c414e764c53a81c6beb2c393635044661da238380492c182162b37f3e82a8c89

Analysis

max time kernel
118s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Avira Phantom VPN 2.41.1.25731.exe
Size

7.2MB
MD5

bf245b7db7637e6b2991105f62cc76de
SHA1

1d7252929d5c4cb404a34e553b72757729c701d5
SHA256

c414e764c53a81c6beb2c393635044661da238380492c182162b37f3e82a8c89
SHA512

08380e7ab2012f453ec4cb72646ca3a920d32f2f253f5c956b239780d1d08e434c4353580f6f9c95317b0e76810bc9351def59039350b96a4d989ece80722076
SSDEEP

196608:cI+4fSWrh9ry+5jCyVCavZ7jnEDHGV6uXVM4Fz6Krg:cIBZrXryiC8fnImV1zIKrg

Score

8^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3904	netsh.exe
4736	netsh.exe
3260	netsh.exe

Executes dropped EXE 19 IoCs

pid	Process
1008	Avira Phantom VPN 2.41.1.25731.tmp
2228	Avira.VpnService.exe
3460	Avira.WebAppHost.exe
3280	Avira.NetworkBlocker.exe
2516	Avira.WebAppHost.exe
3956	Avira.WebAppHost.exe
4808	Avira.WebAppHost.exe
1076	Avira.WebAppHost.exe
2020	Avira.WebAppHost.exe
868	Avira.WebAppHost.exe
1428	Avira.WebAppHost.exe
376	Avira.WebAppHost.exe
4652	Avira.WebAppHost.exe
460	Avira.WebAppHost.exe
4824	Avira.WebAppHost.exe
4864	Avira.WebAppHost.exe
636	Avira.WebAppHost.exe
3276	Avira.WebAppHost.exe
1052	Avira.WebAppHost.exe

Loads dropped DLL 4 IoCs

pid	Process
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Security\Benchmark	Avira.VpnService.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\amd64\is-6FJ86.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\is-Q7S68.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-L1QRV.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\pt-BR\is-79K0R.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-B6PLS.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-IIOTP.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-O5VGV.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\is-L8CH0.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-JGAEV.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\fonts\is-0KBH7.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\is-5ES2M.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-T4P9B.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-LP91H.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\Serilog.Enrichers.Thread.dll	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\is-9JR44.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\App\TReset.exe	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\Certificates\is-T2IT2.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-ASL83.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\PCLStorage.Abstractions.dll	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-MEU0T.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-0NJ9J.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-C5O9A.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\OpenVpn\libcrypto-1_1.dll	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-763UT.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-8R6LB.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-TKTBC.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-ROEU2.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-F83B9.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-NGUE3.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\images\is-RHQ4M.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-O7HEI.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-45M6T.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-8KBIA.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\en-US\is-MHOEK.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\images\is-E4OBT.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\fonts\is-6E7QS.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-3GID5.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-SSDI3.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-9VJQA.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-PN5UL.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-8222M.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-S4KPO.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-3D4F4.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-G35SG.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\OpenVpn\is-L53H3.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\Avira.Messaging.dll	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-L4HTI.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-FNSO1.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\is-7RSGS.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\is-TBVLT.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\amd64\tapinstall.exe	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\fonts\is-JSMA9.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-NOTDL.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\ja-JP\is-1LQS4.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\unins000.dat	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\fonts\is-591BN.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-M1KID.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-3S5SU.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-IQ4T7.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\PCLAppConfig.dll	Avira Phantom VPN 2.41.1.25731.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\it-IT\Avira.VpnService.resources.dll	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\is-CJ1CI.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\is-5K9OF.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\SharpRavenPortable.dll	Avira Phantom VPN 2.41.1.25731.tmp

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4204	sc.exe
1668	sc.exe
872	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Avira.VpnService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Avira.VpnService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Avira.VpnService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	Avira.VpnService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Avira.VpnService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Avira.VpnService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Avira.VpnService.exe

Modifies registry class 29 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "d6130fc7f9824d91af18ced691fe2512b1bb6f70"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "b27695ee26524cabafd2e64edd03409167ba715e"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "51d48fe77e5b44a7813bcc29c5a16b2af43376be"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "24e78e19623a42a1bb61588f604939b66830d2ae"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "2f0cd93e1dc74ecb97a0f3c24a392d61fc921ab3"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "5f516e83b71a42d2b4211a2b5a2f87058020b608"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "29778573a3c3411ebdde5dd8614ae25f26d10405"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "a47cfa83d24e478cab3d19bc75879ebbd70b2e03"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "3a227ca5437f449e86a223fb50a7013834992840"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "e801f0c460ab4fa388228dc8ec648f89885b94a1"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "984988f4f23043ccbb671e64fc3d4341ae58d92d"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "82af89e905ff4d888438577ed5d8b5d841de903c"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\machine = "fa911b09922f4de4b60a8a7e130d12038b237f4e"	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "85e08e9a68a341f9b6c3266a6a6ee48979139f4b"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "a079758ac59348f0a29fad1cffb448b18877d8b4"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "76bd9a15931345dcbb5e964eb7f67cf771862d4f"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "8724bf51a8fc4f409141606269fdbf70b1e20541"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "e8b4de3e7d734fe1a40130ce2c20d7cd324e24b9"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "90bfb1e3f59a414d9b56c8debf0858f90c1e7bbc"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "a03d5d4c8a9741cda332f34a328f2b86356631b5"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "eb4bec16ba284ed9b82f4fef9489b772102498f5"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "69c296d8b8f94d53b696ccbd65082418e09186b3"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "a769afdef5c64a9198db272161eb604b4e266a51"	Avira.WebAppHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "f7686b8dc7904975a36ce5a9e48d844545166e4c"	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "206d087f500744c9b432f7e1dbf2b5d1dfadbf56"	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "dc919c712b024225bdc562655878359e8a52ea75"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "95c17dedccdb41698e06b10b91e2c469b67dc1b5"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "765a08bfbe0f4c1884e65e6bbd84f9e20fdedeb6"	Avira.WebAppHost.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 0f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d8090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b060105050703076200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1770b000000010000001e00000045006e00740072007500730074002000280032003000340038002900000014000000010000001400000055e481d11180bed889b908a331f9a1240916b9701d0000000100000010000000e871723e266f38af5d49cda2a502669c7e000000010000000800000000c001b39667d601030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d343120000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 19000000010000001000000091fad483f14848a8a69b18b805cdbb3a0f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d8090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b060105050703076200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1770b000000010000001e00000045006e00740072007500730074002000280032003000340038002900000014000000010000001400000055e481d11180bed889b908a331f9a1240916b9701d0000000100000010000000e871723e266f38af5d49cda2a502669c7e000000010000000800000000c001b39667d601030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d343120000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	Avira.VpnService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 040000000100000010000000ee2931bc327e9ae6e8b5f751b4347190030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d34317e000000010000000800000000c001b39667d6011d0000000100000010000000e871723e266f38af5d49cda2a502669c14000000010000001400000055e481d11180bed889b908a331f9a1240916b9700b000000010000001e00000045006e0074007200750073007400200028003200300034003800290000006200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1777f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d819000000010000001000000091fad483f14848a8a69b18b805cdbb3a20000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 5c00000001000000040000000008000019000000010000001000000091fad483f14848a8a69b18b805cdbb3a0f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d8090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b060105050703076200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1770b000000010000001e00000045006e00740072007500730074002000280032003000340038002900000014000000010000001400000055e481d11180bed889b908a331f9a1240916b9701d0000000100000010000000e871723e266f38af5d49cda2a502669c7e000000010000000800000000c001b39667d601030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d3431040000000100000010000000ee2931bc327e9ae6e8b5f751b434719020000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Avira.VpnService.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
2228	Avira.VpnService.exe
2228	Avira.VpnService.exe
3460	Avira.WebAppHost.exe
3460	Avira.WebAppHost.exe
4684	msedge.exe
4684	msedge.exe
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4948	msedge.exe
4948	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	Avira.VpnService.exe
Token: SeDebugPrivilege	3460	Avira.WebAppHost.exe
Token: SeDebugPrivilege	2516	Avira.WebAppHost.exe
Token: SeDebugPrivilege	3956	Avira.WebAppHost.exe
Token: SeDebugPrivilege	4808	Avira.WebAppHost.exe
Token: SeDebugPrivilege	1076	Avira.WebAppHost.exe
Token: SeDebugPrivilege	2020	Avira.WebAppHost.exe
Token: SeDebugPrivilege	868	Avira.WebAppHost.exe
Token: SeDebugPrivilege	1428	Avira.WebAppHost.exe
Token: SeDebugPrivilege	376	Avira.WebAppHost.exe
Token: SeDebugPrivilege	4652	Avira.WebAppHost.exe
Token: SeDebugPrivilege	460	Avira.WebAppHost.exe
Token: SeDebugPrivilege	4824	Avira.WebAppHost.exe
Token: SeDebugPrivilege	4864	Avira.WebAppHost.exe
Token: SeDebugPrivilege	636	Avira.WebAppHost.exe
Token: SeDebugPrivilege	3276	Avira.WebAppHost.exe
Token: SeDebugPrivilege	1052	Avira.WebAppHost.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
1008	Avira Phantom VPN 2.41.1.25731.tmp
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
2516	Avira.WebAppHost.exe
2516	Avira.WebAppHost.exe
3956	Avira.WebAppHost.exe
3956	Avira.WebAppHost.exe
4808	Avira.WebAppHost.exe
4808	Avira.WebAppHost.exe
1076	Avira.WebAppHost.exe
1076	Avira.WebAppHost.exe
2020	Avira.WebAppHost.exe
2020	Avira.WebAppHost.exe
868	Avira.WebAppHost.exe
868	Avira.WebAppHost.exe
4652	Avira.WebAppHost.exe
4652	Avira.WebAppHost.exe
636	Avira.WebAppHost.exe
636	Avira.WebAppHost.exe
1052	Avira.WebAppHost.exe
1052	Avira.WebAppHost.exe

