bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522

Analysis

max time kernel
178s
max time network
186s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
25-03-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NordVPNSetup.exe
Size

1.7MB
MD5

59cb69a08fdd9cb4b0539e3356df1d4d
SHA1

0c773a0a76f821780c002d527bee387b98904569
SHA256

bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522
SHA512

51d4f3d396d183bc5dcaaa0a26cf024fade9b5e5c0e73e1d2ee7663ba26bc55e799beb488d5bab8d8252147b33df6ea1209ebd730124a919940e899758842ec2
SSDEEP

24576:u7FUDowAyrTVE3U5Fg23TD2D+Fz3ifFUwo433RfFcdnOtksSm:uBuZrEUWq0t9D7l

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

NordVPNSetup.tmpNordVPNSetup.exeNordVPNSetup.tmpNordUpdaterSetup.exeNordUpdaterSetup.tmpdotnetfx48.exeSetup.exeSetupUtility.exeSetupUtility.exe

pid	process
2812	NordVPNSetup.tmp
4704	NordVPNSetup.exe
2532	NordVPNSetup.tmp
348	NordUpdaterSetup.exe
1920	NordUpdaterSetup.tmp
2680	dotnetfx48.exe
2696	Setup.exe
1388	SetupUtility.exe
4764	SetupUtility.exe

Loads dropped DLL 14 IoCs

Processes:

NordVPNSetup.tmpNordVPNSetup.tmpNordUpdaterSetup.tmpSetup.exe

pid	process
2812	NordVPNSetup.tmp
2812	NordVPNSetup.tmp
2812	NordVPNSetup.tmp
2532	NordVPNSetup.tmp
2532	NordVPNSetup.tmp
2532	NordVPNSetup.tmp
2532	NordVPNSetup.tmp
2532	NordVPNSetup.tmp
1920	NordUpdaterSetup.tmp
1920	NordUpdaterSetup.tmp
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Windows directory 2 IoCs

Processes:

NordVPNSetup.tmp

description ioc process

File created C:\Windows\is-A25CQ.tmp NordVPNSetup.tmp
File opened for modification C:\Windows\Nord.Setup.dll NordVPNSetup.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\is-A25CQ.tmp	NordVPNSetup.tmp
File opened for modification	C:\Windows\Nord.Setup.dll	NordVPNSetup.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1020 taskkill.exe

pid	process
1020	taskkill.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

NordVPNSetup.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	NordVPNSetup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	NordVPNSetup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	NordVPNSetup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	NordVPNSetup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	NordVPNSetup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	NordVPNSetup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	NordVPNSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	NordVPNSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	NordVPNSetup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	NordVPNSetup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	NordVPNSetup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	NordVPNSetup.tmp

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

NordVPNSetup.tmpSetup.exe

pid	process
2812	NordVPNSetup.tmp
2812	NordVPNSetup.tmp
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe
2696	Setup.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

NordVPNSetup.tmpNordVPNSetup.tmptaskkill.exe

description pid process

Token: SeDebugPrivilege 2812 NordVPNSetup.tmp
Token: SeDebugPrivilege 2532 NordVPNSetup.tmp
Token: SeDebugPrivilege 1020 taskkill.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

NordVPNSetup.tmpNordVPNSetup.tmpNordUpdaterSetup.tmp

pid process

2812 NordVPNSetup.tmp
2532 NordVPNSetup.tmp
1920 NordUpdaterSetup.tmp

description	pid	process
Token: SeDebugPrivilege	2812	NordVPNSetup.tmp
Token: SeDebugPrivilege	2532	NordVPNSetup.tmp
Token: SeDebugPrivilege	1020	taskkill.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

NordVPNSetup.exeNordVPNSetup.tmpNordVPNSetup.exeNordVPNSetup.tmpNordUpdaterSetup.exeNordUpdaterSetup.tmpdotnetfx48.exeSetup.exe

