URL:

nordvpn.com

Full analysis: https://app.any.run/tasks/533055af-0d06-41ab-b611-c2721f614717
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: June 23, 2025, 09:26:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-scr
delphi
inno
installer
stealer
Indicators:
MD5:

322367B9334085B76718966FB49A80E6

SHA1:

1C81A03EC125DD04476D5440B5CE80886EBF86E3

SHA256:

F0ACFF125D7BA7F83E1A4D85A202C2E4FAEA1FBFAABD3108927693EA7413E841

SSDEEP:

3:iVLyTn:ihyT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 2620)
      • VC_redist.x64.exe (PID: 4236)

    • Actions looks like stealing of personal data

      • j23wezvr.zjf..tmp (PID: 5368)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • NordInstaller.exe (PID: 7120)
      • j23wezvr.zjf..exe (PID: 1044)
      • j23wezvr.zjf..tmp (PID: 5368)
      • NordUpdaterSetup.exe (PID: 3756)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 4984)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 2620)
      • vcredist2019_x64.exe (PID: 7400)
      • vcredist2019_x64.exe (PID: 8104)
      • VC_redist.x64.exe (PID: 4236)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 2280)
      • VC_redist.x64.exe (PID: 2276)
      • VC_redist.x64.exe (PID: 2592)
      • NordUpdaterSetup.tmp (PID: 5348)

    • Reads security settings of Internet Explorer

      • NordInstaller.exe (PID: 6412)
      • NordInstaller.exe (PID: 7120)
      • j23wezvr.zjf..tmp (PID: 5368)
      • NordUpdaterSetup.tmp (PID: 5348)
      • NordUpdateService.exe (PID: 1352)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 4984)
      • vcredist2019_x64.exe (PID: 8104)
      • VC_redist.x64.exe (PID: 2276)

    • Adds/modifies Windows certificates

      • NordInstaller.exe (PID: 6412)

    • Starts CMD.EXE for commands execution

      • NordInstaller.exe (PID: 6412)
      • j23wezvr.zjf..tmp (PID: 5368)

    • Command gets lists installed versions of .NET Runtime on the system

      • cmd.exe (PID: 6360)

    • Reads the Windows owner or organization settings

      • j23wezvr.zjf..tmp (PID: 5368)
      • NordUpdaterSetup.tmp (PID: 5348)
      • msiexec.exe (PID: 5248)

    • Searches for installed software

      • j23wezvr.zjf..tmp (PID: 5368)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 4984)
      • vcredist2019_x64.exe (PID: 8104)
      • VC_redist.x64.exe (PID: 4236)
      • dllhost.exe (PID: 6036)
      • VC_redist.x64.exe (PID: 2276)
      • VC_redist.x64.exe (PID: 2592)

    • There is functionality for taking screenshot (YARA)

      • NordInstaller.exe (PID: 6412)

    • Process drops legitimate windows executable

      • j23wezvr.zjf..tmp (PID: 5368)
      • NordUpdaterSetup.tmp (PID: 5348)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 2280)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 4984)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 2620)
      • msiexec.exe (PID: 5248)
      • vcredist2019_x64.exe (PID: 7400)
      • vcredist2019_x64.exe (PID: 8104)
      • VC_redist.x64.exe (PID: 4236)
      • NordInstaller.exe (PID: 7120)
      • VC_redist.x64.exe (PID: 2592)

    • Uses TASKKILL.EXE to kill process

      • j23wezvr.zjf..tmp (PID: 5368)

    • Uses ICACLS.EXE to modify access control lists

      • NordUpdaterSetup.tmp (PID: 5348)
      • j23wezvr.zjf..tmp (PID: 5368)

    • Executes as Windows Service

      • NordUpdateService.exe (PID: 1352)
      • VSSVC.exe (PID: 4868)

    • Starts a Microsoft application from unusual location

      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 2280)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 4984)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 2620)
      • vcredist2019_x64.exe (PID: 7400)
      • vcredist2019_x64.exe (PID: 8104)
      • VC_redist.x64.exe (PID: 4236)

    • Starts itself from another location

      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 4984)
      • vcredist2019_x64.exe (PID: 8104)

    • Creates a software uninstall entry

      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 2620)
      • VC_redist.x64.exe (PID: 4236)

    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 5248)
      • NordInstaller.exe (PID: 7120)

    • Reads the date of Windows installation

      • NordInstaller.exe (PID: 7120)

    • The process drops C-runtime libraries

      • msiexec.exe (PID: 5248)

    • Application launched itself

      • VC_redist.x64.exe (PID: 3980)
      • VC_redist.x64.exe (PID: 2276)

    • The process checks if it is being run in the virtual environment

      • msiexec.exe (PID: 5248)

    • Drops a system driver (possible attempt to evade defenses)

