sectoprat | e9131d9413f1596b47e86e88dc5b4e4cc70a0a4ec2d39aa8f5a1a5698055adfc

Analysis

max time kernel
123s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NordVPNSetup.exe
Size

16.8MB
MD5

8916adb46ac66f510491eeef40eb2b0d
SHA1

25318148e33077ede2689d67a495d9160b0f331d
SHA256

e9131d9413f1596b47e86e88dc5b4e4cc70a0a4ec2d39aa8f5a1a5698055adfc
SHA512

b7ca36f76cfbd13b05462e002e8e3d77edcea2cba7e1076ef4a755172f8b429e54061a52696a399e615a09d405cea21599d56ff19d1b209b8c9d2998b1595721
SSDEEP

393216:9qVjnUv7EZs8DvzHiQFFz1c4vJvFozQMI3vv2Jknvk:KjnUv7Qs8D7iQnzHvJ9kTI3v+KM

Score

10^/10

sectoprat discovery rat spyware trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/232-166-0x0000000001190000-0x0000000001264000-memory.dmp	family_sectoprat

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\SETE10.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SETE10.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\tapnordvpn.sys	DrvInst.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	NordVPNSetup.tmp

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeviceManager.lnk	netsh.exe

Executes dropped EXE 11 IoCs

pid	Process
2980	NordVPNSetup.exe
4616	NordVPNSetup.tmp
2228	NordVPNSetup.exe
2508	NordVPNSetup.tmp
4180	NordUpdaterSetup.exe
4956	NordUpdaterSetup.tmp
3344	NordUpdateService.exe
2124	nordvpn-service.exe
3492	NordVPN.exe
4480	tapctl.exe
2728	tapctl.exe

Loads dropped DLL 64 IoCs

pid	Process
4616	NordVPNSetup.tmp
4616	NordVPNSetup.tmp
4616	NordVPNSetup.tmp
2508	NordVPNSetup.tmp
2508	NordVPNSetup.tmp
2508	NordVPNSetup.tmp
2508	NordVPNSetup.tmp
2508	NordVPNSetup.tmp
4956	NordUpdaterSetup.tmp
4956	NordUpdaterSetup.tmp
3344	NordUpdateService.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
2124	nordvpn-service.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe

Modifies file permissions 1 TTPs 19 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
840	icacls.exe
1096	icacls.exe
4740	icacls.exe
4120	icacls.exe
1488	icacls.exe
2484	icacls.exe
440	icacls.exe
4484	icacls.exe
404	icacls.exe
4988	icacls.exe
972	icacls.exe
1844	icacls.exe
2744	icacls.exe
4616	icacls.exe
1720	icacls.exe
2840	icacls.exe
4436	icacls.exe
4328	icacls.exe
4000	icacls.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	103.86.99.100
Destination IP	103.86.99.100
Destination IP	103.86.99.100

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 48 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E	NordUpdateService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\439F613B3D55693954E1B080DE3085B4_C4927E03400A4F6EDB9D613E6354F864	NordUpdateService.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\nordvpn_S.A\Nord.UpdateService_Path_ukojcz5sficitw1renis02ql2wudc5vj\pujqhtca.tmp	NordUpdateService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	nordvpn-service.exe
File created	C:\Windows\System32\DriverStore\Temp\{d38ed2ff-ce2b-ae4e-a7f4-e5df1c65b0ed}\SET9AB.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	NordUpdateService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_E3A0B2E345AA9F5A174687564C886046	NordUpdateService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48B35517638A85CA46010B026C2B955A_0E2607AD9B9E618A16D313BC98EDE832	NordUpdateService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\AppCenter\1aba377c-cfd7-45f0-b1aa-06f5081d7585\Logs.db	NordUpdateService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8757A0F68C921927F887F6D56B2C1640_711B0FFDF677284507E7F65614F211FA	nordvpn-service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1591D5F7B0682312DEC3539E38F11DA5_CD616FB4416B0E94DDA6C4C4101236DF	nordvpn-service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B82739147960582EB39EC59AF53E8BB5	nordvpn-service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B82739147960582EB39EC59AF53E8BB5	nordvpn-service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_59F1658D90E38DA89AB56C23C0E7D055	NordUpdateService.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d38ed2ff-ce2b-ae4e-a7f4-e5df1c65b0ed}\tapnordvpn.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_adaa9513bf256fe3\tapnordvpn.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{d38ed2ff-ce2b-ae4e-a7f4-e5df1c65b0ed}\SET9AC.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	nordvpn-service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	nordvpn-service.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d38ed2ff-ce2b-ae4e-a7f4-e5df1c65b0ed}\SET9AB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d38ed2ff-ce2b-ae4e-a7f4-e5df1c65b0ed}\SET9AC.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_adaa9513bf256fe3\oemvista.PNF	tapctl.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\439F613B3D55693954E1B080DE3085B4_C4927E03400A4F6EDB9D613E6354F864	NordUpdateService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D	nordvpn-service.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d38ed2ff-ce2b-ae4e-a7f4-e5df1c65b0ed}\SET9BC.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_adaa9513bf256fe3\tapnordvpn.cat	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1591D5F7B0682312DEC3539E38F11DA5_C980A22DE634031CE134BCFE04B293B1	nordvpn-service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\AppCenter\1aba377c-cfd7-45f0-b1aa-06f5081d7585\Logs.db-journal	NordUpdateService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D	nordvpn-service.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d38ed2ff-ce2b-ae4e-a7f4-e5df1c65b0ed}\OemVista.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_E3A0B2E345AA9F5A174687564C886046	NordUpdateService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E	NordUpdateService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48B35517638A85CA46010B026C2B955A_0E2607AD9B9E618A16D313BC98EDE832	NordUpdateService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1591D5F7B0682312DEC3539E38F11DA5_C980A22DE634031CE134BCFE04B293B1	nordvpn-service.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d38ed2ff-ce2b-ae4e-a7f4-e5df1c65b0ed}\tapnordvpn.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{d38ed2ff-ce2b-ae4e-a7f4-e5df1c65b0ed}\SET9BC.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C	NordUpdateService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_59F1658D90E38DA89AB56C23C0E7D055	NordUpdateService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1591D5F7B0682312DEC3539E38F11DA5_CD616FB4416B0E94DDA6C4C4101236DF	nordvpn-service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	nordvpn-service.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_adaa9513bf256fe3\OemVista.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	NordUpdateService.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\nordvpn_S.A\Nord.UpdateService_Path_ukojcz5sficitw1renis02ql2wudc5vj\pujqhtca.newcfg	NordUpdateService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8757A0F68C921927F887F6D56B2C1640_711B0FFDF677284507E7F65614F211FA	nordvpn-service.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d38ed2ff-ce2b-ae4e-a7f4-e5df1c65b0ed}	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C	NordUpdateService.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4700 set thread context of 3864	4700	NordVPNSetup.exe	95
PID 3864 set thread context of 232	3864	netsh.exe	102

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\wintun.dll	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\is-VJ03R.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\is-VAJGK.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\NordSec ThreatProtection\1.4.21.7\is-LOSQJ.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\NordSec ThreatProtection\1.4.21.7\is-LPR0N.tmp	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\NordSec ThreatProtection\1.4.21.7\Nord.Common.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\NordSec ThreatProtection\1.4.21.7\nordsec-threatprotection-service-app.exe	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\NordSecurity.Communication.Ipc.Annotations.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\SharpVectors.Dom.dll	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\Resources\Binaries\64bit\is-J355D.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\is-J1QT9.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\is-76RVR.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordUpdater\1.4.2.147\is-EDL30.tmp	NordUpdaterSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\SharpVectors.Rendering.Wpf.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\System.IO.Pipes.AccessControl.dll	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\is-IB6ME.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\NordSec ThreatProtection\1.4.21.7\is-8B8GK.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\is-VBL9B.tmp	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\TraceReloggerLib.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\LiteDB.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\NordSecurity.Nat.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\System.ServiceModel.Primitives.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\System.ValueTuple.dll	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\is-T65R9.tmp	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\NordSecurity.NordVpn.Audit.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\NordSec ThreatProtection\1.4.21.7\Bugsnag.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\NordVpn.Startup.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\System.Security.Cryptography.Xml.dll	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\is-9CEMN.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\Drivers\is-RMSKP.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\NordSec ThreatProtection\1.4.21.7\is-N20JM.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordUpdater\1.4.2.147\is-GMBKJ.tmp	NordUpdaterSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\Microsoft.Extensions.Primitives.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\NDivertControl.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\NordVpn.Application.Localization.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\SharpVectors.Runtime.Wpf.dll	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\Resources\Binaries\64bit\is-502JL.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\NordSec ThreatProtection\1.4.21.7\is-6149B.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordUpdater\1.4.2.147\is-78BQJ.tmp	NordUpdaterSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\NordSecurity.Liberation.PacketDivert.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\NordVpn.DiagnosticsTool.UI.dll	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\is-6D0J0.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\is-MMHVA.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\is-RPF6J.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\is-6290F.tmp	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\unins000.dat	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\Nord.Marshall.IOCTL.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\NordSec ThreatProtection\1.4.21.7\System.Diagnostics.EventLog.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\NordSec ThreatProtection\1.4.21.7\c7zip.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\NordSec ThreatProtection\1.4.21.7\System.Text.Json.dll	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\NordSec ThreatProtection\is-GN38E.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\is-9AAIU.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\is-02762.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\is-FLNFG.tmp	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\NordSecurity.Liberation.Network.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\NordSecurity.NordVpn.Infrastructure.Serialization.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\NordSecurity.NordVpn.WebSockets.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\NordSec ThreatProtection\1.4.21.7\ThreatProtectionService.Infrastructure.dll	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\Resources\templates\is-BDOD9.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\is-O2DKP.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\is-CTTAM.tmp	NordVPNSetup.tmp
File created	C:\Program Files\NordVPN\7.21.2.0\is-27SUV.tmp	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\7.21.2.0\NordSecurity.Liberation.Diagnostics.Core.dll	NordVPNSetup.tmp
File opened for modification	C:\Program Files\NordVPN\NordSec ThreatProtection\1.4.21.7\Grpc.Core.Api.dll	NordVPNSetup.tmp

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapctl.exe
File created	C:\Windows\INF\oem3.PNF	tapctl.exe
File created	C:\Windows\is-TCHMG.tmp	NordVPNSetup.tmp
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Nord.Setup.dll	NordVPNSetup.tmp
File opened for modification	C:\Windows\INF\setupapi.dev.log	pnputil.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	pnputil.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3560	taskkill.exe
3924	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	nordvpn-service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	nordvpn-service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	nordvpn-service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	nordvpn-service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	nordvpn-service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	nordvpn-service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	nordvpn-service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	nordvpn-service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	nordvpn-service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	nordvpn-service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	nordvpn-service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	nordvpn-service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	nordvpn-service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	nordvpn-service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	nordvpn-service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	nordvpn-service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	NordUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	nordvpn-service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	nordvpn-service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NordVPN\ = "URL:NordVPN Protocol"	NordVPNSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NordVPN\shell\open	NordVPNSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NordVPN\shell\open\command	NordVPNSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NordVPN\shell\open\command\ = "\"C:\\Program Files\\NordVPN\\NordVPN.exe\" \"%1\""	NordVPNSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NordVPN.Notification	NordVPNSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NordVPN.Notification\shell\open	NordVPNSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NordVPN.Notification\shell\open\command	NordVPNSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NordVPN.Notification\shell	NordVPNSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NordVPN.Notification\shell\open\command\ = "\"C:\\Program Files\\NordVPN\\NordVPN.exe\" \"%1\""	NordVPNSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NordVPN	NordVPNSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NordVPN\URL Protocol	NordVPNSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NordVPN.Notification\ = "URL:NordVPN.Notification"	NordVPNSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NordVPN.Notification\URL Protocol	NordVPNSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NordVPN\shell	NordVPNSetup.tmp

