Windows Analysis Report
NordVPNInstaller.exe

Overview

General Information

Sample name:	NordVPNInstaller.exe
Analysis ID:	1502485
MD5:	59acd8c97c40ed66cf5fcd0e0c010c6a
SHA1:	d3a5cb8dba49d929afe3b05687a3286b5db0b7c3
SHA256:	e4c05c4d5182791ce9f92e0c7da446c15bf65ac47e57e183d2fe83cc3c33c705
Tags:	exe
Infos:

Detection

Agent Tesla, AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Agent Tesla keylogger

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Contains functionality to capture screen (.Net source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Moves itself to temp directory

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Stores large binary data to the registry

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: NordVPNInstaller.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe

Avira: detection malicious, Label: TR/Spy.Agent.lkofd

Found malware configuration

Source: NordVPNInstaller.exe

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Web Panel", "C2 url": "https://plantain-elk-b8pt.squarespace.com/api/comment/FlagComment"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: NordVPNInstaller.exe	ReversingLabs: Detection: 63%
Source: NordVPNInstaller.exe	Virustotal: Detection: 56%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.6% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: NordVPNInstaller.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: NordVPNInstaller.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49746 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49781 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49780 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49790 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49792 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49793 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49820 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49821 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49822 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49869 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49870 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49872 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49873 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49871 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49878 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49879 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.4:49883 -> 198.185.159.177:443 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49889 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49890 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49890 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49891 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49892 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49896 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49895 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49901 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49900 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49899 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49904 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49903 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49902 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49910 version: TLS 1.0

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: NordVPNInstaller.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb source: NordVPNInstaller.exe, bbb.exe.0.dr
Source:	Binary string: r\VB.net\stealers\firefoxx64\firefox\obj\Debug\firefox.pdb source: NordVPNInstaller.exe, bbb.exe.0.dr

Networking

Yara detected Generic Downloader

Source: Yara match	File source: NordVPNInstaller.exe, type: SAMPLE
Source: Yara match	File source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.dyndns.orgConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 198.185.159.177 198.185.159.177
Source: Joe Sandbox View	IP Address: 198.185.159.177 198.185.159.177
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SQUARESPACEUS SQUARESPACEUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

May check the online IP address of the machine

Source: unknown

DNS query: name: checkip.dyndns.org

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 314Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 578Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 314Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 578Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 850Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108352Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 116734Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108700Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108904Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 324Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108352Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 326Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108352Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108764Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108762Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108762Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108762Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 110888Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 109600Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 324Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108352Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 116734Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 116722Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 116736Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108324Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49746 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49781 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49780 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49790 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49792 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49793 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49820 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49821 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49822 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49869 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49870 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49872 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49873 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49871 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49878 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49879 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.4:49883 -> 198.185.159.177:443 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49889 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49890 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49890 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49891 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49892 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49896 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49895 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49901 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49900 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49899 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49904 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49903 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49902 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49910 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe

Code function: 4_2_00CBA09A recv,

4_2_00CBA09A

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: plantain-elk-b8pt.squarespace.com

Source: unknown

HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continueConnection: Keep-Alive

Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://DynDns.com
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://Paltalk.com
Source: bbb.exe, 00000005.00000002.2132252567.00000000032BA000.00000004.00000800.00020000.00000000.sdmp, bbb.exe, 00000005.00000002.2132252567.0000000003280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, bbb.exe, 00000004.00000002.3078215363.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, bbb.exe, 00000005.00000002.2132252567.0000000003280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://checkip.dyndns.org/E
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: bbb.exe, 00000004.00000002.3072073018.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp, bbb.exe, 00000005.00000002.2131657052.0000000001200000.00000004.00000020.00020000.00000000.sdmp, NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://no-ip.com
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: bbb.exe, 00000004.00000002.3072073018.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp, bbb.exe, 00000005.00000002.2131657052.0000000001200000.00000004.00000020.00020000.00000000.sdmp, NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: NordVPNInstaller.exe, 00000000.00000002.2764791326.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, bbb.exe, 00000004.00000002.3072073018.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp, bbb.exe, 00000005.00000002.2131657052.0000000001200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsig
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: bbb.exe, 00000004.00000002.3072073018.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp, bbb.exe, 00000005.00000002.2131657052.0000000001200000.00000004.00000020.00020000.00000000.sdmp, NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: bbb.exe, 00000004.00000002.3072073018.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp, bbb.exe, 00000005.00000002.2131657052.0000000001200000.00000004.00000020.00020000.00000000.sdmp, NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: NordVPNInstaller.exe, 00000000.00000002.2778376127.0000000005B60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.c
Source: bbb.exe, 00000004.00000002.3072073018.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.000000000371D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespac
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp, NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000036F1000.00000004.00000800.00020000.00000000.sdmp, NordVPNInstaller.exe, 00000000.00000002.2765864520.0000000003721000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp, NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd&
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd&.
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd&:
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd&;
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd&_
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd&r
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd.
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd.3
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd.9
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd.V
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd.k
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd.z
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd2
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd2&
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd2C
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd2g
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd6
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd60
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd6T
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd6d
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd:
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd:A
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdB
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdBu
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdF
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdFV
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdFm
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdJ
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdJM
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdJZ
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdJn
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdJs
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdN
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdNG
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdR
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdR4
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdRF
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdRM
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdRg
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdRj
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdV
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdV:
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdVQ
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdVW
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdZ
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdZ?
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdZD
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdZh
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdb
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdb3
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdb8
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdbB
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdbE
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdbY
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdb_
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdf
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdf/
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdfL
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdfP
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdj
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdj1
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdj9
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdn
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdn&
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdnI
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdr
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdrf
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdv
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdvB
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdvz
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdz
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdzv
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd~
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd~;
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd~c
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd~s
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, bbb.exe, 00000004.00000002.3078215363.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespace.com
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.0000000003020000.00000004.00000800.00020000.00000000.sdmp, NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp, NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000036F1000.00000004.00000800.00020000.00000000.sdmp, NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032CF000.00000004.00000800.00020000.00000000.sdmp, NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032D7000.00000004.00000800.00020000.00000000.sdmp, bbb.exe, 00000004.00000002.3078215363.0000000003394000.00000004.00000800.00020000.00000000.sdmp, bbb.exe, 00000004.00000002.3078215363.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp, bbb.exe, 00000004.00000002.3078215363.0000000003355000.00000004.00000800.00020000.00000000.sdmp, bbb.exe, 00000004.00000002.3078215363.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespace.com$
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: https://plantain-elk-b8pt.squarespace.com/api/comment/FlagComment
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Detected Agent Tesla keylogger

