NordVPN[.]appx

Sharing

Copy URL Twitter E-mail

General

Target

NordVPN.appx
Size

135.1MB
MD5

767f533cf56a706ed7c8bd0e56808d4a
SHA1

a78b83f9bc132046e8d1e3fa1189782b33304fc8
SHA256

347d45c493d2995125d1e22fe00c074c9e5a890d4397405dbbd40f8335869ce2
SHA512

5106a35014664016015b754e5766f9fde003c8e33d5ae23706e4bf3cddbdb043c96c401320851e00e0e4e139f74f1c74d65625aa00e6b1902a7287c6d418ffe5
SSDEEP

3145728:ovDX/efStpmbd3cZXsiKRnMfIcYNVZiTeoVu1uX7rAUMg47zNO0SPo8Zbru:ovDAStpj9ontcyVZiamAuLX947xOje

Score

3^/10

Malware Config

Signatures

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack002/VFS/AppData/local/gpg.exe
unpack002/VFS/AppData/local/iconv.dll
unpack003/AI_STUBS/AiStubX86.exe

Files

NordVPN.appx
.zip
AppxBlockMap.xml
.xml
AppxMetadata/AppxBundleManifest.xml
.xml
AppxSignature.p7x
[Content_Types].xml
.xml
assets.appx
.appx
AppxBlockMap.xml
.xml
AppxManifest.xml
.xml
AppxMetadata/CodeIntegrity.cat
AppxSignature.p7x
Assets/NordVPNSetup.exeSquare44x44Logo.targetsize-16.png
.png
Assets/NordVPNSetup.exeSquare44x44Logo.targetsize-16_altform-lightunplated.png
.png
Assets/NordVPNSetup.exeSquare44x44Logo.targetsize-16_altform-unplated.png
.png
Assets/NordVPNSetup.exeSquare44x44Logo.targetsize-24.png
.png
Assets/NordVPNSetup.exeSquare44x44Logo.targetsize-24_altform-lightunplated.png
.png
Assets/NordVPNSetup.exeSquare44x44Logo.targetsize-24_altform-unplated.png
.png
Assets/NordVPNSetup.exeSquare44x44Logo.targetsize-256.png
.png
Assets/NordVPNSetup.exeSquare44x44Logo.targetsize-256_altform-lightunplated.png
.png
Assets/NordVPNSetup.exeSquare44x44Logo.targetsize-256_altform-unplated.png
.png
Assets/NordVPNSetup.exeSquare44x44Logo.targetsize-32.png
.png
Assets/NordVPNSetup.exeSquare44x44Logo.targetsize-32_altform-lightunplated.png
.png
Assets/NordVPNSetup.exeSquare44x44Logo.targetsize-32_altform-unplated.png
.png
Assets/NordVPNSetup.exeSquare44x44Logo.targetsize-48.png
.png
Assets/NordVPNSetup.exeSquare44x44Logo.targetsize-48_altform-lightunplated.png
.png
Assets/NordVPNSetup.exeSquare44x44Logo.targetsize-48_altform-unplated.png
.png
PsfRunDll32.exe
.exe windows:6 windows x86 arch:x86

2a22b6fe5189b8928e2d5bffd5eb859c

Code Sign

54:98:d2:d1:d4:5b:19:95:48:13:79:c8:11:c0:87:99
Certificate

Issuer

CN=Microsoft Identity Verification Root Certificate Authority 2020,O=Microsoft Corporation,C=US

Not Before

16/04/2020, 18:36

Not After

16/04/2045, 18:44

Subject

CN=Microsoft Identity Verification Root Certificate Authority 2020,O=Microsoft Corporation,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bd
Certificate

Issuer

CN=Microsoft ID Verified CS EOC CA 01,O=Microsoft Corporation,C=US

Not Before

21/08/2024, 06:31

Not After

24/08/2024, 06:31

Subject

CN=Caphyon SRL,O=Caphyon SRL,L=Craiova,C=RO

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bd
Certificate

Issuer

CN=Microsoft ID Verified CS EOC CA 01,O=Microsoft Corporation,C=US

Not Before

21/08/2024, 06:31

Not After

24/08/2024, 06:31

Subject

CN=Caphyon SRL,O=Caphyon SRL,L=Craiova,C=RO

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

33:00:00:00:06:4a:1a:fa:cf:05:61:6a:74:00:00:00:00:00:06
Certificate

Issuer

CN=Microsoft ID Verified Code Signing PCA 2021,O=Microsoft Corporation,C=US

Not Before

13/04/2021, 17:31

Not After

13/04/2026, 17:31

Subject

CN=Microsoft ID Verified CS EOC CA 01,O=Microsoft Corporation,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:07:87:a3:34:a3:7b:a5:8e:1c:00:00:00:00:00:07
Certificate

Issuer

CN=Microsoft Identity Verification Root Certificate Authority 2020,O=Microsoft Corporation,C=US

Not Before

01/04/2021, 20:05

Not After

01/04/2036, 20:15

Subject

CN=Microsoft ID Verified Code Signing PCA 2021,O=Microsoft Corporation,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:05:e5:cf:0f:ff:66:2e:c9:87:00:00:00:00:00:05
Certificate

Issuer

CN=Microsoft Identity Verification Root Certificate Authority 2020,O=Microsoft Corporation,C=US

Not Before

19/11/2020, 20:32

Not After

19/11/2035, 20:42

Subject

CN=Microsoft Public RSA Timestamping CA 2020,O=Microsoft Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:3e:d9:35:92:f7:b0:19:42:29:00:00:00:00:00:3e
Certificate

Issuer

CN=Microsoft Public RSA Timestamping CA 2020,O=Microsoft Corporation,C=US

Not Before

18/04/2024, 17:59

Not After

17/04/2025, 17:59

Subject

CN=Microsoft Public RSA Time Stamping Authority,OU=Microsoft Ireland Operations Limited+OU=Thales TSS ESN:91A2-966C-63FB,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

f0:ef:88:e2:3e:38:21:d9:5e:58:91:62:e2:7d:76:7e:80:8b:ff:83:3d:e9:2b:8c:d0:60:7b:67:17:af:7a:ad
Signer

