUP_ICON0x59280x22data0.9411764705882353
                                                                                          RT_VERSION0x594c0x2ecdata0.4612299465240642
                                                                                          RT_MANIFEST0x5c380x47dXML 1.0 document, ASCII text, with CRLF line terminators0.42384682332463014
                                                                                          None0x60b80x69f49Microsoft Cabinet archive data, Windows 2000/XP setup, 433993 bytes, 1 file, at 0x2c +A "resource.dat", number 1, 25 datablocks, 0x1503 compression1.000241939386119
                                                                                          None0x700040xd2fddMicrosoft Cabinet archive data, Windows 2000/XP setup, 864221 bytes, 1 file, at 0x2c +A "Scribe.exe", number 1, 71 datablocks, 0x1503 compression0.9998484184022374

                                                                                          Imports

                                                                                          DLLImport
                                                                                          SETUPAPI.dllSetupIterateCabinetW
                                                                                          ole32.dllCoUninitialize, CoInitializeEx
                                                                                          SHELL32.dllShellExecuteExW, ShellExecuteW
                                                                                          USER32.dllwsprintfW, MessageBoxW
                                                                                          KERNEL32.dllCreateDirectoryW, lstrcpyW, DeleteFileW, CloseHandle, RemoveDirectoryW, LockResource, LoadLibraryA, GetProcAddress, GetLastError, GetTempPathW, GetStartupInfoW, ExitProcess, GetCommandLineW, FindResourceW, FreeLibrary, LoadResource, VerSetConditionMask, SetEnvironmentVariableW, WaitForSingleObject, GetModuleHandleW, WriteFile, SizeofResource, GetExitCodeProcess, GetModuleFileNameW, CreateFileW

                                                                                          Network Behavior

                                                                                          No network behavior found

                                                                                          Statistics

                                                                                          CPU Usage

                                                                                          Click to jump to process

                                                                                          Memory Usage

                                                                                          Click to jump to process

                                                                                          High Level Behavior Distribution

                                                                                          Click to dive into process behavior distribution

                                                                                          Behavior

                                                                                          Click to jump to process

                                                                                          System Behavior

                                                                                          General

                                                                                          Target ID:0
                                                                                          Start time:06:55:59
                                                                                          Start date:31/10/2024
                                                                                          Path:C:\Users\user\Desktop\essetup.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\essetup.exe"
                                                                                          Imagebase:0xb20000
                                                                                          File size:1'335'024 bytes
                                                                                          MD5 hash:3CB6D589A774C51A099AB6EF738E3E36
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:low
                                                                                          Has exited:false

                                                                                          General

                                                                                          Target ID:1
                                                                                          Start time:06:55:59
                                                                                          Start date:31/10/2024
                                                                                          Path:C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n1s\nchdata.dat"
                                                                                          Imagebase:0xe50000
                                                                                          File size:2'294'512 bytes
                                                                                          MD5 hash:BA3E5C54EA069C5A70A2D0F1CDC68BA8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Antivirus matches:
                                                                                          • Detection: 0%, ReversingLabs
                                                                                          Reputation:low
                                                                                          Has exited:false

                                                                                          General

                                                                                          Target ID:2
                                                                                          Start time:06:56:07
                                                                                          Start date:31/10/2024
                                                                                          Path:C:\Users\user\Desktop\essetup.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Users\user\Desktop\essetup.exe"
                                                                                          Imagebase:0xb20000
                                                                                          File size:1'335'024 bytes
                                                                                          MD5 hash:3CB6D589A774C51A099AB6EF738E3E36
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:5
                                                                                          Start time:06:56:08
                                                                                          Start date:31/10/2024
                                                                                          Path:C:\Users\user\Desktop\essetup.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\essetup.exe"
                                                                                          Imagebase:0xb20000
                                                                                          File size:1'335'024 bytes
                                                                                          MD5 hash:3CB6D589A774C51A099AB6EF738E3E36
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:6
                                                                                          Start time:06:56:08
                                                                                          Start date:31/10/2024
                                                                                          Path:C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat"
                                                                                          Imagebase:0xf60000
                                                                                          File size:2'294'512 bytes
                                                                                          MD5 hash:BA3E5C54EA069C5A70A2D0F1CDC68BA8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Antivirus matches:
                                                                                          • Detection: 0%, ReversingLabs
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:7
                                                                                          Start time:06:56:15
                                                                                          Start date:31/10/2024
                                                                                          Path:C:\Users\user\Desktop\essetup.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Users\user\Desktop\essetup.exe"
                                                                                          Imagebase:0xb20000
                                                                                          File size:1'335'024 bytes
                                                                                          MD5 hash:3CB6D589A774C51A099AB6EF738E3E36
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:10
                                                                                          Start time:06:56:16
                                                                                          Start date:31/10/2024
                                                                                          Path:C:\Users\user\Desktop\essetup.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\essetup.exe"
                                                                                          Imagebase:0xb20000
                                                                                          File size:1'335'024 bytes
                                                                                          MD5 hash:3CB6D589A774C51A099AB6EF738E3E36
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:11
                                                                                          Start time:06:56:17
                                                                                          Start date:31/10/2024
                                                                                          Path:C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe" -installer "C:\Users\user\Desktop\essetup.exe" -instdata "C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat"
                                                                                          Imagebase:0xb30000
                                                                                          File size:2'294'512 bytes
                                                                                          MD5 hash:BA3E5C54EA069C5A70A2D0F1CDC68BA8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Disassembly

                                                                                          No disassembly