Suspicious use of SendNotifyMessage 42 IoCs

pid	Process
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
2516	Avira.WebAppHost.exe
2516	Avira.WebAppHost.exe
3956	Avira.WebAppHost.exe
3956	Avira.WebAppHost.exe
4808	Avira.WebAppHost.exe
4808	Avira.WebAppHost.exe
1076	Avira.WebAppHost.exe
1076	Avira.WebAppHost.exe
2020	Avira.WebAppHost.exe
2020	Avira.WebAppHost.exe
868	Avira.WebAppHost.exe
868	Avira.WebAppHost.exe
4652	Avira.WebAppHost.exe
4652	Avira.WebAppHost.exe
636	Avira.WebAppHost.exe
636	Avira.WebAppHost.exe
1052	Avira.WebAppHost.exe
1052	Avira.WebAppHost.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
1008	Avira Phantom VPN 2.41.1.25731.tmp
2516	Avira.WebAppHost.exe
2516	Avira.WebAppHost.exe
3956	Avira.WebAppHost.exe
3956	Avira.WebAppHost.exe
4808	Avira.WebAppHost.exe
4808	Avira.WebAppHost.exe
1076	Avira.WebAppHost.exe
1076	Avira.WebAppHost.exe
2020	Avira.WebAppHost.exe
2020	Avira.WebAppHost.exe
868	Avira.WebAppHost.exe
868	Avira.WebAppHost.exe
4652	Avira.WebAppHost.exe
4652	Avira.WebAppHost.exe
636	Avira.WebAppHost.exe
636	Avira.WebAppHost.exe
1052	Avira.WebAppHost.exe
1052	Avira.WebAppHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 1008	3484	Avira Phantom VPN 2.41.1.25731.exe	83
PID 3484 wrote to memory of 1008	3484	Avira Phantom VPN 2.41.1.25731.exe	83
PID 3484 wrote to memory of 1008	3484	Avira Phantom VPN 2.41.1.25731.exe	83
PID 1008 wrote to memory of 3944	1008	Avira Phantom VPN 2.41.1.25731.tmp	85
PID 1008 wrote to memory of 3944	1008	Avira Phantom VPN 2.41.1.25731.tmp	85
PID 1008 wrote to memory of 3944	1008	Avira Phantom VPN 2.41.1.25731.tmp	85
PID 3944 wrote to memory of 4960	3944	net.exe	87
PID 3944 wrote to memory of 4960	3944	net.exe	87
PID 3944 wrote to memory of 4960	3944	net.exe	87
PID 1008 wrote to memory of 1668	1008	Avira Phantom VPN 2.41.1.25731.tmp	100
PID 1008 wrote to memory of 1668	1008	Avira Phantom VPN 2.41.1.25731.tmp	100
PID 1008 wrote to memory of 1668	1008	Avira Phantom VPN 2.41.1.25731.tmp	100
PID 1008 wrote to memory of 872	1008	Avira Phantom VPN 2.41.1.25731.tmp	102
PID 1008 wrote to memory of 872	1008	Avira Phantom VPN 2.41.1.25731.tmp	102
PID 1008 wrote to memory of 872	1008	Avira Phantom VPN 2.41.1.25731.tmp	102
PID 1008 wrote to memory of 4204	1008	Avira Phantom VPN 2.41.1.25731.tmp	104
PID 1008 wrote to memory of 4204	1008	Avira Phantom VPN 2.41.1.25731.tmp	104
PID 1008 wrote to memory of 4204	1008	Avira Phantom VPN 2.41.1.25731.tmp	104
PID 1008 wrote to memory of 3260	1008	Avira Phantom VPN 2.41.1.25731.tmp	107
PID 1008 wrote to memory of 3260	1008	Avira Phantom VPN 2.41.1.25731.tmp	107
PID 1008 wrote to memory of 3260	1008	Avira Phantom VPN 2.41.1.25731.tmp	107
PID 1008 wrote to memory of 4736	1008	Avira Phantom VPN 2.41.1.25731.tmp	108
PID 1008 wrote to memory of 4736	1008	Avira Phantom VPN 2.41.1.25731.tmp	108
PID 1008 wrote to memory of 4736	1008	Avira Phantom VPN 2.41.1.25731.tmp	108
PID 1008 wrote to memory of 3904	1008	Avira Phantom VPN 2.41.1.25731.tmp	109
PID 1008 wrote to memory of 3904	1008	Avira Phantom VPN 2.41.1.25731.tmp	109
PID 1008 wrote to memory of 3904	1008	Avira Phantom VPN 2.41.1.25731.tmp	109
PID 1008 wrote to memory of 4948	1008	Avira Phantom VPN 2.41.1.25731.tmp	114
PID 1008 wrote to memory of 4948	1008	Avira Phantom VPN 2.41.1.25731.tmp	114
PID 4948 wrote to memory of 1884	4948	msedge.exe	115
PID 4948 wrote to memory of 1884	4948	msedge.exe	115
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118
PID 4948 wrote to memory of 2396	4948	msedge.exe	118

C:\Users\Admin\AppData\Local\Temp\Avira Phantom VPN 2.41.1.25731.exe
"C:\Users\Admin\AppData\Local\Temp\Avira Phantom VPN 2.41.1.25731.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Local\Temp\is-0N1OA.tmp\Avira Phantom VPN 2.41.1.25731.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0N1OA.tmp\Avira Phantom VPN 2.41.1.25731.tmp" /SL5="$190068,7215309,64512,C:\Users\Admin\AppData\Local\Temp\Avira Phantom VPN 2.41.1.25731.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\SysWOW64\net.exe
    "net" stop "AviraPhantomVPN"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "AviraPhantomVPN"
      4⤵
      PID:4960
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\system32\sc.exe" create "AviraPhantomVPN" binPath= "C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe" start= auto error= ignore DisplayName= "Avira Phantom VPN"
    3⤵
    - Launches sc.exe
    PID:1668
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\system32\sc.exe" description "AviraPhantomVPN" "AviraPhantomVPN"
    3⤵
    - Launches sc.exe
    PID:872
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\system32\sc.exe" start "AviraPhantomVPN"
    3⤵
    - Launches sc.exe
    PID:4204
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Avira Phantom VPN"
    3⤵
    - Modifies Windows Firewall
    PID:3260
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Avira Phantom VPN" program="C:\Program Files (x86)\Avira\VPN\OpenVpn\phantomvpn.exe" dir=in enable=yes profile=any action=allow
    3⤵
    - Modifies Windows Firewall
    PID:4736
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Avira Phantom VPN" program="C:\Program Files (x86)\Avira\VPN\OpenVpn\phantomvpn.exe" dir=out enable=yes profile=any action=allow
    3⤵
    - Modifies Windows Firewall
    PID:3904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://lrepacks.net/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffafe4346f8,0x7ffafe434708,0x7ffafe434718
      4⤵
      PID:1884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,2940791898876992356,16801847919701731140,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
      4⤵
      PID:2396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,2940791898876992356,16801847919701731140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,2940791898876992356,16801847919701731140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
      4⤵
      PID:3884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2940791898876992356,16801847919701731140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      4⤵
      PID:3680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2940791898876992356,16801847919701731140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      4⤵
      PID:2740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,2940791898876992356,16801847919701731140,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4756 /prefetch:8
      4⤵
      PID:3480