Modifies system certificate store 2 TTPs 23 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	NordVPNSetup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf50f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	NordVPN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	nordvpn-service.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5EEED86FA37C675230642F55C84DDBF67CD33C80\Blob = 0f000000010000003000000082ef60cde833832df196a3351df5b2b90029e31f679cec503aeea7ca8893db9d81d4e576a9f216dd0baec61cb02a14600b00000001000000380000004400690067006900430065007200740020004300530020005200530041003400300039003600200052006f006f00740020004700350000006200000001000000200000007353b6d6c2d6da4247773f3f07d075decb5134212bead0928ef1f4611526094153000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000680193b1d24a40426994462c1c5a88a925b4474f1d0000000100000010000000cfa020613a558555d3c1ea201f6276da0300000001000000140000005eeed86fa37c675230642f55c84ddbf67cd33c80200000000100000068050000308205643082034ca003020102021006cee131be6d55c807f7c0c7fb44e620300d06092a864886f70d01010c0500304c310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e312430220603550403131b4469676943657274204353205253413430393620526f6f74204735301e170d3231303131353030303030305a170d3436303131343233353935395a304c310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e312430220603550403131b4469676943657274204353205253413430393620526f6f7420473530820222300d06092a864886f70d01010105000382020f003082020a0282020100b6337380d8620370142c111c395e7cae7c83861dfe262f4c24ad8bea835fa9bc3d5bfc0b984c024730ece2feece8345b665ebf3bd72ca625ff8c59b3dfeada7c29d9465072081d6ed11b0add1fcd9989fa0f0f73c4e19c1d7532cd6f97da2a6a95b26cc909d0ea0b7b7d17064999efd6dee0c853d4aec677f186bb231cb8c0df59f78e7dd1ef82e6268b5a38b5ff75d5b2d94f09f3378850da11a48a1414d15304007df36a4418fe507032071ca89a0e3a1dc50a1f6e0b2669b73ca257702c86fa4c6e95a95843b9ac12d6ff3fedd743176b4cce9ec490abfffa10509aa39057d6e78c10ae9f161acf351d7fd776ed8a9c35a728b8a75d21fc3037ddde08194f15c6e7a6da90478ef794534c8e5302befd99e5ea86d0af0302d39baa93f1ab288e2001ff4cfbccb72940f587a41213051f436ed751509f38b420ed1709128fccb919af9fcdbe6911d3af55106d1786799652c6b2009de5af38b035f4886b8f0e043d7ceeafcdd36a104ac6cd86ca223da14a5cfb0eff88df5c62a7c0b91ed9ac6c7e3837fe779325c2858a4fb537065a068114f1ce949d9991ea325ace673d6e0466ad0c4f2da32ef79ef5789df70afd7e8fe3428a5596bcf19f372dfc9e5f95fe8c181bfc8efd4b90afd703681263ace293a7a2cb04e54f64ce03fac6149fd98be8ccd4628c6be4002c199f1a06c6318154fb53249aaf5599ba9d75aeb8c2dd0203010001a3423040301d0603551d0e04160414680193b1d24a40426994462c1c5a88a925b4474f300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c0500038202010092fceeb802791702517d21c54967a7a4f1a82438eb0c68ea5a426b9cf473c1694a2db33705504298929e06792c2e0699f6efdf2ba0cdb3920183b5a0cb27b53c231a9849a2ec2d99a55943acd2b193d657d71cbc93d6c640e1b36f1955b713d7e54333a4b5abcbdac131640d74d62cedc38d6eebbbaf194761612dc0f405b96f78dc3af74240655391bd990d939254a6a937592b9bcb99c6bc3df70484f094331d0f825a39cb2e45c32819a3b29b98c8fc316b608ff6e98628bce03c7d745d16895b6924c7108bc44bbb364fd4593fc3b0a49199f82ed14a019df58812efbf5a116a594f596b5a67f38fb4130fc0d82f3d2872aa197f117d6a5b9f95e75fb7944ff13ea15aff2dcc9ddf27778f32731c670a76f3fa5cb1bfbc1dbd0c289bb2c717670b330fc3bd36dcfbba420babed84c362d68416a9b1076ba96eeec6cfe6b04429c2f0b361802a8b6fd2145c25875464f3a44cc1a1f8a76beafeea3afc79db0e8fdcc6f3c9d46cdee983a18e1d22ecc93ab2007bdc3ba7421a7fdc8ba9113d8ea7c0206f5d095d4344e68f66cca95b07f1ef9b7a0eb354e194fd0e2cc693d755fd719835b8094affc629282cf6522ddb14189227e2167e8ccad461be828791eb98373fbf5f5d773f34ac1b3843ab687299321e3a1a19a5a3384c23d7a3e7ccd52a9217900b5a4bbd16bdfb866ae28999ece4a05518c9a3081f13e0320872d0	NordVPN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5EEED86FA37C675230642F55C84DDBF67CD33C80	nordvpn-service.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	nordvpn-service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	NordVPNSetup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	NordVPNSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5EEED86FA37C675230642F55C84DDBF67CD33C80	NordVPN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	NordVPNSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	NordVPN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c0000000100000004000000001000001900000001000000100000009f687581f7ef744ecfc12b9cee6238f1030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	NordVPN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	NordVPNSetup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	NordVPNSetup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5EEED86FA37C675230642F55C84DDBF67CD33C80\Blob = 19000000010000001000000016aee18d205d4e54b5aee9b3c1466a210300000001000000140000005eeed86fa37c675230642f55c84ddbf67cd33c801d0000000100000010000000cfa020613a558555d3c1ea201f6276da140000000100000014000000680193b1d24a40426994462c1c5a88a925b4474f090000000100000016000000301406082b0601050507030306082b0601050507030853000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007353b6d6c2d6da4247773f3f07d075decb5134212bead0928ef1f461152609410b00000001000000380000004400690067006900430065007200740020004300530020005200530041003400300039003600200052006f006f00740020004700350000000f000000010000003000000082ef60cde833832df196a3351df5b2b90029e31f679cec503aeea7ca8893db9d81d4e576a9f216dd0baec61cb02a1460200000000100000068050000308205643082034ca003020102021006cee131be6d55c807f7c0c7fb44e620300d06092a864886f70d01010c0500304c310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e312430220603550403131b4469676943657274204353205253413430393620526f6f74204735301e170d3231303131353030303030305a170d3436303131343233353935395a304c310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e312430220603550403131b4469676943657274204353205253413430393620526f6f7420473530820222300d06092a864886f70d01010105000382020f003082020a0282020100b6337380d8620370142c111c395e7cae7c83861dfe262f4c24ad8bea835fa9bc3d5bfc0b984c024730ece2feece8345b665ebf3bd72ca625ff8c59b3dfeada7c29d9465072081d6ed11b0add1fcd9989fa0f0f73c4e19c1d7532cd6f97da2a6a95b26cc909d0ea0b7b7d17064999efd6dee0c853d4aec677f186bb231cb8c0df59f78e7dd1ef82e6268b5a38b5ff75d5b2d94f09f3378850da11a48a1414d15304007df36a4418fe507032071ca89a0e3a1dc50a1f6e0b2669b73ca257702c86fa4c6e95a95843b9ac12d6ff3fedd743176b4cce9ec490abfffa10509aa39057d6e78c10ae9f161acf351d7fd776ed8a9c35a728b8a75d21fc3037ddde08194f15c6e7a6da90478ef794534c8e5302befd99e5ea86d0af0302d39baa93f1ab288e2001ff4cfbccb72940f587a41213051f436ed751509f38b420ed1709128fccb919af9fcdbe6911d3af55106d1786799652c6b2009de5af38b035f4886b8f0e043d7ceeafcdd36a104ac6cd86ca223da14a5cfb0eff88df5c62a7c0b91ed9ac6c7e3837fe779325c2858a4fb537065a068114f1ce949d9991ea325ace673d6e0466ad0c4f2da32ef79ef5789df70afd7e8fe3428a5596bcf19f372dfc9e5f95fe8c181bfc8efd4b90afd703681263ace293a7a2cb04e54f64ce03fac6149fd98be8ccd4628c6be4002c199f1a06c6318154fb53249aaf5599ba9d75aeb8c2dd0203010001a3423040301d0603551d0e04160414680193b1d24a40426994462c1c5a88a925b4474f300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c0500038202010092fceeb802791702517d21c54967a7a4f1a82438eb0c68ea5a426b9cf473c1694a2db33705504298929e06792c2e0699f6efdf2ba0cdb3920183b5a0cb27b53c231a9849a2ec2d99a55943acd2b193d657d71cbc93d6c640e1b36f1955b713d7e54333a4b5abcbdac131640d74d62cedc38d6eebbbaf194761612dc0f405b96f78dc3af74240655391bd990d939254a6a937592b9bcb99c6bc3df70484f094331d0f825a39cb2e45c32819a3b29b98c8fc316b608ff6e98628bce03c7d745d16895b6924c7108bc44bbb364fd4593fc3b0a49199f82ed14a019df58812efbf5a116a594f596b5a67f38fb4130fc0d82f3d2872aa197f117d6a5b9f95e75fb7944ff13ea15aff2dcc9ddf27778f32731c670a76f3fa5cb1bfbc1dbd0c289bb2c717670b330fc3bd36dcfbba420babed84c362d68416a9b1076ba96eeec6cfe6b04429c2f0b361802a8b6fd2145c25875464f3a44cc1a1f8a76beafeea3afc79db0e8fdcc6f3c9d46cdee983a18e1d22ecc93ab2007bdc3ba7421a7fdc8ba9113d8ea7c0206f5d095d4344e68f66cca95b07f1ef9b7a0eb354e194fd0e2cc693d755fd719835b8094affc629282cf6522ddb14189227e2167e8ccad461be828791eb98373fbf5f5d773f34ac1b3843ab687299321e3a1a19a5a3384c23d7a3e7ccd52a9217900b5a4bbd16bdfb866ae28999ece4a05518c9a3081f13e0320872d0	NordVPN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5EEED86FA37C675230642F55C84DDBF67CD33C80\Blob = 040000000100000010000000a733edbf1b5de119c491c94aeaf76dc70f000000010000003000000082ef60cde833832df196a3351df5b2b90029e31f679cec503aeea7ca8893db9d81d4e576a9f216dd0baec61cb02a14600b00000001000000380000004400690067006900430065007200740020004300530020005200530041003400300039003600200052006f006f00740020004700350000006200000001000000200000007353b6d6c2d6da4247773f3f07d075decb5134212bead0928ef1f4611526094153000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000680193b1d24a40426994462c1c5a88a925b4474f1d0000000100000010000000cfa020613a558555d3c1ea201f6276da0300000001000000140000005eeed86fa37c675230642f55c84ddbf67cd33c8019000000010000001000000016aee18d205d4e54b5aee9b3c1466a21200000000100000068050000308205643082034ca003020102021006cee131be6d55c807f7c0c7fb44e620300d06092a864886f70d01010c0500304c310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e312430220603550403131b4469676943657274204353205253413430393620526f6f74204735301e170d3231303131353030303030305a170d3436303131343233353935395a304c310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e312430220603550403131b4469676943657274204353205253413430393620526f6f7420473530820222300d06092a864886f70d01010105000382020f003082020a0282020100b6337380d8620370142c111c395e7cae7c83861dfe262f4c24ad8bea835fa9bc3d5bfc0b984c024730ece2feece8345b665ebf3bd72ca625ff8c59b3dfeada7c29d9465072081d6ed11b0add1fcd9989fa0f0f73c4e19c1d7532cd6f97da2a6a95b26cc909d0ea0b7b7d17064999efd6dee0c853d4aec677f186bb231cb8c0df59f78e7dd1ef82e6268b5a38b5ff75d5b2d94f09f3378850da11a48a1414d15304007df36a4418fe507032071ca89a0e3a1dc50a1f6e0b2669b73ca257702c86fa4c6e95a95843b9ac12d6ff3fedd743176b4cce9ec490abfffa10509aa39057d6e78c10ae9f161acf351d7fd776ed8a9c35a728b8a75d21fc3037ddde08194f15c6e7a6da90478ef794534c8e5302befd99e5ea86d0af0302d39baa93f1ab288e2001ff4cfbccb72940f587a41213051f436ed751509f38b420ed1709128fccb919af9fcdbe6911d3af55106d1786799652c6b2009de5af38b035f4886b8f0e043d7ceeafcdd36a104ac6cd86ca223da14a5cfb0eff88df5c62a7c0b91ed9ac6c7e3837fe779325c2858a4fb537065a068114f1ce949d9991ea325ace673d6e0466ad0c4f2da32ef79ef5789df70afd7e8fe3428a5596bcf19f372dfc9e5f95fe8c181bfc8efd4b90afd703681263ace293a7a2cb04e54f64ce03fac6149fd98be8ccd4628c6be4002c199f1a06c6318154fb53249aaf5599ba9d75aeb8c2dd0203010001a3423040301d0603551d0e04160414680193b1d24a40426994462c1c5a88a925b4474f300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c0500038202010092fceeb802791702517d21c54967a7a4f1a82438eb0c68ea5a426b9cf473c1694a2db33705504298929e06792c2e0699f6efdf2ba0cdb3920183b5a0cb27b53c231a9849a2ec2d99a55943acd2b193d657d71cbc93d6c640e1b36f1955b713d7e54333a4b5abcbdac131640d74d62cedc38d6eebbbaf194761612dc0f405b96f78dc3af74240655391bd990d939254a6a937592b9bcb99c6bc3df70484f094331d0f825a39cb2e45c32819a3b29b98c8fc316b608ff6e98628bce03c7d745d16895b6924c7108bc44bbb364fd4593fc3b0a49199f82ed14a019df58812efbf5a116a594f596b5a67f38fb4130fc0d82f3d2872aa197f117d6a5b9f95e75fb7944ff13ea15aff2dcc9ddf27778f32731c670a76f3fa5cb1bfbc1dbd0c289bb2c717670b330fc3bd36dcfbba420babed84c362d68416a9b1076ba96eeec6cfe6b04429c2f0b361802a8b6fd2145c25875464f3a44cc1a1f8a76beafeea3afc79db0e8fdcc6f3c9d46cdee983a18e1d22ecc93ab2007bdc3ba7421a7fdc8ba9113d8ea7c0206f5d095d4344e68f66cca95b07f1ef9b7a0eb354e194fd0e2cc693d755fd719835b8094affc629282cf6522ddb14189227e2167e8ccad461be828791eb98373fbf5f5d773f34ac1b3843ab687299321e3a1a19a5a3384c23d7a3e7ccd52a9217900b5a4bbd16bdfb866ae28999ece4a05518c9a3081f13e0320872d0	nordvpn-service.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5EEED86FA37C675230642F55C84DDBF67CD33C80\Blob = 5c00000001000000040000000010000019000000010000001000000016aee18d205d4e54b5aee9b3c1466a210300000001000000140000005eeed86fa37c675230642f55c84ddbf67cd33c801d0000000100000010000000cfa020613a558555d3c1ea201f6276da140000000100000014000000680193b1d24a40426994462c1c5a88a925b4474f090000000100000016000000301406082b0601050507030306082b0601050507030853000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007353b6d6c2d6da4247773f3f07d075decb5134212bead0928ef1f461152609410b00000001000000380000004400690067006900430065007200740020004300530020005200530041003400300039003600200052006f006f00740020004700350000000f000000010000003000000082ef60cde833832df196a3351df5b2b90029e31f679cec503aeea7ca8893db9d81d4e576a9f216dd0baec61cb02a1460040000000100000010000000a733edbf1b5de119c491c94aeaf76dc7200000000100000068050000308205643082034ca003020102021006cee131be6d55c807f7c0c7fb44e620300d06092a864886f70d01010c0500304c310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e312430220603550403131b4469676943657274204353205253413430393620526f6f74204735301e170d3231303131353030303030305a170d3436303131343233353935395a304c310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e312430220603550403131b4469676943657274204353205253413430393620526f6f7420473530820222300d06092a864886f70d01010105000382020f003082020a0282020100b6337380d8620370142c111c395e7cae7c83861dfe262f4c24ad8bea835fa9bc3d5bfc0b984c024730ece2feece8345b665ebf3bd72ca625ff8c59b3dfeada7c29d9465072081d6ed11b0add1fcd9989fa0f0f73c4e19c1d7532cd6f97da2a6a95b26cc909d0ea0b7b7d17064999efd6dee0c853d4aec677f186bb231cb8c0df59f78e7dd1ef82e6268b5a38b5ff75d5b2d94f09f3378850da11a48a1414d15304007df36a4418fe507032071ca89a0e3a1dc50a1f6e0b2669b73ca257702c86fa4c6e95a95843b9ac12d6ff3fedd743176b4cce9ec490abfffa10509aa39057d6e78c10ae9f161acf351d7fd776ed8a9c35a728b8a75d21fc3037ddde08194f15c6e7a6da90478ef794534c8e5302befd99e5ea86d0af0302d39baa93f1ab288e2001ff4cfbccb72940f587a41213051f436ed751509f38b420ed1709128fccb919af9fcdbe6911d3af55106d1786799652c6b2009de5af38b035f4886b8f0e043d7ceeafcdd36a104ac6cd86ca223da14a5cfb0eff88df5c62a7c0b91ed9ac6c7e3837fe779325c2858a4fb537065a068114f1ce949d9991ea325ace673d6e0466ad0c4f2da32ef79ef5789df70afd7e8fe3428a5596bcf19f372dfc9e5f95fe8c181bfc8efd4b90afd703681263ace293a7a2cb04e54f64ce03fac6149fd98be8ccd4628c6be4002c199f1a06c6318154fb53249aaf5599ba9d75aeb8c2dd0203010001a3423040301d0603551d0e04160414680193b1d24a40426994462c1c5a88a925b4474f300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c0500038202010092fceeb802791702517d21c54967a7a4f1a82438eb0c68ea5a426b9cf473c1694a2db33705504298929e06792c2e0699f6efdf2ba0cdb3920183b5a0cb27b53c231a9849a2ec2d99a55943acd2b193d657d71cbc93d6c640e1b36f1955b713d7e54333a4b5abcbdac131640d74d62cedc38d6eebbbaf194761612dc0f405b96f78dc3af74240655391bd990d939254a6a937592b9bcb99c6bc3df70484f094331d0f825a39cb2e45c32819a3b29b98c8fc316b608ff6e98628bce03c7d745d16895b6924c7108bc44bbb364fd4593fc3b0a49199f82ed14a019df58812efbf5a116a594f596b5a67f38fb4130fc0d82f3d2872aa197f117d6a5b9f95e75fb7944ff13ea15aff2dcc9ddf27778f32731c670a76f3fa5cb1bfbc1dbd0c289bb2c717670b330fc3bd36dcfbba420babed84c362d68416a9b1076ba96eeec6cfe6b04429c2f0b361802a8b6fd2145c25875464f3a44cc1a1f8a76beafeea3afc79db0e8fdcc6f3c9d46cdee983a18e1d22ecc93ab2007bdc3ba7421a7fdc8ba9113d8ea7c0206f5d095d4344e68f66cca95b07f1ef9b7a0eb354e194fd0e2cc693d755fd719835b8094affc629282cf6522ddb14189227e2167e8ccad461be828791eb98373fbf5f5d773f34ac1b3843ab687299321e3a1a19a5a3384c23d7a3e7ccd52a9217900b5a4bbd16bdfb866ae28999ece4a05518c9a3081f13e0320872d0	nordvpn-service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	NordVPNSetup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	NordVPNSetup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	NordVPNSetup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 0f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	NordVPN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 1900000001000000100000009f687581f7ef744ecfc12b9cee6238f1030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e2000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	NordVPN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	nordvpn-service.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4700	NordVPNSetup.exe
4700	NordVPNSetup.exe
4616	NordVPNSetup.tmp
4616	NordVPNSetup.tmp
3864	netsh.exe
3864	netsh.exe
232	MSBuild.exe
232	MSBuild.exe
2508	NordVPNSetup.tmp
2508	NordVPNSetup.tmp
232	MSBuild.exe
3492	NordVPN.exe
3492	NordVPN.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
3492	NordVPN.exe
2124	nordvpn-service.exe
2124	nordvpn-service.exe
3492	NordVPN.exe
3492	NordVPN.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4700	NordVPNSetup.exe
3864	netsh.exe
3864	netsh.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4616	NordVPNSetup.tmp
Token: SeDebugPrivilege	2508	NordVPNSetup.tmp
Token: SeDebugPrivilege	232	MSBuild.exe
Token: SeDebugPrivilege	3560	taskkill.exe
Token: SeDebugPrivilege	3924	taskkill.exe
Token: SeDebugPrivilege	3344	NordUpdateService.exe
Token: SeDebugPrivilege	3344	NordUpdateService.exe
Token: SeDebugPrivilege	2124	nordvpn-service.exe
Token: SeDebugPrivilege	2124	nordvpn-service.exe
Token: SeDebugPrivilege	3492	NordVPN.exe
Token: SeDebugPrivilege	3492	NordVPN.exe
Token: SeAuditPrivilege	2788	svchost.exe
Token: SeSecurityPrivilege	2788	svchost.exe
Token: SeLoadDriverPrivilege	2728	tapctl.exe
Token: SeRestorePrivilege	4712	DrvInst.exe
Token: SeBackupPrivilege	4712	DrvInst.exe
Token: SeLoadDriverPrivilege	4712	DrvInst.exe
Token: SeLoadDriverPrivilege	4712	DrvInst.exe
Token: SeLoadDriverPrivilege	4712	DrvInst.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4616	NordVPNSetup.tmp
2508	NordVPNSetup.tmp
4956	NordUpdaterSetup.tmp
2508	NordVPNSetup.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 2980	4700	NordVPNSetup.exe	87
PID 4700 wrote to memory of 2980	4700	NordVPNSetup.exe	87
PID 4700 wrote to memory of 2980	4700	NordVPNSetup.exe	87
PID 2980 wrote to memory of 4616	2980	NordVPNSetup.exe	88
PID 2980 wrote to memory of 4616	2980	NordVPNSetup.exe	88
PID 2980 wrote to memory of 4616	2980	NordVPNSetup.exe	88
PID 4700 wrote to memory of 3864	4700	NordVPNSetup.exe	95
PID 4700 wrote to memory of 3864	4700	NordVPNSetup.exe	95
PID 4700 wrote to memory of 3864	4700	NordVPNSetup.exe	95
PID 4700 wrote to memory of 3864	4700	NordVPNSetup.exe	95
PID 4616 wrote to memory of 2228	4616	NordVPNSetup.tmp	99
PID 4616 wrote to memory of 2228	4616	NordVPNSetup.tmp	99
PID 4616 wrote to memory of 2228	4616	NordVPNSetup.tmp	99
PID 2228 wrote to memory of 2508	2228	NordVPNSetup.exe	100
PID 2228 wrote to memory of 2508	2228	NordVPNSetup.exe	100
PID 2228 wrote to memory of 2508	2228	NordVPNSetup.exe	100
PID 3864 wrote to memory of 232	3864	netsh.exe	102
PID 3864 wrote to memory of 232	3864	netsh.exe	102
PID 3864 wrote to memory of 232	3864	netsh.exe	102
PID 3864 wrote to memory of 232	3864	netsh.exe	102
PID 3864 wrote to memory of 232	3864	netsh.exe	102
PID 232 wrote to memory of 3560	232	MSBuild.exe	103
PID 232 wrote to memory of 3560	232	MSBuild.exe	103
PID 232 wrote to memory of 3560	232	MSBuild.exe	103
PID 2508 wrote to memory of 3924	2508	NordVPNSetup.tmp	105
PID 2508 wrote to memory of 3924	2508	NordVPNSetup.tmp	105
PID 2508 wrote to memory of 3924	2508	NordVPNSetup.tmp	105
PID 2508 wrote to memory of 4180	2508	NordVPNSetup.tmp	107
PID 2508 wrote to memory of 4180	2508	NordVPNSetup.tmp	107
PID 2508 wrote to memory of 4180	2508	NordVPNSetup.tmp	107
PID 4180 wrote to memory of 4956	4180	NordUpdaterSetup.exe	108
PID 4180 wrote to memory of 4956	4180	NordUpdaterSetup.exe	108
PID 4180 wrote to memory of 4956	4180	NordUpdaterSetup.exe	108
PID 4956 wrote to memory of 1720	4956	NordUpdaterSetup.tmp	109
PID 4956 wrote to memory of 1720	4956	NordUpdaterSetup.tmp	109
PID 4956 wrote to memory of 972	4956	NordUpdaterSetup.tmp	111
PID 4956 wrote to memory of 972	4956	NordUpdaterSetup.tmp	111
PID 4956 wrote to memory of 404	4956	NordUpdaterSetup.tmp	113
PID 4956 wrote to memory of 404	4956	NordUpdaterSetup.tmp	113
PID 4956 wrote to memory of 4988	4956	NordUpdaterSetup.tmp	115
PID 4956 wrote to memory of 4988	4956	NordUpdaterSetup.tmp	115
PID 4956 wrote to memory of 2840	4956	NordUpdaterSetup.tmp	117
PID 4956 wrote to memory of 2840	4956	NordUpdaterSetup.tmp	117
PID 4956 wrote to memory of 1096	4956	NordUpdaterSetup.tmp	119
PID 4956 wrote to memory of 1096	4956	NordUpdaterSetup.tmp	119
PID 4956 wrote to memory of 4328	4956	NordUpdaterSetup.tmp	121
PID 4956 wrote to memory of 4328	4956	NordUpdaterSetup.tmp	121
PID 4956 wrote to memory of 4740	4956	NordUpdaterSetup.tmp	123
PID 4956 wrote to memory of 4740	4956	NordUpdaterSetup.tmp	123
PID 4956 wrote to memory of 1844	4956	NordUpdaterSetup.tmp	126
PID 4956 wrote to memory of 1844	4956	NordUpdaterSetup.tmp	126
PID 2508 wrote to memory of 2744	2508	NordVPNSetup.tmp	130
PID 2508 wrote to memory of 2744	2508	NordVPNSetup.tmp	130
PID 2508 wrote to memory of 4436	2508	NordVPNSetup.tmp	132
PID 2508 wrote to memory of 4436	2508	NordVPNSetup.tmp	132
PID 2508 wrote to memory of 4616	2508	NordVPNSetup.tmp	134
PID 2508 wrote to memory of 4616	2508	NordVPNSetup.tmp	134
PID 2508 wrote to memory of 4120	2508	NordVPNSetup.tmp	136
PID 2508 wrote to memory of 4120	2508	NordVPNSetup.tmp	136
PID 2508 wrote to memory of 1488	2508	NordVPNSetup.tmp	138
PID 2508 wrote to memory of 1488	2508	NordVPNSetup.tmp	138
PID 2508 wrote to memory of 2484	2508	NordVPNSetup.tmp	140
PID 2508 wrote to memory of 2484	2508	NordVPNSetup.tmp	140
PID 2508 wrote to memory of 4000	2508	NordVPNSetup.tmp	142