Actual PE Digest

f0:ef:88:e2:3e:38:21:d9:5e:58:91:62:e2:7d:76:7e:80:8b:ff:83:3d:e9:2b:8c:d0:60:7b:67:17:af:7a:ad

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\ReleaseAI\tools\msix-psf\Win32\Release\PsfRunDll32.pdb

Imports

kernel32

GetLastError
LoadLibraryA
GetProcAddress
WriteConsoleW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlUnwind
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
RaiseException
GetStdHandle
WriteFile
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
HeapAlloc
HeapFree
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
GetFileType
GetStringTypeW
LCMapStringW
GetProcessHeap
HeapSize
HeapReAlloc
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
SetFilePointerEx
CreateFileW
CloseHandle
DecodePointer

Sections

.text
Size: 43KB - Virtual size: 43KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
PsfRunDll64.exe
.exe windows:6 windows x64 arch:x64

fbfe9cc74dcec3523d7b9afacb5c4d17

Code Sign

54:98:d2:d1:d4:5b:19:95:48:13:79:c8:11:c0:87:99
Certificate

Issuer

CN=Microsoft Identity Verification Root Certificate Authority 2020,O=Microsoft Corporation,C=US

Not Before

16/04/2020, 18:36

Not After

16/04/2045, 18:44

Subject

CN=Microsoft Identity Verification Root Certificate Authority 2020,O=Microsoft Corporation,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bd
Certificate

Issuer

CN=Microsoft ID Verified CS EOC CA 01,O=Microsoft Corporation,C=US

Not Before

21/08/2024, 06:31

Not After

24/08/2024, 06:31

Subject

CN=Caphyon SRL,O=Caphyon SRL,L=Craiova,C=RO

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bd
Certificate

Issuer

CN=Microsoft ID Verified CS EOC CA 01,O=Microsoft Corporation,C=US

Not Before

21/08/2024, 06:31

Not After

24/08/2024, 06:31

Subject

CN=Caphyon SRL,O=Caphyon SRL,L=Craiova,C=RO

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

33:00:00:00:06:4a:1a:fa:cf:05:61:6a:74:00:00:00:00:00:06
Certificate

Issuer

CN=Microsoft ID Verified Code Signing PCA 2021,O=Microsoft Corporation,C=US

Not Before

13/04/2021, 17:31

Not After

13/04/2026, 17:31

Subject

CN=Microsoft ID Verified CS EOC CA 01,O=Microsoft Corporation,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:07:87:a3:34:a3:7b:a5:8e:1c:00:00:00:00:00:07
Certificate

Issuer

CN=Microsoft Identity Verification Root Certificate Authority 2020,O=Microsoft Corporation,C=US

Not Before

01/04/2021, 20:05

Not After

01/04/2036, 20:15

Subject

CN=Microsoft ID Verified Code Signing PCA 2021,O=Microsoft Corporation,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:05:e5:cf:0f:ff:66:2e:c9:87:00:00:00:00:00:05
Certificate

Issuer

CN=Microsoft Identity Verification Root Certificate Authority 2020,O=Microsoft Corporation,C=US

Not Before

19/11/2020, 20:32

Not After

19/11/2035, 20:42

Subject

CN=Microsoft Public RSA Timestamping CA 2020,O=Microsoft Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:3e:d9:35:92:f7:b0:19:42:29:00:00:00:00:00:3e
Certificate

Issuer

CN=Microsoft Public RSA Timestamping CA 2020,O=Microsoft Corporation,C=US

Not Before

18/04/2024, 17:59

Not After

17/04/2025, 17:59

Subject

CN=Microsoft Public RSA Time Stamping Authority,OU=Microsoft Ireland Operations Limited+OU=Thales TSS ESN:91A2-966C-63FB,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

bc:cd:c5:38:57:31:0f:b2:6f:a2:e4:d1:6a:a5:13:7c:cf:98:42:9d:a8:d2:2b:56:44:77:62:ef:dc:d3:b4:09
Signer

Actual PE Digest

bc:cd:c5:38:57:31:0f:b2:6f:a2:e4:d1:6a:a5:13:7c:cf:98:42:9d:a8:d2:2b:56:44:77:62:ef:dc:d3:b4:09

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\ReleaseAI\tools\msix-psf\x64\Release\PsfRunDll64.pdb

Imports

kernel32

GetLastError
LoadLibraryA
GetProcAddress
WriteConsoleW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlUnwindEx
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
RaiseException
GetStdHandle
WriteFile
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
HeapAlloc
HeapFree
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
GetFileType
GetStringTypeW
LCMapStringW
GetProcessHeap
HeapSize
HeapReAlloc
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
SetFilePointerEx
CreateFileW
CloseHandle

Sections

.text
Size: 46KB - Virtual size: 46KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 36KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
PsfRuntime32.dll
.dll windows:6 windows x86 arch:x86

a17591684e7aeb718d0c838e2837fe98

Code Sign

54:98:d2:d1:d4:5b:19:95:48:13:79:c8:11:c0:87:99
Certificate

Issuer

CN=Microsoft Identity Verification Root Certificate Authority 2020,O=Microsoft Corporation,C=US

Not Before

16/04/2020, 18:36

Not After

16/04/2045, 18:44

Subject

CN=Microsoft Identity Verification Root Certificate Authority 2020,O=Microsoft Corporation,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bd
Certificate

Issuer

CN=Microsoft ID Verified CS EOC CA 01,O=Microsoft Corporation,C=US

Not Before

21/08/2024, 06:31

Not After

24/08/2024, 06:31

Subject

CN=Caphyon SRL,O=Caphyon SRL,L=Craiova,C=RO

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bd
Certificate

Issuer

CN=Microsoft ID Verified CS EOC CA 01,O=Microsoft Corporation,C=US

Not Before

21/08/2024, 06:31

Not After

24/08/2024, 06:31

Subject

CN=Caphyon SRL,O=Caphyon SRL,L=Craiova,C=RO

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

33:00:00:00:06:4a:1a:fa:cf:05:61:6a:74:00:00:00:00:00:06
Certificate

Issuer

CN=Microsoft ID Verified Code Signing PCA 2021,O=Microsoft Corporation,C=US

Not Before

13/04/2021, 17:31

Not After

13/04/2026, 17:31

Subject

CN=Microsoft ID Verified CS EOC CA 01,O=Microsoft Corporation,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:07:87:a3:34:a3:7b:a5:8e:1c:00:00:00:00:00:07
Certificate

