NordVPNSetup.exe
This report is generated from a file or URL submitted to this webservice on June 9th 2020 04:21:41 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware: Found a string that may be used as part of an injection method
- Persistence: Spawns a lot of processes; Writes data to a remote process
- Fingerprint: Queries kernel debugger information; Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: Marks file for deletion; Possibly tries to implement anti-virtualization techniques
- Spreading: Opens the MountPointManager (often used to detect additional infection locations); Tries to access unusual system drive letters
MITRE ATT&CK™ Techniques Detection
Indicators
Malicious Indicators (5)

Installation/Persistence

Writes data to a remote process
- details:
"msiexec.exe" wrote 1500 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 428)
"msiexec.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 428)
"msiexec.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 428)
"msiexec.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 428)
"msiexec.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 428)
"msiexec.exe" wrote 1500 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 300)
"msiexec.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 300)
"msiexec.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 300)
"msiexec.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 300)
"msiexec.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 300)
"msiexec.exe" wrote 1500 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 484)
"msiexec.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 484)
"msiexec.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 484)
"msiexec.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 484)
"msiexec.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 484)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055

Unusual Characteristics

Spawns a lot of processes
- details:
Spawned process "NordVPNSetup.exe"
Spawned process "msiexec.exe" with commandline "/V"
Spawned process "msiexec.exe" with commandline "-Embedding F55385F13AFCA159315E3311710FA49E C"
Spawned process "msiexec.exe" with commandline "-Embedding 0E47A3DF0E09F4DCDBD727635EF3C243 C"
Spawned process "msiexec.exe" with commandline "-Embedding 89B732C44E03CFAD1E34279F8617B271 C"
- source: Monitored Target
- relevance: 8/10

Tries to access unusual system drive letters
- details:
"NordVPNSetup.exe" touched "K:"
"NordVPNSetup.exe" touched "L:"
"NordVPNSetup.exe" touched "M:"
"NordVPNSetup.exe" touched "N:"
"NordVPNSetup.exe" touched "O:"
"NordVPNSetup.exe" touched "P:"
"NordVPNSetup.exe" touched "Q:"
"NordVPNSetup.exe" touched "R:"
"NordVPNSetup.exe" touched "S:"
"NordVPNSetup.exe" touched "T:"
"NordVPNSetup.exe" touched "U:"
"NordVPNSetup.exe" touched "V:"
"NordVPNSetup.exe" touched "W:"
- source: API Call
- relevance: 9/10
- ATT&CK ID: T1083

Hiding 2 Malicious Indicators (available only in the private webservice or standalone version)

Suspicious Indicators (21)

Anti-Detection/Stealthiness

Queries kernel debugger information
- details:
"NordVPNSetup.exe" at 00179668-00003752-00000033-5456079715
"msiexec.exe" at 00180511-00003080-00000033-27873983295
"msiexec.exe" at 00180641-00003100-00000033-33843961967
"msiexec.exe" at 00185359-00003768-00000033-193702839171
"msiexec.exe" at 00185628-00003336-00000033-202291933257
- source: API Call
- relevance: 6/10

Environment Awareness

Possibly tries to implement anti-virtualization techniques
- details: "Y_^M3]UjhmdPXt 3EVWPEdUuu}uEEEEEErMQh`PR=uqEMUA+ME;sJE:v8E+;vQQM2Z+MMPjQ4KuuUr?EPRWuuKUEEEEyfEffu+QRMME13EEEEfEMEE3FF~AfFAAfEEtMEeEEtMEIEM}PMd" (Indicator: "qemu")
- source: File/Memory
- relevance: 4/10
- ATT&CK ID: T1497

Reads the cryptographic machine GUID
- details:
"NordVPNSetup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

General

Found a potential E-Mail address in binary/memory
- details:
Pattern match: "0@yk.y"
Pattern match: "w@onsi9s-z.mnr2"
Pattern match: "rozywqqq6i4omwen@kk.yk"
Pattern match: "valzuv@gt.ngcalvd"
Pattern match: "xbvdh82dyd@j5kf0.2rffp5gfa"
Pattern match: "o@t.text"
Pattern match: "4e3jp.@.t.hp.t.f"
Pattern match: "ef@3geefemqpmmemh.umbm3eeeefeeettjpepkbee"
Pattern match: "qr@jh.y"
Pattern match: "j.yf9uf9t-f9uf9tpsp@ugpvdj.yu"
Pattern match: "r@q8.yzzntcd"
- source: File/Memory
- relevance: 3/10
- ATT&CK ID: T1114