C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4700
- C:\ProgramData\ws2\LZBGRAQTNLQPQOOYGU\NordVPNSetup.exe
  C:\ProgramData\ws2\LZBGRAQTNLQPQOOYGU\NordVPNSetup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\is-9HK5C.tmp\NordVPNSetup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-9HK5C.tmp\NordVPNSetup.tmp" /SL5="$10015E,890444,866304,C:\ProgramData\ws2\LZBGRAQTNLQPQOOYGU\NordVPNSetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Users\Admin\AppData\Local\Temp\is-72TAH.tmp\NordVPNSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-72TAH.tmp\NordVPNSetup.exe" /webinstaller=true /DIR="C:\Program Files\NordVPN" /guid=c8590311-4865-4742-8389-41bd433ddc13
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Users\Admin\AppData\Local\Temp\is-KGHD7.tmp\NordVPNSetup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KGHD7.tmp\NordVPNSetup.tmp" /SL5="$D01CA,50118752,866304,C:\Users\Admin\AppData\Local\Temp\is-72TAH.tmp\NordVPNSetup.exe" /webinstaller=true /DIR="C:\Program Files\NordVPN" /guid=c8590311-4865-4742-8389-41bd433ddc13
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /f /im NordVPN.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3924
      - C:\Users\Admin\AppData\Local\Temp\is-1GN8A.tmp\NordUpdaterSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-1GN8A.tmp\NordUpdaterSetup.exe" /VERYSILENT /SUPPRESSMSGBOXES /NOCANCEL /NORESTART /RESTARTEXITCODE=3010 /NOCLOSEAPPLICATIONS
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\is-5DUGV.tmp\NordUpdaterSetup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5DUGV.tmp\NordUpdaterSetup.tmp" /SL5="$90056,3309670,910336,C:\Users\Admin\AppData\Local\Temp\is-1GN8A.tmp\NordUpdaterSetup.exe" /VERYSILENT /SUPPRESSMSGBOXES /NOCANCEL /NORESTART /RESTARTEXITCODE=3010 /NOCLOSEAPPLICATIONS
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" "C:\Program Files\NordUpdater" /inheritance:r
        8⤵
        Modifies file permissions
        