description	pid	process	target process
PID 4584 wrote to memory of 2812	4584	NordVPNSetup.exe	NordVPNSetup.tmp
PID 4584 wrote to memory of 2812	4584	NordVPNSetup.exe	NordVPNSetup.tmp
PID 4584 wrote to memory of 2812	4584	NordVPNSetup.exe	NordVPNSetup.tmp
PID 2812 wrote to memory of 4704	2812	NordVPNSetup.tmp	NordVPNSetup.exe
PID 2812 wrote to memory of 4704	2812	NordVPNSetup.tmp	NordVPNSetup.exe
PID 2812 wrote to memory of 4704	2812	NordVPNSetup.tmp	NordVPNSetup.exe
PID 4704 wrote to memory of 2532	4704	NordVPNSetup.exe	NordVPNSetup.tmp
PID 4704 wrote to memory of 2532	4704	NordVPNSetup.exe	NordVPNSetup.tmp
PID 4704 wrote to memory of 2532	4704	NordVPNSetup.exe	NordVPNSetup.tmp
PID 2532 wrote to memory of 1020	2532	NordVPNSetup.tmp	taskkill.exe
PID 2532 wrote to memory of 1020	2532	NordVPNSetup.tmp	taskkill.exe
PID 2532 wrote to memory of 1020	2532	NordVPNSetup.tmp	taskkill.exe
PID 2532 wrote to memory of 348	2532	NordVPNSetup.tmp	NordUpdaterSetup.exe
PID 2532 wrote to memory of 348	2532	NordVPNSetup.tmp	NordUpdaterSetup.exe
PID 2532 wrote to memory of 348	2532	NordVPNSetup.tmp	NordUpdaterSetup.exe
PID 348 wrote to memory of 1920	348	NordUpdaterSetup.exe	NordUpdaterSetup.tmp
PID 348 wrote to memory of 1920	348	NordUpdaterSetup.exe	NordUpdaterSetup.tmp
PID 348 wrote to memory of 1920	348	NordUpdaterSetup.exe	NordUpdaterSetup.tmp
PID 1920 wrote to memory of 2680	1920	NordUpdaterSetup.tmp	dotnetfx48.exe
PID 1920 wrote to memory of 2680	1920	NordUpdaterSetup.tmp	dotnetfx48.exe
PID 1920 wrote to memory of 2680	1920	NordUpdaterSetup.tmp	dotnetfx48.exe
PID 2680 wrote to memory of 2696	2680	dotnetfx48.exe	Setup.exe
PID 2680 wrote to memory of 2696	2680	dotnetfx48.exe	Setup.exe
PID 2680 wrote to memory of 2696	2680	dotnetfx48.exe	Setup.exe
PID 2696 wrote to memory of 1388	2696	Setup.exe	SetupUtility.exe
PID 2696 wrote to memory of 1388	2696	Setup.exe	SetupUtility.exe
PID 2696 wrote to memory of 1388	2696	Setup.exe	SetupUtility.exe
PID 2696 wrote to memory of 4764	2696	Setup.exe	SetupUtility.exe
PID 2696 wrote to memory of 4764	2696	Setup.exe	SetupUtility.exe
PID 2696 wrote to memory of 4764	2696	Setup.exe	SetupUtility.exe

C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4584

C:\Users\Admin\AppData\Local\Temp\is-6R2ES.tmp\NordVPNSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6R2ES.tmp\NordVPNSetup.tmp" /SL5="$D01DE,890440,866304,C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2812

C:\Users\Admin\AppData\Local\Temp\is-PQVIM.tmp\NordVPNSetup.exe
"C:\Users\Admin\AppData\Local\Temp\is-PQVIM.tmp\NordVPNSetup.exe" /webinstaller=true /DIR="C:\Program Files\NordVPN" /guid=5075865b-abf4-4f9f-ac81-d15dedc1886e
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704

C:\Users\Admin\AppData\Local\Temp\is-76GM2.tmp\NordVPNSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-76GM2.tmp\NordVPNSetup.tmp" /SL5="$80150,49095009,866304,C:\Users\Admin\AppData\Local\Temp\is-PQVIM.tmp\NordVPNSetup.exe" /webinstaller=true /DIR="C:\Program Files\NordVPN" /guid=5075865b-abf4-4f9f-ac81-d15dedc1886e
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im NordVPN.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Users\Admin\AppData\Local\Temp\is-5NC17.tmp\NordUpdaterSetup.exe
"C:\Users\Admin\AppData\Local\Temp\is-5NC17.tmp\NordUpdaterSetup.exe" /VERYSILENT /SUPPRESSMSGBOXES /NOCANCEL /NORESTART /RESTARTEXITCODE=3010 /NOCLOSEAPPLICATIONS
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348

C:\Users\Admin\AppData\Local\Temp\is-B6LJF.tmp\NordUpdaterSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B6LJF.tmp\NordUpdaterSetup.tmp" /SL5="$502B2,3309670,910336,C:\Users\Admin\AppData\Local\Temp\is-5NC17.tmp\NordUpdaterSetup.exe" /VERYSILENT /SUPPRESSMSGBOXES /NOCANCEL /NORESTART /RESTARTEXITCODE=3010 /NOCLOSEAPPLICATIONS
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\is-56F7B.tmp\dotnetfx48.exe
"C:\Users\Admin\AppData\Local\Temp\is-56F7B.tmp\dotnetfx48.exe" /lcid 1033 /passive /norestart
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680

C:\e58f634ac1f9b04e9e8ecd53b943\Setup.exe
C:\e58f634ac1f9b04e9e8ecd53b943\\Setup.exe /lcid 1033 /passive /norestart /x86 /x64 /web
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2696

C:\e58f634ac1f9b04e9e8ecd53b943\SetupUtility.exe
SetupUtility.exe /aupause
9⤵
- Executes dropped EXE
PID:1388

C:\e58f634ac1f9b04e9e8ecd53b943\SetupUtility.exe
SetupUtility.exe /screboot
9⤵
- Executes dropped EXE
PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
b208521c2c31c62015c38bb85feb51b0

SHA1
008316003e88bda0ae51d666e28934a367090dd2

SHA256
c34551e0a8993957869ed2b41357128f47bcd889d141a11b4b2fab20ac678a88

SHA512
97a633887ba4208336c9c4a28edfea165c4d6a88daf119cd09d608f76933b8eef9cab5bcc820401d892d923fb11d5646d6db340ba58903ce85341a3e61070ae8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
4767a801dd9001f8540b4c471706b1b2