C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe
"C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe"
1⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228
- C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe
  "C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe" delete
  2⤵
  - Executes dropped EXE
  PID:3280

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe" /migrateSettings
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:320

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2516

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3956

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4808

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1076

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:868

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4652

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:636

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Avira\VPN\App\css\vpn-1.0.0.min.css

Filesize
62KB

MD5
db263a64edafc8ecd283907ae14cea80

SHA1
0b32e6aa37c1bffb523adc02a08016521607b1d7

SHA256
e5137cb2ffb9c98cb95f6432018670720a6b10d2af9ce6b2f841d5e5596b61f6

SHA512
dc8b7ddaed02f3bff36c21fd25774f2f34c3b5e003e7c83373fa986378622c153f33cc383f0f9f48ab97cad6e396acdb2157cfc066cb76225d826c7a229898ca

Download Submit
C:\Program Files (x86)\Avira\VPN\App\css\vpn-vendor-1.0.0.min.css

Filesize
50KB

MD5
3e010afca2c5420d1793cd51ede3ea14

SHA1
190f42c1d34aa8de83939619df0440401b01f869

SHA256
7146bb2cd47b3bf090b202cd88c53467318f534c5f4e079c1ac3bf7be56f485f

SHA512
01b6062081c22503c24ef8cc55f5ecbd089ff36f102d35a9a1b919a4ab7851f69d59929e69579fc9d647a98d22b44720d758f0d838b8b8eed6e650322c21c475

Download Submit
C:\Program Files (x86)\Avira\VPN\App\fonts\KievitWeb-Light.woff

Filesize
54KB

MD5
a8a9d6aaf9f3940badc66e2a2aa21047

SHA1
8d2cd2f4fd9fd36f19033c01272dc3fe43bccdb7

SHA256
a791aba3842d3766494ad0aa2a1b9cdbd2bb8aa8b2235aedea82e993c851a1ab

SHA512
46561f0b8f178e4e4cc836a4561d12f6a0670543ac5567bcede9cb193bfdb4bf654e3f01372210f158ae3de58643e4c963c1e1cb788f497ee817877a019fcfd4

Download Submit
C:\Program Files (x86)\Avira\VPN\App\images\gif\loading.gif

Filesize
8KB

MD5
8a7630caadfb15dbd13cb469853ab004

SHA1
8947a7e8900a4e4359ded13199f4f05ee0e55e84

SHA256
c9c616de646e94b9adea60ef1e8ffe5246f82b82baa1e039b1b6007067791773

SHA512
5c229f934e5c764247f990e2b813ad8ad055c81df1739b0a773aafe1e7f1285c098ac8db24bd4a074eb8981a933955fa9ed69c0da1503259d30d397bdb5809df

Download Submit
C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-B80FC.tmp

Filesize
743B

MD5
d3b58f803a9a01a59210dd673998a229

SHA1
6caddb6c8e749e9c5b786a3984bb7bdbba2bafc5

SHA256
3cf52e677d7f7be201cbf6e3ec56ed1f48b95c47e5969ef2c2510e270133c4f0

SHA512
88aade4affd629926e473df3d26ecca5ba49c4b77da9343e58729cf3a2b1cd0b9d27d9e019018455bffd18b7a7570a5c14d918eff46deecc5821903f76094988

Download Submit
C:\Program Files (x86)\Avira\VPN\App\index.html

Filesize
4KB

MD5
7da80eb8be2f4ad337e913d9dcabe6dc

SHA1
f21c2d3044fe0c7699c86bb91dd5b911f254bdc3

SHA256
f3e9a70674fc47536fc416cece6a54a90cf4b71c9389525671cca73a2f5744ce

SHA512
3afc58ff2d28447edb6bd583dad60faf28ad75d784845a820969f4410602580e96f6523464949fcd4d99dabd0a786c7d50c06c937fd6b33e6833c85bba945abe

Download Submit
C:\Program Files (x86)\Avira\VPN\App\js\vpn-1.0.0.min.js

Filesize
313KB

MD5
1a19dc38b9c1f8941491e5b1faec2cc7

SHA1
90dbf3705a81354b0c8e1e88bd39233769a45d46

SHA256
9cb67133e6b03fb006e86d78d67f752d7ea423e1bdca024c927685a1d0b06739

SHA512
549032577be676f4dd5711bb2afe24442374573376a1540e8f3779e863a880b5996ecfcf4c6f6e9d91456a41c6448177043a7ded66e5350e18378446c6058a8a

Download Submit
C:\Program Files (x86)\Avira\VPN\App\js\vpn-vendor-1.0.0.min.js

Filesize
317KB

MD5
fd6679775b921878549ef80e6d9d59d3

SHA1
fb89bc2eb33f47cc56b00630ea79818d61fd678d

SHA256
696393aa261c0980dac558ce58fc30e9806d8b64f65c28c572b282ebf2a04f56

SHA512
66976a9b0002f1d32b6c7618a7a7c6ccbbc373ffc565415448428eb75fb60251b3b1934571b6bc725ec5ce456f5adaddfc994595cc3b1d87ef02ba3478ed7e34

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Acp.Common.dll

Filesize
24KB

MD5
581016c89a77c77f58f223cb2c3e11f9

SHA1
c0fb60681e4b648e492bb6db21885d35538c37bd

SHA256
67091dd1cc0f8e9758e161db5f1bc6a251145239aefa2f2fb07cb17c9aa69d8b

SHA512
3d8899fedad4fbf4f00836280d983afb13026f6ecb98f4d52c223007c93ecc430bf0032571add9d957faab8d4d269481f468fdf9fc366f44bd6e7f479c977729

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Acp.Resources.dll

Filesize
58KB

MD5
093d314f56c72cc419162cf7a5ca7c30

SHA1
b988bd91504bb98db307ed71419067c2f96fd28c

SHA256
e5c1e86ddb3c64bfb0dc7e2f5cfe4663a87afe6bbd6dba1a7ef89bf8147b85f2

SHA512
a372830b1321c42443e6d83a0f66a10640f01ecbf4504f6d7080533e03a8f161aa7f663c99b331e5b955a5b1402389697ec4333b9af98e894a1bd9acffa1808e

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Acp.dll

Filesize
183KB

MD5
604479ca6f96a609af4e655a264ebb4a

SHA1
bbbc311db7bb57076e7155aa001d7b80505244ae

SHA256
08bf986a2ca137da66933c6f6652b3ad6c6bf82293b6dbbe5f685ecbd0180102

SHA512
6c7416998bbcd463d123b82ed52f17accf8dfb3c82f565587c1850c1aef4e9776764771f91eed037a4bfd8579a5f15b7fea2ae874188142bac5350096bf6c2c6

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Common.Acp.AppClient.dll

Filesize
32KB

MD5
ca7b6f611d0e7d6dbe9eaf26171cdbbf

SHA1
4f46b4d3742a78bdf38c89d2762222d1588e4e3e

SHA256
33940c3a56379a53b3e8da2919aab1f7521552ae79d280285539ee8ed653798e

SHA512
d67f50c21839607bdd50c10a7db40e1c296ad367c88a18d43201f91bbeeb084c98da9ee48d0477428996f79793d72b355cbc38d385354a05b7c588f2768cdfea