Issuer

CN=Microsoft Identity Verification Root Certificate Authority 2020,O=Microsoft Corporation,C=US

Not Before

01/04/2021, 20:05

Not After

01/04/2036, 20:15

Subject

CN=Microsoft ID Verified Code Signing PCA 2021,O=Microsoft Corporation,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:05:e5:cf:0f:ff:66:2e:c9:87:00:00:00:00:00:05
Certificate

Issuer

CN=Microsoft Identity Verification Root Certificate Authority 2020,O=Microsoft Corporation,C=US

Not Before

19/11/2020, 20:32

Not After

19/11/2035, 20:42

Subject

CN=Microsoft Public RSA Timestamping CA 2020,O=Microsoft Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:3f:04:1a:e9:7e:6d:27:fe:eb:00:00:00:00:00:3f
Certificate

Issuer

CN=Microsoft Public RSA Timestamping CA 2020,O=Microsoft Corporation,C=US

Not Before

18/04/2024, 17:59

Not After

17/04/2025, 17:59

Subject

CN=Microsoft Public RSA Time Stamping Authority,OU=Microsoft Ireland Operations Limited+OU=Thales TSS ESN:F5D6-96D6-909E,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

3d:e6:b0:60:1a:0c:cc:33:d6:69:ad:23:47:0f:13:35:70:23:59:6c:e1:c8:da:45:aa:9d:63:b7:7e:f4:d6:cf
Signer

Actual PE Digest

3d:e6:b0:60:1a:0c:cc:33:d6:69:ad:23:47:0f:13:35:70:23:59:6c:e1:c8:da:45:aa:9d:63:b7:7e:f4:d6:cf

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\ReleaseAI\tools\msix-psf\Win32\Release\PsfRuntime32.pdb

Imports

kernel32

HeapFree
GetModuleHandleExW
GetCurrentApplicationUserModelId
OutputDebugStringA
GetFinalPathNameByHandleW
GetModuleFileNameW
CreateFileW
GetCurrentThreadId
MultiByteToWideChar
GetLastError
OutputDebugStringW
CloseHandle
HeapAlloc
GetCurrentPackageFamilyName
GetProcAddress
GetCurrentPackageFullName
GetProcessHeap
GetModuleHandleW
DebugBreak
IsDebuggerPresent
SetLastError
TerminateProcess
ResumeThread
CreateProcessW
WideCharToMultiByte
QueryFullProcessImageNameW
CreateProcessA
GetCurrentThread
LoadLibraryW
FreeLibrary
SetEndOfFile
HeapSize
SetFilePointerEx
VirtualProtect
VirtualFree
GetCurrentProcess
VirtualAlloc
SuspendThread
VirtualProtectEx
GetThreadContext
FlushInstructionCache
SetThreadContext
VirtualQuery
VirtualQueryEx
WriteProcessMemory
GetEnvironmentVariableW
WaitForSingleObject
OpenProcess
VirtualAllocEx
ExitProcess
ReadProcessMemory
IsWow64Process
GetExitCodeProcess
LoadLibraryExW
LocalFree
FormatMessageA
GetLocaleInfoEx
GetStringTypeW
FindClose
FindFirstFileW
FindFirstFileExW
FindNextFileW
GetFileAttributesExW
AreFileApisANSI
GetFileInformationByHandleEx
CompareStringEx
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
EncodePointer
DecodePointer
LCMapStringEx
GetCPInfo
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetStartupInfoW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeSListHead
RtlUnwind
RaiseException
InterlockedFlushSList
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
HeapReAlloc
GetStdHandle
GetFileType
ReadFile
GetConsoleMode
ReadConsoleW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
IsValidCodePage
GetACP
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
FlushFileBuffers
WriteFile
GetConsoleOutputCP
WriteConsoleW

user32

MessageBoxW

Exports

Exports

?PSFQueryPackageFamilyName@@YGPB_WXZ
DetourFinishHelperProcess
_PSFQueryAppLaunchConfig@8
_PSFQueryAppMonitorConfig@0
_PSFQueryApplicationId@0
_PSFQueryApplicationUserModelId@0
_PSFQueryConfig@8
_PSFQueryConfigRoot@0
_PSFQueryCurrentAppLaunchConfig@4
_PSFQueryCurrentExeConfig@0
_PSFQueryDllConfig@4
_PSFQueryEndScriptInfo@0
_PSFQueryExeConfig@4
_PSFQueryFinalPackageRootPath@0
_PSFQueryPackageFullName@0
_PSFQueryPackageRootPath@0
_PSFQueryStartScriptInfo@0
_PSFRegister@8
_PSFReportError@4
_PSFUnregister@8

Sections

.text
Size: 239KB - Virtual size: 238KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 62KB - Virtual size: 61KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

psf
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourd
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
PsfRuntime64.dll
.dll windows:6 windows x64 arch:x64

422d9d5ae950b18d15f6e774aaf5b3ed

Code Sign

54:98:d2:d1:d4:5b:19:95:48:13:79:c8:11:c0:87:99
Certificate

Issuer

CN=Microsoft Identity Verification Root Certificate Authority 2020,O=Microsoft Corporation,C=US

Not Before

16/04/2020, 18:36

Not After

16/04/2045, 18:44

Subject

CN=Microsoft Identity Verification Root Certificate Authority 2020,O=Microsoft Corporation,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bd
Certificate

