bbc5d2cf7422ee184beaaac9aa920b0cf9a1310cfd703fd0f9b1b63701672df8

Analysis

max time kernel
101s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 09:37

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ProtonVPN_v3.5.3_x64.exe
Size

81.4MB
MD5

9e246caf655fef65deaa2ccb9886fddb
SHA1

e8186d24c2e0011453e0495a69aebfd56635240e
SHA256

bbc5d2cf7422ee184beaaac9aa920b0cf9a1310cfd703fd0f9b1b63701672df8
SHA512

f1c6e86c681329feda4db846125356ed29c85a97c65db2e4f66411763b13e844bb947b77c2e7e904f1cb5ae12868d4a133e8573557f477fd147952a942a259e2
SSDEEP

1572864:pVuySnEkGve5KGOIBvwOiHmg4qy5A47s5ECkAz0Ii/VjSuHk26ndjpj69FoFYlwu:WySJme5OswOdn3cw7jjHD9FmYh

Score

10^/10

defense_evasion discovery persistence trojan

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1832 created 3432	1832	ProtonVPN_v3.5.3_x64.tmp	56

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ProtonVPN = "C:\\Program Files\\Proton\\VPN\\ProtonVPN.Launcher.exe"	ProtonVPN.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	ProtonVPN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\System.Resources.Extensions.dll	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\System.Net.WebClient.dll	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-7J07R.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-D5JQE.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-7EC9D.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-J92Q6.tmp	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\Microsoft.AspNetCore.Razor.Runtime.dll	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\wpfgfx_cor3.dll	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\tunnel.dll	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-2S4AC.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-S8710.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-PE6LJ.tmp	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\Microsoft.AspNetCore.RequestDecompression.dll	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\Microsoft.AspNetCore.SignalR.Protocols.Json.dll	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\Microsoft.DiaSymReader.Native.amd64.dll	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\Microsoft.Extensions.Configuration.dll	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-9IVV8.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-9E3FV.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-RUSFT.tmp	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\Microsoft.AspNetCore.RateLimiting.dll	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\System.Diagnostics.TraceSource.dll	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\System.IO.FileSystem.AccessControl.dll	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-K7I7B.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-CNLUS.tmp	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\System.Linq.Parallel.dll	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\System.Linq.Queryable.dll	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\System.Security.SecureString.dll	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-T93VR.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-9TVIK.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-Q4IK9.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-NBDFI.tmp	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\ProtonVPN.Announcements.dll	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-LQK1U.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-4011I.tmp	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\Microsoft.AspNetCore.OutputCaching.dll	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\ProtonInstaller.exe	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\System.Runtime.Serialization.Formatters.dll	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\System.Net.Ping.dll	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\is-EB38U.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-FOF47.tmp	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\ByteSize.dll	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-IE6PO.tmp	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\System.Xml.XmlDocument.dll	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\System.IO.Compression.ZipFile.dll	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-3UDUQ.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-N056U.tmp	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\System.IO.Pipelines.dll	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-1PP3I.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-BRNQA.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-KOERS.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-QBFCJ.tmp	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\System.Threading.ThreadPool.dll	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-VBS2N.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\Resources\is-EUVL7.tmp	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\Microsoft.Extensions.Options.ConfigurationExtensions.dll	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\System.Threading.Tasks.Parallel.dll	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-OJ1CI.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-6S0FO.tmp	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\System.Security.Claims.dll	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-RH65I.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-GFLBG.tmp	ProtonVPN_v3.5.3_x64.tmp
File created	C:\Program Files\Proton\VPN\v3.5.3\is-2N2JI.tmp	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\Microsoft.Extensions.Configuration.CommandLine.dll	ProtonVPN_v3.5.3_x64.tmp
File opened for modification	C:\Program Files\Proton\VPN\v3.5.3\de-DE\ProtonVPN.Translations.resources.dll	ProtonVPN_v3.5.3_x64.tmp

Executes dropped EXE 5 IoCs

pid	Process
1832	ProtonVPN_v3.5.3_x64.tmp
3412	ProtonInstaller.exe
5796	ProtonVPN.Launcher.exe
5620	ProtonVPN.exe
1112	ProtonVPNService.exe

Loads dropped DLL 64 IoCs

pid	Process
1832	ProtonVPN_v3.5.3_x64.tmp
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe
5620	ProtonVPN.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ProtonVPN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProtonVPN_v3.5.3_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProtonVPN_v3.5.3_x64.tmp

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "179"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ProtonVPNService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProtonVPN\shell\open\command\ = "\"C:\\Program Files\\Proton\\VPN\\v3.5.3\\ProtonVPN.exe\" \"%1\""	ProtonVPN_v3.5.3_x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProtonVPN	ProtonVPN_v3.5.3_x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Proton.VPN	ProtonVPN_v3.5.3_x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProtonVPN\URL Protocol	ProtonVPN_v3.5.3_x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProtonVPN\shell\open\command	ProtonVPN_v3.5.3_x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProtonVPN\shell	ProtonVPN_v3.5.3_x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProtonVPN\shell\open	ProtonVPN_v3.5.3_x64.tmp