SHA1
d2dd27dd3a4d308973d0c8e331fb62d9b076d36d

SHA256
50dbd03a053941f858e0b85bd9d146a84b0094fa8e10456715ed41acbfad574a

SHA512
7e037a3011e946562760f7e3e5c18daf7de3b7ff155b40725673b2bf7f6c15488380562cf7e0090ede5d3f60aba5a606d0d7e7cfbc7fa6ee7fea54d09d9bd9c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NordVPNSetup.tmp.log

Filesize
932B

MD5
08cefa74f39e4ae172b9cfdfe0bc8c43

SHA1
1b649addd030392efbac35daa061b33f4193e315

SHA256
37289164583b6ff83003404a68b1f42412e4d40419eb0b6a16ace5dc6047d09b

SHA512
473a7be8ca639f9db4d243fad7c2a5a96c0e43a5f68abc7aa3573fdd72e53b04ae583993e2c6111be99c5a6be8ae4bc69d81072d1562b8d5b74e9c830d08447f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFIB0CE.tmp.html

Filesize
17KB

MD5
654a2e2731c7a388822f452efcf7b6d5

SHA1
b4a26b91db2dd63f24e58ae75e3d5925ce10ec2a

SHA256
39f4a2fd1e5ce0ca04c1a18d0552f1a427e4fed9a6a0e4cd43c3997c81b7dada

SHA512
2648e77a062e22c68c602e76461d5e0f7cdd666fd35af55b6e4415b51aed5c640cc604dcd8a13eb4d2f8a28ea5636d97d95ea30d889fc9bcee45fe8255d8bd84

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-56F7B.tmp\dotnetfx48.exe

Filesize
1.4MB

MD5
86482f2f623a52b8344b00968adc7b43

SHA1
755349ecd6a478fe010e466b29911d2388f6ce94

SHA256
2c7530edbf06b08a0b9f4227c24ec37d95f3998ee7e6933ae22a9943d0adfa57

SHA512
64c168263fd48788d90919cbb9992855aed4ffe9a0f8052cb84f028ca239102c0571dfaf75815d72ad776009f5fc4469c957113fb66da7d4e9c83601e8287f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5NC17.tmp\NordUpdaterSetup.exe

Filesize
4.0MB

MD5
99109ff7f7b52ef14f711bb97308097b

SHA1
a06beb27cd40aeb84624b4ccb4683a221d8c69e6

SHA256
83baaa6226bbff881fc22a3e0719f443d3cde821e0971de03a75069d0b74bdf8

SHA512
534be4961f4b9c78a3966d6e976a9a3ff69d50b52631163738399893cd1d44f81a051f3003ada2d1bfc3e13bdb5d5c40eef2113ee63c1dee5ebced22440171f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6R2ES.tmp\NordVPNSetup.tmp

Filesize
3.1MB

MD5
29ca787f3a0d83846b7318d02fccb583

SHA1
b3688c01bef0e9f1fe62dc831926df3ca92b3778

SHA256
746b972e21acb59e4086b5b25fe53ef2cddcecfa94dd56ad68c8e5bab9960c3c

SHA512
a6c21bf5590dc91a5d9bc729d9c04c20b54341d3270efd2fb7d2b548d7dc7b23a1a351147a07dfd569e901a608cb44533304de10725cb02fec781cada80b8e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-76GM2.tmp\NordVPNSetup.tmp

Filesize
3.1MB

MD5
f935e204c2c283ab59fa119919555be3

SHA1
be38a56170055d4375c1342e09c8e4b1a1bd1740

SHA256
5e4a351b69c1f1439bc54889d35140d50057bb88d2285576439316374e9f9326

SHA512
bc37b56c16a07c1368fb7c73010ee0263e71004bac859c174448575302c2e28d40320abbc7eff41ed5b15d087f956db35c6781da5491b775aced4c296a1073a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B6LJF.tmp\NordUpdaterSetup.tmp

Filesize
3.1MB

MD5
c85151b9fd9f2784c1e4f7e3da4f9fda

SHA1
9066a3c0acba33a097d8d8fa9462fb33341b2464

SHA256
62a620aa6727e7067084c644456ee6fd8a8db79f6251c08c5257315a32ae5fdd

SHA512
36dda64e8fb09dc0825c84cdf342898ba7b630488291654f32aa3d9fd220a744d90f2e7b94c6de01cf32dad90e05cb0c9947781f06ad16d1ffd7c6f57df544ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PQVIM.tmp\NordVPNSetup.exe

Filesize
14.5MB

MD5
d0953975f15fde3f3c5c0353f702b75e

SHA1
ce630616b692a04593f600100e6b541a30e7d166

SHA256
6e51326499872eaea7daf6fe0fa167176439860c15a2a25610c3de54a8802f02

SHA512
9a2b928b4dd9e580cc629da8069254206d810d8efd5b9e9aa306a27f031e8eae02eb9dc625f8de7ad32d6b21302ffbf421dd63dbbafab22016e03efc9facb2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PQVIM.tmp\NordVPNSetup.exe

