bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522

Analysis

max time kernel
32s
max time network
151s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
20-11-2023 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NordVPNSetup.exe
Size

1.7MB
MD5

59cb69a08fdd9cb4b0539e3356df1d4d
SHA1

0c773a0a76f821780c002d527bee387b98904569
SHA256

bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522
SHA512

51d4f3d396d183bc5dcaaa0a26cf024fade9b5e5c0e73e1d2ee7663ba26bc55e799beb488d5bab8d8252147b33df6ea1209ebd730124a919940e899758842ec2
SSDEEP

24576:u7FUDowAyrTVE3U5Fg23TD2D+Fz3ifFUwo433RfFcdnOtksSm:uBuZrEUWq0t9D7l

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

NordVPNSetup.tmp

pid process

2716 NordVPNSetup.tmp
Loads dropped DLL 4 IoCs

Processes:

NordVPNSetup.exeNordVPNSetup.tmp

pid process

1468 NordVPNSetup.exe
2716 NordVPNSetup.tmp
2716 NordVPNSetup.tmp
2716 NordVPNSetup.tmp

pid	process
2716	NordVPNSetup.tmp

pid	process
1468	NordVPNSetup.exe
2716	NordVPNSetup.tmp
2716	NordVPNSetup.tmp
2716	NordVPNSetup.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 26 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2836 chrome.exe
2836 chrome.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

chrome.exe

pid process

1000 chrome.exe

pid	process
1000	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exeNordVPNSetup.exe

description	pid	process	target process
PID 2836 wrote to memory of 2124	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 2124	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 2124	2836	chrome.exe	chrome.exe
PID 1468 wrote to memory of 2716	1468	NordVPNSetup.exe	NordVPNSetup.tmp
PID 1468 wrote to memory of 2716	1468	NordVPNSetup.exe	NordVPNSetup.tmp
PID 1468 wrote to memory of 2716	1468	NordVPNSetup.exe	NordVPNSetup.tmp
PID 1468 wrote to memory of 2716	1468	NordVPNSetup.exe	NordVPNSetup.tmp
PID 1468 wrote to memory of 2716	1468	NordVPNSetup.exe	NordVPNSetup.tmp
PID 1468 wrote to memory of 2716	1468	NordVPNSetup.exe	NordVPNSetup.tmp
PID 1468 wrote to memory of 2716	1468	NordVPNSetup.exe	NordVPNSetup.tmp
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1160	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1980	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1980	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 1980	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 2032	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 2032	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 2032	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 2032	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 2032	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 2032	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 2032	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 2032	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 2032	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 2032	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 2032	2836	chrome.exe	chrome.exe
PID 2836 wrote to memory of 2032	2836	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7239758,0x7fef7239768,0x7fef7239778
2⤵
PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1448 --field-trial-handle=1576,i,15288264813097850974,7945854475223065678,131072 /prefetch:8
2⤵
PID:2032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1384 --field-trial-handle=1576,i,15288264813097850974,7945854475223065678,131072 /prefetch:8
2⤵
PID:1980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1576,i,15288264813097850974,7945854475223065678,131072 /prefetch:2
2⤵
PID:1160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2232 --field-trial-handle=1576,i,15288264813097850974,7945854475223065678,131072 /prefetch:1
2⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2244 --field-trial-handle=1576,i,15288264813097850974,7945854475223065678,131072 /prefetch:1
2⤵
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1832 --field-trial-handle=1576,i,15288264813097850974,7945854475223065678,131072 /prefetch:2
2⤵
PID:2424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1252 --field-trial-handle=1576,i,15288264813097850974,7945854475223065678,131072 /prefetch:1
2⤵
PID:996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3296 --field-trial-handle=1576,i,15288264813097850974,7945854475223065678,131072 /prefetch:8
2⤵
PID:2728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3300 --field-trial-handle=1576,i,15288264813097850974,7945854475223065678,131072 /prefetch:8
2⤵
PID:2928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4008 --field-trial-handle=1576,i,15288264813097850974,7945854475223065678,131072 /prefetch:1
2⤵
PID:960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 --field-trial-handle=1576,i,15288264813097850974,7945854475223065678,131072 /prefetch:8
2⤵
PID:1640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4124 --field-trial-handle=1576,i,15288264813097850974,7945854475223065678,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1000

C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Local\Temp\is-U27ME.tmp\NordVPNSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U27ME.tmp\NordVPNSetup.tmp" /SL5="$30152,890440,866304,C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
b54a1ef90be54507df1c29b4a48059e4

SHA1
bb0b5994a5a164d25d131e2251673d26b736dd00

SHA256
b9415cb1976f9671aa8ede60f40d4454560bb5427123e3424a21b2a3ee545c76

SHA512
95c478bbbbf4ecfed67d152d9324dbb111b859906e027034e914f78cdf717cf12555228d9b64b3b82a2389b0c581136ac42c9857d6219427b2d7466165155ad7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7074cceb2ab07b10e8c2f528f21526dc