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1832	ProtonVPN_v3.5.3_x64.tmp
1832	ProtonVPN_v3.5.3_x64.tmp
1832	ProtonVPN_v3.5.3_x64.tmp
1832	ProtonVPN_v3.5.3_x64.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5620	ProtonVPN.exe
Token: SeDebugPrivilege	1112	ProtonVPNService.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1832	ProtonVPN_v3.5.3_x64.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2432	LogonUI.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1832	2508	ProtonVPN_v3.5.3_x64.exe	89
PID 2508 wrote to memory of 1832	2508	ProtonVPN_v3.5.3_x64.exe	89
PID 2508 wrote to memory of 1832	2508	ProtonVPN_v3.5.3_x64.exe	89
PID 1832 wrote to memory of 3412	1832	ProtonVPN_v3.5.3_x64.tmp	102
PID 1832 wrote to memory of 3412	1832	ProtonVPN_v3.5.3_x64.tmp	102
PID 1832 wrote to memory of 5796	1832	ProtonVPN_v3.5.3_x64.tmp	103
PID 1832 wrote to memory of 5796	1832	ProtonVPN_v3.5.3_x64.tmp	103
PID 5796 wrote to memory of 5620	5796	ProtonVPN.Launcher.exe	104
PID 5796 wrote to memory of 5620	5796	ProtonVPN.Launcher.exe	104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\ProtonVPN_v3.5.3_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\ProtonVPN_v3.5.3_x64.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\is-FGUPG.tmp\ProtonVPN_v3.5.3_x64.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-FGUPG.tmp\ProtonVPN_v3.5.3_x64.tmp" /SL5="$801F8,84282447,1033216,C:\Users\Admin\AppData\Local\Temp\ProtonVPN_v3.5.3_x64.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Program Files\Proton\VPN\ProtonVPN.Launcher.exe
      "C:\Program Files\Proton\VPN\ProtonVPN.Launcher.exe" /lang en-US /CleanInstall
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5796
    - - C:\Program Files\Proton\VPN\v3.5.3\ProtonVPN.exe
        
        "v3.5.3\ProtonVPN.exe" /lang en-US /CleanInstall
        5⤵
        Adds Run key to start application
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        
        PID:5620
- C:\Program Files\Proton\VPN\v3.5.3\ProtonInstaller.exe
  C:\Program Files\Proton\VPN\v3.5.3\ProtonInstaller.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Program Files\Proton\VPN\ProtonVPN.Launcher.exe
  2⤵
  PID:1408

C:\Program Files\Proton\VPN\v3.5.3\ProtonVPNService.exe
"C:\Program Files\Proton\VPN\v3.5.3\ProtonVPNService.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38c0855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Proton\VPN\ProtonVPN.Launcher.exe

Filesize
12.3MB

MD5
b6106de6a655f8d7cfb1df8c77872325

SHA1
5c41fe66f0807a5990cf99bd358e986e834d5b00

SHA256
b0003bc02a1dfa2fd32366103f0e0cd1ffb22a569f0c37534d89fefc66ebb257

SHA512
5f8c2b53105c773721113003aeb98f0541a9d64c32a00617a75a9ef0e0ceb38ed75b3b03449e8e511039f5bb896789907863bdd4bb41df84e7882a68d4dbf0e9

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\DirectWriteForwarder.dll

Filesize
486KB

MD5
03b64a13771898736b4a1fff03936c73

SHA1
7856776ada449b2c673a9f664a459de7d4f3abfe

SHA256
04708fae22d33dacb6848b684076423cecb482a8bba5a6e7ace831af8d71181d

SHA512
599bd1ff53a8b30bd15e3afecd997911c9910d191c851b2f6b351553c0e3164402dd5d60c297635bdbb0ac06fcb90996afbe22c58e80615aa417abf57fd64a29

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\Microsoft.Win32.Primitives.dll

Filesize
15KB

MD5
9b22cfb5bed886c6969e9c2bca6ac35c

SHA1
10136331c4c4c97581055c94ae57d96daa050fc7

SHA256
150ce7473f17d708e846ccafd9beeab9c341c28a130f6e37630acaa622754a8b

SHA512
e0c31b87191f833492149d9e17fb0ceb6fe15e0e053fd5959223835719f727b9524d6fa4e33ea167ff26cd912096aa455f0e6ea16bd377722d7bf9f2400b760f

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\Microsoft.Win32.Registry.dll

Filesize
118KB

MD5
c2dc11b82a094afce0e4810e4fa50723

SHA1
769a8c969bb7ec7ca893c1939d2500bb367cf565

SHA256
19eab1189558efefb90f34b012b8182dfd3c707463f5e0d4f5c0d810156a5ed8

SHA512
0083fff0e424ff80b3f8a632f139ad267a14d1419abd1b68baf1fc84bd2e5739e805adf10ec79d7fa325bac553cf7f0d84c846425638292c550ca3957af46dab

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\PresentationCore.dll

Filesize
8.1MB

MD5
387c46cb98dea36d68cf91e0b3fe0f59

SHA1
fe07857d156ca667d67b2329d25e6c8d8f12e747

SHA256
6e08a42418bde7132b0c7708d4a1ad3583dbce200cfa2b4a5178a1557451a7fb

SHA512
16c892dd9d592049d7f039c3d56176e738dbcd8bb1683f8eabe35d0561e4f72efa2dcd4ec49b4753185da3e7b264e3e5cbfcecc8a5ccc388997cc73133930aed