Source: NordVPNInstaller.exe, 00000000.00000000.1663885964.0000000000932000.00000002.00000001.01000000.00000003.sdmp	Memory string: get_Clipboard
Source: NordVPNInstaller.exe, 00000000.00000000.1663885964.0000000000932000.00000002.00000001.01000000.00000003.sdmp	Memory string: set_Sendwebcam
Source: NordVPNInstaller.exe, 00000000.00000000.1663885964.0000000000932000.00000002.00000001.01000000.00000003.sdmp	Memory string: get_ComputerName
Source: NordVPNInstaller.exe, 00000000.00000000.1663885964.0000000000932000.00000002.00000001.01000000.00000003.sdmp	Memory string: get_UserName

Contains functionality to capture screen (.Net source)

Source: NordVPNInstaller.exe, B.cs	.Net Code: O_U
Source: bbb.exe.0.dr, B.cs	.Net Code: O_U

Installs a global keyboard hook

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\NordVPNInstaller.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\bbb\bbb.exe			Jump to behavior

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: NordVPNInstaller.exe, type: SAMPLE	Matched rule: AgentTesla Payload Author: kevoreilly
Source: NordVPNInstaller.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: NordVPNInstaller.exe, type: SAMPLE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: NordVPNInstaller.exe, type: SAMPLE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTesla Payload Author: kevoreilly
Source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTesla Payload Author: kevoreilly
Source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTesla Payload Author: kevoreilly
Source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: NordVPNInstaller.exe PID: 3524, type: MEMORYSTR	Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Source: Process Memory Space: bbb.exe PID: 1196, type: MEMORYSTR	Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED	Matched rule: AgentTesla Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

Yara detected AgentTesla

Source: Yara match	File source: Process Memory Space: NordVPNInstaller.exe PID: 3524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bbb.exe PID: 1196, type: MEMORYSTR
Source: Yara match	File source: NordVPNInstaller.exe, type: SAMPLE
Source: Yara match	File source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1663885964.0000000000932000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Process Stats: CPU usage > 49%

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 70350000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 70D50000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 70850000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 71250000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 71750000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 71C50000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 72150000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 72B00000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 73E00000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 77040000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 77A40000 page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Memory allocated: 70350000 page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Memory allocated: 70850000 page read and write	Jump to behavior

Contains functionality to call native functions

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_05DE2D92 NtQuerySystemInformation,	0_2_05DE2D92
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_05DE2D57 NtQuerySystemInformation,	0_2_05DE2D57
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_05932EBA NtQuerySystemInformation,	4_2_05932EBA
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_05932E7F NtQuerySystemInformation,	4_2_05932E7F

Detected potential crypto function

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_053D2C7C	0_2_053D2C7C
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_053D0F78	0_2_053D0F78
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_053D3E4F	0_2_053D3E4F
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_053D0F68	0_2_053D0F68
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_053D1299	0_2_053D1299
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_065932C8	0_2_065932C8
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_0669D300	0_2_0669D300
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_0669A7E8	0_2_0669A7E8
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_06695550	0_2_06695550
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_0669A138	0_2_0669A138
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_0669A7D9	0_2_0669A7D9
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_066951A8	0_2_066951A8
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_067F4120	0_2_067F4120
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_05022A21	4_2_05022A21
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_05020F78	4_2_05020F78
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_05020F69	4_2_05020F69
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_05021299	4_2_05021299
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_0606081C	4_2_0606081C
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_060648A1	4_2_060648A1
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_0606D300	4_2_0606D300
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_0606A138	4_2_0606A138
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_06065550	4_2_06065550
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_0606A7E8	4_2_0606A7E8
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_060651A8	4_2_060651A8
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_0606A7D9	4_2_0606A7D9
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_060741E0	4_2_060741E0
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_06072FFC	4_2_06072FFC
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 5_2_056D0F78	5_2_056D0F78
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 5_2_056D0F69	5_2_056D0F69
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 5_2_056D1299	5_2_056D1299