Issuer

CN=Microsoft ID Verified CS EOC CA 01,O=Microsoft Corporation,C=US

Not Before

21/08/2024, 06:31

Not After

24/08/2024, 06:31

Subject

CN=Caphyon SRL,O=Caphyon SRL,L=Craiova,C=RO

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bd
Certificate

Issuer

CN=Microsoft ID Verified CS EOC CA 01,O=Microsoft Corporation,C=US

Not Before

21/08/2024, 06:31

Not After

24/08/2024, 06:31

Subject

CN=Caphyon SRL,O=Caphyon SRL,L=Craiova,C=RO

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

33:00:00:00:06:4a:1a:fa:cf:05:61:6a:74:00:00:00:00:00:06
Certificate

Issuer

CN=Microsoft ID Verified Code Signing PCA 2021,O=Microsoft Corporation,C=US

Not Before

13/04/2021, 17:31

Not After

13/04/2026, 17:31

Subject

CN=Microsoft ID Verified CS EOC CA 01,O=Microsoft Corporation,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:07:87:a3:34:a3:7b:a5:8e:1c:00:00:00:00:00:07
Certificate

Issuer

CN=Microsoft Identity Verification Root Certificate Authority 2020,O=Microsoft Corporation,C=US

Not Before

01/04/2021, 20:05

Not After

01/04/2036, 20:15

Subject

CN=Microsoft ID Verified Code Signing PCA 2021,O=Microsoft Corporation,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:05:e5:cf:0f:ff:66:2e:c9:87:00:00:00:00:00:05
Certificate

Issuer

CN=Microsoft Identity Verification Root Certificate Authority 2020,O=Microsoft Corporation,C=US

Not Before

19/11/2020, 20:32

Not After

19/11/2035, 20:42

Subject

CN=Microsoft Public RSA Timestamping CA 2020,O=Microsoft Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:3f:04:1a:e9:7e:6d:27:fe:eb:00:00:00:00:00:3f
Certificate

Issuer

CN=Microsoft Public RSA Timestamping CA 2020,O=Microsoft Corporation,C=US

Not Before

18/04/2024, 17:59

Not After

17/04/2025, 17:59

Subject

CN=Microsoft Public RSA Time Stamping Authority,OU=Microsoft Ireland Operations Limited+OU=Thales TSS ESN:F5D6-96D6-909E,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

b9:7a:fa:f8:de:4d:04:c5:2a:e6:e5:b9:30:37:13:c9:4c:de:dc:f5:7c:89:32:00:75:37:51:4d:7a:f2:d1:51
Signer

Actual PE Digest

b9:7a:fa:f8:de:4d:04:c5:2a:e6:e5:b9:30:37:13:c9:4c:de:dc:f5:7c:89:32:00:75:37:51:4d:7a:f2:d1:51

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\ReleaseAI\tools\msix-psf\x64\Release\PsfRuntime64.pdb

Imports

kernel32

HeapFree
GetModuleHandleExW
GetCurrentApplicationUserModelId
OutputDebugStringA
GetFinalPathNameByHandleW
GetModuleFileNameW
CreateFileW
GetCurrentThreadId
MultiByteToWideChar
GetLastError
OutputDebugStringW
CloseHandle
HeapAlloc
GetCurrentPackageFamilyName
GetProcAddress
GetCurrentPackageFullName
GetProcessHeap
GetModuleHandleW
DebugBreak
IsDebuggerPresent
SetLastError
TerminateProcess
ResumeThread
CreateProcessW
WideCharToMultiByte
QueryFullProcessImageNameW
CreateProcessA
GetCurrentThread
LoadLibraryW
FreeLibrary
WriteConsoleW
SetEndOfFile
HeapSize
VirtualProtect
VirtualFree
GetCurrentProcess
VirtualAlloc
SuspendThread
VirtualProtectEx
GetThreadContext
FlushInstructionCache
SetThreadContext
VirtualQuery
VirtualQueryEx
WriteProcessMemory
GetEnvironmentVariableW
WaitForSingleObject
OpenProcess
VirtualAllocEx
ExitProcess
ReadProcessMemory
IsWow64Process
GetExitCodeProcess
LoadLibraryExW
LocalFree
FormatMessageA
GetLocaleInfoEx
GetStringTypeW
FindClose
FindFirstFileW
FindFirstFileExW
FindNextFileW
GetFileAttributesExW
AreFileApisANSI
GetFileInformationByHandleEx
CompareStringEx
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
EncodePointer
DecodePointer
LCMapStringEx
GetCPInfo
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetStartupInfoW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeSListHead
RtlUnwindEx
RtlPcToFileHeader
RaiseException
InterlockedFlushSList
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
HeapReAlloc
GetStdHandle
GetFileType
ReadFile
GetConsoleMode
ReadConsoleW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
IsValidCodePage
GetACP
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
FlushFileBuffers
WriteFile
GetConsoleOutputCP
SetFilePointerEx

user32

MessageBoxW

Exports

Exports

?PSFQueryPackageFamilyName@@YAPEB_WXZ
DetourFinishHelperProcess
PSFQueryAppLaunchConfig
PSFQueryAppMonitorConfig
PSFQueryApplicationId
PSFQueryApplicationUserModelId
PSFQueryConfig
PSFQueryConfigRoot
PSFQueryCurrentAppLaunchConfig
PSFQueryCurrentExeConfig
PSFQueryDllConfig
PSFQueryEndScriptInfo
PSFQueryExeConfig
PSFQueryFinalPackageRootPath
PSFQueryPackageFullName
PSFQueryPackageRootPath
PSFQueryStartScriptInfo
PSFRegister
PSFReportError
PSFUnregister