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\PresentationFramework.dll

Filesize
15.4MB

MD5
6735155439520f4d921db5e4e404686a

SHA1
e4531189a7d56b0613ad0c3f2b055a8518761a30

SHA256
8a9662ad0e8bd18108b54c2ac3f9ab78a10d2f97ee6dcf96a8a8e6fa0f9ba4cc

SHA512
857ff8b19560e054436abf6e7a35938446ae1142f28be060661cdc46fd101bc5b0eb014038abe668bff14dbd873b722f4946f1d97ed2b601d2bdd1d5d8c76026

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\ProtonInstaller.exe

Filesize
5.9MB

MD5
5c36092ea0b0f24cbb0fc368fba45164

SHA1
a4b61a1fca79699149f98b4660818f854d9e6263

SHA256
a55e464297a5d5aed748ff3a99b92d03bd276529b58b076cc663347edfdba62b

SHA512
a1d3f7e5d582fe852f23d22ab355d101b0a71b0315a1516b974caa850dca923c417c0fa77a17e34bc16191eec3dc6b4ccb23c7c33e25c6388b6177ba88943c35

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\ProtonVPN.deps.json

Filesize
185KB

MD5
a4234439fdd8b4393f92be7367d716ea

SHA1
66f299997d669b19206ca93de5ad7855b51006ba

SHA256
da10f58aeaf62892250153068f2db4b3ca06a4e18bf90fb219851f2b079804ed

SHA512
7d0096657f1225afa883a91a638b73bd50f64a9bbf53d05545fea829e3e2ea2805edfbe7605107ca4163549538703b6a056a05d85d68775735193942adf11fbc

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\ProtonVPN.dll

Filesize
8.8MB

MD5
70722b7dbb744c3b9c0caab7332178fd

SHA1
7fef8ba279002961ac87a15c4512c2f52181ed40

SHA256
901195f5ae8f804c6739a01ae2779a3568079ad188f6571836adbacb02e02ea9

SHA512
d2abc76e6ca48339d6007f7008cf11fc51304d97fe6d63686bd9293cba80bf5012f2df52ed856867838dd468d59a68d7b01e12dba7b36d9246ea1a6c97178706

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\ProtonVPN.exe

Filesize
450KB

MD5
33781650f9fd0885ec550793b2f13a22

SHA1
81bfcc6834cdc040e3c65b7e7fba788a58665eae

SHA256
97b33318b5c8b1d90cdbc916cb3968c975291fa42bce754a1d83004508c0879d

SHA512
85f39a1ac8e957070d567abfa4dc89399fe7fb5b241bfdf5e8f3c6d52afa1223ae573ff7535c2de36ba2e0c8e4e329247cf89f0821da7e0b560de8aea1e217e1

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\ProtonVPNService.deps.json

Filesize
172KB

MD5
b1333ea67ff6b268855ad3d8b4442f94

SHA1
34aaa2f5b76a18556eb84537f409f6d75b55add1

SHA256
86a8297402c11b3591e2c400436e4e822f876bfde69b63fb2dd3431a46abbf16

SHA512
c3b58a31dcb02dedb20b44e2465ca17816a47819cbb81fa6a524b548ebc6bc23a623d7f51f2423b57eca13650d481be994e8f699110905744aaecc21af1364ba

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\System.Collections.Concurrent.dll

Filesize
270KB

MD5
b9b20837fc21f3b6c7dc96118f58a584

SHA1
a1e60495da508facb76031996abca51306078142

SHA256
4cc75a63fed0a6388c95628efbea788408e4167595d8f3980bcd2beb9b439541

SHA512
720fc092603432e3640c9b4c71c969403d2bf400e1c2f7ef1f0c46d85e8a31147113c0a191a1a3180d9fe26337c3e1d0f6ba38505bc8146156a88841f8ffbecf

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\System.Collections.NonGeneric.dll

Filesize
102KB

MD5
d8e1f2706edbbb0d5283e866fd6b5a68

SHA1
5893b4b685a2172d37df5519ad00f02b5132db50

SHA256
891a7b6baa99b3a98d33947e69cb35f415bf735d9515da628d6624bd64595bbe

SHA512
82f5fca1138885bf890ea262b7b453e05c76095a7c80f66d2f90cac91b374153a7e53b4f0c215b389bdaff63f91dc52912382960e24c646429e12908ab2feca5

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\System.Collections.Specialized.dll

Filesize
102KB

MD5
408636ad69d82964450d11e2bc2b063e

SHA1
c6701a74d0993b7e8242dc45c73c47cf38a8cf1c

SHA256
b2eabd2cc9923818f6d1bdfb3e9cfe02a54d6327dcc4aeccf61f895e0e02e67a

SHA512
fc252cb0e6b778e410856c1d8b2e00a925c8c6a31e8622687d56d641dc54dad004507af4a23406448d1410cb618f7689704e0d504b55a68ba2bd6bd05e8254a5