One or more processes crash

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 12572

PE / OLE file has an invalid certificate

Source: NordVPNInstaller.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: NordVPNInstaller.exe, 00000000.00000002.2780165235.00000000065A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameIELibrary.dll4 vs NordVPNInstaller.exe
Source: NordVPNInstaller.exe, 00000000.00000000.1663885964.0000000000969000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs NordVPNInstaller.exe
Source: NordVPNInstaller.exe, 00000000.00000002.2764791326.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs NordVPNInstaller.exe
Source: NordVPNInstaller.exe, 00000000.00000000.1663885964.0000000000932000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIELibrary.dll4 vs NordVPNInstaller.exe
Source: NordVPNInstaller.exe, 00000000.00000000.1663885964.0000000000932000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefirefox.exe4 vs NordVPNInstaller.exe
Source: NordVPNInstaller.exe	Binary or memory string: OriginalFilenameIELibrary.dll4 vs NordVPNInstaller.exe
Source: NordVPNInstaller.exe	Binary or memory string: OriginalFilenamefirefox.exe4 vs NordVPNInstaller.exe
Source: NordVPNInstaller.exe	Binary or memory string: OriginalFileName vs NordVPNInstaller.exe

Uses 32bit PE files

Source: NordVPNInstaller.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: NordVPNInstaller.exe, type: SAMPLE	Matched rule: AgentTesla_1 author = kevoreilly, description = AgentTesla Payload, cape_type = AgentTesla Payload
Source: NordVPNInstaller.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: NordVPNInstaller.exe, type: SAMPLE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: NordVPNInstaller.exe, type: SAMPLE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTesla_1 author = kevoreilly, description = AgentTesla Payload, cape_type = AgentTesla Payload
Source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTesla_1 author = kevoreilly, description = AgentTesla Payload, cape_type = AgentTesla Payload
Source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTesla_1 author = kevoreilly, description = AgentTesla Payload, cape_type = AgentTesla Payload
Source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: NordVPNInstaller.exe PID: 3524, type: MEMORYSTR	Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, version = stealer, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a
Source: Process Memory Space: bbb.exe PID: 1196, type: MEMORYSTR	Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, version = stealer, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED	Matched rule: AgentTesla_1 author = kevoreilly, description = AgentTesla Payload, cape_type = AgentTesla Payload
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload

Source: NordVPNInstaller.exe, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: NordVPNInstaller.exe, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: NordVPNInstaller.exe, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: NordVPNInstaller.exe, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: NordVPNInstaller.exe, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: NordVPNInstaller.exe, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: NordVPNInstaller.exe, DJW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: NordVPNInstaller.exe, DJW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bbb.exe.0.dr, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bbb.exe.0.dr, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bbb.exe.0.dr, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bbb.exe.0.dr, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bbb.exe.0.dr, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bbb.exe.0.dr, B.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/7@2/2

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_05DE244E AdjustTokenPrivileges,	0_2_05DE244E
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_05DE2417 AdjustTokenPrivileges,	0_2_05DE2417
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_05932576 AdjustTokenPrivileges,	4_2_05932576
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_0593253F AdjustTokenPrivileges,	4_2_0593253F
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 5_2_06222576 AdjustTokenPrivileges,	5_2_06222576
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 5_2_0622253F AdjustTokenPrivileges,	5_2_0622253F

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

File created: C:\Users\user\AppData\Roaming\bbb

Jump to behavior

Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4b0e4149-cae4-4d92-95df-7ed46049df32

Source: NordVPNInstaller.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: NordVPNInstaller.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NordVPNInstaller.exe	ReversingLabs: Detection: 63%
Source: NordVPNInstaller.exe	Virustotal: Detection: 56%

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

File read: C:\Users\user\Desktop\NordVPNInstaller.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NordVPNInstaller.exe "C:\Users\user\Desktop\NordVPNInstaller.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\bbb\bbb.exe "C:\Users\user\AppData\Roaming\bbb\bbb.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\bbb\bbb.exe "C:\Users\user\AppData\Roaming\bbb\bbb.exe"
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 12572
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 12576
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 12572	Jump to behavior

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: fwpuclnt.dll

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: NordVPNInstaller.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: NordVPNInstaller.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb source: NordVPNInstaller.exe, bbb.exe.0.dr
Source:	Binary string: r\VB.net\stealers\firefoxx64\firefox\obj\Debug\firefox.pdb source: NordVPNInstaller.exe, bbb.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: NordVPNInstaller.exe, DJW.cs	.Net Code: FG System.Reflection.Assembly.Load(byte[])
Source: bbb.exe.0.dr, DJW.cs	.Net Code: FG System.Reflection.Assembly.Load(byte[])

