21558bfc700970d50d5bd91e9908582e17660279c2250e16fd45aef1f68ea6e9

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2023 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AviraPhantomVPN.exe
Size

28.6MB
MD5

9466d6ac58ac215fb36794ce3f06a4e7
SHA1

d1ced42f619c5b4cc60951bd25287154974d3bff
SHA256

21558bfc700970d50d5bd91e9908582e17660279c2250e16fd45aef1f68ea6e9
SHA512

c7f1a0abf62359083bee4b33dcc8add0b4c5d55f240b0fa383e24c2f9992d40c8012d1ea71bb3b49a5bc0d67fe447361cf91d3d1bff7c564d6a7d36aea5606a2
SSDEEP

786432:zVVBHkKlbCkSxZhF9fplSYL7CuNS43ZfFI:zzB5lOj9LplbG6JFI

Score

9^/10

discovery evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

VCR-2005-2023-09.02.2023.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ VCR-2005-2023-09.02.2023.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	VCR-2005-2023-09.02.2023.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VCR-2005-2023-09.02.2023.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VCR-2005-2023-09.02.2023.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VCR-2005-2023-09.02.2023.exe

Executes dropped EXE 4 IoCs

Processes:

AviraPhantomVPN.tmpAvira Phantom VPN 2.41.1.25731.exeAvira Phantom VPN 2.41.1.25731.tmpVCR-2005-2023-09.02.2023.exe

pid process

3580 AviraPhantomVPN.tmp
4008 Avira Phantom VPN 2.41.1.25731.exe
2212 Avira Phantom VPN 2.41.1.25731.tmp
4976 VCR-2005-2023-09.02.2023.exe

Loads dropped DLL 9 IoCs

Processes:

AviraPhantomVPN.tmpAvira Phantom VPN 2.41.1.25731.tmp

pid	process
3580	AviraPhantomVPN.tmp
3580	AviraPhantomVPN.tmp
3580	AviraPhantomVPN.tmp
3580	AviraPhantomVPN.tmp
3580	AviraPhantomVPN.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

VCR-2005-2023-09.02.2023.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VCR-2005-2023-09.02.2023.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

VCR-2005-2023-09.02.2023.exe

pid process

4976 VCR-2005-2023-09.02.2023.exe

pid	process
4976	VCR-2005-2023-09.02.2023.exe

Drops file in Program Files directory 6 IoCs

Processes:

AviraPhantomVPN.tmp

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.msg	AviraPhantomVPN.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.dat	AviraPhantomVPN.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe	AviraPhantomVPN.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.dat	AviraPhantomVPN.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\is-MPACS.tmp	AviraPhantomVPN.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\is-2SAB9.tmp	AviraPhantomVPN.tmp

Runs net.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

AviraPhantomVPN.tmppowershell.exepowershell.exeAvira Phantom VPN 2.41.1.25731.tmp

pid	process
3580	AviraPhantomVPN.tmp
3580	AviraPhantomVPN.tmp
1052	powershell.exe
1052	powershell.exe
3256	powershell.exe
3256	powershell.exe
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1052 powershell.exe
Token: SeDebugPrivilege 3256 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AviraPhantomVPN.tmp

pid process

3580 AviraPhantomVPN.tmp
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Avira Phantom VPN 2.41.1.25731.tmp

pid process

2212 Avira Phantom VPN 2.41.1.25731.tmp
2212 Avira Phantom VPN 2.41.1.25731.tmp
2212 Avira Phantom VPN 2.41.1.25731.tmp

description	pid	process
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe

pid	process
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp
2212	Avira Phantom VPN 2.41.1.25731.tmp

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

AviraPhantomVPN.exeAviraPhantomVPN.tmpcmd.exeAvira Phantom VPN 2.41.1.25731.exeAvira Phantom VPN 2.41.1.25731.tmpnet.exe