      • j23wezvr.zjf..tmp (PID: 5368)

    • Drops 7-zip archiver for unpacking

      • j23wezvr.zjf..tmp (PID: 5368)

  • INFO

    • Reads Microsoft Office registry keys

      • firefox.exe (PID: 6612)

    • Reads the machine GUID from the registry

      • NordInstaller.exe (PID: 7120)
      • NordInstaller.exe (PID: 6412)
      • j23wezvr.zjf..tmp (PID: 5368)
      • NordUpdaterSetup.tmp (PID: 5348)
      • NordUpdateService.exe (PID: 1352)
      • msiexec.exe (PID: 5248)
      • VC_redist.x64.exe (PID: 4236)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 2620)

    • Reads Environment values

      • NordInstaller.exe (PID: 7120)

    • Reads the software policy settings

      • NordInstaller.exe (PID: 7120)
      • NordInstaller.exe (PID: 6412)
      • j23wezvr.zjf..tmp (PID: 5368)
      • slui.exe (PID: 4824)
      • NordUpdaterSetup.tmp (PID: 5348)
      • NordUpdateService.exe (PID: 1352)
      • msiexec.exe (PID: 5248)

    • Reads the computer name

      • NordInstaller.exe (PID: 7120)
      • NordInstaller.exe (PID: 6412)
      • j23wezvr.zjf..exe (PID: 1044)
      • j23wezvr.zjf..tmp (PID: 5368)
      • NordUpdaterSetup.exe (PID: 3756)
      • NordUpdaterSetup.tmp (PID: 5348)
      • NordUpdateService.exe (PID: 1352)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 4984)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 2280)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 2620)
      • msiexec.exe (PID: 5248)
      • msiexec.exe (PID: 3972)
      • msiexec.exe (PID: 236)
      • msiexec.exe (PID: 4804)
      • msiexec.exe (PID: 2876)
      • vcredist2019_x64.exe (PID: 7400)
      • vcredist2019_x64.exe (PID: 8104)
      • VC_redist.x64.exe (PID: 4236)
      • VC_redist.x64.exe (PID: 2276)
      • VC_redist.x64.exe (PID: 2592)

    • Checks proxy server information

      • NordInstaller.exe (PID: 7120)
      • slui.exe (PID: 4824)
      • j23wezvr.zjf..tmp (PID: 5368)
      • NordInstaller.exe (PID: 6412)

    • Create files in a temporary directory

      • NordInstaller.exe (PID: 7120)
      • NordInstaller.exe (PID: 6412)
      • j23wezvr.zjf..exe (PID: 1044)
      • j23wezvr.zjf..tmp (PID: 5368)
      • NordUpdaterSetup.exe (PID: 3756)
      • NordUpdaterSetup.tmp (PID: 5348)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 4984)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 2620)
      • vcredist2019_x64.exe (PID: 8104)
      • VC_redist.x64.exe (PID: 2276)
      • VC_redist.x64.exe (PID: 4236)

    • Application launched itself

      • firefox.exe (PID: 6612)
      • firefox.exe (PID: 3540)

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 6612)
      • msiexec.exe (PID: 5248)

    • Creates files or folders in the user directory

      • NordInstaller.exe (PID: 7120)
      • NordInstaller.exe (PID: 6412)
      • j23wezvr.zjf..tmp (PID: 5368)

    • The sample compiled with english language support

      • NordInstaller.exe (PID: 7120)
      • j23wezvr.zjf..tmp (PID: 5368)
      • NordUpdaterSetup.tmp (PID: 5348)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 4984)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 2620)
      • msiexec.exe (PID: 5248)
      • vcredist2019_x64.exe (PID: 7400)
      • vcredist2019_x64.exe (PID: 8104)
      • VC_redist.x64.exe (PID: 4236)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 2280)
      • VC_redist.x64.exe (PID: 2276)
      • firefox.exe (PID: 6612)
      • VC_redist.x64.exe (PID: 2592)

    • Process checks computer location settings

      • NordInstaller.exe (PID: 7120)
      • NordInstaller.exe (PID: 6412)
      • j23wezvr.zjf..tmp (PID: 5368)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 4984)
      • vcredist2019_x64.exe (PID: 8104)
      • VC_redist.x64.exe (PID: 2276)