PE file contains an invalid checksum

Source: bbb.exe.0.dr	Static PE information: real checksum: 0x48848 should be: 0x532b0
Source: NordVPNInstaller.exe	Static PE information: real checksum: 0x48848 should be: 0x532b0

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Code function: 0_2_065915A8 pushad ; retf

0_2_065915F9

Drops PE files

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

File created: C:\Users\user\AppData\Roaming\bbb\bbb.exe

Jump to dropped file

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyOtApp			Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyOtApp			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	File opened: C:\Users\user\AppData\Roaming\bbb\bbb.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	File opened: C:\Users\user\AppData\Roaming\bbb\bbb.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Moves itself to temp directory

Source: c:\users\user\desktop\nordvpninstaller.exe

File moved: C:\Users\user\AppData\Local\Temp\tmpG356.tmp

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Stores large binary data to the registry

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Jump to behavior

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: NordVPNInstaller.exe PID: 3524, type: MEMORYSTR

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 1300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 4FD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Memory allocated: F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Memory allocated: 4BA0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Memory allocated: 1880000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Memory allocated: 3230000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Memory allocated: 5230000 memory commit \| memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Window / User API: threadDelayed 1784	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Window / User API: threadDelayed 2016	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Window / User API: threadDelayed 3352	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Window / User API: threadDelayed 1971	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Window / User API: threadDelayed 3229	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Window / User API: threadDelayed 2475	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Window / User API: threadDelayed 2556	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Window / User API: threadDelayed 901	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\NordVPNInstaller.exe TID: 3192	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe TID: 3192	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe TID: 3192	Thread sleep time: -1784000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe TID: 3192	Thread sleep time: -2016000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe TID: 3192	Thread sleep time: -50280s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe TID: 5296	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe TID: 5296	Thread sleep time: -3229000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe TID: 5296	Thread sleep time: -37125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe TID: 5296	Thread sleep time: -38340s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe TID: 5296	Thread sleep time: -901000s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Code function: 0_2_05DE6B52 GetSystemInfo,

0_2_05DE6B52

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: dw20.exe, 00000007.00000002.2758474814.0000000000479000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: dw20.exe, 00000007.00000002.2758474814.000000000046B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWbQr
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: NordVPNInstaller.exe, 00000000.00000002.2778376127.0000000005B60000.00000004.00000020.00020000.00000000.sdmp, bbb.exe, 00000004.00000002.3072073018.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, bbb.exe, 00000005.00000002.2132954381.0000000006100000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: dw20.exe, 00000007.00000002.2758474814.000000000042E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW "G%SystemRoot%\system32\mswsock.dll />
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Process queried: DebugPort

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Code function: 0_2_053D1D68 LdrInitializeThunk,

0_2_053D1D68

Enables debug privileges

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 12572

Jump to behavior

Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (09/01/2024 15:56:22)</span></span><br>
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Adds / modifies Windows certificates

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	File opened: C:\FTP Navigator\Ftplist.txt			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: NordVPNInstaller.exe, type: SAMPLE
Source: Yara match	File source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2765864520.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1663885964.0000000000932000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3078215363.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NordVPNInstaller.exe PID: 3524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bbb.exe PID: 1196, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.185.159.177	plantain-elk-b8pt.squarespace.com	United States		53831	SQUARESPACEUS	true
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

Contacted Domains

Name	IP	Active
plantain-elk-b8pt.squarespace.com	198.185.159.177	true
checkip.dyndns.com	132.226.247.73	true
checkip.dyndns.org	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://plantain-elk-b8pt.squarespace.com/api/comment/FlagComment	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: NordVPNInstaller.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe

Avira: detection malicious, Label: TR/Spy.Agent.lkofd

Found malware configuration

Source: NordVPNInstaller.exe

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Web Panel", "C2 url": "https://plantain-elk-b8pt.squarespace.com/api/comment/FlagComment"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: NordVPNInstaller.exe	ReversingLabs: Detection: 63%
Source: NordVPNInstaller.exe	Virustotal: Detection: 56%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.6% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: NordVPNInstaller.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: NordVPNInstaller.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49746 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49781 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49780 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49790 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49792 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49793 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49820 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49821 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49822 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49869 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49870 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49872 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49873 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49871 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49878 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49879 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.4:49883 -> 198.185.159.177:443 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49889 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49890 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49890 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49891 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49892 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49896 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49895 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49901 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49900 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49899 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49904 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49903 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49902 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49910 version: TLS 1.0

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: NordVPNInstaller.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb source: NordVPNInstaller.exe, bbb.exe.0.dr
Source:	Binary string: r\VB.net\stealers\firefoxx64\firefox\obj\Debug\firefox.pdb source: NordVPNInstaller.exe, bbb.exe.0.dr