Opened the service control manager
- details:
"NordVPNSetup.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
"NordVPNSetup.exe" called "OpenSCManager" requesting access rights "0XE0000000L"
"msiexec.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1035

Installation/Persistence

Drops executable files
- details:
"decoder.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI1116.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI314D.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI41A9.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10

System Destruction

Marks file for deletion
- details:
"C:\NordVPNSetup.exe" marked "%TEMP%\MSI1116.tmp" for deletion
"C:\NordVPNSetup.exe" marked "%TEMP%\MSI314D.tmp" for deletion
"C:\NordVPNSetup.exe" marked "%TEMP%\MSI41A9.tmp" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107

Opens file with deletion access rights
- details:
"NordVPNSetup.exe" opened "%TEMP%\MSIE468.tmp" with delete access
"NordVPNSetup.exe" opened "%TEMP%\MSI1116.tmp" with delete access
"NordVPNSetup.exe" opened "%TEMP%\MSI314D.tmp" with delete access
"NordVPNSetup.exe" opened "%TEMP%\MSI41A9.tmp" with delete access
- source: API Call
- relevance: 7/10

System Security

Modifies Software Policy Settings
- details:
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE")
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES")
"NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112

Unusual Characteristics

CRC value set in PE header does not match actual value
- details:
"decoder.dll" claimed CRC 0 while the actual is CRC 25013406
"MSI1116.tmp" claimed CRC 406171 while the actual is CRC 221069
"MSI41A9.tmp" claimed CRC 635312 while the actual is CRC 406171
- source: Static Parser
- relevance: 10/10