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\System.Collections.dll

Filesize
254KB

MD5
f79c5255b5a8113246917ae7681e4a24

SHA1
cc1b9bed6269bb109657a3bbec56f54c31444b0e

SHA256
5b20181ee4e188aa6b328c107fee9506e63efe3a4f9d2c3517ef2972b6aa1211

SHA512
731ab48b1913fc9ba4f8d25eb497ef860796ffca7364ac91d18be2dcb243cda6bae0bd141cd6b8cb77c940253fe642bd44d85999003dd5701be9242a6bdab5bb

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\System.ComponentModel.Primitives.dll

Filesize
78KB

MD5
bc478fc2764a94c56e69e9e38a51452a

SHA1
1c199bf6064992a5a81472b091a01f45b4442889

SHA256
304635dbc025b5c3bff78df48c19980e9b52c632a7d3c145b61288f546293bf7

SHA512
ae81a6ce5e66cdde1b074474459db6081c627b8b38e0f959ebcdee02ae935bb022e66f39a4451989aa59e3ebb15ce3052cc23ddee4c9db5e6649d33eaee484b6

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\System.Diagnostics.Debug.dll

Filesize
15KB

MD5
200a2ef8039a866c29f6646c08c916a0

SHA1
d9afb3dcf376fdf153d5b0f1ae6167660dfb1feb

SHA256
f587e4d5f4347d8851fe63fd165ff3af6f0a0d7edb22dc9ec13878cc5342ab2b

SHA512
51beb0733a184397ed605d483d0ef47f7a6b6da05666db5175cbdb8cdefb90e4d6bfdb0c59e118796e9851108d590f2eadf3cf07944424c05276bd9f8a64e25c

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\System.IO.Packaging.dll

Filesize
286KB

MD5
84210178469bacf943dc254635d69531

SHA1
94528463402ea1966448f27ea1a2f2e322b98048

SHA256
d858be59d3d2eb100ba1d963cbff906ff542ec3501a5921c34f59c04cb78e2db

SHA512
5e54b901bb96f8c7dc69a0743d51e18c38ed48054f3b2f9e3f5e3fdd8d9a6c2c2e305ecc00821db8830e995b387059deadf2b647c0230e126b5afc7958f0d75b

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\System.Memory.dll

Filesize
154KB

MD5
1e158b6e320633ca794113eef60bd35b

SHA1
bd6bc89189e4546abd4b24c3196c60ce2c2a473e

SHA256
536310fad46e9710e2378e6ab65715489c267b13a08ad96139978d97974bd282

SHA512
b3c89d7f57f69d3e7b0eefec4e4f5e6fc56d3023032f8631e126a48b8068a30b2394ff74e9ad5fab4d8719e42a22d8003b27b60f1a5e009986216ac4d9961356

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\System.Private.CoreLib.dll

Filesize
12.6MB

MD5
8b5ee62abdb7b72f418d797fe73f2521

SHA1
77582007964cbb215278267691a255b63abe5ffd

SHA256
4cd6810b4ebe8d6e1f5928f2026d257c112380d33b557a60bcfa9c7f2bb012e8

SHA512
870ef275e1e8d1607e2b22eb25f1f05f99346b54651bc119d809bf21f1a6f041eff801b3b5e1ffbb1897975feb2c3aa47b3699cc4c63eca8e3e6a60387ab4bd9

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\System.Private.Uri.dll

Filesize
254KB

MD5
fadc9e1672eba182ad57e6ff27df1797

SHA1
774c74089fcea3afe0c7ca1a0b496c999392900a

SHA256
dc01ed420ef427086f0057013d7ac1cac07e2483e4cfc162d09df1b64553892c

SHA512
0650f9ed9c86103cc66871b4558ba9ae291273ff5e0dc0fa7468f3636ac6896caa8c9ea714ed821b55a519c6e1b1f5bd26d6dc7196f8f2bba6215f355a2be602

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\System.Runtime.CompilerServices.VisualC.dll

Filesize
30KB

MD5
511a6cd95cb5e50acc7c7b97f8de3531

SHA1
3ae756447c028a59cbcfb20cef96483337de4b5b

SHA256
2cf2328b2bb67efb7a4021e6b1093282826a7d221bd3b3b57c145e5e13374456

SHA512
033e5553663d65a66007021d5773bb3046c2b24d51a991c83e1b025170e9d04b910273467cbaec9cde12b79db10e2c9685af5722bbacd603eeea5acb565f4788

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\System.Runtime.Extensions.dll

Filesize
17KB

MD5
33fb9bbbcba3e7bbbd7ba9216958008b

SHA1
7660b39fdf52e35edf106d6900f2c7862121eea4

SHA256
c31f0812b87812a10627c8603ca265e1a33927047134b1dd5ce69356869e250c

SHA512
d51fd4d60b53c8bd23bc285ff34c447ceb517c3e402a8d61db397996c3800f268b4f0abebeac12bf42b608506edcbf66cc4a27e46c0842b9ba149dab61e5f01d

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\System.Runtime.InteropServices.dll

Filesize
94KB

MD5
1df866f691def4290407f5cf01b996ad

SHA1
b2ba5af3f80aab63ef2fecf6341b44deae201ac1

SHA256
127ea3f2ff47cea14c082b2ed22066554d22c9d8f97dc0d403b17042fac62a5b

SHA512
6f96aec2abf7f6e96b7699f67cc8547334277c8e502e6ed357713c54b68faf264b1843ea42e6ab0f7c6ad7dcc1098b9042e1d5f15e93db6f8d346f613d1f6a1d