    • Checks supported languages

      • NordInstaller.exe (PID: 6412)
      • j23wezvr.zjf..tmp (PID: 5368)
      • j23wezvr.zjf..exe (PID: 1044)
      • deldirrpa.exe (PID: 4072)
      • NordUpdaterSetup.tmp (PID: 5348)
      • NordUpdaterSetup.exe (PID: 3756)
      • deldirrpa.exe (PID: 8116)
      • _setup64.tmp (PID: 5928)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 2280)
      • NordUpdateService.exe (PID: 1352)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 4984)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 2620)
      • msiexec.exe (PID: 5248)
      • msiexec.exe (PID: 3972)
      • msiexec.exe (PID: 236)
      • msiexec.exe (PID: 4804)
      • msiexec.exe (PID: 2876)
      • vcredist2019_x64.exe (PID: 8104)
      • VC_redist.x64.exe (PID: 4236)
      • vcredist2019_x64.exe (PID: 7400)
      • NordInstaller.exe (PID: 7120)
      • VC_redist.x64.exe (PID: 3980)
      • VC_redist.x64.exe (PID: 2276)
      • _setup64.tmp (PID: 2380)
      • VC_redist.x64.exe (PID: 2592)

    • Disables trace logs

      • NordInstaller.exe (PID: 6412)
      • NordInstaller.exe (PID: 7120)

    • Reads CPU info

      • NordInstaller.exe (PID: 6412)

    • Detects InnoSetup installer (YARA)

      • j23wezvr.zjf..exe (PID: 1044)
      • j23wezvr.zjf..tmp (PID: 5368)

    • Compiled with Borland Delphi (YARA)

      • j23wezvr.zjf..exe (PID: 1044)
      • j23wezvr.zjf..tmp (PID: 5368)

    • Creates files in the program directory

      • NordUpdaterSetup.tmp (PID: 5348)
      • NordUpdateService.exe (PID: 1352)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 2620)
      • VC_redist.x64.exe (PID: 4236)
      • NordInstaller.exe (PID: 6412)
      • NordInstaller.exe (PID: 7120)
      • j23wezvr.zjf..tmp (PID: 5368)

    • Creates a software uninstall entry

      • NordUpdaterSetup.tmp (PID: 5348)
      • msiexec.exe (PID: 5248)

    • Launching a file from a Registry key

      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 2620)
      • VC_redist.x64.exe (PID: 4236)

    • Manages system restore points

      • SrTasks.exe (PID: 6016)

    • Launching a file from the Downloads directory

      • firefox.exe (PID: 6612)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
234
Monitored processes
92
Malicious processes
16
Suspicious processes
1

Behavior graph

Click at the process to see the details
start firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs slui.exe nordinstaller.exe nordinstaller.exe cmd.exe no specs conhost.exe no specs j23wezvr.zjf..exe j23wezvr.zjf..tmp cmd.exe no specs conhost.exe no specs cmdkey.exe no specs cmd.exe no specs conhost.exe no specs cmdkey.exe no specs deldirrpa.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs nordupdatersetup.exe nordupdatersetup.tmp deldirrpa.exe no specs conhost.exe no specs _setup64.tmp no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs nordupdateservice.exe windowsdesktop-runtime-8.0.8-win-x64.exe windowsdesktop-runtime-8.0.8-win-x64.exe windowsdesktop-runtime-8.0.8-win-x64.exe msiexec.exe msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs vcredist2019_x64.exe vcredist2019_x64.exe vc_redist.x64.exe SPPSurrogate no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs vc_redist.x64.exe no specs vc_redist.x64.exe vc_redist.x64.exe _setup64.tmp no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
236C:\Windows\syswow64\MsiExec.exe -Embedding 30B21A91FC4E781A5F6AB81DB545A6E6C:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
420"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4792 -prefsLen 39438 -prefMapHandle 5612 -prefMapSize 272997 -jsInitHandle 4752 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 4396 -initialChannelId {6c20c892-718b-4e37-99bb-d3ccd152ce27} -parentPid 6612 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6612" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 13 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
504\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exedeldirrpa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1040"C:\WINDOWS\system32\icacls.exe" "C:\Program Files\NordUpdater" /grant *S-1-5-32-544:(OI)(CI)(F)C:\Windows\System32\icacls.exeNordUpdaterSetup.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1044"C:\Users\admin\AppData\Local\Temp\f4907f41-628b-4d68-910b-193d24bac937\j23wezvr.zjf..exe" /SILENT /VERYSILENT /NORESTARTC:\Users\admin\AppData\Local\Temp\f4907f41-628b-4d68-910b-193d24bac937\j23wezvr.zjf..exe
NordInstaller.exe
User:
admin
Company:
Nord Security
Integrity Level:
HIGH
Description:
NordVPN Installer
Version:
7.42.1.0
Modules
Images
c:\users\admin\appdata\local\temp\f4907f41-628b-4d68-910b-193d24bac937\j23wezvr.zjf..exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
1156\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1352"C:\Program Files\NordUpdater\NordUpdateService.exe"C:\Program Files\NordUpdater\NordUpdateService.exe
services.exe
User:
SYSTEM
Company:
nordvpn S.A.
Integrity Level:
SYSTEM
Description:
NordSec Update Service
Version:
1.0.2.28
Modules
Images
c:\program files\nordupdater\nordupdateservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1440"C:\WINDOWS\system32\icacls.exe" C:\ProgramData\NordVPN /remove *S-1-5-32-545 /TC:\Windows\System32\icacls.exej23wezvr.zjf..tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1580\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeicacls.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1700"C:\WINDOWS\system32\icacls.exe" C:\ProgramData\NordVPN\updates /grant *S-1-5-32-545:(OI)(CI)(RX)C:\Windows\System32\icacls.exej23wezvr.zjf..tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
68 027
Read events
66 041
Write events
1 558
Delete events
428