        PID:1720
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" "C:\Program Files\NordUpdater" /grant *S-1-5-32-545:(OI)(CI)(RX)
        8⤵
        Modifies file permissions
        
        PID:972
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" "C:\Program Files\NordUpdater" /grant *S-1-5-32-544:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:404
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" "C:\Program Files\NordUpdater" /grant *S-1-5-18:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:4988
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" C:\ProgramData\NordUpdater /inheritance:d
        8⤵
        Modifies file permissions
        
        PID:2840
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" C:\ProgramData\NordUpdater /remove Users /T
        8⤵
        Modifies file permissions
        
        PID:1096
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" C:\ProgramData\NordUpdater /grant Users:(RX)
        8⤵
        Modifies file permissions
        
        PID:4328
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" C:\ProgramData\NordUpdater\logs /grant Users:(OI)(CI)(RX)
        8⤵
        Modifies file permissions
        
        PID:4740
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" C:\ProgramData\NordUpdater\updates /grant Users:(OI)(CI)(RX)
        8⤵
        Modifies file permissions
        
        PID:1844
      - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" C:\ProgramData\NordVPN /inheritance:d
        6⤵
        Modifies file permissions
        
        PID:2744
      - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" C:\ProgramData\NordVPN /remove Users /T
        6⤵
        Modifies file permissions
        
        PID:4436
      - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" C:\ProgramData\NordVPN /grant Users:(RX)
        6⤵
        Modifies file permissions
        
        PID:4616
      - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" C:\ProgramData\NordVPN\settings /grant Users:(OI)(CI)(RX)
        6⤵
        Modifies file permissions
        
        PID:4120
      - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" C:\ProgramData\NordVPN\logs /grant Users:(OI)(CI)(RX)
        6⤵
        Modifies file permissions
        
        PID:1488
      - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" C:\ProgramData\NordVPN\affiliates.json /grant Users:(RX)
        6⤵
        Modifies file permissions
        
        PID:2484
      - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" "C:\Program Files\NordVPN" /inheritance:r
        6⤵
        Modifies file permissions
        
        PID:4000
      - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" "C:\Program Files\NordVPN" /grant *S-1-5-32-545:(OI)(CI)(RX)
        6⤵
        Modifies file permissions
        
        PID:440
      - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" "C:\Program Files\NordVPN" /grant *S-1-5-32-544:(OI)(CI)(F)
        6⤵
        Modifies file permissions
        
        PID:4484
      - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" "C:\Program Files\NordVPN" /grant *S-1-5-18:(OI)(CI)(F)
        6⤵
        Modifies file permissions
        
        PID:840
      - C:\Program Files\NordVPN\NordVPN.exe
        
        "C:\Program Files\NordVPN\NordVPN.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\SysWOW64\netsh.exe
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /im chrome.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3560

C:\Program Files\NordUpdater\NordUpdateService.exe
"C:\Program Files\NordUpdater\NordUpdateService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Program Files\NordVPN\nordvpn-service.exe
"C:\Program Files\NordVPN\nordvpn-service.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C pnputil /enum-devices /class Net /drivers
  2⤵
  PID:808
- - C:\Windows\system32\pnputil.exe
    pnputil /enum-devices /class Net /drivers
    3⤵
    - Checks SCSI registry key(s)
    PID:912
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C pnputil /add-driver "C:\Program Files\NordVPN\7.21.2.0\Drivers/OemVista.inf" /install
  2⤵
  PID:1428
- - C:\Windows\system32\pnputil.exe
    pnputil /add-driver "C:\Program Files\NordVPN\7.21.2.0\Drivers/OemVista.inf" /install
    3⤵
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    PID:4000
- C:\Program Files\NordVPN\7.21.2.0\TapDriver\tapctl.exe
  "C:\Program Files\NordVPN\7.21.2.0\TapDriver/tapctl.exe" list --hwid tapnordvpn
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Program Files\NordVPN\7.21.2.0\TapDriver\tapctl.exe
  "C:\Program Files\NordVPN\7.21.2.0\TapDriver/tapctl.exe" create --hwid tapnordvpn
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2788
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Windows\TEMP\{9bbd6cb8-013a-324d-bc3f-24fa0c81b6cd}\OemVista.inf" "9" "4721fbe9f" "0000000000000150" "Service-0x0-3e7$\Default" "0000000000000158" "208" "C:\Program Files\NordVPN\7.21.2.0\Drivers"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3860
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "1" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tapnordvpn.ndi:9.0.0.23:tapnordvpn," "42b53aaff" "0000000000000148"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\NordUpdater\1.4.2.147\Bugsnag.dll

Filesize
80KB

MD5
c4813b767ed8c977bc91cd1467d282fb

SHA1
ddbc8e1916b422092a9b3e96b7fd8fc615630147

SHA256
b7186e48325a34dbe740c5ff8ec0e276c53f1063e29df8bf62e7d42be63258dd

SHA512
ac2abbcdb7a819f9c70696d5f91afcd5ed4047605df919bfd7452c2888455b63e03936c0a0aee649b0e83327b84fd293e9161d681fd356e39bdef1cb642d903d