Sections

.text
Size: 276KB - Virtual size: 275KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 93KB - Virtual size: 93KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

psf
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourd
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Screenshot_1.png
.png
StartingScriptWrapper.ps1
.ps1
SwapRegHelper10.zip
SwapRegHelper100.zip
SwapRegHelper20.zip
VFS/AppData/local/gpg.exe
.exe windows:4 windows x86 arch:x86

b94d5b6e4b62e1e66866eed7dc715e51

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

advapi32

RegCloseKey
RegCreateKeyA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA

kernel32

AddAtomA
CloseHandle
CreateDirectoryA
CreateFileA
CreateProcessA
DeviceIoControl
ExitProcess
ExpandEnvironmentStringsA
FindAtomA
FormatMessageA
FreeLibrary
GetACP
GetAtomNameA
GetConsoleOutputCP
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetFileSize
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetProcessHeap
GetProcessTimes
GetProcessWorkingSetSize
GetStartupInfoA
GetStdHandle
GetTempPathA
GetThreadTimes
GetTickCount
GetVersionExA
GlobalMemoryStatus
IsDBCSLeadByte
LoadLibraryA
QueryPerformanceCounter
ReadConsoleA
ReadFile
SetConsoleMode
SetFilePointer
SetUnhandledExceptionFilter
Sleep
VirtualProtect
WaitForSingleObject
WriteConsoleA
WriteFile

msvcrt

_access
_chsize
_close
_fdopen
_fstat
_getpid
_isatty
_lseek
_mkdir
_open
_putenv
_read
_rmdir
_setmode
_umask
_unlink
_write
__getmainargs
__mb_cur_max
__p__environ
__p__fmode
__set_app_type
_assert
_cexit
_errno
_iob
_isctype
_onexit
_open_osfhandle
_pctype
_setmode
_stricmp
_strnicmp
_vsnprintf
abort
atexit
atoi
calloc
clearerr
clock
exit
fclose
fflush
fgetc
fgets
fopen
fprintf
fputc
fputs
fread
free
fseek
fwrite
getc
getenv
gmtime
isalnum
isalpha
iscntrl
isdigit
isgraph
islower
isprint
ispunct
isspace
isupper
isxdigit
localtime
malloc
memchr
memcmp
memcpy
memmove
memset
mktime
printf
putc
putchar
puts
raise
rand
realloc
remove
rename
signal
sprintf
srand
sscanf
strcat
strchr
strcmp
strcpy
strcspn
strerror
strftime
strlen
strncmp
strncpy
strpbrk
strrchr
strspn
strstr
strtol
strtoul
time
toupper
ungetc
vfprintf
vsprintf

user32

GetActiveWindow
GetCapture
GetCaretPos
GetClipboardOwner
GetClipboardViewer
GetCursorPos
GetDesktopWindow
GetFocus
GetInputState
GetMessagePos
GetMessageTime
GetOpenClipboardWindow
GetProcessWindowStation
GetQueueStatus

wsock32

WSAGetLastError
closesocket
recv
send

Sections

.text
Size: 815KB - Virtual size: 814KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 162KB - Virtual size: 161KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 8KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
VFS/AppData/local/iconv.dll
.dll windows:4 windows x86 arch:x86

e7aa0aeef61e4ca89f4b87b602f40e02

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msvcrt

memset
malloc
memcmp
free
qsort
strlen
strcmp
_errno
_initterm
_adjust_fdiv
sprintf
abort
memcpy

kernel32

DisableThreadLibraryCalls
GetACP

Exports

Exports

_libiconv_version
libiconv
libiconv_close
libiconv_open
libiconv_set_relocation_prefix
libiconvctl
libiconvlist
locale_charset

Sections

.text
Size: 52KB - Virtual size: 48KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 800KB - Virtual size: 798KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 380B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
[Content_Types].xml
.xml
config.json
vyeis.ps1
main-x86.appx
.appx
AI_STUBS/AiStubX86.exe
.exe windows:6 windows x86 arch:x86

3197080f9ff56a35cc53e8bd1338f734

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\ReleaseAI\win\Release\stubs\x86\uwpstublauncher.pdb

Imports

msi

ord205
ord70

api-ms-win-core-winrt-l1-1-0

RoInitialize
RoUninitialize
RoGetActivationFactory
RoActivateInstance

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateStringReference

kernel32

GetProcAddress
LocalFree
DeleteCriticalSection
GetProcessHeap
FreeLibrary
GetCurrentProcess
GetModuleHandleW
MultiByteToWideChar
WideCharToMultiByte
CreateDirectoryW
SizeofResource
EnterCriticalSection
WriteFile
GetModuleFileNameW
LeaveCriticalSection
CreateFileW
GetCurrentThreadId
OutputDebugStringW
LockResource
CloseHandle
FindResourceExW
LoadResource
FindResourceW
GetCurrentProcessId
FlushFileBuffers
HeapDestroy
WaitForSingleObject
GetSystemDefaultLangID
CreateProcessW
GetEnvironmentStringsW
GetExitCodeProcess
RaiseException
lstrcmpiW
LoadLibraryExW
GetModuleFileNameA
SetLastError
GetModuleHandleExW
OutputDebugStringA
InitializeProcThreadAttributeList
FormatMessageW
UpdateProcThreadAttribute
DeleteProcThreadAttributeList
GetCurrentPackageFamilyName
GetCurrentPackageFullName
DebugBreak
IsDebuggerPresent
GetStartupInfoW
SetEnvironmentVariableW
GetEnvironmentVariableW
GetFileAttributesW
GetSystemDirectoryW
GetCurrentDirectoryW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
DecodePointer
HeapAlloc
LoadLibraryW
HeapReAlloc
GetLastError
HeapSize
InitializeCriticalSectionEx
HeapFree
EnumSystemLocalesW
SetFilePointerEx
IsValidCodePage
GetACP
GetOEMCP
ExpandEnvironmentStringsW
WriteConsoleW
GetFileType
GetStdHandle
ExitProcess
FreeLibraryAndExitThread
GetCommandLineA
GetConsoleMode
GetConsoleOutputCP
SetStdHandle
FreeEnvironmentStringsW
GetCommandLineW
ExitThread
CreateThread
TlsFree
TlsSetValue
TlsGetValue
GetSystemInfo
VirtualProtect
VirtualQuery
LoadLibraryExA
FormatMessageA
GetLocaleInfoEx
GetStringTypeW
FindClose
FindFirstFileW
FindFirstFileExW
FindNextFileW
GetFileAttributesExW
AreFileApisANSI
GetFileInformationByHandleEx
EncodePointer
LCMapStringEx
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
TryAcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
CompareStringEx
GetCPInfo
QueryPerformanceCounter
GetSystemTimeAsFileTime
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
InitializeSListHead
RtlUnwind
InitializeCriticalSectionAndSpinCount
TlsAlloc