Imports suspicious APIs
- details:
GetDriveTypeW
GetFileAttributesW
UnhandledExceptionFilter
FindResourceExW
ConnectNamedPipe
CopyFileW
OutputDebugStringW
GetModuleFileNameW
IsDebuggerPresent
GetModuleFileNameA
LoadLibraryExA
LoadLibraryExW
CreateThread
TerminateProcess
GetModuleHandleExW
CreateToolhelp32Snapshot
LoadLibraryW
VirtualProtect
LoadLibraryA
GetFileSize
GetStartupInfoW
CreateDirectoryW
DeleteFileW
GetTempFileNameW
WriteFile
GetFileSizeEx
FindNextFileW
FindFirstFileW
FindFirstFileExW
GetProcAddress
CreateFileW
FindResourceW
Process32NextW
LockResource
GetCommandLineW
GetCommandLineA
CopyFileExW
Process32FirstW
GetModuleHandleW
GetTempPathW
CreateProcessW
Sleep
VirtualAlloc
ExitThread
RegCreateKeyExW
RegCloseKey
SetSecurityDescriptorDacl
OpenProcessToken
RegOpenKeyExW
LookupAccountNameW
StartServiceW
GetTickCount
OpenProcess
ReadProcessMemory
ShellExecuteW
ShellExecuteExW
GetWindowThreadProcessId
WSAStartup
RegEnumKeyExW
GetUserNameExW
InternetGetConnectedState
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details:
"NordVPNSetup.exe" wrote bytes "b4360200" to virtual address "0x74DA4EA4" (part of module "SSPICLI.DLL")
"NordVPNSetup.exe" wrote bytes "68130000" to virtual address "0x763A1680" (part of module "WS2_32.DLL")
"NordVPNSetup.exe" wrote bytes "b436da74" to virtual address "0x74DB0200" (part of module "SSPICLI.DLL")
"NordVPNSetup.exe" wrote bytes "d83ada74" to virtual address "0x74DB01FC" (part of module "SSPICLI.DLL")
"NordVPNSetup.exe" wrote bytes "b81015ec73ffe0" to virtual address "0x74DA36B4" (part of module "SSPICLI.DLL")
"NordVPNSetup.exe" wrote bytes "d83a0200" to virtual address "0x74DA4D78" (part of module "SSPICLI.DLL")
"NordVPNSetup.exe" wrote bytes "f8113f7620143f760c113f76f5163f76a9113f7685483f76b9343f76a9343f7668343f7600000000a56bac75e485ac75e04dac759cc0ac75a3bfac7592aeac750c7dac7500000000" to virtual address "0x74051000" (part of module "MSIMG32.DLL")
"NordVPNSetup.exe" wrote bytes "d83ada74" to virtual address "0x74DB0274" (part of module "SSPICLI.DLL")
"NordVPNSetup.exe" wrote bytes "c0df50771cf94f77ccf84f770d64517700000000c0113f7600000000fc3e3f7600000000e0133f76000000009457767625e05077c6e0507700000000bc6a757600000000cf313f760000000093197676000000002c323f7600000000" to virtual address "0x75FB1000" (part of module "NSI.DLL")
"NordVPNSetup.exe" wrote bytes "75dc1376273e137651c11176ee9c1176949811760fb31776109911769097117600000000f5163f76ead74076d9173f7669873f760f7741760c113f76a9343f7620143f76f8113f76ff103f7600000000" to virtual address "0x7415E000" (part of module "MSLS31.DLL")
"NordVPNSetup.exe" wrote bytes "a011ec73" to virtual address "0x7702E324" (part of module "WININET.DLL")
"NordVPNSetup.exe" wrote bytes "b89012ec73ffe0" to virtual address "0x74DA3AD8" (part of module "SSPICLI.DLL")
"NordVPNSetup.exe" wrote bytes "d83a0200" to virtual address "0x74DA4E38" (part of module "SSPICLI.DLL")
"NordVPNSetup.exe" wrote bytes "b4360200" to virtual address "0x74DA4D68" (part of module "SSPICLI.DLL")
"NordVPNSetup.exe" wrote bytes "d83ada74" to virtual address "0x74DB01E0" (part of module "SSPICLI.DLL")
"NordVPNSetup.exe" wrote bytes "7111ae007a3bad00ab8b02007f950200fc8c0200729602006cc805001ecdaa007d26aa00" to virtual address "0x76A807E4" (part of module "USER32.DLL")
"NordVPNSetup.exe" wrote bytes "b436da74" to virtual address "0x74DB025C" (part of module "SSPICLI.DLL")
"NordVPNSetup.exe" wrote bytes "b436da74" to virtual address "0x74DB0278" (part of module "SSPICLI.DLL")
"NordVPNSetup.exe" wrote bytes "b436da74" to virtual address "0x74DB01E4" (part of module "SSPICLI.DLL")
"NordVPNSetup.exe" wrote bytes "d83ada74" to virtual address "0x74DB0258" (part of module "SSPICLI.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179
Reads information about supported languages
- details:
"NordVPNSetup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"NordVPNSetup.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012

Hiding 8 Suspicious Indicators (available only in the private webservice or standalone version)

Informative (24)

Environment Awareness

Queries volume information
- details:
"NordVPNSetup.exe" queries volume information of "C:\" at 00179668-00003752-00000046-28755651564
"msiexec.exe" queries volume information of "C:\" at 00180511-00003080-00000046-32870832647
- source: API Call
- relevance: 2/10
- ATT&CK ID: T1120

Queries volume information of an entire hard drive
- details:
"NordVPNSetup.exe" queries volume information of "C:\" at 00179668-00003752-00000046-28755651564
"msiexec.exe" queries volume information of "C:\" at 00180511-00003080-00000046-32870832647
- source: API Call
- relevance: 8/10
- ATT&CK ID: T1120

External Systems

Sample was identified as clean by Antivirus engines
- details: 0/71 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10

