1181cd065415775a2e20766fcadc5a4b911ffaf7e0ec2a2526fce9330783b990

Resubmissions

27/11/2024, 05:53

241127-gljresxlek 10

Analysis

max time kernel
594s
max time network
527s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2024, 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Updates/ODBC/update.exe
Size

54.0MB
MD5

b7d281ba860f7507be10288a54de8fe3
SHA1

ba0c627626c46a7d77f440a1c660ab2d323ac04c
SHA256

575ad04aad19034af4862fcaa8991fdc3a87d07d2d136787e1c84c2f8bcb4532
SHA512

c630ffaa6ac4dc13a9972c7283752e5378d6a1de08c6ddcf6c5f2b5c131b49e65d1e77e5f4ed4e36dd458b7985b3a8b0326c80590f7616c1584813afe60f6570
SSDEEP

1572864:trw54t15f1zvHhV4lPIAReq1mjmheq0IxQ:xMK15NBeHRx1mjmImQ

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SET93BF.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET93BF.tmp	DrvInst.exe

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc040000000100000010000000c759d588bceb1c8a8c8a4d2c00103ba10f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617531400000001000000140000009afe50cc7c723e76b49c036a97a88c8135cb6651190000000100000010000000ea06916833e9ecb6dac092d5c3482ff15c000000010000000400000000080000180000000100000010000000c7c2cda336016dcb1d1c518e4c192b4b4b0000000100000044000000320036004100440030003100460039004300300030003200460041004400330037003400320037004500370033003400330030003200330038003300440038005f0000002000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	DrvInst.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PlanetVPN = "C:\\Program Files (x86)\\PlanetVPN\\PlanetVPN.exe"	update.tmp

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{86b4d89d-90e3-4b45-9706-a395a0d7d132}\SET8529.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{86b4d89d-90e3-4b45-9706-a395a0d7d132}\SET852B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{86b4d89d-90e3-4b45-9706-a395a0d7d132}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{86b4d89d-90e3-4b45-9706-a395a0d7d132}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{86b4d89d-90e3-4b45-9706-a395a0d7d132}\oemvista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{86b4d89d-90e3-4b45-9706-a395a0d7d132}\SET852A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{86b4d89d-90e3-4b45-9706-a395a0d7d132}\SET852B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{86b4d89d-90e3-4b45-9706-a395a0d7d132}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{86b4d89d-90e3-4b45-9706-a395a0d7d132}\SET8529.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{86b4d89d-90e3-4b45-9706-a395a0d7d132}\SET852A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	tapinstall.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls\Styles\Base\is-9EH6J.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\Material\is-E1HKU.tmp	update.tmp
File opened for modification	C:\Program Files (x86)\PlanetVPN\d3dcompiler_47.dll	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQml\RemoteObjects\is-SS1QB.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtGraphicalEffects\private\is-O15L6.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtGraphicalEffects\private\is-GNMBU.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQml\StateMachine\is-T9A6F.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls\Private\is-01K0U.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls\Private\is-Q60QF.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\Material\is-39TOA.tmp	update.tmp
File opened for modification	C:\Program Files (x86)\PlanetVPN\bin\Wireguard\tunnel.dll	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\is-4HD1V.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls\is-COIL7.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\is-H5JPN.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQml\RemoteObjects\is-NPT55.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls\is-KSHIT.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls\Private\is-M3GKE.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\Imagine\is-F4SEN.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick.2\is-HQ2KT.tmp	update.tmp
File opened for modification	C:\Program Files (x86)\PlanetVPN\qmltooling\qmldbg_messages.dll	update.tmp
File opened for modification	C:\Program Files (x86)\PlanetVPN\sqldrivers\qsqlpsql.dll	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\bin\is-G9TN5.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\bin\Wireguard\platforms\is-N699R.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls\Private\is-NBF1I.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls\Private\is-R5OS1.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\Material\is-2RKPH.tmp	update.tmp
File opened for modification	C:\Program Files (x86)\PlanetVPN\QtQuick\Extras\qtquickextrasplugin.dll	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\bin\Wireguard\is-C831R.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls\is-31SB2.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\Universal\is-JLH07.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls\is-7Q56Q.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls\Styles\Base\images\is-46G7H.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\Fusion\is-TLE85.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls\is-388VD.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\Imagine\is-8A146.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Layouts\is-9G6CO.tmp	update.tmp
File opened for modification	C:\Program Files (x86)\PlanetVPN\qmltooling\qmldbg_local.dll	update.tmp
File opened for modification	C:\Program Files (x86)\PlanetVPN\qmltooling\qmldbg_nativedebugger.dll	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\Qt\labs\settings\is-OTVMR.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\is-MPEEG.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\is-9P94J.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\Universal\is-NBSU9.tmp	update.tmp
File opened for modification	C:\Program Files (x86)\PlanetVPN\qmltooling\qmldbg_quickprofiler.dll	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\is-EM2K5.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls\Styles\Flat\is-A0IAS.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls\Styles\Desktop\is-168TE.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\Universal\is-JU70A.tmp	update.tmp
File opened for modification	C:\Program Files (x86)\PlanetVPN\bin\libcrypto-1_1.dll	update.tmp
File opened for modification	C:\Program Files (x86)\PlanetVPN\Qt\labs\settings\qmlsettingsplugin.dll	update.tmp
File opened for modification	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\Universal\qtquickcontrols2universalstyleplugin.dll	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls\Private\is-NUE2V.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\Fusion\is-7BOA6.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\Imagine\is-NO28K.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQml\WorkerScript.2\is-P35MS.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\is-12NLD.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\Material\is-LA2IP.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\Fusion\is-D2RRK.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\Material\is-F626J.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Extras\Private\is-JQOV5.tmp	update.tmp
File opened for modification	C:\Program Files (x86)\PlanetVPN\QtQuick\Shapes\qmlshapesplugin.dll	update.tmp
File opened for modification	C:\Program Files (x86)\PlanetVPN\QtQuick\Window.2\windowplugin.dll	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\is-UTE2S.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\Material\is-CAJCV.tmp	update.tmp
File created	C:\Program Files (x86)\PlanetVPN\QtQuick\Controls\Styles\Base\is-4MOP0.tmp	update.tmp