Modification events

(PID) Process:(6612) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(6612) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(7120) NordInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NordInstaller_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7120) NordInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NordInstaller_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7120) NordInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NordInstaller_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(7120) NordInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NordInstaller_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(7120) NordInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NordInstaller_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(7120) NordInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NordInstaller_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(7120) NordInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NordInstaller_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(7120) NordInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NordInstaller_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
Executable files
1 694
Suspicious files
454
Text files
207
Unknown types
18

Dropped files

PID
Process
Filename
Type
6612firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:
6612firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.jsonbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
6612firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.binbinary
MD5:3134ED3F12E4F4F8643DB90043B0FD7B
SHA256:26E4F122034D7A03F6DA0E707799B09CBEEBDAF8D7A3133A1F7BD894AC72EEA1
6612firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6612firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6612firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs.jstext
MD5:2FD670934FEF0C60E2119BD874AAF470
SHA256:771A7C83CA015BDBC6AB86A7BD9B1D54E40062E28942D311A9178A0FE6433CF2
6612firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmpbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
6612firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.jstext
MD5:2FD670934FEF0C60E2119BD874AAF470
SHA256:771A7C83CA015BDBC6AB86A7BD9B1D54E40062E28942D311A9178A0FE6433CF2
6612firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\SiteSecurityServiceState.binbinary
MD5:3002F10051388144B0EF12B771D238CB
SHA256:897DA2D3597DE60EADC01F1BFED17527E10252471C5C48748EEF05AA7B76787A
6612firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\activity-stream.contile.json.tmpbinary
MD5:54BAA0FC828F0C5874A89554B31B00C2
SHA256:5F25DCDA800B79186D8E47BC55020D44FEB4A90FE285D25B544E8E61357747CF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
62
TCP/UDP connections
136
DNS requests
213
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6612
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
6612
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
6612
firefox.exe
POST
200
142.250.185.195:80
http://o.pki.goog/s/wr3/k58
unknown
whitelisted
6612
firefox.exe
POST
200
142.250.185.195:80
http://o.pki.goog/we2
unknown
whitelisted
6612
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
6612
firefox.exe
POST
200
142.250.185.195:80
http://o.pki.goog/we2
unknown
whitelisted
6612
firefox.exe
POST
200
142.250.185.195:80
http://o.pki.goog/we2
unknown
whitelisted
6612
firefox.exe
POST
200
142.250.185.195:80
http://o.pki.goog/we2
unknown
whitelisted
6612
firefox.exe
POST
200
142.250.185.195:80
http://o.pki.goog/s/wr3/azY
unknown
whitelisted
6612
firefox.exe
POST
200
142.250.185.195:80
http://o.pki.goog/we2
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2276
RUXIMICS.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6612
firefox.exe
34.160.144.191:443
content-signature-2.cdn.mozilla.net
GOOGLE
US
whitelisted
6612
firefox.exe
104.16.208.203:443
nordvpn.com
CLOUDFLARENET
unknown
6612
firefox.exe
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted
6612
firefox.exe
34.36.137.203:443
contile.services.mozilla.com
GOOGLE-CLOUD-PLATFORM
US
whitelisted
6612
firefox.exe
34.149.100.209:443
firefox.settings.services.mozilla.com
GOOGLE
US
whitelisted
6612
firefox.exe
142.250.185.195:80
o.pki.goog
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
content-signature-2.cdn.mozilla.net
  • 34.160.144.191
whitelisted
content-signature-chains.prod.autograph.services.mozaws.net
  • 34.160.144.191
  • 2600:1901:0:92a9::
whitelisted
nordvpn.com
  • 104.16.208.203
  • 104.19.159.190
unknown
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
contile.services.mozilla.com
  • 34.36.137.203
whitelisted
spocs.getpocket.com
  • 34.36.137.203
whitelisted
mc.prod.ads.prod.webservices.mozgcp.net
  • 34.36.137.203
whitelisted
example.org
  • 23.215.0.132
  • 23.215.0.133
  • 96.7.128.186
  • 96.7.128.192
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2200
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2200
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
Process
Message
msiexec.exe
Failed to release Service
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
nordvpn.com