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\System.Runtime.dll

Filesize
42KB

MD5
dac7d72763e59a64c0d706325b747d92

SHA1
5890f0ee30b86e01ab55d6017261554d16f6c916

SHA256
9c506c9347f872c3375255f744dcf83b71a96ff71cbf4a19b39873fa22f73c22

SHA512
4218ca96d6d2d4e24e3b6a70a87890a9035156d522d217f48999870f644548a7bc5c09b78b23de41c5974c375f9d03ed49054a173b4230ae835ff808469ce50a

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\System.Threading.dll

Filesize
82KB

MD5
932a0c2978b649703c40b260b1955d26

SHA1
e9a4c055bc14b3a2db5bc5d0cf838e79838ce8e0

SHA256
15cc9db291b87042f1ab4319f8d04f4cd226f15bf88bf0810b31dcd50fb0bb7e

SHA512
51d6d767425fa1afa0acd5a149b99d4c62bab174ecd7485211e9b9635eb876319e8ad2a96d9a7cef26beb855da3661b26912f05014f6dc22cffe33306d9988e4

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\System.Xaml.dll

Filesize
1.4MB

MD5
1130708833ff71818513517c6bccc032

SHA1
f5ca4bcf6ea7bc9cd0691ccce31e083ab71b4699

SHA256
7cd9d44f7a57344695fd007925306457d965e6bd2ef8ffd75f5c8adc0098a274

SHA512
4c8060b943bdcb3e005c094a87f4e9b6fb34ef7df636a7404d4728b800274329fe6e3f80f7bf6a8b6d6fc71cdb88499c623e5f1e847fe5fd612115e058b755ba

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\WinRT.Runtime.dll

Filesize
508KB

MD5
f46fe77fc4111142cee0940d9a6b4d0b

SHA1
386440ba7ffce2632aad4306a9c9597c463845b2

SHA256
7f72d3817130bf63c602a10636b7a9d8b1cb718e1286146a8f6e21f88aadf4b5

SHA512
acbf397a9fe4c475dcfb4baf22b7c5a31f40ca49ff6811641715c89953c3d2e859a9947872b499c7c040642be0b3d8e22c60ffa839ae519d4935913ca01b4158

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\WindowsBase.dll

Filesize
2.2MB

MD5
21cff665bf097a683fbd69c675d32509

SHA1
1c424ea1adae721e9477e7159498c652f4c25836

SHA256
0438075ed22dac7a30161f91753cc23878f2bafd0ff8bb8aadf6355d74e06e6d

SHA512
e12f245ed79d1f03acd5bb54bf16d763bd6d5817c2ffbcc8de0f935b91a70333006a45a9b611a831d651d47e5022ceb98fca486b65f3e1ffc99919df5a362cbe

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\clrjit.dll

Filesize
1.7MB

MD5
cafab1ff05ff429bd46cb78b2ff8e9e8

SHA1
e02b3b243b6993c0add46cab15bbb6549c602700

SHA256
0dfe34be78144cad7db5b66a7fca3d86178ec0f353aafba6c81eb72e797e383b

SHA512
f19b60d26d784b2000e67a8698f8915ef623eee074dab9b853ba927a20ff11ab267c4ba385971620470987240263f917199e1424f3d23d263382163d66435639

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\coreclr.dll

Filesize
4.8MB

MD5
389f964635cb95c6696744f56cbc092d

SHA1
f133da56b7ad65d162656e052c358328877db1b1

SHA256
b4375494bb10be11db6134d361df2f39a7a2c7f6696ca8d239a3ed424ce66de7

SHA512
49dbab9c3d1e9fe506ea7e0942d431559dcaf406c8e8233afdd234bd8337f735e1d9510861c1de00b7295d5956ee166d0ad55afce2142fd75a876f506f4dc661

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\hostfxr.dll

Filesize
342KB

MD5
00f6fc45937b885439cc6c1a34dc96c1

SHA1
5df3efd8a49b91e5af676d35c02e75a640f4755f

SHA256
130a3656b07a317f859d542c0f11339f3d0ba4198169853781a3fc04ed64c907

SHA512
75f088c244271142c58a7ca8f42ee68b910332ac2a23c44f7e6f6c38ff2334f96b8f28ef312a79461f5c631b07110403523b67245be8d3c7b6d0368913438085

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\hostpolicy.dll

Filesize
384KB

MD5
25fd4181ab8b572a1bbfba2f4a9ec239

SHA1
b834dfc4c908b3cb8d3fc40771e6d0e900c7de64

SHA256
65d61078b6b97884ad09aa12da97d96f50f7d98e6d163c926ae199f9bb58a3ce

SHA512
38b708595e5a91194fdb089ae56e4051841c27406f8e770bb720ee9a5d66e6fb1ce8599f224071c2c23d30d832315c2a51a532677f121b383547f149385d1246

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\is-F439H.tmp

Filesize
453B

MD5
0f699c934a98f229e08b805ced7e265d

SHA1
191e6e106081033b448d0ccb32b5d6a81d6c8d63

SHA256
a0eb69194b1819658ba615351a79859707d3a5cab440bdfc26e015a64ddc7b82

SHA512
0ad0d5fac9bde0eaeceff4b60be75df6e6f2745670d56da5674c96b179b609312ef1c66a94ae0aeb7566bf9ff22193556a3817fdd7a29c777322521db7aa239f