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe

Executes dropped EXE 3 IoCs

pid	Process
5044	update.tmp
4188	tapinstall.exe
2332	PlanetVPN.exe

Loads dropped DLL 55 IoCs

pid	Process
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PlanetVPN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks SCSI registry key(s) 3 TTPs 62 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2736	taskkill.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PlanetVPN\shell\open	PlanetVPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PlanetVPN\shell\open\command\ = "\"C:\\Program Files (x86)\\PlanetVPN\\PlanetVPN.exe\" \"%1\""	PlanetVPN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PlanetVPN	PlanetVPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PlanetVPN\ = "URL:PlanetVPN"	PlanetVPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PlanetVPN\URL Protocol	PlanetVPN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PlanetVPN\shell\open\command	PlanetVPN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PlanetVPN\shell	PlanetVPN.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4360	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2332	PlanetVPN.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5044	update.tmp
5044	update.tmp

Suspicious behavior: LoadsDriver 14 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
676	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeAuditPrivilege	4608	svchost.exe
Token: SeSecurityPrivilege	4608	svchost.exe
Token: SeLoadDriverPrivilege	4188	tapinstall.exe
Token: SeRestorePrivilege	672	DrvInst.exe
Token: SeBackupPrivilege	672	DrvInst.exe
Token: SeLoadDriverPrivilege	672	DrvInst.exe
Token: SeLoadDriverPrivilege	672	DrvInst.exe
Token: SeLoadDriverPrivilege	672	DrvInst.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5044	update.tmp