description	pid	process	target process
PID 3288 wrote to memory of 3580	3288	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 3288 wrote to memory of 3580	3288	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 3288 wrote to memory of 3580	3288	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 3580 wrote to memory of 3628	3580	AviraPhantomVPN.tmp	cmd.exe
PID 3580 wrote to memory of 3628	3580	AviraPhantomVPN.tmp	cmd.exe
PID 3580 wrote to memory of 3628	3580	AviraPhantomVPN.tmp	cmd.exe
PID 3628 wrote to memory of 1052	3628	cmd.exe	powershell.exe
PID 3628 wrote to memory of 1052	3628	cmd.exe	powershell.exe
PID 3628 wrote to memory of 1052	3628	cmd.exe	powershell.exe
PID 3628 wrote to memory of 3256	3628	cmd.exe	powershell.exe
PID 3628 wrote to memory of 3256	3628	cmd.exe	powershell.exe
PID 3628 wrote to memory of 3256	3628	cmd.exe	powershell.exe
PID 3580 wrote to memory of 4008	3580	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 3580 wrote to memory of 4008	3580	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 3580 wrote to memory of 4008	3580	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 4008 wrote to memory of 2212	4008	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 4008 wrote to memory of 2212	4008	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 4008 wrote to memory of 2212	4008	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 2212 wrote to memory of 3544	2212	Avira Phantom VPN 2.41.1.25731.tmp	net.exe
PID 2212 wrote to memory of 3544	2212	Avira Phantom VPN 2.41.1.25731.tmp	net.exe
PID 2212 wrote to memory of 3544	2212	Avira Phantom VPN 2.41.1.25731.tmp	net.exe
PID 3544 wrote to memory of 1872	3544	net.exe	net1.exe
PID 3544 wrote to memory of 1872	3544	net.exe	net1.exe
PID 3544 wrote to memory of 1872	3544	net.exe	net1.exe
PID 3580 wrote to memory of 4976	3580	AviraPhantomVPN.tmp	VCR-2005-2023-09.02.2023.exe
PID 3580 wrote to memory of 4976	3580	AviraPhantomVPN.tmp	VCR-2005-2023-09.02.2023.exe

C:\Users\Admin\AppData\Local\Temp\AviraPhantomVPN.exe
"C:\Users\Admin\AppData\Local\Temp\AviraPhantomVPN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3288

C:\Users\Admin\AppData\Local\Temp\is-4N4MD.tmp\AviraPhantomVPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4N4MD.tmp\AviraPhantomVPN.tmp" /SL5="$8007A,28849760,1046016,C:\Users\Admin\AppData\Local\Temp\AviraPhantomVPN.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-2EIUK.tmp\WebrootCommAgentService.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXAAnACkA
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAWwBTAHkAcwB0AGUAbQAuAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBHAGUAdABFAG4AdgBpAHIAbwBuAG0AZQBuAHQAVgBhAHIAaQBhAGIAbABlACgAJwBVAFMARQBSAFAAUgBPAEYASQBMAEUAJwApACAAKwAgACcAXABBAHAAcABEAGEAdABhACcAKQA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe
"C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe" /install /quiet /norestart
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008

C:\Users\Admin\AppData\Local\Temp\is-CU4R9.tmp\Avira Phantom VPN 2.41.1.25731.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CU4R9.tmp\Avira Phantom VPN 2.41.1.25731.tmp" /SL5="$10004E,7215309,64512,C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe" /install /quiet /norestart
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\net.exe
"net" stop "AviraPhantomVPN"
5⤵
- Suspicious use of WriteProcessMemory
PID:3544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "AviraPhantomVPN"
6⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\is-2EIUK.tmp\VCR-2005-2023-09.02.2023.exe
"C:\Users\Admin\AppData\Local\Temp\is-2EIUK.tmp\\VCR-2005-2023-09.02.2023.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe
Filesize
7.2MB

MD5
bf245b7db7637e6b2991105f62cc76de

SHA1
1d7252929d5c4cb404a34e553b72757729c701d5

SHA256
c414e764c53a81c6beb2c393635044661da238380492c182162b37f3e82a8c89

SHA512
08380e7ab2012f453ec4cb72646ca3a920d32f2f253f5c956b239780d1d08e434c4353580f6f9c95317b0e76810bc9351def59039350b96a4d989ece80722076

Download Submit
C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe
Filesize
7.2MB

MD5
bf245b7db7637e6b2991105f62cc76de

SHA1
1d7252929d5c4cb404a34e553b72757729c701d5

SHA256
c414e764c53a81c6beb2c393635044661da238380492c182162b37f3e82a8c89

SHA512
08380e7ab2012f453ec4cb72646ca3a920d32f2f253f5c956b239780d1d08e434c4353580f6f9c95317b0e76810bc9351def59039350b96a4d989ece80722076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
f4229d4640f34a2e9311a2ed41204f09

SHA1
cecafd1fb8e5522f4116b55ed269a2a6dfd66da3

SHA256
8dc474bf2fd62a9bcd91251411ec203ac1fec3b4b527feb50eb200be6d88f9ab

SHA512
a9e7cdc53b971863b1c79ece2d07057e9fc1f61f312efd5a8b7cc0600f88b7863a2273b17a9f033f4f5a5ef965151e8b41da839a2ae4b9cdd9ac371266c1e260

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tfnq2rjz.dgg.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2EIUK.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
787.2MB