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\Flare.Net.dll

Filesize
53KB

MD5
6364e3bdfa678a84d7e402cc4f3ed195

SHA1
fc8b8fbdb6ec7cf22f66eec96e047579ce3fbf04

SHA256
e700bfca7bf0194b796b41c979b1899bc73b00703d67e4d2548ffc4e0e338d9f

SHA512
42be29a4027054d4947fffa66c21f841670fc376b8a2c602d7e75c0ded8a9eb9db6ad451356b16a67879fba6cf5bbc00513983db0f88e90d402a12c68ace10b0

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\Google.Protobuf.dll

Filesize
451KB

MD5
4e55c1768326593fdf4da24d3a2ea5da

SHA1
20a539dc8513f57ef3d47c1eee90d0f503766c18

SHA256
ffb2121b833df886f5c7e7be4e708252847381febfa81607c9a8fa5721b388b0

SHA512
bcac534d8c9f6811e8b4697d50faf929f8ef2d532a198627e59a0576972d1810443eee05c7ff8a6ed937c4e9e7ba25177f326b4bc93882d866bd5c7a866b08be

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\Grpc.Core.Api.dll

Filesize
68KB

MD5
7fd4dd0c64cf2fe452909b75f514413a

SHA1
8942bee8476a99f536eff613897b9cef257fc01c

SHA256
60a00e145b695ecfa39ede63f5b62b25404ba2dc26db062600bef98b57cd7b86

SHA512
884464fde59109840e01495859a9ca87a2da29a927e0111c5d00f1276c939530ad26d7fc30310c6e3702bb2857449d86b059e8354af70bae0545bac6bd912f3c

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\Liberation.Configuration.dll

Filesize
16KB

MD5
9c10d78a02b598e928d3dbb6d1b48736

SHA1
742438f8b3deb9330092d419d1eee7966a9c6325

SHA256
89bc9e979469a2a904153a5e4fe56b37152828a4a684cd4473bdae0b792672f9

SHA512
084ab108ffafcdf7901279863191a03a20e1630ea78268f1fe4dfe218f34250f630b0204e0e4eba51244a1ea1ecb4ae6b3e45a51c4f35d1ff5a57e702c32dbc0

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\Liberation.OS.dll

Filesize
113KB

MD5
cda1a366dfa6236a8ac25745252f18ee

SHA1
07a8c131b9b5ae180351f251b8fce7b4ac3d4324

SHA256
af14dd50ffbf8208c5d7a0481009bfafc4bb2eb672f2489a36554b68efb2791c

SHA512
ed18e6cf1c19fc93c021071305f98ca77b77c65a09a689b001af09f9765b021ec6f1ad417d93411b710ce5f04ecaceecb2f8df77c9224fa851131b3b4c799f55

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\Microsoft.AppCenter.Analytics.dll

Filesize
27KB

MD5
7de9e89075979456933356c59e45c259

SHA1
aeee1ea3504cab1b3a47dd99e4a05e1781613a63

SHA256
3a23972ae4b308e5f05b666b948d1fd7041373f46db3dbc1665396d08dfdd954

SHA512
e69386e208b20bcf6fdb31300c56455eaf24771e765dc0c389242c492c6f40eb953bed4c47273fadcb6698fca16763b4b5125a0af9c5b215ec8a3254c083711a

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\Microsoft.AppCenter.Crashes.dll

Filesize
53KB

MD5
01283b94a3a56470d2062366c52abc5b

SHA1
c478d79127f84e225a675e312539df222ca15da0

SHA256
a64e27e34f66532aaa519d7799873cfe8d6f0560a4fe6346ebeb06e6e1ba3325

SHA512
d5921588a1d3c56996f06108f1fbe1b9a296339f957e5a8286fa36670b55803ae6f9b13c052aec1f47bc2cb0403c65a9770bf5b92449718eb9e269270e019bcb

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\Microsoft.AppCenter.dll

Filesize
147KB

MD5
3443e578b573bfafe44253c4634c51bd

SHA1
c2bd505cba3bf45a94d31e5a0700df5dd354815d

SHA256
fe1511c02866eff8808ba955396c124b2ca18ec64b54bd9dcca225381bcbb0eb

SHA512
43e9b26ff1e8e5065309492e41ab0b9aedc0008f7d9b132c5ba1f121b123ea374ff9ee20ea035a0c9383271a114dc06f073564066ff5c648e54e495634600d0b

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\Microsoft.Bcl.AsyncInterfaces.dll

Filesize
23KB

MD5
a60369232eb8c0a89b3f9ed65bc20123

SHA1
6c7c552555395594a9a35759e42c101f82e9e252

SHA256
2060b0a01fc5a21ee352c3a8e4364f8b790cce75aeee72935aa6ea774890a226

SHA512
b43eed812c489386a9ed5ca26ea1c7334b50b42bdc211b1fc88d9c9af57ee8c1eaeeaf462ac9161e80b9c4f58dcb8cf3f7a1e6dc0cabfdf64fc81f5f8a4ff4dd

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\Microsoft.Extensions.DependencyInjection.Abstractions.dll

Filesize
48KB

MD5
49150accfabe329d8461f6b21aad54d0

SHA1
0f175a0b2c6db3e67a47829a09cf2eb7d76d8686

SHA256
4f9097d5648a861e430a44d7f4235e2d341072030b6802cf40899e3d84ebd0fd

SHA512
de86c291a063cca0396407dbaeab1de5c7c91ed8212a30efa89fadd48919d897541ca14c2083a6d9e142f4fcf703ff5d5c0940a5f460d3ff94663a19c40e10d8

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\Microsoft.Extensions.DependencyInjection.dll

Filesize
84KB

MD5
d462170d293a6ac0f097f60d7fd35e7a

SHA1
03d39daa516d61e3e05fa73f1aace7020f80cb7c

SHA256
60dd009f4cbec8f59aa11de4d17f6cc59581d82db1aa98595fdf17a14f41b47e

SHA512
b053f47e574cf31f3927ee5469dc969f387fd82b5df31da3db0f046e6a11face6a3b1ebaee1eb24f4b1e90f9be3a939fdc0402a52a064d0da727e65a0b99df7c

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\Microsoft.Win32.Registry.dll

Filesize
28KB

MD5
28b8ba37d2330d1c84e2b558f59d682c

SHA1
e0c6364a75b65ae63e83b6ed90d054bd248084b5

SHA256
ca0f785d76df350da9813400841cd3936f7bdd38afc009ec93a604163cf6d690

SHA512
080af4924d5d52a73f0eccc175ebdf4378f0f7b2cf5e443b436e0ba661345744cbf9f0b693431cde9b5cf071f46f2730f558499a0ab86dc2b75e13f0f23036de

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\NLog.dll

Filesize
928KB

MD5
d33f1ad8dd16daf5b9af7a9c2cec63b1

SHA1
2bafea8b472eddb23902e1544ae384c183cab51b

SHA256
fd457a60b82759dcee4266015c070796104a43f6f3f410bb02774efaedd6a82d

SHA512
5fca0ab4b1a0820b449435815871f04583c4334baeb7ea0a3a3294c2f553bae65d90a0df4ae8e1b3d1e05069266a706ef7c700963c83038f5c4cdbfcd9ef5b19

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\Newtonsoft.Json.dll

Filesize
694KB

MD5
c048265a5dbdf8df04aec525f9db7e4d

SHA1
8a7ebd71a1eb35272b7095eb1dac40dc76c186db

SHA256
c6847210c7910764828ccc6f4dbc8d3043273c076844b40282d1cb6ae4530a29

SHA512
f8261b416ed94e36b54375975990e7b4d814cb773b3161dd62a18ea33e5568d35de75a258023c74db09530a439cd755edf2167312464c3fcb50e657609e7cfb7

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\Nord.Communication.UpdateService.NordSecurityCenter.dll

Filesize
60KB

MD5
404e38ab406f46baf10d987f722f234d

SHA1
d3e329639b1d4c62edc2e6265ef2de7154418dbc

SHA256
157f8e6eb30fef3d152066c11e0e58db9064e2471ad5b0065586e2199b35db2a

SHA512
e915d0e1082311c8de7754aebd452140b42c863333b2d530f7495d51e7756ae755c39b06fa8e5bcedc7c508d10a551707d7a937265a68d5a016db05b61a63b2e

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\Nord.Communication.UpdateService.dll

Filesize
69KB

MD5
7976f0eeb5d946260833cdaab159d322

SHA1
cb17fa563185413e88999bfb5145379fcdccdf60

SHA256
d5c3e4fad90196fcb0e72e9bfcd282c2c438880ee2bcd23608f7e143da167003

SHA512
fb52069287b9ad1981dcfdb44d19cc1b1ec56fdbb4729036d110745b57472ff96f49ad1985c0761f2850968e6031021ae60a18294665d7481f8d6e706126b547

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\Nord.Grpc.NamedPipes.dll

Filesize
74KB

MD5
6061ffe635c51c55547a5639b39608da

SHA1
23abcffc7dd0b6112f162480855775a1947f7806

SHA256
2c30021cf004505a7414deba040f995c554444b7c0361ca572ac349d8301b884

SHA512
56d69dfc8e55c09d10b48a4079c87d74da295a36e0a754dc832f479cabcad6372c086f7822623dc9b39412c3458ab787e686e33971ca17e99052a3dee9eb9fac

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\Nord.Logging.Abstractions.dll

Filesize
19KB

MD5
13695b2b74b42e249aa0c6ca0420101c

SHA1
4a3be913139baa91bc037a595040381d9ef3d656

SHA256
df156567643f164dc2bddd311af5d7d31ec11834f2f5df4ea6c66265188e0efd

SHA512
710930a340020dd36dcfbe5efb82a405dd20c90576b7a599f528a0ea1daef311f57288a167f15ba55264ae926488cef295cdb7742c1a9d81cdebb72f51f409e4

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\Nord.Logging.dll

Filesize
28KB

MD5
286d12d41fffa7b09aba1f99a0f2c8f3

SHA1
7b6c9179646981a8e75a979e09d0934bbce4cfaa

SHA256
5788ae37cbabc4256fa15a7fed2d060d9f437e9e3981869eebd614a05e3b896a

SHA512
0be6b2a77eac4af5c6ae32d7dfaed9534d4f20a27008278a2765b499a7706d5f551c3f213f45c22317282e50fd5437aa3566e1217a295245bc1dcf74975c1ed6

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\Nord.SecureData.dll

Filesize
18KB

MD5
918445b3e2970a62bc8987c8a3a8b773

SHA1
4d15d83ca374f4a5f6b7d14e06427dda8d8bc4e6

SHA256
233a75a3d741fddf5ecf301e89019aadd3c85ff204b7776d56dc5991cbf1ced4

SHA512
0505f8497255c060405346cd0c17f088472fe66cd1364fb8f6b6928ec1564d5cf011173aea5144c3ad7d13ab0b52a651750fdfbaac3b0c061bbce17b6bd4e63e

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\NordSecurity.Communication.Ipc.Annotations.dll

Filesize
36KB

MD5
d3e65312aef11f9180ec041f686a6d47

SHA1
88fa8f036a592563ce5d2105d4be587c7c577110

SHA256
8774f51d99c27b858197b87b2db5e3350d738277c1f888ef8508447db7b8756b

SHA512
571b596c81e68d4d875509487954c5bc92a4acf8104c8cd5bf75e237e1ddf69957519934e1a59aadc0ed21c88fc61da10bd6b4b2e5689675930b0643c1506c33

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\NordSecurity.Communication.Ipc.Core.dll