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe
2332	PlanetVPN.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 5044	3776	update.exe	82
PID 3776 wrote to memory of 5044	3776	update.exe	82
PID 3776 wrote to memory of 5044	3776	update.exe	82
PID 5044 wrote to memory of 2736	5044	update.tmp	99
PID 5044 wrote to memory of 2736	5044	update.tmp	99
PID 5044 wrote to memory of 2736	5044	update.tmp	99
PID 5044 wrote to memory of 4188	5044	update.tmp	101
PID 5044 wrote to memory of 4188	5044	update.tmp	101
PID 4608 wrote to memory of 3492	4608	svchost.exe	105
PID 4608 wrote to memory of 3492	4608	svchost.exe	105
PID 3492 wrote to memory of 3068	3492	DrvInst.exe	107
PID 3492 wrote to memory of 3068	3492	DrvInst.exe	107
PID 4608 wrote to memory of 672	4608	svchost.exe	108
PID 4608 wrote to memory of 672	4608	svchost.exe	108
PID 5044 wrote to memory of 4360	5044	update.tmp	112
PID 5044 wrote to memory of 4360	5044	update.tmp	112
PID 5044 wrote to memory of 4360	5044	update.tmp	112
PID 5044 wrote to memory of 2332	5044	update.tmp	114
PID 5044 wrote to memory of 2332	5044	update.tmp	114
PID 5044 wrote to memory of 2332	5044	update.tmp	114

C:\Users\Admin\AppData\Local\Temp\Updates\ODBC\update.exe
"C:\Users\Admin\AppData\Local\Temp\Updates\ODBC\update.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Users\Admin\AppData\Local\Temp\is-BORKL.tmp\update.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-BORKL.tmp\update.tmp" /SL5="$501D6,55471658,1100288,C:\Users\Admin\AppData\Local\Temp\Updates\ODBC\update.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /f /im "PlanetVPN.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- - C:\Program Files (x86)\PlanetVPN\drivers_x64\tapinstall.exe
    "C:\Program Files (x86)\PlanetVPN\drivers_x64\tapinstall.exe" install OemVista.inf tap0901
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID:4188
- - C:\Windows\SysWOW64\reg.exe
    "reg" add HKLM\Software\Wow6432Node\Google\Chrome\Extensions\kadaohckdkghfaclhjmkmplebcdcnfnp /v update_url /t REG_SZ /d "https://clients2.google.com/service/update2/crx" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4360
- - C:\Program Files (x86)\PlanetVPN\PlanetVPN.exe
    "C:\Program Files (x86)\PlanetVPN\PlanetVPN.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{e8c64200-74a8-b548-af55-ebdaf3fded32}\oemvista.inf" "9" "4d14a44ff" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\planetvpn\drivers_x64"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{81712294-46c6-0c46-9b35-889eb95e1198} Global\{64be1a88-3494-1848-a214-9bb706154bbd} C:\Windows\System32\DriverStore\Temp\{86b4d89d-90e3-4b45-9706-a395a0d7d132}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{86b4d89d-90e3-4b45-9706-a395a0d7d132}\tap0901.cat
    3⤵
    - Modifies system certificate store
    PID:3068
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000148"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PlanetVPN\PlanetVPN.exe

Filesize
26.4MB

MD5
2ac9a036b05fb71f1b3f7a700e2339e2

SHA1
e5d6544c5a2063da181ad2a6bb513dbbc317623d

SHA256
f400a3c8271563832f12704b97fab75cea68c85f072e975713629a4c8cc2202c

SHA512
838f6b86591134c15eeaac7c2546260dbb98fc403421197a8cc042d26febb263362fb2f06075245a74ec204ba460258176ce52c7eec2c375cc3a0ac295c021ac

Download Submit
C:\Program Files (x86)\PlanetVPN\Qt5Gui.dll

Filesize
9.2MB

MD5
f676936b5dfce1c5ac2f8a1a7f577844

SHA1
c9870365d594bf1d6a4215acd4e730695166f809

SHA256
77f8946ac559cd03694d9a36ab4630cc7d5f0db62b34c00ecec12bc021eafbe9

SHA512
ce4ca22c4afb55a035c68711708ac86b5abf08ddca0bb0b059c3ad130aa1c9266a36e412b4feaeb4cd89edda6aa8ad95225e0a777fb33bcbae828b41c316301a

Download Submit
C:\Program Files (x86)\PlanetVPN\Qt5Network.dll

Filesize
2.7MB

MD5
ced4531f553504ed6770d999f9c82cb9

SHA1
3405a3118bb6479413b9a749ce4c0b395622883c

SHA256
77f1bd3192d9e8b15dd23adb15a3f83e92e9474df9a30450247fbe9e96b71736

SHA512
df98b27470b30377928bcea23e18b0c3d8e7929d0d7ee6862887440f6ef577e5172fcb02b82a20b4903ce9eb7e1d00cfb8e1785476cbaaee3da92354f701dcbc