MD5
0dfe7ca71f82030334cd430b2cc2551d

SHA1
009fa6304f1da2383e6a7ed808e16708ef813088

SHA256
9354036cf6a3316cc14c085aaee05f6a1f6581e90caceed72f8a89994f158ae7

SHA512
b87105d4c4b564db6f46cac8c4ef31d8543948474f82539d24b5bab2812b5f82ecc503430a0d65794966ddc26b9833a78b8af091f1cb57dc6eca4c74e4625c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2EIUK.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
792.8MB

MD5
106fd2fb9e2bd91b2a0b0e4d0e3243c3

SHA1
c03dd8ffcdfe777fddc3bbdfc3f625fd7330ac1d

SHA256
b622a80341f03b752d60d6c2f07518f14418d78ddb65562db39a1fb217d07cff

SHA512
bbfefca97b805f13f77e206c062a97a8da2db43b1fedc73006e9a7b29afa4119a192f485d7a04fc135a354180d7dae178e9170ccf153274d078b8f13abe5860a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2EIUK.tmp\WebrootCommAgentService.bat
Filesize
465B

MD5
357f5b062141f4f796a463e2ca373a9f

SHA1
c5eded68e24b0e9a05ec852205e181e9f33eaa00

SHA256
c909ac1fca71db5a322994ec8eb956a1c0c0fbb83410af38c6d4a8922381d373

SHA512
43bce27cffb7949eb9394e4006b3f91cffd89d6564a0fabb6f49beb15e33c243eda71f69be25c0c8e688edc907656d5fd6b2dff6c862b5c94f5562bdfcb14041

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2EIUK.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2EIUK.tmp\_isetup\_isdecmp.dll
Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2EIUK.tmp\_isetup\_isdecmp.dll
Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2EIUK.tmp\innocallback.dll
Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2EIUK.tmp\innocallback.dll
Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4N4MD.tmp\AviraPhantomVPN.tmp
Filesize
3.2MB

MD5
709f58ff64c336a777ab15d80e18202c

SHA1
7c0e403482cf019e04d3ef5dcda3ef0e45d4c7c3

SHA256
a5ee7f4c0ccbba0f695fee64edee7bacf5f59d7f1bf72d54621394e44a633003

SHA512
59af9bd796bf9b42ef651483255a60a15b0557162d714c87337e7be2b631f00fc2ee32cd2b367133492c390f26ba8cef2a57245436f3bc63c03a5408a91368b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4N4MD.tmp\AviraPhantomVPN.tmp
Filesize
3.2MB

MD5
709f58ff64c336a777ab15d80e18202c

SHA1
7c0e403482cf019e04d3ef5dcda3ef0e45d4c7c3

SHA256
a5ee7f4c0ccbba0f695fee64edee7bacf5f59d7f1bf72d54621394e44a633003

SHA512
59af9bd796bf9b42ef651483255a60a15b0557162d714c87337e7be2b631f00fc2ee32cd2b367133492c390f26ba8cef2a57245436f3bc63c03a5408a91368b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CU4R9.tmp\Avira Phantom VPN 2.41.1.25731.tmp
Filesize
911KB

MD5
02c5691af81933ce36735946e3ed1ea4

SHA1
2faed8d51a0800f127e424bfba9d44bab6aee1b2

SHA256
e1f5e87796c015e567153db6b994a35a34b0819b1093d1ea12064ee35102c42d

SHA512
ebde4772c94f5199a2936f8fdbcf80e57d11a820276b1e1323fbcde6d192cd89bcc69a441cff17e26d688427fe05e62cc858e896c0647d93c9e2ebe74a6e6749

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QCKUL.tmp\ISTask.dll
Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QCKUL.tmp\ISTask.dll
Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QCKUL.tmp\VclStylesInno.dll
Filesize
3.0MB

MD5
b0ca93ceb050a2feff0b19e65072bbb5

SHA1
7ebbbbe2d2acd8fd516f824338d254a33b69f08d

SHA256
0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

SHA512
37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QCKUL.tmp\VclStylesInno.dll
Filesize
3.0MB

MD5
b0ca93ceb050a2feff0b19e65072bbb5

SHA1
7ebbbbe2d2acd8fd516f824338d254a33b69f08d

SHA256
0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

SHA512
37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

Download Submit
memory/1052-191-0x0000000006150000-0x000000000616E000-memory.dmp

Filesize
120KB

Download
memory/1052-174-0x00000000052B0000-0x00000000058D8000-memory.dmp

Filesize
6.2MB

Download
memory/1052-177-0x0000000002B60000-0x0000000002B70000-memory.dmp

Filesize
64KB

Download
memory/1052-179-0x0000000005180000-0x00000000051A2000-memory.dmp

Filesize
136KB

Download
memory/1052-180-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/1052-178-0x0000000002B60000-0x0000000002B70000-memory.dmp