Networking

Yara detected Generic Downloader

Source: Yara match	File source: NordVPNInstaller.exe, type: SAMPLE
Source: Yara match	File source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.dyndns.orgConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 198.185.159.177 198.185.159.177
Source: Joe Sandbox View	IP Address: 198.185.159.177 198.185.159.177
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SQUARESPACEUS SQUARESPACEUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

May check the online IP address of the machine

Source: unknown

DNS query: name: checkip.dyndns.org

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 314Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 578Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 314Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 578Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 850Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108352Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 116734Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108700Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108904Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 324Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108352Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 326Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108352Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108764Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108762Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108762Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108762Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 110888Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 109600Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 324Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108352Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 116734Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 116722Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 116736Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 108324Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 322Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /api/comment/FlagComment HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: plantain-elk-b8pt.squarespace.comContent-Length: 280Expect: 100-continue

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49746 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49781 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49780 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49790 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49792 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49793 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49820 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49821 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49822 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49869 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49870 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49872 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49873 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49871 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49878 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49879 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.4:49883 -> 198.185.159.177:443 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49889 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49890 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49890 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49891 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49892 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49896 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49895 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49901 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49900 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49899 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49904 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49903 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49902 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.185.159.177:443 -> 192.168.2.4:49910 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe

Code function: 4_2_00CBA09A recv,

4_2_00CBA09A

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: plantain-elk-b8pt.squarespace.com

Source: unknown

Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://DynDns.com
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://Paltalk.com
Source: bbb.exe, 00000005.00000002.2132252567.00000000032BA000.00000004.00000800.00020000.00000000.sdmp, bbb.exe, 00000005.00000002.2132252567.0000000003280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, bbb.exe, 00000004.00000002.3078215363.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, bbb.exe, 00000005.00000002.2132252567.0000000003280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://checkip.dyndns.org/E
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: bbb.exe, 00000004.00000002.3072073018.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp, bbb.exe, 00000005.00000002.2131657052.0000000001200000.00000004.00000020.00020000.00000000.sdmp, NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://no-ip.com
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: bbb.exe, 00000004.00000002.3072073018.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp, bbb.exe, 00000005.00000002.2131657052.0000000001200000.00000004.00000020.00020000.00000000.sdmp, NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: NordVPNInstaller.exe, 00000000.00000002.2764791326.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, bbb.exe, 00000004.00000002.3072073018.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp, bbb.exe, 00000005.00000002.2131657052.0000000001200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsig
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: bbb.exe, 00000004.00000002.3072073018.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp, bbb.exe, 00000005.00000002.2131657052.0000000001200000.00000004.00000020.00020000.00000000.sdmp, NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: bbb.exe, 00000004.00000002.3072073018.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp, bbb.exe, 00000005.00000002.2131657052.0000000001200000.00000004.00000020.00020000.00000000.sdmp, NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: NordVPNInstaller.exe, 00000000.00000002.2778376127.0000000005B60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.c
Source: bbb.exe, 00000004.00000002.3072073018.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.000000000371D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespac
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp, NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000036F1000.00000004.00000800.00020000.00000000.sdmp, NordVPNInstaller.exe, 00000000.00000002.2765864520.0000000003721000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp, NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd&
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd&.
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd&:
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd&;
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd&_
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd&r
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd.
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd.3
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd.9
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd.V
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd.k
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd.z
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd2
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd2&
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd2C
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd2g
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd6
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd60
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd6T
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd6d
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd:
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd:A
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdB
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdBu
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdF
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdFV
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdFm
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdJ
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdJM
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdJZ
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdJn
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdJs
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdN
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdNG
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdR
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdR4
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdRF
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdRM
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdRg
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdRj
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdV
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdV:
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdVQ
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdVW
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdZ
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdZ?
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdZD
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdZh
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdb
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdb3
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdb8
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdbB
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdbE
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdbY
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdb_
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdf
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdf/
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdfL
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdfP
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdj
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdj1
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdj9
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdn
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdn&
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdnI
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdr
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdrf
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdv
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdvB
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdvz
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdz
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacdzv
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd~
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd~;
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd~c
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespacd~s
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, bbb.exe, 00000004.00000002.3078215363.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespace.com
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.0000000003020000.00000004.00000800.00020000.00000000.sdmp, NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032DC000.00000004.00000800.00020000.00000000.sdmp, NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000036F1000.00000004.00000800.00020000.00000000.sdmp, NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032CF000.00000004.00000800.00020000.00000000.sdmp, NordVPNInstaller.exe, 00000000.00000002.2765864520.00000000032D7000.00000004.00000800.00020000.00000000.sdmp, bbb.exe, 00000004.00000002.3078215363.0000000003394000.00000004.00000800.00020000.00000000.sdmp, bbb.exe, 00000004.00000002.3078215363.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp, bbb.exe, 00000004.00000002.3078215363.0000000003355000.00000004.00000800.00020000.00000000.sdmp, bbb.exe, 00000004.00000002.3078215363.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://plantain-elk-b8pt.squarespace.com$
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: https://plantain-elk-b8pt.squarespace.com/api/comment/FlagComment
Source: NordVPNInstaller.exe, bbb.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Detected Agent Tesla keylogger