SHA1
dea0cf564407c2319440ceac3ed3a76a8384b8be

SHA256
4406871abf946e5ac38293b4a32ef604f8f875f291619933acef5cbaab3b3b0c

SHA512
b36a12b35fcc53ee6277c3eb90931fe67706f8b1e4aab7243364d140aea1dd5f0c12d1015f56bc8c9f570f33c47048da0b301a4506700c50c3acd58fde0899cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
09d98df4fda6131125ec4e57c6cf40ed

SHA1
abeb13b0fdc584f62017ac263d4b43d2d25477a2

SHA256
c1367809a461b1271bdfb95e7e2755bee8bc03e3ca336508d209b206516d4af3

SHA512
3ba17a943554907fb7f6595f4b7a4ce1e3aab23e24faa39fb191bc71eedbb02bf81c96ba33948efedceb66944ccea7d0637a68b94eaff91c4518e5fbc9974ca7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
16d0b170e7e980800cb343a878c0b395

SHA1
a0f1ec0b71002ecdf959e3025de301386a57d6cf

SHA256
807424b358ddb72c025ba3aec4b3e498c92d88b6c476d7c80977a271d8b5b7a6

SHA512
79f88227c3d8ff44b8a5c8cb9ae5eeb044a4328591769fa91b81a9459c9e6268e2c0129a9467ab175dfda32699d20beabfe0866ae57ffd257c9b1643817e3246

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3a2a5dff08341c796f42bd0ad61fb27f

SHA1
6310579595d55cef87bd1bac49bc889a84496870

SHA256
98e1efc64047f0a668dba37a09a76a3a584e9e8ab8d1b297acbae4f801676638

SHA512
31b19053b66fe54bd518d2a689e77acc353d33e6b53df1eea7ac20c5cff80ab61cc5c91ac3a1ec9e35ec52c30534c0e31dbe7e622c2daef93220b7626c7d9543

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6ab90819b9c90818df827e7f0f96a089

SHA1
dd264b8b1b465b7290cc44b94236daa8962c4f7c

SHA256
778e18713747c2ec84ea04827af81310945e2d265cb73646a5ed7189cd628110

SHA512
433d7a7a0b4f32df55dab992abffc7646313e1beb146c9130106da3de5b34f650f68040dd026b74656632d0463a05577b1aca952caee861df714119ee445e52d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c9ed2151c03c8e7122cffbf8f85c09b1

SHA1
3097d07134c90082a8df10f46fd463d0117095e9

SHA256
afb88d5fb22a6b3b171e071f2cedc87af872b356218416ab6b6416867c8e152f

SHA512
d7c4bf4cdc5f90f628bfe8988c0250208252a781900f4ab07902d4ec7475db65164892eb693e190033d6cd088ad75179cad05c728887c698c9fa3aae65833349

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bbe7916476d66b9f297edb97e0a80f0c

SHA1
fe232d2a3cb4b8d144dc019dfdf327d5321c82ae

SHA256
50286555ff8859d3b322199cfd87a6864650e35f2289b9e33c3c566ae6f06651

SHA512
860019977196ff556f074dcddc97fe02f78900e977a14e32b36d83cba7908f8b92d00f9b7528c6c911cb7abaded935ccfb4fbf9bb99f4403d57a142e122914d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
363B

MD5
ed03639a6593b96e0fe235709774d932

SHA1
5f8016ef671ae510716edbd016e2e4b73a8fb3d3

SHA256
b0fafb80bd6f5e21d223c855705f8f9c4fbd4ebc6b1fe794b8164361bf8df606

SHA512
fa61e18211db2b0358f550a24e1d13713442c74145b1224486a1f74bb6a3abb95760ac0319232d8bbaed252f9ce623f73f0f9554a261a676a78c1980accf5276

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
10fa328d197ffa79473d47c6c6884cde

SHA1
7a2b42e9c510af18ce879005a9801b6a15196b5c

SHA256
648e741b1c3c9e53282b9ccce2a809d86ff310e2d190525b5c868beacbe7ec0e

SHA512
ac7df7fdb4674f0264207e247b59860cc26e420ac052dfa689f4ed386e4f99a83af6e7fdb9d04a34909a85a354eafb1fb99981923471ff6f18f7ceb671373b2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
aa52c9777894786268cca7d3e4b904b3

SHA1
090645b60cff359791d67cb49db8a80d2973c29f

SHA256
cd9fe2d3f752f3dec32a9f9bcda947a770e1126c12d7e514963d8ce5bbb152ff

SHA512
aebe59875dceb3b1b75dd3c93e082c1b7810e21ee1c1359a7dcbde146518291ca6f9ada826907e46a8769d74ef8b746020ddd0ac11d937faa8dff27b4586f329

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
4ee4c52726ff7785d66640e704efd117