Filesize
4.0MB

MD5
0babed1f69cbd428164e526d00e2e830

SHA1
ef867a658add41a7c6f2eed59b9473038c2638e6

SHA256
c3d80a08bc89b77e01efb5f78598ff3a17abb9c6a4f3abed485403da59a09129

SHA512
4442fa109599a4e26ca7786a75a31b43cc0951213d0fabe0fb40805c60eac04ed07a239326dde3aec3daa1b3a0c811ab5f1a140776fb3a34e49aa0343b9a9356

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PQVIM.tmp\NordVPNSetup.exe

Filesize
3.6MB

MD5
d2571dceed8793fe77c3be63507b0c48

SHA1
8092bdd9610253c4e48e2acf476aa2bbfaed0a76

SHA256
37af90a5a39c2336aac774717fbb3348af7f8b4d1b6b4f23157822f7153d0803

SHA512
4b688e4421eeca67fe7e793b537bdd49c2268ad7a285447739efc5f5bfdce84f217f5f0ee31a3a347af5b6ac8b27932508b5f268566a008c5b8f63b8d90b8a2e

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1025\LocalizedData.xml

Filesize
78KB

MD5
44691954472009a6b3ce3f66b18f055e

SHA1
0850c43961fcd46293573f16e897ffd8e394bd1d

SHA256
531806a66d2a15c5cdf429924fd6d59ac04829c34a2b7d11ce2631b682a27b64

SHA512
f74de99aff798d245b308cc65233fb3a7c29ed234a1e12ebaf03fe13759d00e1f6f0b2b990623e57087e81920e0a0449eb54f3415848923a967e83fdbbefa34c

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1028\LocalizedData.xml

Filesize
66KB

MD5
0b1ec452d38244404ac9ee918b6cfd8f

SHA1
fb3d48a3e9cdab92153ec7d6dddd0f5f082c50d5

SHA256
a117f71b3c12140909ac91c821dbae2924c9c92a96e30f1b110e8f65d2e174a4

SHA512
6307922efa0cc6b2547986ad45c1a47ec0b80b888074b86f0e5c11891fb53fb9adb792cd64f591b0270190d5e9041f5a3072c7f065ecdfa93a56faf037856a55

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1029\LocalizedData.xml

Filesize
83KB

MD5
a551cce873100176c0b3f620ec2043e3

SHA1
861e31b69e9a2c2c311708433752cf188161f7a4

SHA256
45447e0dd95e8d032b2447d7a3ab1249f4f07a932259170330c60acf606ee8d0

SHA512
130b523f980e1bc04641a1a47004cb61a578d3a4681b7d5eb5c21be99ba00353a5b4a0cabd1e527edb2591479154b183bfef25bdfb1bf0d433a18759ba472f4f

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1030\LocalizedData.xml

Filesize
81KB

MD5
afdbae81fa231831532f50ef0c828c1c

SHA1
af586d2ad1692f4c2b95c19267e5cd16160f0f55

SHA256
abf8b56af69df67374e7bbca4202c8a37c7656fed1ae6f0a7e86f29a8ea63256

SHA512
c7369fd6e8d2fb1d497c275d7ce63f652af9d6e4f6554269687e8ea0b8bee5085ce00eb35d3b62d9edbc170ea08e6a9d6de053d938f42a87a4f3469fa169bb4d

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1031\LocalizedData.xml

Filesize
85KB

MD5
ccd7cba74acda7eae603fab5a9d721c4

SHA1
a6968a1a3b4d0da0ade2ce0ec8e844ead6739be1

SHA256
98b47a166d04a3859a56a1a05c5b1e3d46443d6c000f973021ea2e86b5cbf70f

SHA512
9bcbc75f673115a0cdd75b29aa3a7407d1f6d94d001ca2d798c2dbf789d5442a7346795d28e9daa05fe25082d31e897d2b6fccda6e211fa944c7cc487e14b7a6

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1032\LocalizedData.xml

Filesize
88KB

MD5
369b930104a99a3f9ae621c9831cdf2b

SHA1
b710a289cfd6625585c9d240d1b768ff581ff87d

SHA256
49eb82060ebaf907686829621aca3e01a4f0f054739f897a213e7f8ecb608e32

SHA512
d79b22a2bea5276fa18e9f3cd6d527b3f09ee6acca73e1bcc6e9e04ef4216f9512a6c5cd1eb70b238aac07013a3790c4a231228aafaa97bd63d23614a79cbb18

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1033\LocalizedData.xml

Filesize
80KB

MD5
e7a6e380b3489f48700567d8a31bed0d

SHA1
1c228150fc651c731f3f6eec8952324c857fbb8c

SHA256
4df5421968b12944758123cdcbc84148649a38427931e6c3e2653f7985edc7c2

SHA512
7ce45d4c5dc6b3d1312c7229eba05c6d341e2e5f3b1b9bd14475c290eb13c8762feee981358ce5b9601cd0e2d2f1e3c2def47728d2510029c154c428ffdc30d5

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1033\SetupResources.dll

Filesize
29KB

MD5
e0db702984c891e45fcc53da5b4e55b9

SHA1
b21d1d11d79628489387ef94311d7dcf33d8097d

SHA256
abfe75ce71c8932af9cc472468633ac69e28418b4aed61820b0ff1b5badc6451

SHA512
6367963c8a6f2f2954470b2652a90440491b43c4e4b53dd94053868033d553bc13b34a69cfb32da5cb45ec4a1607f4eab06615aa245a50863c86b30b0647f350