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Common.Core.dll

Filesize
65KB

MD5
7917445a0a68b182f1dcb5e389f227e8

SHA1
a68f0585ce492127b6853e81ab56922d543d8a66

SHA256
dafb2a29f8bca71a4afb8cca62e002cdaa23c0ba18b1612dbf3dd6f79ab4c9c8

SHA512
3783ab69b86cf86944a584efeb5a1ae79322f5eef3b2beb1544e2de8c8b875317f05bd0b9c55678d7dd0b4736e60f1c4774b0bae891aeeabd8b7c2f2318b1581

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Messaging.dll

Filesize
47KB

MD5
d3c5f5e36d142bce892fa433fca550d2

SHA1
8dced1a5ebe426d99fc05bcda4ade921473c6666

SHA256
258ee9787f113dc88b2dd92e6b282c557cc9cb1348aa5e2d77e35ed9de495c34

SHA512
84340cfd05fdc058b27db9eef9b9840124570dda42b121a9b9df74ff47b0ed11970090384b83785dd91ea64c80c3bd49d9db662ec98b7db86f9608194f756039

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe

Filesize
236KB

MD5
6a0aa7dbe87f694a7239ae76e7567c1d

SHA1
a2615c144d5148778e9ba0d67697fecd31e109e2

SHA256
69fcb3e43543edeca208f16bc14a5c8318bdfd4e87ccb8ddba4be7e0d5482f09

SHA512
b6b2b9edf41380c946e484876c7e4c15118476cc9b03ddc48fc907568f0aca8fc24c92fa7e0a6afe07c6d651e3faa123ad372cd635cdf35852ecd08a433be317

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VPN.Acp.dll

Filesize
33KB

MD5
6e9f407e8b6a1509ddd05767768a21dd

SHA1
72e725ac83013e4824b21d9514645439728a1057

SHA256
2cc0100e647d583f6536679a883f3aebe793471b3c910d76fc0f554335cdfa77

SHA512
0b36abe2e9aa863125e20b3d0ac7aecc95a8de3ca10297c062d3307897307c92beaf31b734a84353dca8a58574cad26c51d11f34aeb90c51c4f7debcf2ee0dc8

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VPN.Core.dll

Filesize
145KB

MD5
8e560c4384508d3a91dc0fe99fcf95f3

SHA1
f523346df8eb743d889ac40887fb15e65d2d87dd

SHA256
568399fb7b5de227e005fdcad3c9252070ac468db219bb590400ebf320d7fbfb

SHA512
54807bf6dc35d8ed28427f88b26f1a62f509ba5747294b6e3d8006be09ce69d965caa7a2a46588f09f57c07dffaeafcb36c3b91c0cdb5a8cbb8c99dbbdfe96bd

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VPN.NotifierClient.dll

Filesize
28KB

MD5
91231fadbd4750fd0f7aff4451817de9

SHA1
b0dbebd34968d49efaed34b49e39f512f0f5f319

SHA256
01de4b3d0f561d957940c899138e3f6259591c2e2a1a5397dc5e68f8f3bfc6f6

SHA512
e1192e4873dc20e0248f6d3ac71a2af0268c4eb2ba131eeca5ff9962aac4f11d731aca84cd882b47f1e7a479dc2efc5c4db55630729f6f07ddfbe6827d84d3fa

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VPN.OeConnector.dll

Filesize
41KB

MD5
3c5a6b77e6b042f10c71dbea818b47df

SHA1
bffa109b195b73d75ece3189026a15b51cd7dc90

SHA256
8185636f5d1839d2955a49865557982b1e1f69083ad7c6758358181b21ef7561

SHA512
6f6412355762846975a7433e9f84f2302333d147497884f374aeaace6f23ff4214f425d121f2c29aec80032cb5f42e2dd8e38ce1905642cf357a95d1243c18ae

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe

Filesize
330KB

MD5
af72ccc85709fa9d9844005e88cd4730

SHA1
dad8e2003f4d88e4cd7952a17ef236a3571187bc

SHA256
230e0c61d80d6ad1e1426ba7308c3f2b40266e78a6796e3343dd4b34d7d4cee9

SHA512
d495d1e4316de38cb60b211e90582fbbad1752647ae35baaaa330ad05b02f899e3cf40d06934fb3fe16d7314c9338c944fc7c5a14d149033ab646298444ba97a

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe.config

Filesize
8KB

MD5
1f63cf3e535b97a59e128168157b3f56

SHA1
be5a9afc3fcd74329f5406abcf85e0d241bf094d

SHA256
15210a2f511dae748e70bc78ead98bb6b76e2ac3e45cd93bca3bfce5ab7f6b0d

SHA512
d16ea8d1c1a2c6ba0cdef471ee36c5c3b486c862e636de7f748d14ed394d0838c9bf54bff9efc099199e81d30e4e2e503f14436d7815af7d5ddb21327464ee28

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe

Filesize
822KB

MD5
15251f271169251e9b962c57dd763d31

SHA1
ef590cd7b6e854111851c9f9e397b2108fed01d1

SHA256
f3f28506d8419457640bb4e623db9e78906051fa179180634d3dabddb6d4f9db

SHA512
eec9cf30918c1c61eb4f5e427b944816b103d41719d567039be8b2c08705ef3605c53c115cf93fbdfb0e2a0030e47a91f4fd6337b5a6878c01587af399c029ee

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe.config

Filesize
2KB

MD5
d1b8c0544f8c0620a66484fdec9e6ba0

SHA1
1da95e37623fdbf78a58d5a45710ae0fdeca5110

SHA256
777ccd894c1c49cddbf84f41a215b50fe30da29c2d4ddced6e394066e3f82f50

SHA512
6ff4e4e9ca73c1ad64afbf1d948162b2a07effdeeef5cde83f9ac8e54483432a522723acd19cae98a69c654ace07319d6227496b6a5ebaefaeb65d828fe4a2c0

Download Submit
C:\Program Files (x86)\Avira\VPN\Defaults\ProductSettings.json

Filesize
1KB

MD5
f9eb282786f0c1d27f9f6ae8b448d4d1

SHA1
df4f115df8a7dc8ffc2d7dbdd9953170cb0f8b32

SHA256
7e84e38c4b147fa13e871249a9986c4621176ed0afc88c999901e354f603d096

SHA512
db8a15d8b7b830dd63819eea73aa160accee27dca61a4b9b76d30f9b4161d28307c47d1f412faad9f92d2b77c17832226c16e8db0bb1d413444de1e918692753

Download Submit
C:\Program Files (x86)\Avira\VPN\Messaging.dll

Filesize
36KB

MD5
b1a97af12a736c53cd06501653e2e4cb

SHA1
6be48e266948fc173e8dc5f0852881f2d2dedae2

SHA256
1570229665cccbc32a605fa8c7becf35f7db9b029d581be252e3d19cf7952101

SHA512
817750fb29f208274ca615cdf6044e7cb5f40afd6155993f5ba876b9c9d288822f572fe5b30b3d7d915c1c08105ad006239410026a515004558342cd00ecb2aa

Download Submit
C:\Program Files (x86)\Avira\VPN\Newtonsoft.Json.dll

Filesize
694KB

MD5
5c72fad6a58a4a1a6a1a7ae8dc8a167e

SHA1
61deeb15fb4628cd7f7c32b7ef844211ab79f5ad

SHA256
554f9a657d6db8654a63aaaa90389ce2ef7f323cb0798148770d8c7e11dd17c7

SHA512
75a311f81b0a391d016fd825911ed5ba42d441de0148717f6d46654bfdbb287ed92ab0bbfed1ee54a783f2929bc5958e33c71dc8432c6089f971d94e28e95262

Download Submit
C:\Program Files (x86)\Avira\VPN\Serilog.Sinks.File.dll

Filesize
35KB

MD5
b58456f9a160e2736d7ee5602337dd9c

SHA1
82efcf79f21117f5fe6e2e2ab60d211f63e20684

SHA256
ff82098459238bd848372e8cd57457c520ce6bd04b23a59013dfaeb002a7cb88

SHA512
71d22e506ee948c000b37978a4cf1716872ee7a07842ff70c968a82c8c9d9914948ac6174156097fd68fe4208a7b80e31938b89913a84abba27286a72c103f85