SHA1
b225a95d599ad6ee70f32254b6411e964d416511

SHA256
2e65e951f841908fded84b4958597e3260cfc271fbc8d3f22fad45f7cd6818d0

SHA512
fa3a75fac88b5fc26d0364a519584bacb4e5a710cc6693d2d8e9a27ba257454c33d0dc1baf4e5cfdd2a85ed4f03e3d182975a069bb7817295ab6cb878ba116f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4B64.tmp
Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4B96.tmp
Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-48VI8.tmp\Nord.Setup.dll
Filesize
40KB

MD5
fb3b4bb0ea4f23de6109281606a35c8e

SHA1
01fc9184e971407bf2c7bc4b4e5181c96a16e38b

SHA256
5a8c26e985a7346e04d95e57373e7f65646d42f2403ccb24e5092d21d6a2a5b9

SHA512
6481aa9610589fb9609d74c8daa70b527593833972540bbcfeef11bc1ec66544b77ad5517b06b46b3e157969593095045253487c57a6b712efba9f47b75873e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U27ME.tmp\NordVPNSetup.tmp
Filesize
3.1MB

MD5
29ca787f3a0d83846b7318d02fccb583

SHA1
b3688c01bef0e9f1fe62dc831926df3ca92b3778

SHA256
746b972e21acb59e4086b5b25fe53ef2cddcecfa94dd56ad68c8e5bab9960c3c

SHA512
a6c21bf5590dc91a5d9bc729d9c04c20b54341d3270efd2fb7d2b548d7dc7b23a1a351147a07dfd569e901a608cb44533304de10725cb02fec781cada80b8e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U27ME.tmp\NordVPNSetup.tmp
Filesize
3.1MB

MD5
29ca787f3a0d83846b7318d02fccb583

SHA1
b3688c01bef0e9f1fe62dc831926df3ca92b3778

SHA256
746b972e21acb59e4086b5b25fe53ef2cddcecfa94dd56ad68c8e5bab9960c3c

SHA512
a6c21bf5590dc91a5d9bc729d9c04c20b54341d3270efd2fb7d2b548d7dc7b23a1a351147a07dfd569e901a608cb44533304de10725cb02fec781cada80b8e3b

Download Submit
\??\pipe\crashpad_2836_VAZMFNWZZMJZDFJR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\is-48VI8.tmp\Nord.Setup.dll
Filesize
40KB

MD5
fb3b4bb0ea4f23de6109281606a35c8e

SHA1
01fc9184e971407bf2c7bc4b4e5181c96a16e38b

SHA256
5a8c26e985a7346e04d95e57373e7f65646d42f2403ccb24e5092d21d6a2a5b9

SHA512
6481aa9610589fb9609d74c8daa70b527593833972540bbcfeef11bc1ec66544b77ad5517b06b46b3e157969593095045253487c57a6b712efba9f47b75873e6

Download Submit
\Users\Admin\AppData\Local\Temp\is-48VI8.tmp\Nord.Setup.dll
Filesize
40KB

MD5
fb3b4bb0ea4f23de6109281606a35c8e

SHA1
01fc9184e971407bf2c7bc4b4e5181c96a16e38b

SHA256
5a8c26e985a7346e04d95e57373e7f65646d42f2403ccb24e5092d21d6a2a5b9

SHA512
6481aa9610589fb9609d74c8daa70b527593833972540bbcfeef11bc1ec66544b77ad5517b06b46b3e157969593095045253487c57a6b712efba9f47b75873e6

Download Submit
\Users\Admin\AppData\Local\Temp\is-48VI8.tmp\Nord.Setup.dll
Filesize
40KB

MD5
fb3b4bb0ea4f23de6109281606a35c8e

SHA1
01fc9184e971407bf2c7bc4b4e5181c96a16e38b

SHA256
5a8c26e985a7346e04d95e57373e7f65646d42f2403ccb24e5092d21d6a2a5b9

SHA512
6481aa9610589fb9609d74c8daa70b527593833972540bbcfeef11bc1ec66544b77ad5517b06b46b3e157969593095045253487c57a6b712efba9f47b75873e6

Download Submit
\Users\Admin\AppData\Local\Temp\is-U27ME.tmp\NordVPNSetup.tmp
Filesize
3.1MB

MD5
29ca787f3a0d83846b7318d02fccb583

SHA1
b3688c01bef0e9f1fe62dc831926df3ca92b3778

SHA256
746b972e21acb59e4086b5b25fe53ef2cddcecfa94dd56ad68c8e5bab9960c3c

SHA512
a6c21bf5590dc91a5d9bc729d9c04c20b54341d3270efd2fb7d2b548d7dc7b23a1a351147a07dfd569e901a608cb44533304de10725cb02fec781cada80b8e3b

Download Submit
memory/1468-234-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1468-1-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2716-241-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2716-240-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2716-32-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2716-22-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2716-256-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2716-242-0x00000000041F0000-0x0000000004230000-memory.dmp

Filesize
256KB

Download
memory/2716-19-0x00000000041F0000-0x0000000004230000-memory.dmp

Filesize
256KB

Download
memory/2716-9-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2716-243-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2716-629-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download