Download Submit
C:\Program Files (x86)\PlanetVPN\Qt5Qml.dll

Filesize
7.0MB

MD5
65781efc205f808159563cb526332e28

SHA1
771cfa537a523cad8987179a0211c653cda30c68

SHA256
7244b065771674bf963d998acefad1ee0c93ababfaf667724c4ea3c6bf4f0bce

SHA512
fadd974e9353575ec3e5f631643e246bfbbb0da30c90225fb18c587517603b4f279b0d5f1cab86e47844edb46f6832fda2a338e9717b1534faec7e76bd4d2304

Download Submit
C:\Program Files (x86)\PlanetVPN\Qt5QmlModels.dll

Filesize
947KB

MD5
a097b71d3afbc8e27dc4f577ed6ce0f1

SHA1
7ef05f005ee2dc7f0676d4b9fe22ee5dab86bb85

SHA256
4d4d9965174560fb8d9be778c2344deca655717a772bb549f57244cc92b58617

SHA512
70a96835180790e6f0c8ea99e2d16ef2484bea187a958a433340aedcec7a277b7b8ccfa82653be9bc7de5b0a4eb1962342a049749bc3357e15629bac3cd55649

Download Submit
C:\Program Files (x86)\PlanetVPN\Qt5QmlWorkerScript.dll

Filesize
141KB

MD5
4ecac5dda76d1060de28f45ae3746723

SHA1
f147bc6d65142fd8fb055ad8882c4099856bdc50

SHA256
c0896506288e3da386d0674fec374272a6785cb982b3b6fdcd2214fc6c431f69

SHA512
d6623ee3f50714db5acc6b40f46eec0677ea80136f078d8fd65a56b95ea4a24a13a0c54e9b01d856db152287bafde7474307a00cbde477cbcc7c7c50e57e478d

Download Submit
C:\Program Files (x86)\PlanetVPN\Qt5Quick.dll

Filesize
8.3MB

MD5
c300fa804a97c846a13f098a22934502

SHA1
3c3909fbdb64fd3a62134c3c634c7f2ded16ef36

SHA256
b7af3bc93e2905e336886805553dec7313e4567886f7f2ac5981778cdd67173b

SHA512
e45f011c10831c0f9542f1374d12e199403aab9e3291cb086a08bf119be2241faebe461af30f2235ff3b7af5267e1b4479d692bde46656a7145b61544f013dc1

Download Submit
C:\Program Files (x86)\PlanetVPN\Qt5QuickControls2.dll

Filesize
380KB

MD5
923c8972ca770c30e2842b35ca6241b0

SHA1
782fa6d1e117d27654a5b1c11a41ae3e89b87a38

SHA256
4b4828ad11bb52807fcd1a09c6449d843257f6f91fba2c72a3f9f1c7fe5aef56

SHA512
1d0c8c21958a97197b8e03d0822ee766857ac2b207463ff53ac6d03d8dd57aa66dad1a874fd6dcc039bade82e49f1c8dcf7caa9f9ecf7bdfb1508bec4bacdf43

Download Submit
C:\Program Files (x86)\PlanetVPN\Qt5QuickTemplates2.dll

Filesize
2.1MB

MD5
92f87fa2ff58486a4bd90b5d252af461

SHA1
52070add32e7c0e9fd8f9c923de8bd5465f7e04b

SHA256
de8a2649d572553edf38726c719f692037f4b4e995eb3699e453554197c7f806

SHA512
2291788bf15c9b4f27409d79b870b7e095c23689629243fcb0a25cd1ab9aef7b73fed3a303cbc98cecbf94773c6ffa477b00a641521ad038263d715c9ee22e7d

Download Submit
C:\Program Files (x86)\PlanetVPN\Qt5Sql.dll

Filesize
438KB

MD5
4a043538298514e28359cae6f92ea241

SHA1
41e0433977697d4a8d1036cc39436f8a3e5e7d17

SHA256
998946d2f9d9e77ab5114992ce8bd26aba3ce80ff777791a2446f190046a9391

SHA512
9716ab208d8ca5f7075c16065856a27b25dd569d008d4dc365ec89951ca2610c74582e2a858d0f52eac1b1f0d90bb8ad209106ca01185e0c455738039e455771