General

Accesses Software Policy Settings
- details:
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"NordVPNSetup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"NordVPNSetup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"NordVPNSetup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"NordVPNSetup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"NordVPNSetup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"NordVPNSetup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"NordVPNSetup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"NordVPNSetup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"NordVPNSetup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE"; Key: "")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES"; Key: "")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS"; Key: "")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
Accesses System Certificates Settings
- details:
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\104C63D2546B8021DD105E9FBA5A8D78169F6B32"; Key: "BLOB")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\1FB86B1168EC743154062E8C9CC5B171A4B7CCB4"; Key: "BLOB")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\247106A405B288A46E70A0262717162D0903E734"; Key: "BLOB")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\339CDD57CFD5B141169B615FF31428782D1DA639"; Key: "BLOB")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "BLOB")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\902EF2DEEB3C5B13EA4C3D5193629309E231AE55"; Key: "BLOB")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\C86EDBC71AB05078F61ACDF3D8DC5DB61EB75FB6"; Key: "BLOB")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E3FC0AD84F2F5A83ED6F86F567F8B14B40DCBF12"; Key: "BLOB")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\EAB040689A0D805B5D6FD654FC168CFF00B78BE3"; Key: "BLOB")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"NordVPNSetup.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112
Contains PDB pathways
- details:
"C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb"
"C:\JobRelease\win\Release\stubs\x86\Decoder.pdb"
"C:\JobRelease\win\Release\custact\x86\XmlCfg.pdb" (recovered from a garbled memory string; the surrounding binary data is omitted)
"C:\JobRelease\win\Release\custact\x86\viewer.pdb" (recovered from a garbled memory string; the surrounding binary data is omitted)
- source: File/Memory
- relevance: 1/10

Creates a writable file in a temporary directory
- details:
"NordVPNSetup.exe" created file "%WINDIR%\Temp\NordVPN\NordVPN6.30.8\install\decoder.dll"
"NordVPNSetup.exe" created file "%WINDIR%\Temp\NordVPN\NordVPN6.30.8\install\holder0.aiph"
"NordVPNSetup.exe" created file "%TEMP%\MSIE468.LOG"
"NordVPNSetup.exe" created file "%WINDIR%\Temp\NordVPN\NordVPN6.30.8\install\1BFE57E\NordVPN Setup.msi"
"NordVPNSetup.exe" created file "%TEMP%\MSI1116.tmp"
"NordVPNSetup.exe" created file "%TEMP%\MSI314D.tmp"
"NordVPNSetup.exe" created file "%TEMP%\MSI41A9.tmp"
- source: API Call
- relevance: 1/10
Creates mutants
- details:
"\Sessions\1\BaseNamedObjects\Global\MSILOG_ae845cd61d63e15GOL.864EISM_pmeT_lacoL_ataDppA_SWBUPAH_sresU_:C"
"Global\MSILOG_ae845cd61d63e15GOL.864EISM_pmeT_lacoL_ataDppA_SWBUPAH_sresU_:C"
- source: Created Mutant
- relevance: 3/10

Drops files marked as clean
- details:
Antivirus vendors marked dropped file "decoder.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MSI1116.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MSI314D.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MSI41A9.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source: Binary File
- relevance: 10/10

Loads rich edit control libraries
- details: "NordVPNSetup.exe" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 73E40000
- source: Loaded Module
- ATT&CK ID: T1179

Overview of unique CLSIDs touched in registry
- details:
"NordVPNSetup.exe" touched "Task Bar Communication" (Path: "HKCU\WOW6432NODE\CLSID\{56FDF344-FD6D-11D0-958A-006097C9A090}")
"NordVPNSetup.exe" touched "Msi install server" (Path: "HKCU\WOW6432NODE\CLSID\{000C101C-0000-0000-C000-000000000046}\TREATAS")
"NordVPNSetup.exe" touched "PSFactoryBuffer" (Path: "HKCU\WOW6432NODE\CLSID\{000C103E-0000-0000-C000-000000000046}\TREATAS")
"NordVPNSetup.exe" touched "Microsoft Windows Installer Message RPC" (Path: "HKCU\CLSID\{000C101D-0000-0000-C000-000000000046}\DLLVERSION")
- source: Registry Access
- relevance: 3/10
Process launched with changed environment
- details:
Process "msiexec.exe" was launched with modified environment variables: "LOCALAPPDATA, TMP, PROCESSOR_ARCHITECTURE, USERDOMAIN, CommonProgramFiles, ProgramFiles, Path, USERPROFILE, TEMP, APPDATA"
Process "msiexec.exe" was launched with missing environment variables: "PROMPT, LOGONSERVER, HOMEPATH, HOMEDRIVE, PROCESSOR_ARCHITEW6432"
Process "msiexec.exe" was launched with new environment variables: "PROMPT="$P$G", LOGONSERVER="\\HAPUBWS-PC", HOMEPATH="\Users\yetrbWM", HOMEDRIVE="C:", PROCESSOR_ARCHITEW6432="AMD64""
Process "msiexec.exe" was launched with modified environment variables: "LOCALAPPDATA, TMP, PROCESSOR_ARCHITECTURE, USERDOMAIN, CommonProgramFiles, ProgramFiles, Path, USERPROFILE, TEMP, APPDATA"
- source: Monitored Target
- relevance: 10/10