user32

MessageBoxW
LoadStringW
CharNextW

advapi32

RegEnumKeyW
RegEnumValueW
RegQueryInfoKeyW
RegDeleteKeyW
RegCreateKeyExW
RegEnumKeyExW
RegSetValueExW
RegDeleteValueW
OpenProcessToken
GetTokenInformation
RegCloseKey
RegOpenKeyExW
RegQueryValueExW

shell32

SHGetKnownFolderPath
ShellExecuteExW
SHGetFolderPathW

ole32

CoTaskMemAlloc
CoCreateInstance
CoTaskMemRealloc
CoTaskMemFree

oleaut32

VarUI4FromStr

shlwapi

PathFileExistsW

Sections

.text
Size: 354KB - Virtual size: 353KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 111KB - Virtual size: 110KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didat
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
AppxBlockMap.xml
.xml
AppxManifest.xml
.xml
AppxMetadata/CodeIntegrity.cat
AppxSignature.p7x
Assets/NordVPNSetup.exeBadgeLogo.scale-100.png
.png
Assets/NordVPNSetup.exeSplashScreen.scale-100.png
.png
Assets/NordVPNSetup.exeSquare150x150Logo.scale-100.png
.png
Assets/NordVPNSetup.exeSquare310x310Logo.scale-100.png
.png
Assets/NordVPNSetup.exeSquare44x44Logo.scale-100.png
.png
Assets/NordVPNSetup.exeSquare71x71Logo.scale-100.png
.png
Assets/NordVPNSetup.exeWide310x150Logo.scale-100.png
.png
Assets/Store50x50Logo.scale-100.png
.png
NordVPNSetup.exe
.exe windows:6 windows x86 arch:x86

e569e6f445d32ba23766ad67d1e3787f

Code Sign

77:bd:0e:05:b7:59:0b:b6:1d:47:61:53:1e:3f:75:ed
Certificate

Issuer

CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

Not Before

28/07/2020, 00:00

Not After

28/07/2030, 00:00

Subject

CN=GlobalSign GCC R45 EV CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

5d:b3:ab:95:b8:9d:4a:e0:90:60:8b:4a
Certificate

Issuer

CN=GlobalSign GCC R45 EV CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Not Before

14/05/2021, 20:05

Not After

14/05/2024, 20:05

Subject

SERIALNUMBER=155694934,CN=nordvpn s.a.,O=nordvpn s.a.,STREET=PH F&F Tower\, 50th Street & 56th Street\, Suite 32-D,L=Panama City,ST=Panama,C=PA,1.2.840.113549.1.9.1=#0c1161646d696e406e6f726476706e2e636f6d,1.3.6.1.4.1.311.60.2.1.3=#13025041,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

01:c2:9c:7a:f4:7a:a6:02:58:0e:af:32:b1:23:b1:1d
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Not Before

06/04/2022, 07:44

Not After

08/05/2033, 07:44

Subject

CN=Globalsign TSA for Advanced - G4,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Not Before

20/06/2018, 00:00

Not After

10/12/2034, 00:00

Subject

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

01:f2:40:42:40:ce:fd:22:db:e9:6c:71:fc
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

20/02/2019, 00:00

Not After

18/03/2029, 10:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:21:58:53:08:a2
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

18/03/2009, 10:00

Not After

18/03/2029, 10:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:31:be:cd:80:2c:7b:0b:02:b4:d7:89:06:ec:bb:3d:00:d9:dc:bb:08:1b:38:43:37:f0:85:fe:88:13:ea:9d
Signer

Actual PE Digest

04:31:be:cd:80:2c:7b:0b:02:b4:d7:89:06:ec:bb:3d:00:d9:dc:bb:08:1b:38:43:37:f0:85:fe:88:13:ea:9d

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

kernel32

GetACP
GetExitCodeProcess
LocalFree
CloseHandle
SizeofResource
VirtualProtect
VirtualFree
GetFullPathNameW
ExitProcess
HeapAlloc
GetCPInfoExW
RtlUnwind
GetCPInfo
GetStdHandle
GetModuleHandleW
FreeLibrary
HeapDestroy
ReadFile
CreateProcessW
GetLastError
GetModuleFileNameW
SetLastError
FindResourceW
CreateThread
CompareStringW
LoadLibraryA
ResetEvent
GetVersion
RaiseException
FormatMessageW
SwitchToThread
GetExitCodeThread
GetCurrentThread
LoadLibraryExW
LockResource
GetCurrentThreadId
UnhandledExceptionFilter
VirtualQuery
VirtualQueryEx
Sleep
EnterCriticalSection
SetFilePointer
LoadResource
SuspendThread
GetTickCount
GetFileSize
GetStartupInfoW
GetFileAttributesW
InitializeCriticalSection
GetSystemWindowsDirectoryW
GetThreadPriority
SetThreadPriority
GetCurrentProcess
VirtualAlloc
GetSystemInfo
GetCommandLineW
LeaveCriticalSection
GetProcAddress
ResumeThread
GetVersionExW
VerifyVersionInfoW
HeapCreate
GetWindowsDirectoryW
VerSetConditionMask
GetDiskFreeSpaceW
FindFirstFileW
GetUserDefaultUILanguage
lstrlenW
QueryPerformanceCounter
SetEndOfFile
HeapFree
WideCharToMultiByte
FindClose
MultiByteToWideChar
LoadLibraryW
SetEvent
CreateFileW
GetLocaleInfoW
GetSystemDirectoryW
DeleteFileW
GetLocalTime
GetEnvironmentVariableW
WaitForSingleObject
WriteFile
ExitThread
DeleteCriticalSection
TlsGetValue
GetDateFormatW
SetErrorMode
IsValidLocale
TlsSetValue
CreateDirectoryW
GetSystemDefaultUILanguage
EnumCalendarInfoW
LocalAlloc
GetUserDefaultLangID
RemoveDirectoryW
CreateEventW
SetThreadLocale
GetThreadLocale

comctl32

InitCommonControls

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

user32

CreateWindowExW
TranslateMessage
CharLowerBuffW
CallWindowProcW
CharUpperW
PeekMessageW
GetSystemMetrics
SetWindowLongW
MessageBoxW
DestroyWindow
CharUpperBuffW
CharNextW
MsgWaitForMultipleObjects
LoadStringW
ExitWindowsEx
DispatchMessageW

oleaut32

SysAllocStringLen
SafeArrayPtrOfIndex
VariantCopy
SafeArrayGetLBound
SafeArrayGetUBound
VariantInit
VariantClear
SysFreeString
SysReAllocStringLen
VariantChangeType
SafeArrayCreate

netapi32

NetWkstaGetInfo
NetApiBufferFree

advapi32

ConvertStringSecurityDescriptorToSecurityDescriptorW
RegQueryValueExW
AdjustTokenPrivileges
GetTokenInformation
ConvertSidToStringSidW
LookupPrivilegeValueW
RegCloseKey
OpenProcessToken
RegOpenKeyExW