Download Submit
C:\Program Files (x86)\Avira\VPN\Serilog.dll

Filesize
128KB

MD5
b61849eb6b545dea8851fd4e8c19efad

SHA1
2095a79a037daac7587b0a649cabe35de7b0c795

SHA256
e0ea1ea9bef21956ed2225c0e476a8d64381e57572150554e34deb4817ae5b3e

SHA512
e49e91678e90b7dff23504d864b61525f7907f4685a69def542fb6496d8d62194a968c794f2f40729e67abc3f3e4e07269b423821624f958fc2daf3c89e3d27b

Download Submit
C:\Program Files (x86)\Avira\VPN\ServiceStack.Text.dll

Filesize
202KB

MD5
64bbe4659a9c875de8b484c32a4a37e9

SHA1
2706c2b3068a7e84f76b708cccc22a9aabd6ea5c

SHA256
c77a86b4ce4e079ea333d7aca9e4d440d65290c9325ca1d8bc26c857853b13b9

SHA512
d8d713561e143152ef8546371380aeb244cad82057135c5ea208f5dd9d95ff750dd4c07f65a76b4a6ce14140838f6089f484973123c72409107bf5751fd5ae9c

Download Submit
C:\Program Files (x86)\Avira\VPN\SharpRavenPortable.dll

Filesize
71KB

MD5
8c2bc678cd38c9900be1ef6b0393abb2

SHA1
b7ef732ba1c584bbf21145199b7d32ad3620fe25

SHA256
387b3854074a36556c8bcdf67d58c51c7b1e74db7198c99c1b3fd86015a11bf9

SHA512
54f2e604d729ba1369144f855b0d2776e3850a2e97fe3e3fbd24f6f16c16cae822e2b41cfb1f09520c1c9fdaccb287c552b51f55546ca036f58d8c555bdae87d

Download Submit
C:\Program Files (x86)\Avira\VPN\VPN.Core.dll

Filesize
193KB

MD5
f9a0de6dd03121b8c6329371ef51be31

SHA1
1cc3551261614e65332487b2050fd41bed70bd11

SHA256
e27fe6bae04faaba2ff2b99e6bb612a5b6cdc7567677208a7a6ed82c1b36ef1f

SHA512
c8a852ffe62cbcf6af5be86ec43556dd2328a9d5478665974dba68130f961d207fd3d93dfad342fda15da00e6c75878f4e95d1f09e4d278f792bfb60d6c83ffa

Download Submit
C:\Program Files (x86)\Avira\VPN\en-US\Avira.VpnService.resources.dll

Filesize
20KB

MD5
5992773bb8a669fabae3e211d8c78d18

SHA1
18f31073260f545f7e70b54a41ba5cdab0f9e766

SHA256
79cdfb169e886a8d277227ef2be96041ccea2b4e8c77ae339efbe77f26ed63f6

SHA512
3821513767f6bd3bf35c65cde43608d843a526c33aa22fcd8e7744a0fac8bb564a8e93a8bf58027143613422f39f2141741dcfcd67cbc1d16567a1d00c5087c5

Download Submit
C:\Program Files (x86)\Avira\VPN\lrepacks.dll

Filesize
3KB

MD5
806d697d22bae29e300ef1c0cf0d4dfa

SHA1
d03676f772dc82e17acf2f1681f847bac015b260

SHA256
2bf947b782b448750b619ef75117efaf252538782f9e67c760b295f11affe1be

SHA512
568d28de46af2475f0b5bd9b0041c45a7f69c823f539d4d0eccf918877a02b7ecac4db1c0467bdb36d4de67fc3e98d36f362647d6ddaaace78f7e8b3b37d5d3e

Download Submit
C:\Program Files (x86)\Avira\VPN\vpn.shared.core.dll

Filesize
19KB

MD5
eb27f5e8937f4cf8b46391edb2d99d0d

SHA1
92f7b3bdca6445d6d34d85bf54a7e35d998a4365

SHA256
a03f591ee090e376ef80830beba9e5a6aeb1090000db6825832ff6e638661872

SHA512
34ada2524b6919766a1a9ad116ffeba62df6a8f3e805439aeebcaf09e434a6fe6d3a1337d3bb73049e22e5fb69322e3af93f049acea207f2255a43215734f7df

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.config

Filesize
415B

MD5
4c80e60049f27cd39c60665a801eb514

SHA1
13232b6c83686c14002afaa1662e1db86481ceb0

SHA256
7ab90de6791fa1e6e6a67f8739dd651ed647f04d8a4e62662ce5b4d29ee7e2ee

SHA512
6f023dfff3610a8190d0165637368cec7cb3053509a57ac404dc37350b2d4c2c83e36e4a289da0b8114fc2120b283fc4bc97a84a69378b619fc9e4f11f91ef49

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.config

Filesize
520B

MD5
d5a67fc9d7bf280103f38247341f028c

SHA1
586a875ed65dd6f5869f228f1ed076fe7baf4e04

SHA256
7e4e027aa3eceed5b0c2a34e347731ef4a81d4dcd00016b4123d71f5750ae944

SHA512
409be63dd869b972941cff9bf5481d2b6e28653e4d9a0f441578d0d6a01f31910ebf597a6cfdd3c8a8205cfb2365745298b2bd66357896de7a8d7c693a5bfd86

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.config

Filesize
6KB

MD5
2640fbb6680f0eaa62aa6f6345e070a4

SHA1
dd5b73e92fd5e6635710922f5d5120f018d12f57

SHA256
fa55fbb8f86bfe3f29324f33df0b1ca3ddf1eaebf753ff5ce52a1aec430e6b04

SHA512
914f0c0c2f4bff54ebf7e8b7f3b8f9d51f1aa21742d9ad6ab68fa08ada7c96d2f3b3c7bc59b7b522287864d5c6534f1754a601e40805ac351763f257313d0006

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
233B

MD5
af12cec02b8a0186410126b1e6a111c2

SHA1
efad6aecbd65b4c97e221950a882e66cbd2a1f25

SHA256
f5c545cce9b88b01a2e0c05eabdc5945aca1e94e4c07e5225ede82a66b893c44

SHA512
ec73638278d746b7cef3bf10490bcf33cc9297dd7e495e310e67831d920e222a2a49abf7db7337092def0e08f82edf833452d36b475586a7478f84ec7ae59948

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
305B

MD5
3af5d5d68cf0c53735f87a63d610accb

SHA1
934bd3ed1d59541fdbaed497977bfa31c1a04972

SHA256
58ce5ecbc973604e40dec157ac06b3d310a3e60efdc3571c00cf8a3859089159

SHA512
46fe77b70af198a432cd260db135b803098429e242cbe4727f829ea65b602f470ba5c7cfa7cd745530d75b49cbcba2cc3d55cb49036b5be2ed45819e8fb53e42

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
381B

MD5
8bd6a2c62f1c155aa359f9fec3196c3a

SHA1
8f448a5ff4f13470d676c90e8ad9de9196876d9e

SHA256
a5fb8bee53a911bf01743e22e4d0852eaaf41f28b0a8d085273ec8b57a707a32

SHA512
986db19ae9e2865036b1f05277a859460d71d5eded7ea1ea39dddddad63be657873d9e77522720e2b7ea538c8584fad370b7afff8735b7a61252ebc6073f668b

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
381B

MD5
eb6120a64518226bd9a0222011ef7a71

SHA1
6a5422b66f94e68cb8b9dc5a46d4a47c13658c40

SHA256
ca4fb9048a7d255c43d142edc6730fec56e81fc30f68d32aa283edc707e417c2

SHA512
2fb9df6b4c80715040774a4d429907317c1bd9931e48bedb287cfc5beb5b1d241de2138dac12ea0a54b13f7993b172dca5554b633cedbad8f218e2db3465a65a