Filesize
81KB

MD5
3a568990fd9f479557f7b803e0744545

SHA1
65dae64bf0df264f45e49334ececd1071fc166ca

SHA256
aaeb66a82ee4b57182a6bef8cb29a6730c96240ecf74f455e295e2efaa438a2a

SHA512
7e032ec246cf1d5ebe2fdbd1e833e0b70b2b9c26b802b5562d8585a334bddd98a85014b8076f24a2e0bab46cce108e74820ee032ffd2a9e68ac5a4acdf5f0361

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\SQLitePCLRaw.batteries_v2.dll

Filesize
22KB

MD5
bce733d28c757a7926f27ec4aa7c4575

SHA1
e3eed34cc3c08c172a34a6a4c9111f6b194e034d

SHA256
27214bd7e2d516dd783ad8dbd6b8596b35a99139631fd6be11bab13bddb984a4

SHA512
146f03a942fe66a8bf90c99ad77afee7d9ce9f7806a75c67f8b896208c5dc085c060c4f098bad691c9ae15a4263b14c1313e07cc755adbf13f70338ae7e23070

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\SQLitePCLRaw.core.dll

Filesize
60KB

MD5
6f83852ed06596ad2714835d94056311

SHA1
3cad668cca9b44e034537e175422a82ecaac13de

SHA256
2a633ffedd5734778cea79cb4c83bd77320a5f4588724431a8a013fa1ccfbf77

SHA512
e49f58eadc1e5ae752c465304a6d1fde4c0101adec0998716dab261cd18bbf803b4cabcb20a90909122e8c460efe3c4adad13f40af775f68f932b027f8aeafef

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\SQLitePCLRaw.provider.dynamic_cdecl.dll

Filesize
74KB

MD5
274a4cbfde5e33128aa065baa42b2444

SHA1
4edcfcd18970b35150cd9e9b066e7bb5e6e9fa6b

SHA256
1675c7c3aa911950d7de4693c6352f857a74a916e7f9f580e00cb27063bb8beb

SHA512
c9e3deb41cb86961bd8c5d1bb5b0059d2497af9a9d948b3509a57cfe0d4ace1b1ece054617202a58d2dd92747177fe56c10eda03ca5a8b685e1bf42a48494900

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\SQLitePCLRaw.provider.winsqlite3.dll

Filesize
50KB

MD5
7d191811d436bf9be6eabe1f40cb5f45

SHA1
4726fd3cba14425fdf643b58cb3a071b7a840b1b

SHA256
4d1061ef7f2cd1b7c34bea75254d726843466f03382ae4622142ee7b4f2e2293

SHA512
fe3562b383dd3f767894db35a700ea5a8999ea528356a9bf3ff5ba5f2298f8ec5725393d6db7be3047ddadee5136b68d21eb49156595cc432e469729a7f6fbab

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\System.Buffers.dll

Filesize
22KB

MD5
39f5df6d9f0a346d5cd82b95d3dda742

SHA1
3e17f08f7254593d361170b78ac3dad7600a7185

SHA256
f342c117cecc0cbf796ab8e2e3eb20efc2bde05472d21cf0aa972a612bcf0318

SHA512
b7229ea3f4c66bff9f38f9ec0512623e45a3a40d7acf574726e628d88a8b5ba467674f2469d4dc328102551839ad2b51010a80251e6faf113b0f2172d2356e49

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\System.Memory.dll

Filesize
140KB

MD5
54f9ec5237add68456489b06f444ea48

SHA1
305b443a1fb3958cae4adc3b2936bcadc0a21eec

SHA256
664cdea9e0223b2fc427cacaed22a29bd733f65f8dddc16fdcb28480f8250248

SHA512
37399f02d684313cc03ae8971f37e6b973aba41efbc3070a440e56303a949afae92e253c11ed26840448d2d46f65dbdbca6401db2e1d4b8651fd05a925b73bc1

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\System.Numerics.Vectors.dll

Filesize
108KB

MD5
a9bdf914265d4bf02d599a6f8479914e

SHA1
bc06104da1f6b671dda4dd102c3dd64ec1ccb855

SHA256
929ceba9b4905bef105771a98dce9a6e4a4f24ad6aebf51873aa27025781c2d8

SHA512
de7bafe1202dd1be22185a167c575f6371b242a5300326f2d27821264d109ac8eccb1b5694cbeeee84bca5c8e5cd0856ffaad76f2c519152cfe892e3e1339a9f

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\System.Runtime.CompilerServices.Unsafe.dll

Filesize
19KB

MD5
bf08fd9569aa809b70ea7bd94fcbd36e

SHA1
ec20034eb8b032b18b66e073c832cfb503153fb2

SHA256
d85c1235dc35b71ea6f0668695a8d5e86747330392aa34a1d959bbd2a1e4a34a

SHA512
684efa8b82660e9c5d72caed1f6317417a811ea132a8e9f2c938b1ef781703ed4bb5d1e90f6d36a6bde354f32a4c73f53276f638142976eb4e70be04e794d663

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\System.Security.Cryptography.ProtectedData.dll

Filesize
20KB

MD5
947bd3280c3fbaa5d74ddbc774151ff5

SHA1
c359d1b2fd9ed101fc7f6e0dd66d7736e8e61947

SHA256
3c3ad36f2c15e7563058e296973afc5901bf3aac7803fb9dc643c99e395a1df5

SHA512
8d4c71644cf5a50a3fae8c90413661efa332e320ada1a39ce0a05388e38dfd06053dceac7e11ef49ff6a35a714511aec5ae64cd81a215b5703a5e5fc0b70417b

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\System.Threading.Tasks.Extensions.dll

Filesize
27KB

MD5
08f5a32e61c29ed8ca1d9659b03bc30e

SHA1
2da2a75d555483a7d0b3ae5b229946866ff87d03

SHA256
ef0e9cad8d67d64eb92ce2bc8901feb20321ab30ca86f5b92941648ff0897499

SHA512
cacfe1ee4fd9023ccca2de58fa6eb7c45fd21da74439a9638651cef716f1385d831e2d2085d81fb61d8721900537092b0332fd09f61d3d08bd2042332226c338

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\UpdaterWindowsService.dll

Filesize
261KB

MD5
4a2782edaa6b9a524f640f8ac5ce72c7

SHA1
abac13f0b4d47c8af4e7e5e349e405de5d50b807

SHA256
a764d40c42972f3664cb30f2fb64501ec0b8718576db85d2246f22568db5e4ad

SHA512
15129464bbdddf02ef0f6932e0b286167f41ab49e9d58bb328eec2c179af48a4416bad37d60e658f46988d9a1f2f7a92bd96c44a9f9c4fcb1babe5503aafe6cb

Download Submit
C:\Program Files\NordUpdater\1.4.2.147\e_sqlite3.dll

Filesize
1.6MB

MD5
3705e8449b118115e433f424606f41ef

SHA1
3a45e0cc657cb7159d8f62e34d7aab885d57d7e2

SHA256
bf76fc3505d7b0ecfd7a4c0d38923e64bb4fc493666aede2d38917be9359771b

SHA512
44310610a9821f18de15dc8fd8a64ad522a3175e1e6942bc5778e58da77e5a44230c5bd3c1d193ae661fa9d58bcabb576acfab59cce2a01d44490bb0f6ea1132

Download Submit
C:\Program Files\NordUpdater\Nord.Common.dll

Filesize
41KB

MD5
93b54ae5ab538c423aa42e0ad9f21369

SHA1
54217b5a2fb10b7f786837c3a9dca98ddc03a07c

SHA256
c748e1761528e54cb6637e46a50c39a1bb5e8f951ae19ebe64c3f424eb774181

SHA512
3bcd7772251c0c59e76f345c218e972cb07dcf14dedc3f07ab90d658470770883d41ae0671bc87796097b6fcfa12476202d1d0633c07ef4fd0d338ac00d214ac

Download Submit
C:\Program Files\NordUpdater\NordUpdateService.exe

Filesize
290KB

MD5
c59d83ce3b43dd07757910b4c1694b40

SHA1
7671aad5be051ef18ecd733c36ad58edb8a98297

SHA256
e99fd45109ffdf65e427a60c6846aa7adc6da833a97273ae99c7f6dcade0f7ca

SHA512
aac5b5c549f47ffbafac11a8f132d5202e9edf4389c4a4d25b569f7031c898e5aa490d8a56d4b4db5644ffc0d54d3e76492eec775b5ce3352a60c31b949570af

Download Submit
C:\Program Files\NordUpdater\unins000.dat

Filesize
65KB

MD5
57186586b1a1b52cf3ac36df4b656fd0

SHA1
0927d24d6a2db5e3aaa8c30d453232c38f419e10

SHA256
7a4dd84fd40a77c06ecdd8bce40645ac1571d4833ac2356162279a80b0af17f4

SHA512
c4b7a672b5557ee31b645f8b9663529f8a0f2e996e540a9d4e188227be4ed6a61216cf22a58325df695aba32d311bc52fde75bd0c9d3fdb4575583a5ff58e81f

Download Submit
C:\Program Files\NordUpdater\unins000.msg

Filesize
23KB

MD5
7c50fa817cb54f049c2fb3c974a4694e

SHA1
517967e404058f6854f602296f92e8deec4954f5

SHA256
1ccb7b601e475369727b1bce89cda0551f1af9b6f06553224849e71c2169e09c

SHA512
33dd839642bfde741d12cb8d7706cde54193a4983b9de25cb3d30f2c82a6854a96f475cca7d1c0da56a6d523588b2a81e4b2add02bc7ae8b822e8ffab4b55ebc

Download Submit
C:\Program Files\NordVPN\7.21.2.0\Diagnostics.exe

Filesize
444KB

MD5
a5e64460dd0846e38a24bd6434099aea

SHA1
fc4a5ee2c968c19fd417c09e89f6093bf5cc65f5

SHA256
52c6bd2c43b5ffc252da7db9d7542f23d24f253b50c941cad212240c53683e94

SHA512
b7807d302d9db393a590cd5c7f068be7abcba572f88952f01d5508fb6f357b9b836af0500cbb40ea2c451dea50de0f27e63ff2d522b35d16cab14a9632f5450b

Download Submit
C:\Program Files\NordVPN\7.21.2.0\Nord.Common.dll

Filesize
40KB

MD5
4029f5f83160e495ece0c84ef6fe7420

SHA1
ad0b784e16343c3a25c3c7e4eb2dde7331a1f9fa

SHA256
bde128af8478d5c60917fd637bd9d62cccffd1fb2e594779595f30abcc6b6b21

SHA512
303fc5145c964bc2f0c4060a86d57ccce21cb09a2c13fb8559fef44917355c06e43f9091cc792757c8ffb588d8b6b069dfb26d6ab2e280156a016e22808804b2

Download Submit
C:\Program Files\NordVPN\NordVPN.exe

Filesize
257KB

MD5
ff4568edc9fce6309a363f53e8265850

SHA1
74f421d5b757f9e5a9526ba390b59f4a871ce3da

SHA256
6788f84fe5b1c321575c35da92f6ba775dea7937fcad83409119dbf8ba2d8aa0

SHA512
a7e13a77e3bffb697fdb019eccd9a8d629659c875e8a47203b57e886ae241f96a6a97600404d4fbf9eb010a1a31d6fe282a9c6685a970af5a13960fb350d74fe

Download Submit
C:\Program Files\NordVPN\Resources\toast.ico

Filesize
87KB

MD5
81cddd84c0faeb97dfb495ddfea1764d

SHA1
65c4da96f72f73489623e1d3c2ce32ec2e804147

SHA256
d1c0c7eaf223cab955a8d29e019566028227b7d8b74fc8aa8fe65fa782e02738

SHA512
a5fe3fe49aae367e2ed6c9c740db8b322bf5a781d5f0c23637fdde950502e4aaea7fc5e7d55315896cd382222bb42043918856d8a2325571ff2a2f7dbbcd7641