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1035\LocalizedData.xml

Filesize
81KB

MD5
7ecf456fb1efe39c4ab76fd64c8ee899

SHA1
daaba3aba824559727c1da2703588c7c4193a5fd

SHA256
afb1ed0adc8fa04aaff7fee1ffffae412bd468df9ddb5cc158d5ecf21cbd8849

SHA512
5c7568b2541c3ae9b2966b8a9a203f02fec077cb20f8b11fd822eb06d4e00e2307781cb56f5ad8e72d58429c200f48196b5e0854f9ea142b90c340a46385013f

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1036\LocalizedData.xml

Filesize
85KB

MD5
d3e951a08c9beacb18cbfce8cf3af8c8

SHA1
27826f4e6d38b9d5c7029cf71786f13443ef571c

SHA256
8e8620f9592ba5eef941cbca067460d56364cb9b71629b713743e76db2772857

SHA512
530368737fb777bbab58378128a7cb0680f97631b90bd149831a18665ec702aeb4783a14bb75248477efca02dad199479266f81c5db3ee1d06d0305e0fe2fe87

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1037\LocalizedData.xml

Filesize
76KB

MD5
271157714e2256547966336bf0e871ba

SHA1
a5505276881a65d0ea5885d902014c063fa81f69

SHA256
6697c94007f2614091b46692d0c429c2beb1453fb047614f7d0a53e3856ca637

SHA512
3f663d6283ac192855a0f23ea49ea375aa3b838276d4c92c9e88121c3703aa6ed62ed9c2c43fc2e61284ba4bf1a6ba4a39fa8fb980727fcd7cb72b1e723c709f

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1038\LocalizedData.xml

Filesize
84KB

MD5
48f47676e00ff4907e8460ddf635056a

SHA1
dd43d80736aa37f0651cb648c98b56a44af84397

SHA256
f96c529a4bc594fa04c33202037d54d42e72592eeb4c7207f5864026db0a2576

SHA512
d1fc09d079740577e5fde41523ec1ff64653ad6d40850f34026bb9b813161c87636b92a0d84fd06fdc563fe50c2f66440b78e79471318ef7f967378299faf2f4

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1040\LocalizedData.xml

Filesize
83KB

MD5
fbc91f62c53ee8378e89026cf0766198

SHA1
3e76b20a388d2ffbd910692ed1de2baae673bd96

SHA256
cf70fe90e571b2af7acc14c8f467f226000872ead9d1cf504ff62023c308566c

SHA512
ed91bb4092267d53b56d1bdac0599039fc1e8349d14e7ba2c4d853aef4453812760d6fd6abd0f11ec663ab93081d1fbb30a94dd60b8553495f4d539a9cf30a0d

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1041\LocalizedData.xml

Filesize
72KB

MD5
66807bde0e60edeadc418b5a59130a66

SHA1
e96b1373f1c2e9afdf44f6bb8c89c2ba0ebec633

SHA256
41778b41416386679bd161fbc847a24cf6db86204fc2f768f85d943a73f88941

SHA512
d5b8ebaf2b6178f53fb5486c2556462346a3bdab92457f5dfa0721864bbc0fcde3d44d01184b1653855b4ccd35485f4a8a323826ff50b42091b6a7493e283f9a

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1042\LocalizedData.xml

Filesize
71KB

MD5
bba10d27a71c7ff511121d903ad7ce70

SHA1
27e0a60a54161b3b3f59afed6ebe3c096d29fb5c

SHA256
5dd356246306e1eec27d878821ac3f3c111641b3d88cf3b2a30ed4da8cc63400

SHA512
caecb185b8bb4ea861d29a3a2c4c3b12a9d49de0457609a5157596f8c7cec1171c5057ca0b9c4923b75514b4cdd6524a4cae84b5476cf279d21958968d79bb84

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1043\LocalizedData.xml

Filesize
83KB

MD5
828a3c208be5f4e7874014a87d0614d9

SHA1
68058ec9301cbf8946af8ccc8893c3b99e23b024

SHA256
3e6dd7175c7c06fcc8a5c96193832feb904f664e44b03861e6f4e67917bd1b40

SHA512
458ac1eeb50f6324570858d6b5577fbc5759b6c7fe50cae9ddc5eb416811a2ed57cc8faca222c4c0712b9002261d07ac0816164c4c9d5a7796c214575427b566

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1044\LocalizedData.xml

Filesize
82KB

MD5
cb5e20eab63e1d147cd3922167c50a08

SHA1
36b70792b6da1aece6f2b2ca0c588aa224c20226

SHA256
9e67694779e41d257edf9cd776a12d21e47e8c2c75cf8f2123c9aca38a55aeb5

SHA512
a98511fcc77b9ca0ae2c99ab88454057bd5574b49c0a6a6844238b0c9c0ea9615204ed582e92d32131f5d3e0343b80d4143201805ad706add1a7e2e3f9da3c45