Exports

Exports

TMethodImplementationIntercept
__dbk_fcall_wrapper
dbkFCallWrapperAddr

Sections

.text
Size: 718KB - Virtual size: 718KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 27KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didata
Size: 512B - Virtual size: 420B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 154B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: - Virtual size: 24B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 93B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 101KB - Virtual size: 100KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Registry.dat
[Content_Types].xml
.xml
resources.pri
scale-125.appx
.appx
AppxBlockMap.xml
.xml
AppxManifest.xml
.xml
AppxSignature.p7x
Assets/NordVPNSetup.exeBadgeLogo.scale-125.png
.png
Assets/NordVPNSetup.exeSplashScreen.scale-125.png
.png
Assets/NordVPNSetup.exeSquare150x150Logo.scale-125.png
.png
Assets/NordVPNSetup.exeSquare310x310Logo.scale-125.png
.png
Assets/NordVPNSetup.exeSquare44x44Logo.scale-125.png
.png
Assets/NordVPNSetup.exeSquare71x71Logo.scale-125.png
.png
Assets/NordVPNSetup.exeWide310x150Logo.scale-125.png
.png
Assets/Store50x50Logo.scale-125.png
.png
[Content_Types].xml
.xml
resources.pri
scale-150.appx
.appx
AppxBlockMap.xml
.xml
AppxManifest.xml
.xml
AppxSignature.p7x
Assets/NordVPNSetup.exeBadgeLogo.scale-150.png
.png
Assets/NordVPNSetup.exeSplashScreen.scale-150.png
.png
Assets/NordVPNSetup.exeSquare150x150Logo.scale-150.png
.png
Assets/NordVPNSetup.exeSquare310x310Logo.scale-150.png
.png
Assets/NordVPNSetup.exeSquare44x44Logo.scale-150.png
.png
Assets/NordVPNSetup.exeSquare71x71Logo.scale-150.png
.png
Assets/NordVPNSetup.exeWide310x150Logo.scale-150.png
.png
Assets/Store50x50Logo.scale-150.png
.png
[Content_Types].xml
.xml
resources.pri
scale-200.appx
.appx
AppxBlockMap.xml
.xml
AppxManifest.xml
.xml
AppxSignature.p7x
Assets/NordVPNSetup.exeBadgeLogo.scale-200.png
.png
Assets/NordVPNSetup.exeSplashScreen.scale-200.png
.png
Assets/NordVPNSetup.exeSquare150x150Logo.scale-200.png
.png
Assets/NordVPNSetup.exeSquare310x310Logo.scale-200.png
.png
Assets/NordVPNSetup.exeSquare44x44Logo.scale-200.png
.png
Assets/NordVPNSetup.exeSquare71x71Logo.scale-200.png
.png
Assets/NordVPNSetup.exeWide310x150Logo.scale-200.png
.png
Assets/Store50x50Logo.scale-200.png
.png
[Content_Types].xml
.xml
resources.pri
scale-400.appx
.appx
AppxBlockMap.xml
.xml
AppxManifest.xml
.xml
AppxSignature.p7x
Assets/NordVPNSetup.exeBadgeLogo.scale-400.png
.png
Assets/NordVPNSetup.exeSplashScreen.scale-400.png
.png
Assets/NordVPNSetup.exeSquare150x150Logo.scale-400.png
.png
Assets/NordVPNSetup.exeSquare310x310Logo.scale-400.png
.png
Assets/NordVPNSetup.exeSquare44x44Logo.scale-400.png
.png
Assets/NordVPNSetup.exeSquare71x71Logo.scale-400.png
.png
Assets/NordVPNSetup.exeWide310x150Logo.scale-400.png
.png
Assets/Store50x50Logo.scale-400.png
.png
[Content_Types].xml
.xml
resources.pri

Sharing

General

Malware Config

Signatures

Files

2a22b6fe5189b8928e2d5bffd5eb859c

Code Sign

54:98:d2:d1:d4:5b:19:95:48:13:79:c8:11:c0:87:99Certificate

Key Usages

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bdCertificate

Extended Key Usages

Key Usages

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bdCertificate

Extended Key Usages

Key Usages

33:00:00:00:06:4a:1a:fa:cf:05:61:6a:74:00:00:00:00:00:06Certificate

Key Usages

33:00:00:00:07:87:a3:34:a3:7b:a5:8e:1c:00:00:00:00:00:07Certificate

Key Usages

33:00:00:00:05:e5:cf:0f:ff:66:2e:c9:87:00:00:00:00:00:05Certificate

Extended Key Usages

Key Usages

33:00:00:00:3e:d9:35:92:f7:b0:19:42:29:00:00:00:00:00:3eCertificate

Extended Key Usages

Key Usages

f0:ef:88:e2:3e:38:21:d9:5e:58:91:62:e2:7d:76:7e:80:8b:ff:83:3d:e9:2b:8c:d0:60:7b:67:17:af:7a:adSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