Download Submit
C:\ProgramData\NordVPN\configs\templates\template.xslt

Filesize
3KB

MD5
c79bd4b94b0b83d4a3e1588614524a95

SHA1
26a2ac217abd39a15773d2e3d2a6aa2ac7d45369

SHA256
d6ed263761188a215ce302b69fe0b73b6dc796f5935206c56d2f9e1694c00635

SHA512
b0e4926b49ec76fc0fb66021598f836e34b61a7540769346b9a0689ca7dc11bb65309ced8444f7a9d80727858720387b99b1eb49d6819b07f257acbd7f3ef0ea

Download Submit
C:\ProgramData\NordVPN\configs\templates\xor_template.xslt

Filesize
4KB

MD5
542e0102aa5dc40e3cb21c84ae94d053

SHA1
e48cc5b7c06513b86180c52270e85dd08e74c86a

SHA256
56c2e8781f54a083aa5a3b19b8e018ab96917e0bfe79be8593161f2f2954276c

SHA512
74d2394514e8f13244517c225c2e4dc17f2a9f796b437d7c7f7ac8635654f4677a490e8879a1e52aa8ffe0b769124dfe173db3ae97f9ccb369fd67e7d12eaf27

Download Submit
C:\ProgramData\NordVPN\records\auditevents

Filesize
8KB

MD5
a875f43efb974e2c10d4d6e41120f637

SHA1
a272224ffdecbc26d909625f4119ab4fe9b95f8e

SHA256
1ba4e3563edef90c6728929a6335b999fbdc41438639044db4fd3d7dcf57f960

SHA512
9ebda151935dcc9ae86d486a600ab6159b698713718a0a2c811d085798e45542d349a0e27bfec9ed1e7faadb1f5af9084337c7edd15b764a59d9a7ae3b391cc0

Download Submit
C:\ProgramData\NordVPN\records\auditevents

Filesize
32KB

MD5
7d004c36e5ee6820edc4a4b4894c86e2

SHA1
2fcbc3e9127bf244c2ed56a6313d47997fe3e6e1

SHA256
6f895d55729378c1ad69f6eccd0a342d8a67d0663fdec92407d4ff834ec282b8

SHA512
d7655b462c720ba59fe39375a97623d7d8cd98e26a4c858cccca2597c8775e9e52ebb913233572a1e05e18482b48d445c2c205d93b6bb27e6fc162f00511fcbd

Download Submit
C:\ProgramData\ws2\LZBGRAQTNLQPQOOYGU\NordVPNSetup.exe

Filesize
1.7MB

MD5
5d6f0577264346d7c28f1853871d89b7

SHA1
a606fa6e79ed5ca473eed30cc8483901ca67fae1

SHA256
391b613c8db8f21fe6545d6448adb188dd2b54749f31e7cd7abefb6e61f388d2

SHA512
9d43f0ef1ed41ac338a157dbcc74e5ebdb00ff83935aeb96095af9fe780a2217ae6362e6577b51780baffcaa50e2ee8f0c92345a473a199da5897411d3f72159

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NordVPNSetup.tmp.log

Filesize
932B

MD5
87c54d4da204ea1d4fc9489bd45d06e3

SHA1
f9ca47f0b16aa375eaf991dc83aec09678e6f749

SHA256
c282cbbfd81749788f382185502d567ca75e78030781b498e9ba976fe4d96f63

SHA512
172fe3085c22a5b595929e2837174412d1007335b3ef6682ac560b9ec728b2d27664ddb458a79adc59fe1344077a71719660b3b911f926b7080bfb49bff9dc21

Download Submit
C:\Users\Admin\AppData\Local\NordVPN\NordVPN.exe_Path_0c424lopi0elj2nvuynpwdnjavgmogrt\7.21.2.0\user.config

Filesize
1KB

MD5
826de7e6ca973cc930cbde51fd6fce92

SHA1
e1aca23f61f358e09a02bf1dd870ded77d028c1d

SHA256
a89b080a54b86e52991b584695d4a9251f7bdce90c032a0eebf2e134e5e31751

SHA512
c3dc40c761ed9a382308082e7f9a16a87ea187f1800ab6154c95760739670ad4c333e34adda8ac8cbac976458120420037fe5a90e6ce3b1201569ee4254cc6b8

Download Submit
C:\Users\Admin\AppData\Local\NordVPN\NordVPN.exe_Path_0c424lopi0elj2nvuynpwdnjavgmogrt\7.21.2.0\user.config

Filesize
14KB

MD5
a6c1d341a6759145eb4ee19ef6ff51ea

SHA1
aaddf9ff65590c3f8dbd72e429098d3479b1016b

SHA256
24add953ef212e0b455b6ff914c56ddd3b35c7047a45443efdfc4ab5dffc106e

SHA512
d19569a110bc00ef8498cc1edc338d2b9c5c5443f2eda1dd425c92e438a3a069590eecdd10f04fbf9be4222080e8252af153ecae50180245f326e4b009f2f2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\15b093e3

Filesize
3.1MB

MD5
54eea75d1de4e638a16d039515d8ffa1

SHA1
5a4c75056021f380f1c0f8c885ac77c26000575c

SHA256
5e304d13f313f9224b97c0f6b43257a4afe6f5543035fd5f3ca51f07cf273135

SHA512
189a84077c374a376e8dcf4d752eda84f0e866478e4bb5b7df30c9408d37b38e6bb937fbb50b2a2c6b1ceadf762af9799b1c8af479d2d21b6a2768bc6017c18d

Download Submit
C:\Users\Admin\AppData\Local\Temp\167f55f8

Filesize
3.2MB

MD5
8148af1884bf91693bea262974afe195

SHA1
2031beeee3324d93b2bbede0f148f24ad2fc785b

SHA256
7b6e3663ab4aac2d1ad94ffd48574899b9282515a070c1bad719296a46749229

SHA512
8ab4608d7147b18d20719c35dc7d63da67d1e64ebbf0a46db4a284eda82581759bd8927bbdb06bbddf9577bb6d066a2c8d60ca7a23a1c4e1256cf73993fdb6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1GN8A.tmp\Nord.Setup.dll

Filesize
43KB

MD5
799f59bdb3eb6483a34bbb4631f5aaf8

SHA1
f5a1c87fd49352d9e477047b21abd9d29a5167fd

SHA256
8e40d8a719ca2e70d27a32c74377712ddef1e1b0c2a262a233c57e2adbc62c2e

SHA512
1087487333d1af5502c5f52a221a538d5ace841155ee749b23428e4b4377e0f8bc1e1daeea37563864e41826cb2054d117a751c77b1decb98ffeb05fb69fc385

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1GN8A.tmp\NordUpdaterSetup.exe

Filesize
4.0MB

MD5
99109ff7f7b52ef14f711bb97308097b

SHA1
a06beb27cd40aeb84624b4ccb4683a221d8c69e6

SHA256
83baaa6226bbff881fc22a3e0719f443d3cde821e0971de03a75069d0b74bdf8

SHA512
534be4961f4b9c78a3966d6e976a9a3ff69d50b52631163738399893cd1d44f81a051f3003ada2d1bfc3e13bdb5d5c40eef2113ee63c1dee5ebced22440171f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1GN8A.tmp\VerifyTrust.dll

Filesize
85KB

MD5
dacb58a4faa4c897a513f8404bb2e402

SHA1
b0d3fc37ae2f1e4602e2164462f4ae6fc8aa540c

SHA256
a400c9af4775b27462bb9b97f1d158467693cf0186b14629acd4920ed25adfb9

SHA512
a84d745a2525be631cb0e6d419b81ee32b30cdf63736249f918b1ed40cae2ad39844519010c94b9299391e7df994040ecbb6b47070311842d0272a2409b31150

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1GN8A.tmp\isxdl.dll

Filesize
169KB

MD5
7998a1a52eedde342de34b4147006419

SHA1
8fad49145668b4387d233e296b6f57342c7a1a55

SHA256
48003909f632c53e9ab7edaf8660b6a12070325d733c7c14f0e3c2d72487a8fc

SHA512
5d217922dfeecae213dfa950c3bdd402c27fc8ffec0de31ec6a457811c45a230e0a940d2dd8736be192785dfb77cfeba7bb6bda74ff0050a9ee1b05c3c4486b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5DUGV.tmp\NordUpdaterSetup.tmp

Filesize
3.1MB

MD5
c85151b9fd9f2784c1e4f7e3da4f9fda

SHA1
9066a3c0acba33a097d8d8fa9462fb33341b2464

SHA256
62a620aa6727e7067084c644456ee6fd8a8db79f6251c08c5257315a32ae5fdd

SHA512
36dda64e8fb09dc0825c84cdf342898ba7b630488291654f32aa3d9fd220a744d90f2e7b94c6de01cf32dad90e05cb0c9947781f06ad16d1ffd7c6f57df544ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-72TAH.tmp\Nord.Setup.dll

Filesize
40KB

MD5
fb15e8ae0e2decdb97257514355d2b0e

SHA1
d329afd113203e248d945609793a4c9663665bbb

SHA256
3a658d57d8723a5ab7a29ae212d3cee0c090c04d5a02579fa4cc1b658929c0b7

SHA512
08493b22ee4e082bd6ea0935965bd54dcbdc0992793b0fb7caf9801351f815a81dd143a87b6ae2d0ed45f20fe7f33680ae7dede3e915ada8ebe9b7522eb507f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-72TAH.tmp\NordVPNSetup.exe

Filesize
48.7MB

MD5
8f5d6cd2912ca247b49eb4a299b1f96d

SHA1
c0299be859a3236b3e31db7d5f938ce06902a7ac

SHA256
45a0859c5a47d56f22807434a7cd6b15189db4c11f8f701d2567fbe14630644a

SHA512
248eeed6e0f88845a90bbeec29a2aa8ae484fb964ec2385081881bf9228af02ef95536330df174a5ed1eac91f1798bfdbd75059e89e53a4c1c5f8f2386cc4fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9HK5C.tmp\NordVPNSetup.tmp

Filesize
3.1MB

MD5
6693ddaca0479cdeea33386155e9cacf

SHA1
0b426408257359afbcee9de1332804541aab1e89

SHA256
384dab757af95f6d6d4a80351507f6f455c0fce58f2aa32ff1c1e8ceeb3ade82

SHA512
8afc8322631da373c9ea09bc81df6c071ea760d9ac3535235c4f59768a1a8ffc654741205baddb4fed843eb20622e534432171e8f436a05e88fd320232df9678

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ALGL8.tmp\VerifyTrust.dll

Filesize
85KB

MD5
9a326be60e5714739b50ac33c2577e79

SHA1
dae4d405e0eef41a19e9e4ac58ce8d9a20e8094b

SHA256
5fe545ace5098b313af5eaf74b4e6ab769b3df635a956889bcd21268e8e393a4

SHA512
cf4d5d6a6df9114e2b1a826c8416445efa594bf9b57fa605069c44644caa1a5390330e7ae4357eedcc6c451d5cd2df90f7fa885fa94f6b7f62b91bef087a7a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ALGL8.tmp\isxdl.dll

Filesize
170KB

MD5
0f714846f9ae8a60f5cdb4811377b23f

SHA1
80033367772bac128fefa8707ad64b4b27cf0c34

SHA256
98d547efb2bb65c32cc278beed99c4c9ce83e63f0032ad327fbc5241cdbaab90

SHA512
5149814592ffd2f756f60dbfc8bf10dc7c91e3c8b4a8d1c881dc0c3b2ecc6ffcf98fbd6b7e0cbf2d85d02e314b8ccf8f6d1646198553365c5560fb267bacddf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KGHD7.tmp\NordVPNSetup.tmp