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1045\LocalizedData.xml

Filesize
85KB

MD5
bfe80fcd1f4a3eb3ad10b7d5091077bd

SHA1
b24905350d07ff9ec5367e3d5537cf9d1caeefcf

SHA256
afc6df6ffb0f26ad40eb2e751a0361ec91dd09acae1ef318f8d1a5c2bcca4663

SHA512
bf721f50b603aab47555b9f92aaa57ae45bd2e38404a0a566e85ad5bdd029b226597d49b9b0fc3aeab95799983deeb168ccfbca8210a6667d79e136517b7682f

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1046\LocalizedData.xml

Filesize
82KB

MD5
ae7364df1f634f8205a73d89611fdbb9

SHA1
f31e1ad7a9f3788e060933308b8ba1920159995f

SHA256
065e4006457b58a49838795e8fa9be58c82e523844fc8fbc11666f6c8672a7dd

SHA512
2171ef64518b93745f97eda79be1a43ba9c39928956c302e7b9052d5ccdcd37caaed4b766ac21a9eac2882d504bc3254a7c187aeb819591ff8c99528750d6701

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1049\LocalizedData.xml

Filesize
84KB

MD5
cc753313d8caa73b36e5d025aedfaa7e

SHA1
1f0618af406f97a9530429ea915741037aaee6d2

SHA256
6d4a04b311ff23112a0836d0d2234129363c236e9aa47c8434ad25adf9228d5f

SHA512
5b537529d71c72947ac896a6d7bb02fbc169617fd4c65699600294d7ee1681e85ce554a60e7c09fdfd4cfcce8664645e72c932e048a62f602ae385e5ddb01a9a

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1053\LocalizedData.xml

Filesize
81KB

MD5
29506f5bdc6f26310f09467c77c757da

SHA1
daaa113f6387a59b20363269e0ded2bbaf558bf6

SHA256
c60f3f774d36388af82cd5809d90f77171bcda783eeb16d1ba229f6ecee3f7fd

SHA512
762958946d36747403dc589a1f75a27eb2bb441998c071d1ca022d4c6f72b427508be740403c3f840295a41c2dab3aa417fa93b146e9dac6abc76f3b03eba977

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\1055\LocalizedData.xml

Filesize
81KB

MD5
d98027325fb5321ca98a309d6a45ddd7

SHA1
858af88086c1b5b10aff1ec248c0818732267b6c

SHA256
f43ef3a678ef44dd1acf3dce408f094c2726b04062e22e52f2188a6b488be752

SHA512
4faf81284c090026e9516bd686fdf3af6d56846b5e71cb34dbf04c4675839d3d6d011e38da568300c8e286911fb071309beac860fc0d2525e1f4d68a1ea45e34

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\2052\LocalizedData.xml

Filesize
66KB

MD5
9bcc4a10cbfaa559ea43e4b47435a9d9

SHA1
67b9d1cd6ed94bd267122233de5c1cc026667d5c

SHA256
610e1b5c5e27526beac4f1690bb39471838f2f90fd03bb0b85a6dcddc1e47431

SHA512
bb68e85d1f7fed93f98a2d1c4c2b010bf789dee096c2c7d4dbbb8efcf07a28e2ee82ccaea0baf349e672a3d5a1cc875b795e9c1c845dbf0799c2a251dcd25b9e

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\2070\LocalizedData.xml

Filesize
83KB

MD5
b3aca46a9df4ce0999e7717b1d46c7db

SHA1
fefd43dcbea997aad1507678dda52055c1acde5b

SHA256
d692f769fb8c799377143b4ca1191da5545839ef955b1e9ccbdc89d31c17292c

SHA512
806e2f76b0de66a0c921894c6b33e51ed0b6cab0ced466b84f276385a85039af48c5dbd3ac002d1ddf1740314c9dabfc7a40b1c2c6f76f603ac3a53e997d12e0

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\3082\LocalizedData.xml

Filesize
83KB

MD5
645b04d40b114f88bcee24482dad79c4

SHA1
aea296e1a318a591a1b0bbc4f1328fda56d07831

SHA256
1808c6111700dc1094f55a6874ce40cdd6845ad8a0bf052751cc3a3047d5a7b7

SHA512
3788e58f72fa761d9b87caf91bfd6adeac4ee758a6541063253573a1cbf3afc02b6d99b8fe83ad2299cf18fcf4569ed7c0ab05347555a613d42ff8e46d75b415

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\DHTMLHeader.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\ParameterInfo.xml

Filesize
3.3MB

MD5
554912536d90658fdd0a24dc51b9720e

SHA1
6820aa0ee45f474b8b3c2b0740ddb23362e9aa74

SHA256
bba9f776f8be2b742a9c8f0ec473bfec2a8d25ebe2d63a62a878f002abef95fc

SHA512
022b4057b36ba1380b753695b3b68bfc5c81897c835e94383c17f18cd12da7f3c36aebd267f6b0fcc6bf481387ec80f42c1c6db9c9c15fc5de642c4f82e186d8

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\Setup.exe

Filesize
125KB

MD5
d8bdc90b8d9c47548b0789b33c93b266

SHA1
e2287110a405c2988f49a61d859455d41eac7215

SHA256
fd54615d479e33197b7a63873e7468f3e2e5467bdd4384d6471b4d8009f13dcf

SHA512
687cdd99c2ce3075b9cbc8f4113fa2245b01c93607bb15396ea26406eca53181998aa124452dbb4681492e29e273bd14a1b427953e59ade17aa27bbbaf249b14