Reads Windows Trust Settings
- details: "NordVPNSetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Scanning for window names
- details: "NordVPNSetup.exe" searching for class "Shell_TrayWnd"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1010

Spawns new processes
- details:
Spawned process "msiexec.exe" with commandline "/V"
Spawned process "msiexec.exe" with commandline "-Embedding F55385F13AFCA159315E3311710FA49E C"
Spawned process "msiexec.exe" with commandline "-Embedding 0E47A3DF0E09F4DCDBD727635EF3C243 C"
Spawned process "msiexec.exe" with commandline "-Embedding 89B732C44E03CFAD1E34279F8617B271 C"
- source: Monitored Target
- relevance: 3/10

Spawns new processes that are not known child processes
- details:
Spawned process "msiexec.exe" with commandline "/V"
Spawned process "msiexec.exe" with commandline "-Embedding F55385F13AFCA159315E3311710FA49E C"
Spawned process "msiexec.exe" with commandline "-Embedding 0E47A3DF0E09F4DCDBD727635EF3C243 C"
Spawned process "msiexec.exe" with commandline "-Embedding 89B732C44E03CFAD1E34279F8617B271 C"
- source: Monitored Target
- relevance: 3/10

The input sample is signed with a certificate
- details:
The input sample is signed with a certificate issued by "CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE" (SHA1: 0B:BF:AB:97:05:95:95:E8:D1:EC:48:E8:9E:B8:65:7C:0E:5A:AE:71; see report for more information)
The input sample is signed with a certificate issued by "CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3" (SHA1: 87:A6:3D:9A:DB:62:7D:77:78:36:15:3C:68:0A:3D:FC:F2:7D:E9:0C; see report for more information)
The input sample is signed with a certificate issued by "CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE" (SHA1: A4:F9:7D:B7:17:8D:49:9C:AE:99:AE:49:EB:24:BD:B3:BF:21:97:7F; see report for more information)
- source: Certificate Data
- relevance: 10/10
- ATT&CK ID: T1116

Installation/Persistence

Connects to LPC ports
- details: "NordVPNSetup.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Dropped files
- details:
"decoder.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"NordVPN Setup.msi" has type "Composite Document File V2 Document Can't read SAT"
"MSI1116.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B" has type "data"
"MSI314D.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI41A9.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037" has type "data"
"DF8D319B9741B9E1EBE906AACEA5CBBA_F9985C75AEFCA67215471BFB58801100" has type "data"
"57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "data"
- source: Binary File
- relevance: 3/10
Touches files in the Windows directory
- details:
"NordVPNSetup.exe" touched file "%WINDIR%\SysWOW64\en-US\setupapi.dll.mui"
"NordVPNSetup.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"NordVPNSetup.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
"NordVPNSetup.exe" touched file "%WINDIR%\SysWOW64\en-US\msctf.dll.mui"
"NordVPNSetup.exe" touched file "%WINDIR%\Temp\NordVPN\NordVPN6.30.8"
"NordVPNSetup.exe" touched file "%WINDIR%\Temp\NordVPN\NordVPN6.30.8\install"
"NordVPNSetup.exe" touched file "%WINDIR%\Temp\NordVPN\NordVPN6.30.8\install\decoder.dll"
"NordVPNSetup.exe" touched file "%WINDIR%\Temp"
"NordVPNSetup.exe" touched file "%WINDIR%\Temp\NordVPN"
"NordVPNSetup.exe" touched file "%WINDIR%\Temp\NordVPN\NordVPN6.30.8\install\holder0.aiph"
"NordVPNSetup.exe" touched file "%WINDIR%\Temp\NordVPN\NordVPN6.30.8\install\1BFE57E"
- source: API Call
- relevance: 7/10