Filesize
64KB

Download
memory/1052-181-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/1052-173-0x0000000002B70000-0x0000000002BA6000-memory.dmp

Filesize
216KB

Download
memory/1052-192-0x0000000007130000-0x0000000007162000-memory.dmp

Filesize
200KB

Download
memory/1052-193-0x0000000070060000-0x00000000700AC000-memory.dmp

Filesize
304KB

Download
memory/1052-203-0x00000000066E0000-0x00000000066FE000-memory.dmp

Filesize
120KB

Download
memory/1052-204-0x0000000007AA0000-0x000000000811A000-memory.dmp

Filesize
6.5MB

Download
memory/1052-205-0x0000000007450000-0x000000000746A000-memory.dmp

Filesize
104KB

Download
memory/1052-206-0x0000000002B60000-0x0000000002B70000-memory.dmp

Filesize
64KB

Download
memory/1052-207-0x000000007FC80000-0x000000007FC90000-memory.dmp

Filesize
64KB

Download
memory/1052-208-0x00000000074C0000-0x00000000074CA000-memory.dmp

Filesize
40KB

Download
memory/1052-209-0x00000000076D0000-0x0000000007766000-memory.dmp

Filesize
600KB

Download
memory/1052-210-0x0000000007680000-0x000000000768E000-memory.dmp

Filesize
56KB

Download
memory/1052-211-0x0000000007790000-0x00000000077AA000-memory.dmp

Filesize
104KB

Download
memory/1052-212-0x0000000007770000-0x0000000007778000-memory.dmp

Filesize
32KB

Download
memory/2212-301-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-289-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-380-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/2212-374-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/2212-337-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/2212-317-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-316-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-315-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/2212-314-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-313-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-312-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/2212-304-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-264-0x0000000007120000-0x0000000007136000-memory.dmp

Filesize
88KB

Download
memory/2212-311-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-310-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-267-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/2212-309-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/2212-271-0x0000000007350000-0x000000000766A000-memory.dmp

Filesize
3.1MB

Download
memory/2212-308-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-273-0x00000000077C0000-0x00000000077C1000-memory.dmp

Filesize
4KB

Download
memory/2212-274-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-275-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-276-0x00000000077D0000-0x00000000077D1000-memory.dmp

Filesize
4KB

Download
memory/2212-277-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-279-0x00000000077E0000-0x00000000077E1000-memory.dmp

Filesize
4KB

Download
memory/2212-278-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-280-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-281-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-282-0x00000000077F0000-0x00000000077F1000-memory.dmp

Filesize
4KB

Download
memory/2212-283-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-284-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-285-0x0000000007800000-0x0000000007801000-memory.dmp

Filesize
4KB

Download
memory/2212-286-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-287-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-288-0x0000000007810000-0x0000000007811000-memory.dmp

Filesize
4KB

Download
memory/2212-307-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-290-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-291-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/2212-292-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-293-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-294-0x0000000007830000-0x0000000007831000-memory.dmp

Filesize
4KB

Download
memory/2212-295-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-296-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-297-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/2212-298-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-299-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-300-0x0000000007850000-0x0000000007851000-memory.dmp

Filesize
4KB

Download
memory/2212-305-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-302-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2212-303-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/2212-306-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/3256-226-0x0000000002F10000-0x0000000002F20000-memory.dmp

Filesize
64KB

Download
memory/3256-228-0x0000000002F10000-0x0000000002F20000-memory.dmp

Filesize
64KB

Download
memory/3256-227-0x0000000002F10000-0x0000000002F20000-memory.dmp

Filesize
64KB

Download
memory/3256-229-0x0000000070060000-0x00000000700AC000-memory.dmp

Filesize
304KB

Download
memory/3256-239-0x000000007F700000-0x000000007F710000-memory.dmp

Filesize
64KB

Download
memory/3288-133-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3288-159-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3580-244-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/3580-171-0x0000000003660000-0x0000000003675000-memory.dmp

Filesize
84KB

Download
memory/3580-176-0x0000000003660000-0x0000000003675000-memory.dmp

Filesize
84KB

Download
memory/3580-170-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/3580-162-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/3580-161-0x0000000003660000-0x0000000003675000-memory.dmp

Filesize
84KB

Download
memory/3580-152-0x0000000003660000-0x0000000003675000-memory.dmp

Filesize
84KB

Download
memory/3580-138-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/3580-160-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/3580-175-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/4008-248-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4976-363-0x00007FF706C50000-0x00007FF70817E000-memory.dmp

Filesize
21.2MB

Download
memory/4976-386-0x00007FF706C50000-0x00007FF70817E000-memory.dmp

Filesize
21.2MB

Download