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\SetupEngine.dll

Filesize
901KB

MD5
87125d428eb7b400af6822af0c4e72dd

SHA1
67dc6ef3ae8e32fda9e941d450ae9e0adbcf3982

SHA256
d199d038d59d3b6a219258009635699226d835bf9163357e9458352b6578b157

SHA512
d4ca91b014557827449426d00689f86599a6d7bdd231c358d1666001dfa73d54e199b695a8cb5c21aab7e191b01bdc7e031d6a9288af27b6b271f736d963ceb6

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\SetupUi.dll

Filesize
342KB

MD5
e31641c114d66ea24d79ed4032269dd0

SHA1
911fd6d8e62c61a76a464306f84c9b80e93467aa

SHA256
3b9822668816a77b623258f8036120eaa5da5d74b16aadfc601cb0e513a56461

SHA512
dc7377cadda1bf63c7df267f3313f916a92363004ab8859e6f3a77aa7938d20de0f6857b8842e6424de2749cf6686f35898002054d8f9c4ed4f5775035cec54c

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\SetupUi.xsd

Filesize
31KB

MD5
a9f6a028e93f3f6822eb900ec3fda7ad

SHA1
8ff2e8f36d690a687233dbd2e72d98e16e7ef249

SHA256
aaf8cb1a9af89d250cbc0893a172e2c406043b1f81a211cb93604f165b051848

SHA512
1c51392c334aea17a25b20390cd4e7e99aa6373e2c2b97e7304cf7ec1a16679051a41e124c7bc890b02b890d4044b576b666ef50d06671f7636e4701970e8ddc

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\Strings.xml

Filesize
13KB

MD5
8a28b474f4849bee7354ba4c74087cea

SHA1
c17514dfc33dd14f57ff8660eb7b75af9b2b37b0

SHA256
2a7a44fb25476886617a1ec294a20a37552fd0824907f5284fade3e496ed609b

SHA512
a7927700d8050623bc5c761b215a97534c2c260fcab68469b7a61c85e2dff22ed9cf57e7cb5a6c8886422abe7ac89b5c71e569741db74daa2dcb4152f14c2369

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\UiInfo.xml

Filesize
63KB

MD5
c99059acb88a8b651d7ab25e4047a52d

SHA1
45114125699fa472d54bc4c45c881667c117e5d4

SHA256
b879f9bc5b79349fa7b0bdbe63167be399c5278454c96773885bd70fbfe7c81d

SHA512
b23a7051f94d72d5a1a0914107e5c2be46c0ddee7ca510167065b55e2d1cb25f81927467370700b1cc7449348d152e9562566de501f3ea5673a2072248572e3b

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\graphics\print.ico

Filesize
123KB

MD5
d39bad9dda7b91613cb29b6bd55f0901

SHA1
6d079df41e31fbc836922c19c5be1a7fc38ac54e

SHA256
d80ffeb020927f047c11fc4d9f34f985e0c7e5dfea9fb23f2bc134874070e4e6

SHA512
fad8cb2b9007a7240421fbc5d621c3092d742417c60e8bb248e2baa698dcade7ca54b24452936c99232436d92876e9184eaf79d748c96aa1fe8b29b0e384eb82

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\graphics\save.ico

Filesize
123KB

MD5
c66bbe8f84496ef85f7af6bed5212cec

SHA1
1e4eab9cc728916a8b1c508f5ac8ae38bb4e7bf1

SHA256
1372c7f132595ddad210c617e44fedff7a990a9e8974cc534ca80d897dd15abd

SHA512
5dabf65ec026d8884e1d80dcdacb848c1043ef62c9ebd919136794b23be0deb3f7f1acdff5a4b25a53424772b32bd6f91ba1bd8c5cf686c41477dd65cb478187

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\graphics\setup.ico

Filesize
123KB

MD5
6125f32aa97772afdff2649bd403419b

SHA1
d84da82373b599aed496e0d18901e3affb6cfaca

SHA256
a0c7b4b17a69775e1d94123dfceec824744901d55b463ba9dca9301088f12ea5

SHA512
c4bdcd72fa4f2571c505fdb0adc69f7911012b6bdeb422dca64f79f7cc1286142e51b8d03b410735cd2bd7bc7c044c231a3a31775c8e971270beb4763247850f

Download Submit
C:\e58f634ac1f9b04e9e8ecd53b943\sqmapi.dll

Filesize
221KB

MD5
6404765deb80c2d8986f60dce505915b

SHA1
e40e18837c7d3e5f379c4faef19733d81367e98f

SHA256
b236253e9ecb1e377643ae5f91c0a429b91c9b30cca1751a7bc4403ea6d94120

SHA512
a5ff302f38020b31525111206d2f5db2d6a9828c70ef0b485f660f122a30ce7028b5a160dd5f5fbcccb5b59698c8df7f2e15fdf19619c82f4dec8d901b7548ba