Source: NordVPNInstaller.exe, 00000000.00000000.1663885964.0000000000932000.00000002.00000001.01000000.00000003.sdmp	Memory string: get_Clipboard
Source: NordVPNInstaller.exe, 00000000.00000000.1663885964.0000000000932000.00000002.00000001.01000000.00000003.sdmp	Memory string: set_Sendwebcam
Source: NordVPNInstaller.exe, 00000000.00000000.1663885964.0000000000932000.00000002.00000001.01000000.00000003.sdmp	Memory string: get_ComputerName
Source: NordVPNInstaller.exe, 00000000.00000000.1663885964.0000000000932000.00000002.00000001.01000000.00000003.sdmp	Memory string: get_UserName

Contains functionality to capture screen (.Net source)

Source: NordVPNInstaller.exe, B.cs	.Net Code: O_U
Source: bbb.exe.0.dr, B.cs	.Net Code: O_U

Installs a global keyboard hook

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\NordVPNInstaller.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\bbb\bbb.exe			Jump to behavior

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: NordVPNInstaller.exe, type: SAMPLE	Matched rule: AgentTesla Payload Author: kevoreilly
Source: NordVPNInstaller.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: NordVPNInstaller.exe, type: SAMPLE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: NordVPNInstaller.exe, type: SAMPLE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTesla Payload Author: kevoreilly
Source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTesla Payload Author: kevoreilly
Source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTesla Payload Author: kevoreilly
Source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: NordVPNInstaller.exe PID: 3524, type: MEMORYSTR	Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Source: Process Memory Space: bbb.exe PID: 1196, type: MEMORYSTR	Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED	Matched rule: AgentTesla Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

Yara detected AgentTesla

Source: Yara match	File source: Process Memory Space: NordVPNInstaller.exe PID: 3524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bbb.exe PID: 1196, type: MEMORYSTR
Source: Yara match	File source: NordVPNInstaller.exe, type: SAMPLE
Source: Yara match	File source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1663885964.0000000000932000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Process Stats: CPU usage > 49%

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 70350000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 70D50000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 70850000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 71250000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 71750000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 71C50000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 72150000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 72B00000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 73E00000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 77040000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 77A40000 page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Memory allocated: 70350000 page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Memory allocated: 70850000 page read and write	Jump to behavior

Contains functionality to call native functions

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_05DE2D92 NtQuerySystemInformation,	0_2_05DE2D92
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_05DE2D57 NtQuerySystemInformation,	0_2_05DE2D57
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_05932EBA NtQuerySystemInformation,	4_2_05932EBA
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_05932E7F NtQuerySystemInformation,	4_2_05932E7F

Detected potential crypto function

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_053D2C7C	0_2_053D2C7C
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_053D0F78	0_2_053D0F78
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_053D3E4F	0_2_053D3E4F
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_053D0F68	0_2_053D0F68
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_053D1299	0_2_053D1299
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_065932C8	0_2_065932C8
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_0669D300	0_2_0669D300
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_0669A7E8	0_2_0669A7E8
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_06695550	0_2_06695550
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_0669A138	0_2_0669A138
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_0669A7D9	0_2_0669A7D9
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_066951A8	0_2_066951A8
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_067F4120	0_2_067F4120
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_05022A21	4_2_05022A21
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_05020F78	4_2_05020F78
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_05020F69	4_2_05020F69
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_05021299	4_2_05021299
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_0606081C	4_2_0606081C
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_060648A1	4_2_060648A1
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_0606D300	4_2_0606D300
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_0606A138	4_2_0606A138
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_06065550	4_2_06065550
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_0606A7E8	4_2_0606A7E8
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_060651A8	4_2_060651A8
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_0606A7D9	4_2_0606A7D9
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_060741E0	4_2_060741E0
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_06072FFC	4_2_06072FFC
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 5_2_056D0F78	5_2_056D0F78
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 5_2_056D0F69	5_2_056D0F69
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 5_2_056D1299	5_2_056D1299

One or more processes crash

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 12572

PE / OLE file has an invalid certificate

Source: NordVPNInstaller.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: NordVPNInstaller.exe, 00000000.00000002.2780165235.00000000065A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameIELibrary.dll4 vs NordVPNInstaller.exe
Source: NordVPNInstaller.exe, 00000000.00000000.1663885964.0000000000969000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs NordVPNInstaller.exe
Source: NordVPNInstaller.exe, 00000000.00000002.2764791326.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs NordVPNInstaller.exe
Source: NordVPNInstaller.exe, 00000000.00000000.1663885964.0000000000932000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIELibrary.dll4 vs NordVPNInstaller.exe
Source: NordVPNInstaller.exe, 00000000.00000000.1663885964.0000000000932000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefirefox.exe4 vs NordVPNInstaller.exe
Source: NordVPNInstaller.exe	Binary or memory string: OriginalFilenameIELibrary.dll4 vs NordVPNInstaller.exe
Source: NordVPNInstaller.exe	Binary or memory string: OriginalFilenamefirefox.exe4 vs NordVPNInstaller.exe
Source: NordVPNInstaller.exe	Binary or memory string: OriginalFileName vs NordVPNInstaller.exe