Filesize
3.1MB

MD5
fb5d94b4bb166a662617a68009ab63ff

SHA1
c161ddcb4ce3142f4205d5b4a527b8d8eb7add05

SHA256
641b41439676f656ddcee1785889129e4c0c25171f073327825c566f51d2124d

SHA512
b215712ddcdbc3a0072d63aa2e0f68516c097dfcb3ccb700e187c93c12e723d5c7751e01e709b525ff5130ba4bf47fd4d3f60a10bfb44e5fb07efd34a2cfcced

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1AB9.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1AEB.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Windows\Temp\TmpC2CE.tmp

Filesize
782B

MD5
4ee28ea0e8c6d8bee2db4e4521123b53

SHA1
0c42741f31bc5c915fc0d4a2908ee43f372d06bd

SHA256
fb1aa055dff33e58012f7c6b9d85eaf7234ecdce31e05f7caadebb76ee4fadad

SHA512
f95e1a3e4f5e32bda6d1f9d30c6d750e61fee372f5eea5519b83bfaffe6008ac508547306957b4de3bf5b43bbd2f684f1b8042312eebbc6ea3614c4b13cbbe8c

Download Submit
C:\Windows\Temp\TmpC2EF.tmp

Filesize
804B

MD5
8120a2a5bbe15b94b00ec360f3b58674

SHA1
a52a5eec1c4b8400f6649bfdd55e8c39f0f53c12

SHA256
669fce0c7d292a008fd26854c1aa1dd3a7af9c255f0091af809c6eb21f6f70d6

SHA512
87d7ac253c7deb10c03ecd8f7a239dab778f4da1fc91e64c6960299e756e10e7bd52c6420e54311b7cb34a0689f99edac8f4995c33e484ba9f90cd7ea84e89dd

Download Submit
C:\Windows\Temp\{9bbd6cb8-013a-324d-bc3f-24fa0c81b6cd}\OemVista.inf

Filesize
7KB

MD5
0d719e9779f64ab6499ccf7452f99c9b

SHA1
8e170acbbb222588a05d4b22105ce056c342859a

SHA256
fa56f77404e9fa7723d95a493f206f1bfd2644d83af984b92a45c94a2ea4f7e5

SHA512
6904c34f93a3fc4276f113faffd14084a50e136a7bb5e31129c3bf030fe2b6d1b5c2f919eafa2e322f01db57a5376a2c2fca37f402a8e51f7161c5d016565050

Download Submit
C:\Windows\Temp\{9bbd6cb8-013a-324d-bc3f-24fa0c81b6cd}\tapnordvpn.cat

Filesize
10KB

MD5
ae5e7a3609077ef8ef287a90fa34599e

SHA1
0046cf86bb16e8aa8f036684a79e8ee2e47a6e96

SHA256
50315c54f0f5727df5b00047757ab038d9946e2859deeacfa8d5d9d050b3fd8a

SHA512
08efcec283a564a4956c7583209b403d6727e1cec08a4ac5241e897f40bbbb6b3f6bf3d4a08e2d2df7ac89826168367bb56a39dd1ad5d0cfcf3ce72760d5f0c0

Download Submit
C:\Windows\Temp\{9bbd6cb8-013a-324d-bc3f-24fa0c81b6cd}\tapnordvpn.sys

Filesize
48KB

MD5
adbefa4c0ad655eae60fd5b58e6e7be4

SHA1
c18fcab0dbaaf6407441a596411f33c454d8a345

SHA256
b64ae9f92a2542ec8ce063f81ba96894076f2d5eba37e25c47018d0db38ef503

SHA512
acb5498c70cc57e9b5667e1115ef1dcd7b345f619cf7a8734117f1f85dd2091787a4f9be3af8c306ba0b897b04644c936f242ef65d7b397a1a60cfa6a315ca66

Download Submit
memory/232-168-0x0000000005700000-0x0000000005792000-memory.dmp

Filesize
584KB

Download
memory/232-424-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/232-171-0x0000000006240000-0x00000000067E4000-memory.dmp

Filesize
5.6MB

Download
memory/232-162-0x000000006D850000-0x000000006EAA4000-memory.dmp

Filesize
18.3MB

Download
memory/232-166-0x0000000001190000-0x0000000001264000-memory.dmp

Filesize
848KB

Download
memory/232-169-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/232-174-0x0000000005EE0000-0x0000000005EFE000-memory.dmp

Filesize
120KB

Download
memory/232-173-0x0000000005970000-0x00000000059E6000-memory.dmp

Filesize
472KB

Download
memory/232-167-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/232-223-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/232-172-0x00000000057F0000-0x0000000005840000-memory.dmp

Filesize
320KB

Download
memory/232-175-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/232-170-0x0000000005AC0000-0x0000000005C82000-memory.dmp

Filesize
1.8MB

Download
memory/2228-1402-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2228-97-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2228-133-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2508-150-0x0000000003560000-0x0000000003570000-memory.dmp

Filesize
64KB

Download
memory/2508-1218-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2508-134-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2508-206-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2508-204-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2508-200-0x0000000003560000-0x0000000003570000-memory.dmp

Filesize
64KB

Download
memory/2508-194-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/2508-165-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2508-1400-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2508-103-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/2508-1040-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2508-156-0x00000000753C0000-0x00000000753D0000-memory.dmp

Filesize
64KB

Download
memory/2508-157-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2508-155-0x0000000003670000-0x0000000003680000-memory.dmp

Filesize
64KB

Download
memory/2980-17-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2980-48-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2980-124-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/3344-952-0x000001F3AE0E0000-0x000001F3AE0F0000-memory.dmp

Filesize
64KB

Download
memory/3344-807-0x000001F3AEB70000-0x000001F3AEBE6000-memory.dmp

Filesize
472KB

Download
memory/3344-957-0x000001F3AEA90000-0x000001F3AEAA8000-memory.dmp

Filesize
96KB

Download
memory/3344-941-0x000001F3AEA90000-0x000001F3AEA98000-memory.dmp

Filesize
32KB

Download
memory/3344-938-0x000001F3AE670000-0x000001F3AE678000-memory.dmp

Filesize
32KB

Download
memory/3344-939-0x000001F3AE0D0000-0x000001F3AE0D8000-memory.dmp

Filesize
32KB

Download
memory/3344-935-0x000001F3AE9F0000-0x000001F3AEA16000-memory.dmp

Filesize
152KB

Download
memory/3344-934-0x000001F3AE760000-0x000001F3AE776000-memory.dmp

Filesize
88KB

Download
memory/3344-933-0x000001F3AE740000-0x000001F3AE752000-memory.dmp

Filesize
72KB

Download
memory/3344-427-0x000001F3953A0000-0x000001F3953AE000-memory.dmp

Filesize
56KB

Download
memory/3344-428-0x000001F3953D0000-0x000001F3953DE000-memory.dmp

Filesize
56KB

Download
memory/3344-430-0x00007FFA67550000-0x00007FFA68011000-memory.dmp

Filesize
10.8MB

Download
memory/3344-433-0x000001F3AE0E0000-0x000001F3AE0F0000-memory.dmp

Filesize
64KB

Download
memory/3344-495-0x000001F3AE000000-0x000001F3AE044000-memory.dmp

Filesize
272KB

Download
memory/3344-500-0x000001F3958E0000-0x000001F3958F0000-memory.dmp

Filesize
64KB

Download
memory/3344-521-0x000001F395A40000-0x000001F395A60000-memory.dmp

Filesize
128KB

Download
memory/3344-545-0x000001F3958F0000-0x000001F3958F8000-memory.dmp

Filesize
32KB

Download
memory/3344-536-0x000001F3AE050000-0x000001F3AE06A000-memory.dmp

Filesize
104KB

Download
memory/3344-552-0x000001F395900000-0x000001F39590A000-memory.dmp

Filesize
40KB

Download
memory/3344-557-0x000001F3AE900000-0x000001F3AE9EA000-memory.dmp

Filesize
936KB

Download
memory/3344-922-0x000001F3AE0C0000-0x000001F3AE0CA000-memory.dmp

Filesize
40KB

Download
memory/3344-627-0x000001F3AE090000-0x000001F3AE0A8000-memory.dmp

Filesize
96KB

Download
memory/3344-634-0x000001F395910000-0x000001F39591A000-memory.dmp

Filesize
40KB

Download
memory/3344-645-0x000001F395A60000-0x000001F395A6A000-memory.dmp

Filesize
40KB

Download
memory/3344-658-0x000001F3AE070000-0x000001F3AE080000-memory.dmp

Filesize
64KB

Download
memory/3344-671-0x000001F3AE600000-0x000001F3AE628000-memory.dmp

Filesize
160KB

Download
memory/3344-689-0x000001F3AE0B0000-0x000001F3AE0BA000-memory.dmp

Filesize
40KB

Download
memory/3344-684-0x000001F3AE080000-0x000001F3AE090000-memory.dmp

Filesize
64KB

Download
memory/3344-800-0x000001F3AEAB0000-0x000001F3AEB62000-memory.dmp

Filesize
712KB

Download
memory/3492-1675-0x0000000077A50000-0x0000000077A71000-memory.dmp

Filesize
132KB

Download
memory/3492-1677-0x0000000077830000-0x0000000077923000-memory.dmp

Filesize
972KB

Download
memory/3492-1676-0x0000000077960000-0x0000000077A4E000-memory.dmp

Filesize
952KB

Download
memory/3864-93-0x0000000075200000-0x000000007537B000-memory.dmp

Filesize
1.5MB

Download
memory/3864-158-0x0000000075200000-0x000000007537B000-memory.dmp

Filesize
1.5MB

Download
memory/3864-159-0x0000000075200000-0x000000007537B000-memory.dmp

Filesize
1.5MB

Download
memory/3864-125-0x00007FFA87250000-0x00007FFA87445000-memory.dmp

Filesize
2.0MB

Download
memory/4180-352-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4180-211-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4616-49-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4616-121-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4616-43-0x0000000006A00000-0x0000000006F2C000-memory.dmp

Filesize
5.2MB

Download
memory/4616-41-0x00000000740F0000-0x0000000074100000-memory.dmp

Filesize
64KB

Download
memory/4616-104-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/4616-42-0x0000000073850000-0x0000000074000000-memory.dmp

Filesize
7.7MB

Download
memory/4616-40-0x0000000003790000-0x00000000037A0000-memory.dmp

Filesize
64KB

Download
memory/4616-122-0x0000000073850000-0x0000000074000000-memory.dmp

Filesize
7.7MB

Download
memory/4616-36-0x0000000004370000-0x0000000004380000-memory.dmp

Filesize
64KB

Download
memory/4616-23-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/4700-12-0x0000000075200000-0x000000007537B000-memory.dmp

Filesize
1.5MB

Download
memory/4700-13-0x0000000075200000-0x000000007537B000-memory.dmp

Filesize
1.5MB

Download
memory/4700-0-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download
memory/4700-9-0x00007FFA87250000-0x00007FFA87445000-memory.dmp

Filesize
2.0MB

Download
memory/4700-8-0x0000000075200000-0x000000007537B000-memory.dmp

Filesize
1.5MB

Download
memory/4700-2-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download
memory/4700-44-0x0000000075200000-0x000000007537B000-memory.dmp

Filesize
1.5MB

Download
memory/4956-227-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/4956-351-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download