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
600B

MD5
d67b975a7761c0d97f6ce6bd80d58b91

SHA1
5b2f380865e5c69821ad96854fa191bc2a8d6b1a

SHA256
a91b68668a0a02cd4674608cef195732204d0da6f17d8add7733fbd35361b943

SHA512
8f5cd6db73a2b3d61207d9d84921b008f5fc5f1fbc5cd86119db4b9212bec0da7680d6c726fce7290292ae1a61c4659eddbde0b0b7e34e73ceb0cd15105bab6a

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
741B

MD5
338260b3a027ff5a161670ba8d207d09

SHA1
2fc59faef67d0706ddf6a16edc436db2c033e514

SHA256
62d5250563cff1c9ddab4555b974d272722ac841d9a398fd9fb572a2b4fb52c7

SHA512
398008dc74e3220a231856d44f9b87fcb437d68f96bdda818a3a31bcfa7651c43e734908dce4629b3e422e53efb4120f61674bece4c13f275ae5a6bc2821dff3

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
741B

MD5
b812530f047ae5ea6bd70c0e5c40886b

SHA1
004003ea24b30ad747526d181716049fa93b5d9e

SHA256
6c0b05405b0c4b3ee9f363594051335c7241de9353d82942b16f02e52a2fa68a

SHA512
180837c6e322f693e482e99d4230663f31969af8b33ee8da3809622321671c67ef041bc41cf397d0e268b6287e863e1ea4c2c5fe64261de40ca05acb34478e43

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
815B

MD5
d4a3d50adbc460ada5103c779728b4f3

SHA1
3c30e436bdfb4ddba0905f738fd89bbe1ef0ac4b

SHA256
84796be514ef85ea99245c7b6608c5a2d06d6ec783977502459bb9245830a004

SHA512
7f1712533ed996f2ba32e0ed18894baafff80233c69b22e3aa5c6ec55a379ea0b30388d3244d5efc9b4e0a09e53d755cdd3e63b2ac78630d040e153aec1c344d

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
815B

MD5
f5c2480d51b7c199200a859fda8a5fe7

SHA1
bfac98f18a7ddc375bc7003d07e723b37512410b

SHA256
fda2e4d8ee54455797a362d59c38cc054e4ca8dc36a97ff632a677bd6429f753

SHA512
4c88fb987db6cabcfca949f08a361e6db497fdbab3290fc8862093120f2107b2fed112af08a8c84c3771cc118a116cc75946ba8b5f6b1ad0e6368c0ff85fb6dd

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
815B

MD5
eff1b5927f06bfc4a07452aae0ac4e2d

SHA1
c4d34e4e614cdebdba2becb97363ed8b53f1c95f

SHA256
5ef41ba36525195b79324f1212fc9a671f28535c1930a0c83de1fec222a31e22

SHA512
b300615467a347ce10d790bf3f73bfd3216c8abb7871b32e034192a41bdc69507b60fb8a206d0b989431bcb04650cee19354de7d244c674157df19fafbfc21b9

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
815B

MD5
0321baa5dc4e930e15353759d009ff5a

SHA1
1895076d04c4fb6e40f132d5f8130badb02386da

SHA256
43f191a695025be924a45634d5e16e9fd2c6d33a8398f730c2b428ab4421952a

SHA512
d3c9ec7828ac61e5e288d660c57df4d46a05a79442e5d959e789705ff792bae82d87f5bf547d4bd0d689cd638169b2d5f1814ed2c826f41f7ce5eec01a416b8a

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
815B

MD5
a2d67a410003251fc08eaa8db9c4c166

SHA1
8af163998ae736ab9165581ba1e69054a84ff1cc

SHA256
a195748e6b7b2d3e7bacbbdc7e5704a13dbe69bbcd8cdba4e162c3137c5260de

SHA512
bbc5b72d03a5e9b815c43a6814e93f0ebdcf999e1fc65dc99e8ff2ffd330f670fcb7ae06ff2c563e4c98fbfdba21e32ae4e66ad7132dbfc9ad7e14951f0595be

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
816B

MD5
7d7b7f90b7a55ac35fd56c5564d177e1

SHA1
3c4d742db8ea20b1e725b8990b89f3a14e0b7ee4

SHA256
3d242ffc1393a21236fa332585a13190af278b799e7c1764b06be9877ffca174

SHA512
f1b05a9016ce5b7304dd0f47290c760e84c41b5b5b0708039a06288c609426835234e464ef6c20a020dd57e83c081ad0dc79eaca2d23ff55e287a9b6ed4f1b1f

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
816B

MD5
357b0482a7e06bab2b84d10fdbd3266e

SHA1
4199bf3b390f5f5a8d8e0fe89319a493eeeaa54a

SHA256
b1273636276303be55f0a94e0a10cc41bd9318c17973aaa92f7d88ef3b653e31

SHA512
099f32ecb36bca18a02e6d6b960666fece6ff3898f632aa50cefaf14f17935f19e4f5a176e19d609207cd4458f8b491cbdf86745ae4c05c6c9805a57c4959448

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
816B

MD5
a407262cffbcb5b4848b27585d5e4fe8

SHA1
196f8f8ded77daf4f5eaceb93167337e8de5bc27

SHA256
89da900fe2cfabf79e3b4e2c1fa2339b62f4fb2d62845d09707a6c55a0a34134

SHA512
45e2339cdc6c060faeabf0822f18437c4862028ed7a5655de3ef03dc43e598bb6540a3652c11fa3fdef27b37f1e96daf7117663830c3224f010cc76c8093501e

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
815B

MD5
35ae4cc26a1ebb530cbfeb9d2f85b639

SHA1
c953db7b27ad59a1002153661ed0bb1166d8a16c

SHA256
cf9717f194fa80bb8c26559ea0781ecc2969b5e98daf371230cd87e2cfe427b2

SHA512
b15a9a7ca5a904c7e24f317f61e865f64833c4d7d58d76b5f43a33301f16faaf035f9b477702d41101c018ed060b1513610012fcb993a13b73d3661d3b41e476

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
815B

MD5
3a439a434e5d428483c5f11959578bc1

SHA1
32fa9e822647717a179eb2e327f9616c7be14914

SHA256
8ee6d6d469de7d93e3d200b1939326fe5c82d24453094b57f6a8465051e9b7fe

SHA512
fbd66d1a1c197fe44c389d8a21fce057e9ad45ffc6cc87b9f9135ed5f9f7451abf6a432e7994b3647d3675b2f82658735ae04369d0add25e7708a4b75841e5f4

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
815B

MD5
63ee04c8f2494d413c87145f75b89e66

SHA1
206899edc24a638db4087747d4e4478d274a74e9

SHA256
1746a9595f33132bc397038939c98dc9ad26f9a03a984e83fafa9d9d9b4f6547

SHA512
182b1d3a9b53f5ff0484f6f81a6bfbc54c128284df7978392cea72a48a9ac0f880d38f850088aeec1b06213a3c75b012c41dbdc42dbefb9a7aad933c6ddaed62

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
816B

MD5
9bcf49dcf59975d35166a8e917bfca52

SHA1
766fcab2935403e782ecff40ae82cf3201724e21

SHA256
c72142c9639a3518587c6d1e3d250ac142bfc10bd87f9df3d39bbf673360b1c8

SHA512
6ceffd8ff284c0886e8d8da1eff69f7553f6f0b9ef616078dbb5341274f4081bd875111d6fa5f3014d22f257ff61173d34c7439a1c4a7322ba06073b0474ae98

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
816B

MD5
799337f9b3cf4048d24c4166054af9d1

SHA1
0df1c4cf456cdb0bf76be44c9267b94f9dc1244c

SHA256
30683aa5775fe080067d44cff799592891efe4b4cf52abd2bf83cd83eb5ad914

SHA512
c7634d052dd3006a67fb8f2122782eeb716b8e49344af2e9c899bdd91dbeec2de564e3d92d5c71850e1e1ce620f49f307ea507bfe56980f0476e62af89ddf9d6