Sections

.text Size: 43KB - Virtual size: 43KB

.rdata Size: 23KB - Virtual size: 22KB

.data Size: 2KB - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 3KB - Virtual size: 3KB

fbfe9cc74dcec3523d7b9afacb5c4d17

Code Sign

54:98:d2:d1:d4:5b:19:95:48:13:79:c8:11:c0:87:99Certificate

Key Usages

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bdCertificate

Extended Key Usages

Key Usages

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bdCertificate

Extended Key Usages

Key Usages

33:00:00:00:06:4a:1a:fa:cf:05:61:6a:74:00:00:00:00:00:06Certificate

Key Usages

33:00:00:00:07:87:a3:34:a3:7b:a5:8e:1c:00:00:00:00:00:07Certificate

Key Usages

33:00:00:00:05:e5:cf:0f:ff:66:2e:c9:87:00:00:00:00:00:05Certificate

Extended Key Usages

Key Usages

33:00:00:00:3e:d9:35:92:f7:b0:19:42:29:00:00:00:00:00:3eCertificate

Extended Key Usages

Key Usages

bc:cd:c5:38:57:31:0f:b2:6f:a2:e4:d1:6a:a5:13:7c:cf:98:42:9d:a8:d2:2b:56:44:77:62:ef:dc:d3:b4:09Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

Sections

.text Size: 46KB - Virtual size: 46KB

.rdata Size: 36KB - Virtual size: 36KB

.data Size: 3KB - Virtual size: 7KB

.pdata Size: 3KB - Virtual size: 3KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 2KB - Virtual size: 1KB

a17591684e7aeb718d0c838e2837fe98

Code Sign

54:98:d2:d1:d4:5b:19:95:48:13:79:c8:11:c0:87:99Certificate

Key Usages

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bdCertificate

Extended Key Usages

Key Usages

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bdCertificate

54:98:d2:d1:d4:5b:19:95:48:13:79:c8:11:c0:87:99
Certificate

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bd
Certificate

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bd
Certificate

33:00:00:00:06:4a:1a:fa:cf:05:61:6a:74:00:00:00:00:00:06
Certificate

33:00:00:00:07:87:a3:34:a3:7b:a5:8e:1c:00:00:00:00:00:07
Certificate

33:00:00:00:05:e5:cf:0f:ff:66:2e:c9:87:00:00:00:00:00:05
Certificate

33:00:00:00:3e:d9:35:92:f7:b0:19:42:29:00:00:00:00:00:3e
Certificate

f0:ef:88:e2:3e:38:21:d9:5e:58:91:62:e2:7d:76:7e:80:8b:ff:83:3d:e9:2b:8c:d0:60:7b:67:17:af:7a:ad
Signer

.text
Size: 43KB - Virtual size: 43KB

.rdata
Size: 23KB - Virtual size: 22KB

.data
Size: 2KB - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 3KB - Virtual size: 3KB

54:98:d2:d1:d4:5b:19:95:48:13:79:c8:11:c0:87:99
Certificate

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bd
Certificate

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bd
Certificate

33:00:00:00:06:4a:1a:fa:cf:05:61:6a:74:00:00:00:00:00:06
Certificate

33:00:00:00:07:87:a3:34:a3:7b:a5:8e:1c:00:00:00:00:00:07
Certificate

33:00:00:00:05:e5:cf:0f:ff:66:2e:c9:87:00:00:00:00:00:05
Certificate

33:00:00:00:3e:d9:35:92:f7:b0:19:42:29:00:00:00:00:00:3e
Certificate

bc:cd:c5:38:57:31:0f:b2:6f:a2:e4:d1:6a:a5:13:7c:cf:98:42:9d:a8:d2:2b:56:44:77:62:ef:dc:d3:b4:09
Signer

.text
Size: 46KB - Virtual size: 46KB

.rdata
Size: 36KB - Virtual size: 36KB

.data
Size: 3KB - Virtual size: 7KB

.pdata
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 2KB - Virtual size: 1KB

54:98:d2:d1:d4:5b:19:95:48:13:79:c8:11:c0:87:99
Certificate

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bd
Certificate

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bd
Certificate

33:00:00:00:06:4a:1a:fa:cf:05:61:6a:74:00:00:00:00:00:06
Certificate

33:00:00:00:07:87:a3:34:a3:7b:a5:8e:1c:00:00:00:00:00:07
Certificate

33:00:00:00:05:e5:cf:0f:ff:66:2e:c9:87:00:00:00:00:00:05
Certificate

33:00:00:00:3f:04:1a:e9:7e:6d:27:fe:eb:00:00:00:00:00:3f
Certificate

3d:e6:b0:60:1a:0c:cc:33:d6:69:ad:23:47:0f:13:35:70:23:59:6c:e1:c8:da:45:aa:9d:63:b7:7e:f4:d6:cf
Signer

.text
Size: 239KB - Virtual size: 238KB

.rdata
Size: 62KB - Virtual size: 61KB

.data
Size: 6KB - Virtual size: 9KB

psf
Size: 512B - Virtual size: 16B

.detourc
Size: 4KB - Virtual size: 4KB

.detourd
Size: 512B - Virtual size: 12B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 13KB - Virtual size: 12KB

54:98:d2:d1:d4:5b:19:95:48:13:79:c8:11:c0:87:99
Certificate

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bd
Certificate

33:00:00:a5:bd:2b:19:34:f3:63:3b:01:94:00:00:00:00:a5:bd
Certificate

33:00:00:00:06:4a:1a:fa:cf:05:61:6a:74:00:00:00:00:00:06
Certificate

33:00:00:00:07:87:a3:34:a3:7b:a5:8e:1c:00:00:00:00:00:07
Certificate

33:00:00:00:05:e5:cf:0f:ff:66:2e:c9:87:00:00:00:00:00:05
Certificate

33:00:00:00:3f:04:1a:e9:7e:6d:27:fe:eb:00:00:00:00:00:3f
Certificate

b9:7a:fa:f8:de:4d:04:c5:2a:e6:e5:b9:30:37:13:c9:4c:de:dc:f5:7c:89:32:00:75:37:51:4d:7a:f2:d1:51
Signer

.text
Size: 276KB - Virtual size: 275KB

.rdata
Size: 93KB - Virtual size: 93KB

.data
Size: 7KB - Virtual size: 13KB

.pdata
Size: 15KB - Virtual size: 15KB

psf
Size: 512B - Virtual size: 32B

.detourc
Size: 8KB - Virtual size: 8KB

.detourd
Size: 512B - Virtual size: 24B

.rsrc
Size: 512B - Virtual size: 480B