Download Submit
C:\Program Files (x86)\PlanetVPN\Qt5Svg.dll

Filesize
582KB

MD5
825b515b5694b55982c4f7d004a94ad4

SHA1
7430898bb90f9e98bc85e0b172889c9bd63b5dc6

SHA256
d7f56abfc93e7d4d5c79b568222f09ffeecdd08f4c18c2c17dfab00114dd40a0

SHA512
1ae16ef69878efa975693f77498355a16622d4dbc619a674b5178d367c5cf82c64504cc8762033f2da4512c537afa20542dbdfd61a0fad91d44be87263d37993

Download Submit
C:\Program Files (x86)\PlanetVPN\Qt5Widgets.dll

Filesize
8.8MB

MD5
b037b86cd074ea2a216bbd4b7b489c9c

SHA1
bc6b32e01e03887b06e297009efcf965083aa435

SHA256
2f0c2a362f2ef318ce80e03e914981ad42a1751c74b534725a6bf3cf50ce03a3

SHA512
39472c8ba41dbe53e180568ca61472fd3b912ea55227bbc75e9e2889f9d18551b971079824e9102afe0f132782b20c42f2b7c06b576eba2509c36e5f77b6572b

Download Submit
C:\Program Files (x86)\PlanetVPN\QtQuick.2\qmldir

Filesize
131B

MD5
d2cf96786ce59e93a2feb2178603a27f

SHA1
7478dfedcd7ac1795bf4ff2732ef716ec82b061a

SHA256
b6f63056ade6925aa070d3b2bd4133d26e80df4ea2719e81ad90027e19661ae8

SHA512
4fcde288c6a690728f919b70308b3bb2ead62c40223bea14e52ec5f3ef74f5467b1930f419df77d78b8d50e84ec81a1fe78cc9a3b42c4a6d261ba77c654a1714

Download Submit
C:\Program Files (x86)\PlanetVPN\QtQuick.2\qtquick2plugin.dll

Filesize
55KB

MD5
bc48935d7fb9d87eed3994024f1071f8

SHA1
9cea445364aae84a38d3e79b5aabdffd4229a284

SHA256
6fccb1c95c2198d15d818e640d7849af9215e741ebbaceecfee3f3315f90b0ae

SHA512
95dc78983ba867883766a3d2a988d56bd9c9a6252e8231e631a294c5a9cee3647862909f0282284d6c5d734d41685b8ca53823538bb23a7549098e5477676720

Download Submit
C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\Imagine\is-ECHVG.tmp

Filesize
2KB

MD5
c51a96cfe7de9ef5f7499b520aef04ee

SHA1
fd088304215ec2f081fb3b30383140fb716f0842

SHA256
c7f74755b3fc438dbdcb415930beaada79e45a540424282daecf5f538ee3489a

SHA512
80a19ab44c7232abb863575c63ff25f235e2ea49a9532fa23adacc8beebacaa3b36067e3e486b5bdb5f936bafd442c70127f7e028ead02241aa2b3cb35512be3

Download Submit
C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\Imagine\is-V580P.tmp

Filesize
2KB

MD5
f5cd8ac746b6994ed71ff8301b42a56b

SHA1
ba037b256ee49d9fc2c30bd11ccb8a01993a38b5

SHA256
1d4f3f1d0dbb8cae0d392c2556889c9639a1a51b055e47bdaabedbd33bd4a934

SHA512
6b465228d5918fc4a1eb093a0896abfbd11a57abd2641a6f89581b063e6537f5bec2b33084f873871026526c39741a10ce11c0f52be80b35257ec86f7bd27e75

Download Submit
C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\qmldir

Filesize
140B

MD5
659ed029afaeabbe4235968ff5292736

SHA1
565ceba5b695eebbf28030965ee5929c2a5a2346

SHA256
7b404175bb8e2b0d3822e75320c8d6d09c61bb53f4513c235a7d04ac7d34fd57

SHA512
41fcb039c054c7decb9fc7ca198f3218dc0965813758b66c5b8b174b732040a33f2d3f54037aec7a9c48af5cd3bcc798ddd41c7458924b8c9bdd49a38846195b