Network Related

Found potential URL in binary/memory
- details:
Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
Heuristic match: "#>e_V+.kh"
Pattern match: "0.jR/G*S"
Pattern match: "http://www.yahoo.com"
Pattern match: "http://www.google.com"
Pattern match: "http://www.example.com"
Pattern match: "https://download.microsoft.com/download/C/8/7/C87AE67E-A228-48FB-8F02-B2A9A1238099/Windows6.1-KB3033929-x64.msu"
Pattern match: "https://download.microsoft.com/download/5/0/5/505D7894-362D-4AB6-BEC3-6A791C15E2D5/Windows6.1-KB3147071-x86.msu"
Pattern match: "http://ocsp.globalsign.com/rootr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDQ"
Pattern match: "http://ocsp2.globalsign.com/gsextendcodesignsha2g3/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQ3DAV9N6WelMGCzSTdNIqjdmfHiAQU3CxYLCpvNS2feZWoSF3"
Pattern match: "http://ocsp2.globalsign.com/rootr3/ME8wTTBLMEkwRzAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDkg"
Heuristic match: "'I|[eKx},IC;7.@7\{BRLM3XPaL<9KYG5ps9Jpn^RvI%qB85|A ;.sI"
Pattern match: "jQyj.CPPt/ExrPPEYh`hFEPw3wf~fGEEE_G3Gf~fGEE_EMMd"
Heuristic match: "Y_^]UjhdPQVt 3PEduEN^E.Md"
Heuristic match: "Y^]UjhCdPQVt 3PEduENEz.Md"
Pattern match: "http://t1.symcb.com/ThawtePCA.crl0U%0++0U0"
Pattern match: "http://tl.symcb.com/tl.crl0U0U%0"
Pattern match: "https://www.thawte.com/cps0/+0#!https://www.thawte.com/repository0W+K0I0+0http://tl.symcd.com0&+0http://tl.symcb.com/tl.crt0"
Pattern match: "https://www.advancedinstaller.com"
Pattern match: "https://d.symcb.com/cps0%+0https://d.symcb.com/rpa0.+0"
Pattern match: "https://d.symcb.com/cps0%+0https://d.symcb.com/rpa0@U9070531/http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0U%0"
Pattern match: "http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(U!0010UTimeStamp-2048-60Un_;1y6{0U#0cNrA)8ub0"
Pattern match: "wP.cmHm/.k|^}qL^E][m+f" - source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
-
System Security
-
Creates or modifies windows services
- details
- "NordVPNSetup.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "NordVPNSetup.exe" opened "\Device\KsecDD"
- "msiexec.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Show technique in the MITRE ATT&CK™ matrix)
Unusual Characteristics
Matched Compiler/Packer signature
- details
- "3d4e640c0e23968800fcb5aa56818fe0fef2586dab5f847b82461502e7c17308.bin" was detected as "VC8 -> Microsoft Corporation"
- "decoder.dll" was detected as "Borland Delphi 3.0 (???)"
- "MSI1116.tmp" was detected as "Borland Delphi 3.0 (???)"
- "MSI41A9.tmp" was detected as "Borland Delphi 3.0 (???)"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045 (Show technique in the MITRE ATT&CK™ matrix)
File Details
NordVPNSetup.exe
- Filename
- NordVPNSetup.exe
- Size
- 24MiB (24975800 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 3d4e640c0e23968800fcb5aa56818fe0fef2586dab5f847b82461502e7c17308
- MD5
- f72093b4c5425b57a1638383d5db7917
- SHA1
- 4ff52f1616cacd0c377d7c204c0d4e78a24504d9
- ssdeep
- 393216:SfSRRgnudC3Zz2H4vI49/s3xFKw8iuEcr28fpfr8zhfCli:GmR0d3xzvps3xFK1iuE215EBCA
- imphash
- 4e34551681b88f54d3ea931d0557f57a
- authentihash
- 5c3462cc6aac140b448e9905610e7cd8953447990b612f0f316ef3a3025ba2c7
- Compiler/Packer
- VC8 -> Microsoft Corporation