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.config

Filesize
263B

MD5
6a278220c51a38c0284546e7f80b1980

SHA1
087fc70ad0d0db6eb7a8af4da86fd62f67f16145

SHA256
3d5feb6c07c1c7785482cff6ef1fa92264f50cfc68ab37ad0e7c979edd17d895

SHA512
b92408fa471caaf5572d5f36eed73fa3938056201bb0c4e0eed3d46a24ec8caf9f2bac2ad8636f0002f927485348fa8ee919de8dfe7e4afc78c84b30234e87e8

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.config

Filesize
600B

MD5
996f8cac17e1834358942cceb62834a9

SHA1
55cb2d1a123ef129a4e7a066ace7adfe0cb9c6d8

SHA256
f5f6c5e3583276a5e6dc5538a2d864184dd6695405c3efa81e142117324fc536

SHA512
46cd10d7e48c113df978aebf6fd65a3a2b700005c6e3c2c78fe56e776f22159c7cf735720fbb7f46b439f6b556d788316447a7b602e5832e2a1b9f58eaa8f4ce

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.config

Filesize
600B

MD5
07b57beffcc1ded937797a1e16df021a

SHA1
9117a5cb5394b98e2981f15639423d38d5f149e2

SHA256
7719bd8e9ce74fe3dc070d51934665b0de069f1c421e8931e5d47faf52a1b37b

SHA512
6b6de6e58806e0924381493d089126c11279195f81f9d10070fd9a069dcf2b314f9d11b01adf99ec156e3e90089b88511f4c6e6ad7e397ba1001b77166978b5f

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.config

Filesize
670B

MD5
c877590ff53f299499c7d78d007d59b4

SHA1
2b0b0401df3a480e7f768053ae20d94d23931d1a

SHA256
aa3e07d57f59e203a4f71a91cbcbc85c100a3985cedc276ab02ae7fe735968ca

SHA512
96316ef6d0ef37225612c489e10d3147ec2ed92c764faf62d1767faffbe76fc22c075782384fa61fa86ee8b766329343a0d3efa1a54437abc64c45298dc8035f

Download Submit
C:\ProgramData\Avira\VPN\vpndbg.log

Filesize
1KB

MD5
3dbe79f4ccad7286505edb4737dd29a2

SHA1
a3d11e8e9447557558d84448b1f7c42c96c9f6fc

SHA256
91a871b397afd21dc329ce873cc8a67c2c980518adc2c4a24557cc224e92dd60

SHA512
45ed3bcb700fc4556c7875398ed205209edcb73cdf05785bd8b3a5b5256b2bec7827dca8c061a58bb7c13000bf336c49d949562b26a7133341cd68dc2976b53f

Download Submit
C:\ProgramData\Avira\VPN\vpndbg.log

Filesize
4KB

MD5
db6bb3dde1ede094faaccbcba1d6a737

SHA1
b434ec1b9a6f3c2e9de1e8e016492f3e8b7004fc

SHA256
450abb9296665d08edf15a1839fa3a35301f9aeabdbd2295992b48da62eec397

SHA512
19d21163d0e9381ff9cce2bb22055e774993709e599aa7488ff5aa7f90ea8d52ed7c47275ef5298a2d0d331ced44e59f325ba9ae0d85ae727d0a070ce755d99b

Download Submit
C:\ProgramData\Avira\VPN\vpndbg.log

Filesize
13KB

MD5
3a6391e9f8ee3bd4b805851e8ddc383c

SHA1
227b94669901a5ad929df3e456b5acb2da0030c5

SHA256
9e39bd6fef33432e54a40ea9e61c688cc53053c59904cb45d9891d02219c7c41

SHA512
1a6424532146651fb4721076b14ad0e14d547f4b2b1d6fc2badd19900a4ca692a3d3d9705aa77b6600087a9f2ebb74934de0c71005e9768f5e80ae5ad37ce4c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Avira.WebAppHost.exe.log

Filesize
2KB

MD5
9194cef6008fe04330d9d8073274d969

SHA1
2dffdd7f7ac4f4a67c03366a23e04c56044dc305

SHA256
cf3ddd4d9cac32a8eca4a6674e278ef46798eb01a4e90b43940a617d95dcbd8e

SHA512
a614ab1da6d4925456302e009c0e72ec79049a7fe4d8cae752821046639328700d2646cf98289dab342569f746a12b1b553f60b01554665f3b6eeb029d875c63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7ac03b15b68af2d5cb5c8063057cc83e

SHA1
9b2d4db737f57322ff5c4bbddd765b3177f930ab

SHA256
b90d7596301470b389842eecb46bd3a8e614260b0d374d5c35a36afb9c71a700

SHA512
a5e9f40dd9040803046b0218fab6b058d49e5e2a3ada315e161fe9fc80ebb8d6d4442ccc1c98d19e561fc7c61bcf43d662fe2231cacacb447876a2113c2e3732

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9dc60aef38e7832217e7fa02d6f0d9f6

SHA1
4f8539dc7d5739b36fe976a932338f459d066db6

SHA256
8a0ee0b6fafabb256571b691c2faf77c7244945faa749c72124d5eb43a197a32

SHA512
18371541811910992c2b84a8eae7e997e8627640bdb60b9e82751389e50931db9b3e206d31f4d9d2dc3ca25ea3a82c0be413ecb0ef3ac227a14e54f406eaa7e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
5326f41fd14447836b478ff44d21d780

SHA1
4cacb8db51e062ec22609acb1002b1a4076ed5e5

SHA256
2e7daabb5c9f98093f4acca48a45cbbe53c3a1268898f8ee97be38590e0d2eb5

SHA512
d15dd25279dbfb9c14a0fc924788dcfe423131280c545c7b70fe87eda3b3729812fbbd0c6b975c10c5367ed362b05a2e149b5dfcd25da138626567c60b06d90b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e0a3f852dafb115dcf13c01cb5b29f01

SHA1
9ad84827b8795c3a57b5d76555bea5ee27378e79

SHA256
b0c2440d25bc67da7d7a1c453968e5290331187d13d5784b0bf95eebe63b0c91

SHA512
cd313a6b6d6464ac14e1472a795e9e3b413d0cbe8ff50bf238b9927c0a5ac9761ab4d4871dc994f1fb303185df042f9ae4034ce5ae1be4f9ce6f65be1296e628

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f7f6d55fedbcd6774640a6f005041c16

SHA1
26586f8c0afb9387e599abccc5986a21e01b3878

SHA256
8a1e65ec4dbea6a92c44e59f684e6a1d7c1ee9398ecfb96bc64568d44fc0bd4e

SHA512
9a954886c84554d3e6bda3598d9d6256dfe61f832a7ab9a9d91cbd2fd203cfb09bd4a2b6c6a6c3741745b162517c469eccf6dfc884d4ffffa7e7de1e43ba1a86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
61178081866436bedfd185d3ed1596b6

SHA1
b650764e92cb395e536a486ccd970432c46006a4

SHA256
1b8832ac978b4bad3cea4b3371dc44632eb72cf3bff8a0d0ca0d65c156353d70

SHA512
366b49f5505d6cef4dc87b7c7c296b966b53c84b0107d4ee97aa7bbed09165a860542d0e50b3950e178055cc3b6c041fc6682ce84ed3af7537e86a6a8a22a9bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
086aad64a707948f88dcb2c390bc6783

SHA1
1f23df32bd77d93c6fdd2ab34f359a1427c92c06

SHA256
1290c59ed5f1ad7fa7f09c5f3c6c2328b210111703db099eb5d48c1bf78f232b

SHA512
ae68ca1669d694420ac56ee518809ee7f01bc613176f896dbea07325f5e4d6f372f1e6bb74e7f63c509fc4beec79678e6450e7cac24363e80c855e538a74983e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0N1OA.tmp\Avira Phantom VPN 2.41.1.25731.tmp

Filesize
911KB

MD5
02c5691af81933ce36735946e3ed1ea4

SHA1
2faed8d51a0800f127e424bfba9d44bab6aee1b2

SHA256
e1f5e87796c015e567153db6b994a35a34b0819b1093d1ea12064ee35102c42d

SHA512
ebde4772c94f5199a2936f8fdbcf80e57d11a820276b1e1323fbcde6d192cd89bcc69a441cff17e26d688427fe05e62cc858e896c0647d93c9e2ebe74a6e6749