Download Submit
C:\Program Files (x86)\PlanetVPN\QtQuick\Controls.2\qtquickcontrols2plugin.dll

Filesize
922KB

MD5
b64cdbba8f86ad1570980766ba01fc04

SHA1
f22fb76a9240414408cf732561a7306d1b49c49f

SHA256
9e7ae57b5f45ebca1f9130a238850910fb3d0124eaf69c219d94db0e74ec4c99

SHA512
13b03e6e0ee0c9497002ffe16956c498b4d6d5d40168e208d35039de58578a7d1b3d37dc3133344dec34072f0ec53a84f9e3061df97c0399fe825ac8aa77ebf1

Download Submit
C:\Program Files (x86)\PlanetVPN\QtQuick\Window.2\qmldir

Filesize
122B

MD5
c434589591a9b33cbe88891afbb7c144

SHA1
42476fb63f3cf463b4bb03b47048aa0918e588b5

SHA256
8d88b81547e1573f8c91df998ea82608e0a79770b014c82f760a67388b41945a

SHA512
5a09830970ea37942166c1e5e5ce0fe452290eb9cd662ffaa9858bdb61806caa03b1016d30c98871a7b6c8fdfa369e29e3940a5f9779d967b98ede5901f4d30f

Download Submit
C:\Program Files (x86)\PlanetVPN\QtQuick\Window.2\windowplugin.dll

Filesize
157KB

MD5
aaa6f063228fe0f039fbfbdd71350b52

SHA1
0191185074bd6ae95910a9abc33245d68501fd01

SHA256
9ce4c676795449331955fbe0475b0ced2672d9f2e3693df06dae8a354306614c

SHA512
0f5626fa285c914407debbb815c8a867da19cc50f0e08303d67783d57a5cb5ed73cdcbde7273b4cd19a576bb4dcfbf4b88d1e2b00003e3519c61e6a89681a31d

Download Submit
C:\Program Files (x86)\PlanetVPN\bin\Wireguard\is-2OS1M.tmp

Filesize
1.5MB

MD5
051973a1420749e10d007049f15a30ab

SHA1
27141d4e7847e16f3cedd487dd3f074811556ff1

SHA256
672458902acead23b1a4dbca8b26e51324e88948196bc30d68703d45547898e8

SHA512
0f105ba29af981afe3a43e6d789f5df8a501c252d3f46bf730d5c92c98358c6656cbdc7bd7d5a0d4c5357ae0acb1144828358b07cf2b1515512ca9b4d3f047fa

Download Submit
C:\Program Files (x86)\PlanetVPN\bin\Wireguard\is-85JQ0.tmp

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Program Files (x86)\PlanetVPN\bin\Wireguard\is-C831R.tmp

Filesize
46KB

MD5
ed53eee1623a43e9ae174262169f0f2e

SHA1
4bf7e9fa40878e19d6d7b8277982ed958681af86

SHA256
0b5532f93126db45689d7e3162cfc6951f78738a182e52712bb2c71980468f23

SHA512
dce1bc89033313934323e9ad1fd0ef7a525df0fd8f2f7c64b5ca8f5e7780b5526ce9e1fff408f8a00b46f718763d492eae059b7d11d873eea3186e8584dca53c

Download Submit
C:\Program Files (x86)\PlanetVPN\bin\Wireguard\is-UCLGT.tmp

Filesize
8.2MB

MD5
39d509b1675c380dc549972506a8f717

SHA1
7fdbb1897ccd3ffcdee39ac3838e19f7b9d3f6c7

SHA256
bb88391d53cf771c58887cb54101b5dc638abeb84bce4beddd82be5fb4bae671

SHA512
bb4cfd92dd772b4d7a5bc84a6348be1e7d96864b086bfc331713ebefb47e30c7d1b304cde7d3a25b388ccd7e59816b0e3fe96f85676c722664be470723960ca9

Download Submit
C:\Program Files (x86)\PlanetVPN\bin\is-QIA6L.tmp

Filesize
2.2MB

MD5
e22b2e3d650c33c9197f985b7516da70

SHA1
87fe823dfd9a2ed7596cbfe249318c17e095aeb1

SHA256
2270871989e6c90df07b3e4630b4c4b6dd0e33e2a23ba3c52a7ff7bc3553304e

SHA512
84c9ca6f4dd73fb1f426671f937ab0e0210dce0bfb0e48fbb8e0305d31aca97d762a6b462c8daef5092d27b612fd7bfc7a6e3664995eee2ece25598dd3b48af8