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\is-L890A.tmp

Filesize
540B

MD5
fceeafc460df5609a1f10921b03da7d7

SHA1
dc281c4a126df181e4330a4cdfd9e43bf39997c3

SHA256
1b8a0096c02b3f1ddf6756a3b112b4e5a3ff7698b8500eadd28298837387c60b

SHA512
b5ea390511370f27e761269c8bc25f1f2fd0befcce9c1cc6a919f319220a440c1203954703eddb373d35e96ef73aeb3a02b35ee530b63496735cc877bc7d186e

Download Submit
C:\Program Files\Proton\VPN\v3.5.3\nethost.dll

Filesize
140KB

MD5
e5dcf47d33269f796c22c9a87372b3e0

SHA1
503237413787514ed80177138b482cecefdc1998

SHA256
5ef7eca8a93c4e22712232c977fbef0bc146399a5c0cb1dc89d591109b4f0f53

SHA512
d80ca764dedaa6166e80f447ff78bc58147bc0032c8663b869152d470a6c4d89fc6b3c469304ddad0b5d1eb5b645f789c292307b76db1cced6ea6eb8a83d3c60

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\1dqdtjxu.newcfg

Filesize
1KB

MD5
d69b2c357319853b94606af7dee85e85

SHA1
1e8f9b208425f9744963d10f669fa1aa9b3097a8

SHA256
fce26e6c45b14d25e1ecfe7d2cf91907c088d77e908c912b4402a402a6152ab9

SHA512
afc0136afad73c770db5f90e6dd26cbddaed21730a20dc8fb24af446b6d430c97cb94f1d7703ccecdfdb072e3d2a6e3e5fa3b5f03df85decde1e82df52fa1142

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\210hxp1d.newcfg

Filesize
1KB

MD5
e10e8996a1c36bd2340ea4f782752dce

SHA1
ba6f2c4b7efd8b4422e89c619d22bbc1462bc2ed

SHA256
f4fca5288bd1b543920347156b287d3216e192eba674bf6f07c829786ceb9ff0

SHA512
20b4b1c2c3c74f8e98cdf09cda6314e2b033f7874c8cadeeadc2b72a48a4c229bd915d608fc10e732053bdaa7d01ebd454679155f01b6fa1d00730ac89b1d320

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\3omcf4az.newcfg

Filesize
1KB

MD5
c42e653a627881cfc68a5155a690662f

SHA1
324f66182836b719f04495aec332c0ebdaadfea0

SHA256
69cb268a359dcafcde50e12657c88062b075025289b7a2de88582180a1735eab

SHA512
0c1e5c480cce1b6514169758d9570d1cb662429f9369838ccf88f0637613d0ff8d0d3bafe0bca39573c0b83366c8a9e1e403ace353645ae49d7c3abd5755e251

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\42ukcghh.newcfg

Filesize
1KB

MD5
4864fe2109b2689f206ab9338fdab05e

SHA1
8236c0565bfe94b464fd17b1acd493cde69c5922

SHA256
5362953f9a00aa19139516e8cc8ff3132cc0f5337d687f05d921ebddbf190427

SHA512
1ec7e7ba00eb80a023722d7a538d1ffdd0ab76d468307ab13e15d008659cf0b3ae654dfee72acc5f36154914f7f6806445b250caaeb632a3499c56f8d9e59d61

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\5eoyrhrx.newcfg

Filesize
1KB

MD5
ab8f220dc7533832fc5d96a9d1598394

SHA1
62ff8aa0e67166cd1e234b6fda93210c332d0e0e

SHA256
b511576477ff8d751fc9c027c4551e9de517b61de63ff7cfb9bfbbf843f03052

SHA512
02479fed92c2e1cb770e43a0bb8f6f1066538053cd0cfddef8fd3a2b9505c92b4e9b4f205abc6e1e2e620d5897ab5c976d539e0c4dd857894616b54b48c0ce82

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\d3qx2tum.newcfg

Filesize
1KB

MD5
3f88a62a47fb9a01929288bf02b09e2f

SHA1
c2dcc5dce7d2108e362a0cea1661be281dce829f

SHA256
759f5a2beb9e7a209c17cc9c0a4410c397f9f5ea1badd5941100d709c0074fe2

SHA512
7ed1044328f018cd015c3d05fe4df93641cfd809e669cf6fe7673dab0821b6eb48dcb2f1c0fadd066f241f53f8fe069b036c3f352efffcac9822ea822a5e3eed

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\eplzsriq.newcfg

Filesize
2KB

MD5
a50d64c5391ad1d98cc3c2dcde28c7ce

SHA1
93e063e70708c6e5dcfb7e0e4d5a29da34036bc6

SHA256
c26474aee03cdf11bf21fe55a30601ce582b51d21d0569c874181432cd88019a

SHA512
c8aeb80a2eea4af6d8b7b8ba23550c56a465bab7c38d3b7dd58d575d782b6f625c91763d1f4a55030e0d3b77dd96cbf27381266702e371d513a75a68b8c09102