- PDB Timestamp
- 08/01/2019 13:06:14 (UTC)
- PDB Pathway
- C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb
- PDB GUID
- C1DEA314C0EE4B19AED9CE31BB95FD30
Version Info
- LegalCopyright
- Copyright (C) 2020 NordVPN
- InternalName
- NordVPNSetup
- FileVersion
- 6.30.8
- CompanyName
- NordVPN
- ProductName
- NordVPN
- ProductVersion
- 6.30.8
- FileDescription
- NordVPN Installer
- OriginalFileName
- NordVPNSetup.exe
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 91.7% (.OCX) Windows ActiveX control
- 3.5% (.EXE) Win32 Executable (generic)
- 1.5% (.EXE) OS/2 Executable (generic)
- 1.5% (.EXE) Generic Win/DOS Executable
- 1.5% (.EXE) DOS Executable Generic
File Metadata
- 1 .OBJ Files (COFF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 27905)
- 1 Unknown Resource Files (build: 0)
- 290 .BAS Files compiled with C2.EXE 5.0 (Visual Basic 6) (build: 27905)
- 2 .BAS Files compiled with C2.EXE 5.00 (Visual Studio 5) (build: 26213)
- 26 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 26213)
- 98 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 26504)
- 23 .OBJ Files (OMF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 26504)
- 19 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 26504)
- 179 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 26213)
- 14 .OBJ Files (OMF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 26213)
- File contains Visual Basic code
- File appears to contain raw COFF/OMF content
- File is the product of a large codebase (290 files)
File Sections
File Resources
File Imports
File Certificates
Error validating certificate: No signature was present in the subject. (0x800b0100)
Owner | Issuer | Validity | Hashes (MD5, SHA1)
---|---|---|---
CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3 | CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE (Serial: 1ee5f169dff97352b6465d66a) | 09/19/2018 00:00:00 to 01/28/2028 12:00:00 | 58:BF:B0:EA:CF:17:E2:D0:A6:5A:4D:06:10:42:C3:BF, 0B:BF:AB:97:05:95:95:E8:D1:EC:48:E8:9E:B8:65:7C:0E:5A:AE:71
CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE | CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3 (Serial: 481b6a07a9424c1eaafef3cdf10f) | 06/15/2016 00:00:00 to 06/15/2024 00:00:00 | 3C:59:FF:68:9C:16:9A:B9:30:4B:F0:87:06:42:9B:CE, 87:A6:3D:9A:DB:62:7D:77:78:36:15:3C:68:0A:3D:FC:F2:7D:E9:0C
EMAILADDRESS=admin@nordvpn.com, CN=TEFINCOM S.A., O=TEFINCOM S.A., STREET="50th Street, Global Plaza Tower, 19th Floor, Suite H", L=Panama, ST=Panama, C=PA, OID.1.3.6.1.4.1.311.60.2.1.3=PA, SERIALNUMBER=155628861, OID.2.5.4.15=Private Organization | CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE (Serial: 7b0f7049634bd8fd7f77a580) | 05/14/2019 12:05:33 to 06/13/2021 12:05:33 | C9:7F:0D:D0:5F:89:EC:53:ED:77:7E:3B:9C:8B:7D:A6, A4:F9:7D:B7:17:8D:49:9C:AE:99:AE:49:EB:24:BD:B3:BF:21:97:7F
Screenshots
Hybrid Analysis
Analysed 5 processes in total (System Resource Monitor).
- NordVPNSetup.exe (PID: 3752)
- msiexec.exe /V (PID: 3080)
- msiexec.exe -Embedding F55385F13AFCA159315E3311710FA49E C (PID: 3100)
- msiexec.exe -Embedding 0E47A3DF0E09F4DCDBD727635EF3C243 C (PID: 3768)