Download Submit
C:\Program Files (x86)\PlanetVPN\bin\is-T6R8H.tmp

Filesize
72KB

MD5
98130c9779c39825dd123029060b8084

SHA1
57ab9af726692dbb0d2d65ab95f03f1b87e7da3e

SHA256
479907904acf2836a3e103a192393e98c98cfddc1b4c0b8ff20a442521900c6a

SHA512
4afbcb353bc4e697005f05ce729d52d14ce0538a0b3fc76044a72725296cd805682cb004630cd20b1d150ddf348f92478b5243dced378cf4720be51b61e117c4

Download Submit
C:\Program Files (x86)\PlanetVPN\drivers_x64\OemVista.inf

Filesize
7KB

MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Program Files (x86)\PlanetVPN\drivers_x64\tapinstall.exe

Filesize
80KB

MD5
65379a2610ece62ab38b201d27200848

SHA1
6bbed21bac02a2b123cbf47ed99893b96ff48c3f

SHA256
315e6c9856072d7fee07929157d74b2496b82dc01e04383559bb6ab80032873d

SHA512
9f4d195056ae0e43eb051746767e4045c91e8bd141d217ba9eb287bcc2796ac7c9964d8cbf7971c9a53a19e120952d361f914edc489ba94e450512477f8a3960

Download Submit
C:\Program Files (x86)\PlanetVPN\libQt-Secret.dll

Filesize
133KB

MD5
33a9394b124d1d1133179b469261783f

SHA1
4fc5644d31d1baef57bb88bb7e7833a9c4159437

SHA256
af73201f89ef2c034a992d3cba32cc0b53af81cca066d57ed31d0939d8fa61c0

SHA512
965060b3fb3630f00362c61a6c2d281b98c2f6dab0de46b9e945031a320d775fa48783d3ecaae83e45f4fa75b33a8aa5eb012531735211b8488ed8c0e748fc4d

Download Submit
C:\Program Files (x86)\PlanetVPN\libQtBigint.dll

Filesize
221KB

MD5
4368ec31dca86376f5fb53b6d21c2165

SHA1
8eaa9d021886ed87c6e905289690c905493fd14a

SHA256
6730803897a74622f3cc2679c3014c6d1792e9a0158f3980dbd4c63f7dbc07c6

SHA512
e24000a37349adddde7d127d7a03e6381adb23aa760a3116a82a83a02c8f22bb1f15341889a3d101c1ad08244ec9d565580b00aea74b7f7f41ddd31d683b75ab

Download Submit
C:\Program Files (x86)\PlanetVPN\platforms\is-QMCEN.tmp

Filesize
2.9MB

MD5
10de385a50aba297f8b92fb2eeaca1a3

SHA1
b1506e0f27f0661e3c46d2389159b8fc1fdc704b

SHA256
bd092da50a3d1d5113d0f5404bc8854faabc4875dd3247c81c4267fe8599e338

SHA512
29e8781cf4c98a2ea4d97cc0dd5f8bcfc8825caec55bd5d82c7124a4668c6823605910ac4f14d1a26fe46dfadc9bc8957c3c69b35d81837f8fc1f8d958e41f2c

Download Submit
C:\Program Files (x86)\PlanetVPN\styles\qwindowsvistastyle.dll

Filesize
332KB

MD5
f17db40c8253fab8642753677453c49c

SHA1
db14600290a48153481e5d84a378b08d8c55bcfb

SHA256
5e6bfaf6dcd4446ff34a6a385652923c470037963235072e624887d1bca98565

SHA512
b9ab3f59dd87e3f0752fcceec596ffa306b0bba6cba9864760e1a9b87ebbe0fc9c22adf8181bf6ec45973d774f91dbb6dc439809eea892cf92b7334a11212a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BORKL.tmp\update.tmp