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OFCU9.tmp\ISTask.dll

Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OFCU9.tmp\VclStylesInno.dll

Filesize
3.0MB

MD5
b0ca93ceb050a2feff0b19e65072bbb5

SHA1
7ebbbbe2d2acd8fd516f824338d254a33b69f08d

SHA256
0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

SHA512
37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

Download Submit
memory/1008-43-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/1008-63-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-6-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/1008-17-0x00000000072B0000-0x00000000072C6000-memory.dmp

Filesize
88KB

Download
memory/1008-26-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-27-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-53-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-84-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-83-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-87-0x00000000073D0000-0x00000000073D1000-memory.dmp

Filesize
4KB

Download
memory/1008-82-0x0000000007A80000-0x0000000007A81000-memory.dmp

Filesize
4KB

Download
memory/1008-80-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-23-0x00000000074E0000-0x00000000077FA000-memory.dmp

Filesize
3.1MB

Download
memory/1008-79-0x0000000007A70000-0x0000000007A71000-memory.dmp

Filesize
4KB

Download
memory/1008-25-0x0000000007950000-0x0000000007951000-memory.dmp

Filesize
4KB

Download
memory/1008-78-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-46-0x00000000079C0000-0x00000000079C1000-memory.dmp

Filesize
4KB

Download
memory/1008-47-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-77-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-76-0x0000000007A60000-0x0000000007A61000-memory.dmp

Filesize
4KB

Download
memory/1008-75-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-54-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-74-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-28-0x0000000007960000-0x0000000007961000-memory.dmp

Filesize
4KB

Download
memory/1008-29-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-73-0x0000000007A50000-0x0000000007A51000-memory.dmp

Filesize
4KB

Download
memory/1008-72-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-30-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-71-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-31-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download
memory/1008-70-0x0000000007A40000-0x0000000007A41000-memory.dmp

Filesize
4KB

Download
memory/1008-32-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-69-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-68-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-81-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-67-0x0000000007A30000-0x0000000007A31000-memory.dmp

Filesize
4KB

Download
memory/1008-33-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-34-0x0000000007980000-0x0000000007981000-memory.dmp

Filesize
4KB

Download
memory/1008-35-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-66-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-36-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-65-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-64-0x0000000007A20000-0x0000000007A21000-memory.dmp

Filesize
4KB

Download
memory/1008-37-0x0000000007990000-0x0000000007991000-memory.dmp

Filesize
4KB

Download
memory/1008-38-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-62-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-61-0x0000000007A10000-0x0000000007A11000-memory.dmp

Filesize
4KB

Download
memory/1008-60-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-39-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-40-0x00000000079A0000-0x00000000079A1000-memory.dmp

Filesize
4KB

Download
memory/1008-59-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-41-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-42-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-58-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/1008-44-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-57-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-56-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-45-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-55-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/1008-48-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-52-0x00000000079E0000-0x00000000079E1000-memory.dmp

Filesize
4KB

Download
memory/1008-49-0x00000000079D0000-0x00000000079D1000-memory.dmp

Filesize
4KB

Download
memory/1008-51-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/1008-50-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/2228-1079-0x000001D3F6AF0000-0x000001D3F6AF8000-memory.dmp

Filesize
32KB

Download
memory/2228-996-0x000001D3F59C0000-0x000001D3F59CC000-memory.dmp

Filesize
48KB

Download
memory/2228-1111-0x000001D3F6C60000-0x000001D3F6C8E000-memory.dmp

Filesize
184KB

Download
memory/2228-1113-0x000001D3F6C30000-0x000001D3F6C40000-memory.dmp

Filesize
64KB

Download
memory/2228-1200-0x000001D3F6D60000-0x000001D3F6D68000-memory.dmp

Filesize
32KB

Download
memory/2228-1201-0x000001D3F6D70000-0x000001D3F6D78000-memory.dmp

Filesize
32KB

Download
memory/2228-1231-0x000001D3F7130000-0x000001D3F717A000-memory.dmp

Filesize
296KB

Download
memory/2228-1150-0x000001D3F6D20000-0x000001D3F6D28000-memory.dmp

Filesize
32KB

Download
memory/2228-1115-0x000001D3F6C40000-0x000001D3F6C4C000-memory.dmp

Filesize
48KB

Download
memory/2228-980-0x000001D3F50F0000-0x000001D3F5148000-memory.dmp

Filesize
352KB

Download
memory/2228-1133-0x000001D3F6D10000-0x000001D3F6D1A000-memory.dmp

Filesize
40KB

Download
memory/2228-1118-0x000001D3F6CD0000-0x000001D3F6D06000-memory.dmp

Filesize
216KB

Download
memory/2228-1422-0x000001D3F6D80000-0x000001D3F6D88000-memory.dmp

Filesize
32KB

Download
memory/2228-1120-0x000001D3F6C50000-0x000001D3F6C58000-memory.dmp

Filesize
32KB

Download
memory/2228-1107-0x000001D3F6C10000-0x000001D3F6C18000-memory.dmp

Filesize
32KB

Download
memory/2228-984-0x000001D3F6200000-0x000001D3F6236000-memory.dmp

Filesize
216KB

Download
memory/2228-1121-0x000001D3F6DC0000-0x000001D3F6E6A000-memory.dmp

Filesize
680KB

Download
memory/2228-1080-0x000001D3F6B10000-0x000001D3F6B18000-memory.dmp

Filesize
32KB

Download
memory/2228-1106-0x000001D3F6C00000-0x000001D3F6C08000-memory.dmp

Filesize
32KB

Download
memory/2228-1077-0x000001D3F6AE0000-0x000001D3F6AEC000-memory.dmp

Filesize
48KB

Download
memory/2228-991-0x000001D3F6320000-0x000001D3F63D0000-memory.dmp

Filesize
704KB

Download
memory/2228-993-0x000001D3F62A0000-0x000001D3F62C2000-memory.dmp

Filesize
136KB

Download
memory/2228-1105-0x000001D3F6B00000-0x000001D3F6B0E000-memory.dmp

Filesize
56KB

Download
memory/2228-1082-0x000001D3F6BF0000-0x000001D3F6BFA000-memory.dmp

Filesize
40KB

Download
memory/2228-989-0x000001D3F6240000-0x000001D3F6264000-memory.dmp

Filesize
144KB

Download
memory/2228-1060-0x000001D3F6AC0000-0x000001D3F6ADE000-memory.dmp

Filesize
120KB

Download
memory/2228-1059-0x000001D3F6B20000-0x000001D3F6B96000-memory.dmp

Filesize
472KB

Download
memory/2228-1017-0x000001D3F6290000-0x000001D3F62A0000-memory.dmp

Filesize
64KB

Download
memory/2228-1013-0x000001D3F62F0000-0x000001D3F6306000-memory.dmp

Filesize
88KB

Download
memory/2228-1015-0x000001D3F6310000-0x000001D3F6318000-memory.dmp

Filesize
32KB

Download
memory/2228-1014-0x000001D3F6280000-0x000001D3F6288000-memory.dmp

Filesize
32KB

Download
memory/2228-1109-0x000001D3F6C20000-0x000001D3F6C2C000-memory.dmp

Filesize
48KB

Download
memory/2228-998-0x000001D3F62D0000-0x000001D3F62E4000-memory.dmp

Filesize
80KB

Download
memory/2228-994-0x000001D3F59D0000-0x000001D3F59D8000-memory.dmp

Filesize
32KB

Download
memory/2228-982-0x000001D3F61D0000-0x000001D3F61FA000-memory.dmp

Filesize
168KB

Download
memory/2228-985-0x000001D3F5980000-0x000001D3F598A000-memory.dmp

Filesize
40KB

Download
memory/2228-987-0x000001D3F59B0000-0x000001D3F59B8000-memory.dmp

Filesize
32KB

Download
memory/2516-1458-0x000002171F6A0000-0x000002171FE46000-memory.dmp

Filesize
7.6MB

Download
memory/3460-1088-0x000001F9E5320000-0x000001F9E53EE000-memory.dmp

Filesize
824KB

Download
memory/3484-781-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3484-1191-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3484-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3484-3-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download