Uses 32bit PE files

Source: NordVPNInstaller.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: NordVPNInstaller.exe, type: SAMPLE	Matched rule: AgentTesla_1 author = kevoreilly, description = AgentTesla Payload, cape_type = AgentTesla Payload
Source: NordVPNInstaller.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: NordVPNInstaller.exe, type: SAMPLE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: NordVPNInstaller.exe, type: SAMPLE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTesla_1 author = kevoreilly, description = AgentTesla Payload, cape_type = AgentTesla Payload
Source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTesla_1 author = kevoreilly, description = AgentTesla Payload, cape_type = AgentTesla Payload
Source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTesla_1 author = kevoreilly, description = AgentTesla Payload, cape_type = AgentTesla Payload
Source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: NordVPNInstaller.exe PID: 3524, type: MEMORYSTR	Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, version = stealer, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a
Source: Process Memory Space: bbb.exe PID: 1196, type: MEMORYSTR	Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, version = stealer, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED	Matched rule: AgentTesla_1 author = kevoreilly, description = AgentTesla Payload, cape_type = AgentTesla Payload
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload

Source: NordVPNInstaller.exe, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: NordVPNInstaller.exe, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: NordVPNInstaller.exe, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: NordVPNInstaller.exe, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: NordVPNInstaller.exe, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: NordVPNInstaller.exe, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: NordVPNInstaller.exe, DJW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: NordVPNInstaller.exe, DJW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bbb.exe.0.dr, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bbb.exe.0.dr, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bbb.exe.0.dr, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bbb.exe.0.dr, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bbb.exe.0.dr, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bbb.exe.0.dr, B.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/7@2/2

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_05DE244E AdjustTokenPrivileges,	0_2_05DE244E
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Code function: 0_2_05DE2417 AdjustTokenPrivileges,	0_2_05DE2417
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_05932576 AdjustTokenPrivileges,	4_2_05932576
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 4_2_0593253F AdjustTokenPrivileges,	4_2_0593253F
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 5_2_06222576 AdjustTokenPrivileges,	5_2_06222576
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Code function: 5_2_0622253F AdjustTokenPrivileges,	5_2_0622253F

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

File created: C:\Users\user\AppData\Roaming\bbb

Jump to behavior

Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4b0e4149-cae4-4d92-95df-7ed46049df32

Source: NordVPNInstaller.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: NordVPNInstaller.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NordVPNInstaller.exe	ReversingLabs: Detection: 63%
Source: NordVPNInstaller.exe	Virustotal: Detection: 56%

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

File read: C:\Users\user\Desktop\NordVPNInstaller.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NordVPNInstaller.exe "C:\Users\user\Desktop\NordVPNInstaller.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\bbb\bbb.exe "C:\Users\user\AppData\Roaming\bbb\bbb.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\bbb\bbb.exe "C:\Users\user\AppData\Roaming\bbb\bbb.exe"
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 12572
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 12576
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 12572	Jump to behavior

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Section loaded: fwpuclnt.dll

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: NordVPNInstaller.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: NordVPNInstaller.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb source: NordVPNInstaller.exe, bbb.exe.0.dr
Source:	Binary string: r\VB.net\stealers\firefoxx64\firefox\obj\Debug\firefox.pdb source: NordVPNInstaller.exe, bbb.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: NordVPNInstaller.exe, DJW.cs	.Net Code: FG System.Reflection.Assembly.Load(byte[])
Source: bbb.exe.0.dr, DJW.cs	.Net Code: FG System.Reflection.Assembly.Load(byte[])

PE file contains an invalid checksum

Source: bbb.exe.0.dr	Static PE information: real checksum: 0x48848 should be: 0x532b0
Source: NordVPNInstaller.exe	Static PE information: real checksum: 0x48848 should be: 0x532b0

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Code function: 0_2_065915A8 pushad ; retf

0_2_065915F9

Drops PE files

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

File created: C:\Users\user\AppData\Roaming\bbb\bbb.exe

Jump to dropped file

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyOtApp			Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyOtApp			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	File opened: C:\Users\user\AppData\Roaming\bbb\bbb.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	File opened: C:\Users\user\AppData\Roaming\bbb\bbb.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Moves itself to temp directory

Source: c:\users\user\desktop\nordvpninstaller.exe

File moved: C:\Users\user\AppData\Local\Temp\tmpG356.tmp

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Stores large binary data to the registry

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Jump to behavior

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: NordVPNInstaller.exe PID: 3524, type: MEMORYSTR