Filesize
3.3MB

MD5
9e9ef955001906e8b747e86f44f54b22

SHA1
7ca2f3294f5b1c202dc5d5bbb78c1890e70d1e72

SHA256
5c2848f6ba1cfbfeb136174d94632a7c0bce132fc11664559b88ca0180e919d3

SHA512
5eaeff606ef999f7a30adc2f78658fbc3c9cf427b162aed94488c867a2cd838a6d67c9165b5d114f89a2957858accd6246c5b34e971e4364a26ff17661b8b7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\{e8c64200-74a8-b548-af55-ebdaf3fded32}\SET84AE.tmp

Filesize
26KB

MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
\??\c:\program files (x86)\planetvpn\drivers_x64\tap0901.cat

Filesize
19KB

MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
memory/2332-3452-0x000000006D9C0000-0x000000006DA12000-memory.dmp

Filesize
328KB

Download
memory/2332-3643-0x0000000007490000-0x00000000078E2000-memory.dmp

Filesize
4.3MB

Download
memory/2332-3449-0x0000000002DC0000-0x0000000002DE3000-memory.dmp

Filesize
140KB

Download
memory/2332-3450-0x0000000061B40000-0x000000006225D000-memory.dmp

Filesize
7.1MB

Download
memory/2332-3451-0x000000006E7C0000-0x000000006ECBC000-memory.dmp

Filesize
5.0MB

Download
memory/2332-3453-0x0000000002780000-0x0000000002DB1000-memory.dmp

Filesize
6.2MB

Download
memory/2332-3657-0x000000000A520000-0x000000000A521000-memory.dmp

Filesize
4KB

Download
memory/2332-3658-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/2332-3659-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/2332-3661-0x000000000A530000-0x000000000A531000-memory.dmp

Filesize
4KB

Download
memory/2332-3466-0x0000000006390000-0x0000000006590000-memory.dmp

Filesize
2.0MB

Download
memory/2332-3662-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/2332-3663-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/2332-3483-0x0000000063D00000-0x0000000063D34000-memory.dmp

Filesize
208KB

Download
memory/2332-3664-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/2332-3665-0x000000000A530000-0x000000000A531000-memory.dmp

Filesize
4KB

Download
memory/2332-3666-0x000000000A530000-0x000000000A531000-memory.dmp

Filesize
4KB

Download
memory/2332-3476-0x0000000065C80000-0x0000000065C96000-memory.dmp

Filesize
88KB

Download
memory/2332-3667-0x000000000A530000-0x000000000A531000-memory.dmp

Filesize
4KB

Download
memory/2332-3668-0x000000000A530000-0x000000000A531000-memory.dmp

Filesize
4KB

Download
memory/2332-3669-0x000000000A530000-0x000000000A531000-memory.dmp

Filesize
4KB

Download
memory/2332-3670-0x000000000A530000-0x000000000A531000-memory.dmp

Filesize
4KB

Download
memory/2332-3464-0x0000000005F50000-0x0000000006390000-memory.dmp

Filesize
4.2MB

Download
memory/2332-3486-0x0000000006BA0000-0x0000000006BEB000-memory.dmp

Filesize
300KB

Download
memory/2332-3484-0x0000000006BA0000-0x0000000006BEB000-memory.dmp

Filesize
300KB

Download
memory/2332-3446-0x0000000002780000-0x0000000002DB1000-memory.dmp

Filesize
6.2MB

Download
memory/2332-3645-0x0000000007490000-0x00000000078E2000-memory.dmp

Filesize
4.3MB

Download
memory/2332-3647-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/2332-3652-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/2332-3651-0x0000000005340000-0x0000000005354000-memory.dmp

Filesize
80KB

Download
memory/2332-3650-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/2332-3649-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/2332-3648-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/2332-3646-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/2332-3673-0x000000000A530000-0x000000000A531000-memory.dmp

Filesize
4KB

Download
memory/2332-3672-0x000000000A530000-0x000000000A531000-memory.dmp

Filesize
4KB

Download
memory/2332-3671-0x000000000A530000-0x000000000A531000-memory.dmp

Filesize
4KB

Download
memory/3776-3463-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/3776-0-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/3776-8-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/3776-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/5044-10-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/5044-14-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/5044-93-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/5044-239-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/5044-2370-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/5044-12-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/5044-3462-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/5044-3413-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/5044-6-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download