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\giuqt3qn.newcfg

Filesize
1KB

MD5
b57b4abc92aab834029aa15b2cc6e985

SHA1
750576f04eed71e5ba4cbd00fd6b84d895f43176

SHA256
c4d7cab7d9668cc3799c353b21b59b76e178537963de80fedcb8b409e6a37722

SHA512
d85c53a11bc967ca7a4288c8da4e25a7a3c9d1b919f22727b9429581943feda259935e2176534c8e77278422cc7b06357cdb329fbb25d9e0bf0ce21ba42fc91b

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\iqzvhhu2.newcfg

Filesize
1KB

MD5
ad21a62835356289500032dea34a6234

SHA1
10af1a1a895d1d2b802d76152a1ef670b96264cc

SHA256
6cc037e62308ec5b67ad9ef1c0eca1828a6aee06de958a8e6a8d10b07732ff7f

SHA512
ae6c703b562cc07e7b0e16001b8320d8baefbe07ca6ed016ea2ecd3e1ca03b4018d47dbd539ad1221ffbf7a9b22110de58499d6b8f970012cfa46829ed87447e

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\iupzpm3z.newcfg

Filesize
1KB

MD5
29577bd2f13a9998b70ad5dfae4a1a66

SHA1
6f24c67413ff7cd3f6e19a01b8b7886ebefe39e4

SHA256
4d29d35be5ba5ea5a616922dd0cb748b5e38ba3cb71a09b336834afbe4f856c7

SHA512
79e66467a337a54bd6394050378557f2df9a6a6f4010d611dacda2bd9629efd541b364dc8b2bc41d5777f2fcf1ac87d55510c9c48daba0f4bc9f0f8413938d09

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\j5smcd01.newcfg

Filesize
1KB

MD5
4ed8b04855bc660ba997d0d9615357de

SHA1
78c1e9a6327a65082b511d737fdd433fbdf620f4

SHA256
3e112e3b166abeaa7bd51714aa1a2c8f6d5b130a3976228ad8431cd8d2f190c2

SHA512
9fe59e99750ddd760f222137bf600f689ab055c92c6237c3b5e5005ed6728f6cc2b5808e18b50a5894aea1b6d2210eb18f5c55f5a38388a8a55b3e5a2711b7a4

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\l4umhnqj.newcfg

Filesize
1KB

MD5
341f0c3fe7d2197ab0e5ecf98c865c32

SHA1
90b581110c68e36f80d84de4efbef80a71d65481

SHA256
52a2b56621d05b2241ca6687b188b62e52ce0fd6cd3f317502f25d56d36830ec

SHA512
993af4cbb7b012b1bac76e05b5d34b18a748ef95c1c8cb3a5411957be15b06c9a43994c02ec9a246a074c5582d7d57c5b63b22c4948099af379a33646c8a0b10

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\m4suha1x.newcfg

Filesize
10KB

MD5
46dbb0464f538a25fac9fb94f0b30656

SHA1
cc886cede231417ac9a0541344f14d7852f4f79a

SHA256
ab4376edcc6e117148a105c327a5ba5745a935a02a28d6cac7e296e37c3356eb

SHA512
c1df610af7cf986d858b8a5732057ab375f586eb7b17060def0a1feaf64144a7dccc957ed57d683ef7c7dafa538db549a40e18ba3273a76bb2c046843c121c42

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\rc2xua1i.newcfg

Filesize
2KB

MD5
5f2a2f5d17eafdae892d0abdd3371fa9

SHA1
153d15737f0638635dc80d0fff9299a6fb5e8c89

SHA256
f1d18a98037f1a10d8aba6d2880dcdebe1504ae0e080051116473f07a231086f

SHA512
0a753acf009235e8ca2ab3ffafdd8345be846104fed6e201ca5a5b4b466543b857c1bc8724a8e63cd851ccf1320f2337d34a27d06ef33bb113f5951323cde694

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\rihg2n10.newcfg

Filesize
1KB

MD5
5fce1b3cb6cfc0fd7a2e1e524a522651

SHA1
7b5e256fcc55f32a3ad1bda7255cf8e384260362

SHA256
320faecf3a9d53164a4c844816b44b414e9f7456b673dc4746fdfa539bc5ff8a

SHA512
3246b5677939595ba1f006337f337ee72f4e4170e13dde3506684c4e30abe9fe91c520abdf32e65e62a7545e333e5d02130bd4cb4d119631d76cd1a9537cef4f

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\rlgbzsmv.newcfg

Filesize
1KB

MD5
a7d6d339d13646a16f71b369df4c8bbb

SHA1
349ecaf3f4db125c6b24ee0a362fb2045314cb2b

SHA256
1fe087c94fae33ff7d3546f10fe150cd69a2678a3fa28892f64068d516b7720f

SHA512
641ef31a8cc0980d7ea14d2b6937bb4720df1e34b4d19a5224e07c2b160157faa7bca17c8679630a6b77feda78a3957d02728a8cb1f884cdc533adf95d18667c

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\rukhy4sv.newcfg

Filesize
1KB

MD5
d7d34eaf7bf011dbace78eaf59fea942

SHA1
2c17dc85a608c0ae17fc7dc9375446c4146c57de

SHA256
ba6f5faaa826e0a8081bec65be02608dccb1800f4a338c9510cabf183cddad01

SHA512
65139492c489f2b2a0eb8eea49d6284eb5d45eaaf628f5901742e5c055ffa29246f1967ab084d3e5e41d7d461194dff5643e2fd6d78150360d15bb89c01e7cab