- msiexec.exe -Embedding 89B732C44E03CFAD1E34279F8617B271 C (PID: 3336)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 9 extracted file(s). The remaining 3 file(s) are available in the full version and XML/JSON reports.
Clean 4
- MSI1116.tmp
- Size
- 372KiB (381088 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/71
- Runtime Process
- NordVPNSetup.exe (PID: 3752)
- MD5
- a3b4d222a755f43b34a0963f13f77500
- SHA1
- e3bd216f35434287197082745b9f789b9a4f93c6
- SHA256
- 9692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54
- MSI314D.tmp
- Size
- 372KiB (381088 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/71
- Runtime Process
- NordVPNSetup.exe (PID: 3752)
- MD5
- a3b4d222a755f43b34a0963f13f77500
- SHA1
- e3bd216f35434287197082745b9f789b9a4f93c6
- SHA256
- 9692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54
- MSI41A9.tmp
- Size
- 564KiB (577184 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/70
- Runtime Process
- NordVPNSetup.exe (PID: 3752)
- MD5
- c1b635990fad0fcce9eea1cdb72860f0
- SHA1
- d32e1f9ccbec61d87597bf9345999c0290156544
- SHA256
- 4f6922e784cad973e2dd5c8896cffab49b8f92a6b1516ed53e93ade76495bc16
- decoder.dll
- Size
- 181KiB (185344 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- NordVPNSetup.exe (PID: 3752)
- MD5
- 44329f1efd42e8d09592a0ec994b2d78
- SHA1
- a2bb4a5effcba644362a3707d99ad06bf7527ca8
- SHA256
- 2c7a85b13e198c5f43ba56d074505399304a7bf5fc1c50eee288d8c9bacf7bff
Informative 5
- 57C8EDB95DF3F0AD4EE2DC2B8CFD4157
- Size
- 340B (340 bytes)
- Type
- data
- Runtime Process
- NordVPNSetup.exe (PID: 3752)
- MD5
- 87a924e772291e8ec426505aa5abc2c3
- SHA1
- d621eee58d60d7ee6446f114723f62b3b73f8419
- SHA256
- aefda3801fb99a41f0a31fee9de794a81411a9ed6a3caff9b4ce1e5bcb43c4c0
- 0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B
- Size
- 1.5KiB (1526 bytes)
- Type
- data
- Runtime Process
- NordVPNSetup.exe (PID: 3752)
- MD5
- bbb522e81a90ba6d25b66ac674f8c574
- SHA1
- 3efc63cbc3e658805fbe8b2c8a8e844c1e6ea380
- SHA256
- 7c7ca82238dba1e35a5ebbf4953a1a2e1ca418dbb64fef2965c94b7c9832ec11
- B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037
- Size
- 498B (498 bytes)
- Type
- data
- Runtime Process
- NordVPNSetup.exe (PID: 3752)
- MD5
- 8624c00bc01dd91177078551180ef036
- SHA1
- b63adb34050d75ef8336f52c167305419b5372f1
- SHA256
- 28164132973c13482a70054000c9165dcd9df5b12a7327f2989fd775a6463b25
- DF8D319B9741B9E1EBE906AACEA5CBBA_F9985C75AEFCA67215471BFB58801100
- Size
- 530B (530 bytes)
- Type
- data
- Runtime Process
- NordVPNSetup.exe (PID: 3752)
- MD5
- 22b146417e9f89ea470994fc218e6397
- SHA1
- ee0ea11c5f24e99cdd61008a202008005b5dd507
- SHA256
- 22a404c6ea268b390ff1842c04856b9d10e965098d525219fa7f403a417a55bc
- NordVPN Setup.msi
- Size
- 4MiB (4194304 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Can't read SAT
- Runtime Process
- NordVPNSetup.exe (PID: 3752)
- MD5
- d06a68bd2dbd5390c8e14cfa36809cf5
- SHA1
- 0135684ba42283632f25d0fa2b2fa2d7f5719cde
- SHA256
- b2da6643cc4240a477c557b9cee22ad2e67fe7aa66b741fe4273f0441fbe55d8
Notifications
Runtime
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-12" are available in the report
- Not all sources for indicator ID "api-31" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "registry-1" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report