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 1300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Memory allocated: 4FD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Memory allocated: F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Memory allocated: 4BA0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Memory allocated: 1880000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Memory allocated: 3230000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Memory allocated: 5230000 memory commit \| memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Window / User API: threadDelayed 1784	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Window / User API: threadDelayed 2016	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Window / User API: threadDelayed 3352	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Window / User API: threadDelayed 1971	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Window / User API: threadDelayed 3229	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Window / User API: threadDelayed 2475	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Window / User API: threadDelayed 2556	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Window / User API: threadDelayed 901	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\NordVPNInstaller.exe TID: 3192	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe TID: 3192	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe TID: 3192	Thread sleep time: -1784000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe TID: 3192	Thread sleep time: -2016000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe TID: 3192	Thread sleep time: -50280s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe TID: 5296	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe TID: 5296	Thread sleep time: -3229000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe TID: 5296	Thread sleep time: -37125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe TID: 5296	Thread sleep time: -38340s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe TID: 5296	Thread sleep time: -901000s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Code function: 0_2_05DE6B52 GetSystemInfo,

0_2_05DE6B52

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: dw20.exe, 00000007.00000002.2758474814.0000000000479000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: dw20.exe, 00000007.00000002.2758474814.000000000046B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWbQr
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: NordVPNInstaller.exe, 00000000.00000002.2778376127.0000000005B60000.00000004.00000020.00020000.00000000.sdmp, bbb.exe, 00000004.00000002.3072073018.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, bbb.exe, 00000005.00000002.2132954381.0000000006100000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: dw20.exe, 00000007.00000002.2758474814.000000000042E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW "G%SystemRoot%\system32\mswsock.dll />
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Process queried: DebugPort

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Code function: 0_2_053D1D68 LdrInitializeThunk,

0_2_053D1D68

Enables debug privileges

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 12572

Jump to behavior

Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (09/01/2024 15:56:22)</span></span><br>
Source: NordVPNInstaller.exe, 00000000.00000002.2765864520.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NordVPNInstaller.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Adds / modifies Windows certificates

Source: C:\Users\user\Desktop\NordVPNInstaller.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	File opened: C:\FTP Navigator\Ftplist.txt			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\NordVPNInstaller.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbb\bbb.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: NordVPNInstaller.exe, type: SAMPLE
Source: Yara match	File source: 0.0.NordVPNInstaller.exe.94af90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.NordVPNInstaller.exe.946cb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.NordVPNInstaller.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2765864520.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1663885964.0000000000932000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3078215363.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NordVPNInstaller.exe PID: 3524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bbb.exe PID: 1196, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\bbb\bbb.exe, type: DROPPED

Windows Analysis Report
NordVPNInstaller.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1502485
Product:	CloudBasic
Start time:	21:54:04
Start date:	01.09.2024
Sample:	NordVPNInstaller.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	59acd8c97c40ed66cf5fcd0e0c010c6a
SHA1:	d3a5cb8dba49d929afe3b05687a3286b5db0b7c3
SHA256:	e4c05c4d5182791ce9f92e0c7da446c15bf65ac47e57e183d2fe83cc3c33c705
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_NordVPNInstaller_d32f2326bebabb555fd0cd20d617137cdc2e5360_00000000_58333de5-1d69-400c-bfdb-2fd94689eea2\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	665FEEE07E38D85649A1AC997BB5FE92	F1A92DE14E6210E7497232F0E218CDA509CA91A5	00F33F4108A006E206B24EA6DD3F9F98D424ED9AFCC8F53463B50DDDA4EF9EF4
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREAAB.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	A673B9657D58D4EA830A8FD6AD18DEC4	E63EE215B0D186DC7FB852BDD2EA1766851ABD81	9E22D49DFCC58DF787F83B6A5EDD8E864DB85CCB9DB8BB0D2625E970374B9AB1
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC04.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	384D910585495F7F2FC83C9512C51F1A	ADA3031FD5573EE3C15DF505FF69132537AFDE37	137D2C946F25CD0FE909D1E801CB2BCEF5B5FED01540F268B310183DAD8862C0
C:\Users\user\AppData\Roaming\ScreenShot\screen.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3	30A9572A421C6FF4F0CC37FB3E299492	F3ADA0FF289D5C3374345C31CB1FAA64CC4FBC0F	2BFC0E92BE7FCDA45193CEA20E64DEC2E967E347FEE732ED4E9E1D5BA524BCA5
C:\Users\user\AppData\Roaming\bbb\bbb.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	59ACD8C97C40ED66CF5FCD0E0C010C6A	D3A5CB8DBA49D929AFE3B05687A3286B5DB0B7C3	E4C05C4D5182791CE9F92E0C7DA446C15BF65AC47E57E183D2FE83CC3C33C705
C:\Users\user\AppData\Roaming\bbb\bbb.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	229AE0A1AEF481B895DB78811A45B3CD	EAB9743C0D61281AA0241E1AC6B40E295C6FF5DC	495B6F87A889386B2BF5C3D00BBF05EBFA0891C05296BFF134B56E7886E07E4F

Windows Analysis Report NordVPNInstaller.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
NordVPNInstaller.exe

Malware Threat Intel
Provided by