Download Submit
\Users\Admin\AppData\Local\Temp\is-56F7B.tmp\VerifyTrust.dll

Filesize
85KB

MD5
9a326be60e5714739b50ac33c2577e79

SHA1
dae4d405e0eef41a19e9e4ac58ce8d9a20e8094b

SHA256
5fe545ace5098b313af5eaf74b4e6ab769b3df635a956889bcd21268e8e393a4

SHA512
cf4d5d6a6df9114e2b1a826c8416445efa594bf9b57fa605069c44644caa1a5390330e7ae4357eedcc6c451d5cd2df90f7fa885fa94f6b7f62b91bef087a7a10

Download Submit
\Users\Admin\AppData\Local\Temp\is-56F7B.tmp\isxdl.dll

Filesize
170KB

MD5
0f714846f9ae8a60f5cdb4811377b23f

SHA1
80033367772bac128fefa8707ad64b4b27cf0c34

SHA256
98d547efb2bb65c32cc278beed99c4c9ce83e63f0032ad327fbc5241cdbaab90

SHA512
5149814592ffd2f756f60dbfc8bf10dc7c91e3c8b4a8d1c881dc0c3b2ecc6ffcf98fbd6b7e0cbf2d85d02e314b8ccf8f6d1646198553365c5560fb267bacddf7

Download Submit
\Users\Admin\AppData\Local\Temp\is-5NC17.tmp\Nord.Setup.dll

Filesize
43KB

MD5
8e2fd469945c2263116cc4a5e398f617

SHA1
89fe8f568e67091e1b711eb3ff911bcc51240a4e

SHA256
e2861ccdbba4d518caa4029d202eb4e4c7413dc475506d73f164b4d1f6dbe879

SHA512
c3197c1ccff2eafff9ceb2079f431f5f3c25df6e6214aaab8536847ec8924bd5464bf16a667cfd5995c864a49e635f11219cd0a9beb58e5498ac605ac558eebe

Download Submit
\Users\Admin\AppData\Local\Temp\is-5NC17.tmp\VerifyTrust.dll

Filesize
85KB

MD5
e9b594f045cd2be90eef64265180d7d3

SHA1
073fa45284ecefad383b0df7e4fa2a24ad934436

SHA256
2055f96699f7ebec3ecd33b3195dfc6c5dc2176b050cc6acb7655c77c77c5a6d

SHA512
559cbde22b8229d68ed63873fafcda22836dc9b8169f853915156b3107a5686df80ae6cb55dcc7184a98daba9cd6ccfe5783e4a5d90cdfa5f08e86491108cd48

Download Submit
\Users\Admin\AppData\Local\Temp\is-5NC17.tmp\isxdl.dll

Filesize
169KB

MD5
7998a1a52eedde342de34b4147006419

SHA1
8fad49145668b4387d233e296b6f57342c7a1a55

SHA256
48003909f632c53e9ab7edaf8660b6a12070325d733c7c14f0e3c2d72487a8fc

SHA512
5d217922dfeecae213dfa950c3bdd402c27fc8ffec0de31ec6a457811c45a230e0a940d2dd8736be192785dfb77cfeba7bb6bda74ff0050a9ee1b05c3c4486b4

Download Submit
\Users\Admin\AppData\Local\Temp\is-PQVIM.tmp\Nord.Setup.dll

Filesize
40KB

MD5
b18bd486c5718397bc65d77a16ce2593

SHA1
58fe73e27c5c04e6915c5358f698f7fe8c2b5af8

SHA256
0bbf32b0553ca1292602e8c2c0458e075fdee2c8b6ef8ea81e924a86bc065f3c

SHA512
f4ffa1c8983914c41657fecc11c9324caa5899ad875b9687da8ffcf79ab189f19d6f926e16f09f240de9e6b22e26691fae785ed95657af310de5bf6c58ce8e0e

Download Submit
memory/348-159-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/348-447-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1920-165-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1920-459-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1920-448-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/2532-141-0x0000000072FB0000-0x000000007369E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-431-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2532-139-0x00000000036B0000-0x00000000036C0000-memory.dmp

Filesize
64KB

Download
memory/2532-140-0x0000000073780000-0x0000000073790000-memory.dmp

Filesize
64KB

Download
memory/2532-134-0x00000000141A0000-0x00000000141B0000-memory.dmp

Filesize
64KB

Download
memory/2532-142-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2532-154-0x0000000072FB0000-0x000000007369E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-153-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2532-150-0x00000000141A0000-0x00000000141B0000-memory.dmp

Filesize
64KB

Download
memory/2532-80-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/2532-146-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/2532-144-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2812-59-0x00000000036F0000-0x0000000003700000-memory.dmp

Filesize
64KB

Download
memory/2812-25-0x0000000006860000-0x0000000006D8C000-memory.dmp

Filesize
5.2MB

Download
memory/2812-63-0x00000000732B0000-0x000000007399E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-116-0x00000000732B0000-0x000000007399E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-36-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2812-35-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2812-27-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2812-115-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2812-73-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2812-5-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2812-22-0x0000000003700000-0x0000000003710000-memory.dmp

Filesize
64KB

Download
memory/2812-24-0x0000000073A80000-0x0000000073A90000-memory.dmp

Filesize
64KB

Download
memory/2812-23-0x00000000732B0000-0x000000007399E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-18-0x00000000036F0000-0x0000000003700000-memory.dmp

Filesize
64KB

Download
memory/4584-26-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4584-0-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4584-118-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4704-75-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4704-62-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download