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\switkkaf.newcfg

Filesize
1KB

MD5
aebaacef5d3aa8d9c59ea00f06a8666e

SHA1
8d88167da4a487a8b4095c345c5310d94cfa47df

SHA256
ac31f3e2b757f84ceac0eea4be9cc0f773b0eb2456afa08b31fb568e0a0fd783

SHA512
7f7a79bae68c5c87679d3f0ca2d2179159d402213c445186e10cde73693a9f691764edc4d9b1693a7cde6f8cf8aa268474a611b22f4903d18b28a32251008c32

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\u1qduul5.newcfg

Filesize
1KB

MD5
a2f755a09b4c1fec0d45ee5b8b662a19

SHA1
f4d1b78caf90402edf924e4a7a530b7cc281a7ae

SHA256
7e7298aec74f03ac14a846733cceb7d184327a951cf71e55e9fc6c20529998b4

SHA512
528d4a7a03d95fa3c57d94e4cede7780d1cf896675fe8d3633799c7b705e9081253f32674be13ad403f5d9fab6830d503f02a38b9dfd64d8691970a97a6e52d3

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\user.config

Filesize
1KB

MD5
c39728b34b9d8eb429088594737b3618

SHA1
6b4e7e2460ccbd77a8ab83da7d083afdb02362ad

SHA256
e1b0501294bc8d108c477806f8764f7d0c3661188abb211c08b487c0b2aaf1ea

SHA512
70830f2a702b5206ec86e1de32a0628c7a458383e6b7b5c5dbd4597e6500ecdb8a7c8d4ac97c2e224c8c07ee79ea4537505906972c1da344c309949ccaa1780b

Download Submit
C:\Users\Admin\AppData\Local\ProtonVPN\ProtonVPN_Url_cmnccr2xp2ofmvhglly0haihuyzzqh0i\3.5.3.0\yltk41nu.newcfg

Filesize
1KB

MD5
cc4d28e40879449d6e6d868f6050be7d

SHA1
4c20a62c8f22adfbbfdd01c87b32bcf3861ef76e

SHA256
6605d729e47e8bc2e2b658e1f1e3ab96e31e459439af2aba1732088079564a36

SHA512
13b58f49a0d4bc541425d3f211226eb06badf14542d1133d3901001ac95c382980cc37c6082b778e60d03837e1ff7e49cb219b60a39332ce957c5f74f13bfde4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup Log 2025-03-28 #001.txt

Filesize
199KB

MD5
942cd9f9a902c149d0b3b75a38827266

SHA1
0e4abd5923cadab4c486957f95bbfa9c593da559

SHA256
25fc2a1cd1fb0bcb6b2ce2732543c44514ac34119d629a37dc300787feaf1e52

SHA512
9de24b3ab0233d9c1271d279fb527b377d2a3e76f96fb8d8b21193a3b2cbc99370f518aaeb661c17e5dd705d7b1d3ed4c169e12656b60fe8dc880b22bc5ecc30

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6501C.tmp\ProtonVPN.InstallActions.x86.dll

Filesize
567KB

MD5
6802d1ae0b114a8dc2827de0e6313f98

SHA1
5045354425d39ed7b7fb5e4153a86648bd14c4c8

SHA256
ff6ada11e1af2cf0516089a99b0b9ca01aa5b850e0b02c6ab6d5ae3b3e03531c

SHA512
d5d8870323239d8b5459d11a8d7036a001188a11472649006a4d57ee6b632b2b89be9a5c53f0429a6b42da8b4bfa2f14a10013c6fb2e79e802c90a0641f9a1ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FGUPG.tmp\ProtonVPN_v3.5.3_x64.tmp

Filesize
3.2MB

MD5
55ed3791796c4f7327512ee86c81c7dd

SHA1
e7db6ef37d39f25f11e151c1b6ea3a04e357ceed

SHA256
e1996e77be19119d7cd880c105e619aa6091d9c87dd74c52306907d97f71792a

SHA512
21a2dfa8852ea03c831e979ffce6cc80b512f7e60ad46b9c0333333f048a4cb747652f826b7a41d317d59e17699d5fd1ca95921f1bf3bf60d017712467202ca1

Download Submit
memory/1832-15-0x0000000002580000-0x00000000026C0000-memory.dmp

Filesize
1.2MB

Download
memory/1832-641-0x0000000000400000-0x000000000073D000-memory.dmp

Filesize
3.2MB

Download
memory/1832-24-0x0000000000400000-0x000000000073D000-memory.dmp

Filesize
3.2MB

Download
memory/1832-23-0x0000000000400000-0x000000000073D000-memory.dmp

Filesize
3.2MB

Download
memory/1832-1170-0x0000000000400000-0x000000000073D000-memory.dmp

Filesize
3.2MB

Download
memory/1832-10-0x0000000000400000-0x000000000073D000-memory.dmp

Filesize
3.2MB

Download
memory/1832-6-0x0000000000400000-0x000000000073D000-memory.dmp

Filesize
3.2MB

Download
memory/2508-1184-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/2508-8-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/2508-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2508-0-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads