940ec4012984218f6e314d793c995b3cb3c3366aabba0308fece77fe2ed7abb7

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Avira Phantom VPN Pro 2.44.1.19908.exe
Size

5.2MB
MD5

0fe5732c15e8150c8f107a0e73db4e45
SHA1

a3b4e14d09b82d365dbf52480854e399b2672f34
SHA256

940ec4012984218f6e314d793c995b3cb3c3366aabba0308fece77fe2ed7abb7
SHA512

2cedc194be8ec37a7d035bcf4af42ea74a6a51fa220ea2d9edc406ae5a7b4dea022f1287c09a22f59a552e23a20730821184434cee2879371db0a78897d0e292
SSDEEP

98304:w0FHAF/aUuvI2peNyoiOC+uWiOqXL6cY9J54jqrZwY8v:xFHAFdCpwy+PeOZ9J5v2YQ

Score

8^/10

discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\DRIVERS\SET9241.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\phantomtap.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET9241.tmp	DrvInst.exe

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\922211F5AB4521941D26915AEB82EE728F931082\Blob = 030000000100000014000000922211f5ab4521941d26915aeb82ee728f93108204000000010000001000000072ca4dabdcbc6324974664dd7156eeeb140000000100000014000000218e65f33518eb5e997713580564599a3edb6a32190000000100000010000000e842a5d740e73a3edaefd7024ed5010b0f00000001000000140000004f922e54ac4bfe0fdd2c3fc15bd02f752d09c34920000000010000002e0500003082052a30820412a00302010202100537f25a88e24cafdd7919fa301e8146300d06092a864886f70d01010505003073310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d313230300603550403132944696769436572742048696768204173737572616e636520436f6465205369676e696e672043412d31301e170d3139313231363030303030305a170d3231313131363132303030305a3072310b30090603550406130244453111300f06035504071308546574746e616e6731273025060355040a0c1e4176697261204f7065726174696f6e7320476d6248202620436f2e204b473127302506035504030c1e4176697261204f7065726174696f6e7320476d6248202620436f2e204b4730820122300d06092a864886f70d01010105000382010f003082010a0282010100b1c3c44b562df297959288bd693f105c338e47e0fe5e922c521dd577fa81faf3fd8af8816bd6e7dc90cc61d845b0aa904544e6b154047541ce3113bbb288f0bc68a6a91607f8f216b89215c51e46591a39d08f25c42b4f030892330e2174e2d0ea795508017614d12627e22c6d87d7f26fa44ca8c3c7a0e8c04320ba2fe7d7035747d2cace9249c25f4189149742c15f6dacf36cb72f7e368c5988e94c41474fca8d21fa52d19c51c40b6cf7964f75158738ca8c3ef91a874212304d676e108bab7e5dae1a7d065be46f5c4c92cf2e63c8510ffb41d9d312256fdce68c98e5fedc85f1ea0d9191554d0d81614b1ca18ef2ab89543a8d89380970ce61eec25ccf0203010001a38201b9308201b5301f0603551d23041830168014974803eb15086bb9b25823cc942ef1c665d2648e301d0603551d0e04160414218e65f33518eb5e997713580564599a3edb6a32300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330690603551d1f04623060302ea02ca02a8628687474703a2f2f63726c332e64696769636572742e636f6d2f68612d63732d32303131612e63726c302ea02ca02a8628687474703a2f2f63726c342e64696769636572742e636f6d2f68612d63732d32303131612e63726c304c0603551d2004453043303706096086480186fd6c0301302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533008060667810c01040130818606082b06010505070101047a3078302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305006082b060105050730028644687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274486967684173737572616e6365436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010064d7a216d7d193cfaeb053e31feaf331095a1c99c790b9dfa9cd5356a7b2cef878c435f329fb15adf3ab31793f39c40dcbc9e0484e017fba45fc13599935369dfbf1ecc936e9e4293210dd1c88933b8da9cd26cfb01323f0568811d4e7e7f02a0b3827b4bd7ba59abe9fd003c2577a2cf98b4e4ee64d71ec96019d9da702e966ff68dfb92f0a06b5c184ccaea03474d92d696b227a7d16fcad31f925bc51b569cfb30a420ea71af739d234c96ad68cefcf0b6faa050d7f3fb034e0125e9fceffc306bf90b8b2d6695db4e3965d77f8b5c4e1515ec0d41e84b138e97b32441c13db292fdb40f86049add5db95239f8aed20f1f750edabf4028aba0528eae06d03	DrvInst.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2272	netsh.exe
1932	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

pid	Process
2768	Avira Phantom VPN Pro 2.44.1.19908.tmp
2104	tapinstall.exe
2744	Avira.VpnService.exe
2424	Avira.NetworkBlocker.exe
1516	Avira.WebAppHost.exe

Loads dropped DLL 13 IoCs

pid	Process
2692	Avira Phantom VPN Pro 2.44.1.19908.exe
2768	Avira Phantom VPN Pro 2.44.1.19908.tmp
2768	Avira Phantom VPN Pro 2.44.1.19908.tmp
2768	Avira Phantom VPN Pro 2.44.1.19908.tmp
2768	Avira Phantom VPN Pro 2.44.1.19908.tmp
2768	Avira Phantom VPN Pro 2.44.1.19908.tmp
2768	Avira Phantom VPN Pro 2.44.1.19908.tmp
2768	Avira Phantom VPN Pro 2.44.1.19908.tmp
2540	Process not Found
2744	Avira.VpnService.exe
2744	Avira.VpnService.exe
2744	Avira.VpnService.exe
2744	Avira.VpnService.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Security\Benchmark	Avira.VpnService.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 25 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{674961cb-171f-0ba4-f064-007493d2dd0b}\SET5987.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{674961cb-171f-0ba4-f064-007493d2dd0b}\phantomtap.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	Avira.VpnService.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{674961cb-171f-0ba4-f064-007493d2dd0b}\SET5977.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{674961cb-171f-0ba4-f064-007493d2dd0b}\SET5987.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_00af225a2e272bde\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{674961cb-171f-0ba4-f064-007493d2dd0b}\SET5966.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{674961cb-171f-0ba4-f064-007493d2dd0b}\SET5977.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_00af225a2e272bde\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	Avira.VpnService.exe
File created	C:\Windows\System32\DriverStore\Temp\{674961cb-171f-0ba4-f064-007493d2dd0b}\SET5966.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{674961cb-171f-0ba4-f064-007493d2dd0b}\phantomtap.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{674961cb-171f-0ba4-f064-007493d2dd0b}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{674961cb-171f-0ba4-f064-007493d2dd0b}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	tapinstall.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	Avira.VpnService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	Avira.VpnService.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	tapinstall.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-TAPLD.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\images\is-B36Q9.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\SharpRaven.dll	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\is-972K3.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\is-7R0T0.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-L0I5P.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-ILTBE.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-N31KO.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-LHD7A.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-B7F8U.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\System.Diagnostics.DiagnosticSource.dll	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\is-DLJUV.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-5NJDH.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-KLLCM.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-7G3D4.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-N6AJ9.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\images\is-CE47O.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-6GTSL.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-Q5FP3.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-JVCH4.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-E3R61.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-8F3U5.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-V07T5.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-A7FB8.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\is-HLL54.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\is-J01RR.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-7L1CT.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-75DRQ.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\is-GR2I9.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\is-BN0D5.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-UV34S.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-7F0B6.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\is-DBA4B.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\images\is-28E7V.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-B4OJJ.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-TOBS3.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\is-1U2U9.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-V7HB6.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\is-G24AR.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\is-H6UC0.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\Avira.VPN.NotifierClient.dll	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-FVN1J.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\is-MKUVH.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\is-0QU3O.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-20VRC.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\is-CEO2R.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\pt-BR\is-U3GBR.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\is-F0656.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\es-ES\Avira.VpnService.resources.dll	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-M76T2.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-OHTSS.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\images\is-5UDPF.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\zh-CN\is-9E90N.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\css\is-8722Q.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-7GARJ.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-DNJC7.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\is-RB6TM.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\ru-RU\is-UPBMR.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-IM407.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-13SIQ.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-T4SEK.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\is-UJBF4.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-E9N6H.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-A0432.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2900	sc.exe
2940	sc.exe
2840	sc.exe
1676	sc.exe
2168	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Avira.VpnService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Avira.VpnService.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2956	timeout.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2452	taskkill.exe
2844	taskkill.exe
2924	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	Avira.VpnService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tcpipcfg.dll,-50002 = "TCP/IP version 6. The latest version of the internet protocol that provides communication across diverse interconnected networks."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@netcfgx.dll,-50002 = "Allows your computer to access resources on a Microsoft network."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Avira.VpnService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32009 = "Allows you to securely connect to a private network using the Internet."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Avira.VpnService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-3 = "Allows this PC to be discovered and located on the network."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@netcfgx.dll,-50003 = "Allows other computers to access resources on your computer using a Microsoft network."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "31ca4eeb8cbf4d9c89bcf05cbaed56a76351d5de"	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "3e7d7fdd6c014bf89d5d25cd9018d4a2b0d5a06d"	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\machine = "daf0039ddc334b35972eb694bfadca82fec79522"	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "6e59b3886d0543ca851f2a0dd242a7a9d4be79fe"	Avira.WebAppHost.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Avira.VpnService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2768	Avira Phantom VPN Pro 2.44.1.19908.tmp
2768	Avira Phantom VPN Pro 2.44.1.19908.tmp
2744	Avira.VpnService.exe
2744	Avira.VpnService.exe
1516	Avira.WebAppHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeRestorePrivilege	2104	tapinstall.exe
Token: SeRestorePrivilege	2104	tapinstall.exe
Token: SeRestorePrivilege	2104	tapinstall.exe
Token: SeRestorePrivilege	2104	tapinstall.exe
Token: SeRestorePrivilege	2104	tapinstall.exe
Token: SeRestorePrivilege	2104	tapinstall.exe
Token: SeRestorePrivilege	2104	tapinstall.exe
Token: SeRestorePrivilege	2104	tapinstall.exe
Token: SeRestorePrivilege	2104	tapinstall.exe
Token: SeRestorePrivilege	2104	tapinstall.exe
Token: SeRestorePrivilege	2104	tapinstall.exe
Token: SeRestorePrivilege	2104	tapinstall.exe
Token: SeRestorePrivilege	2104	tapinstall.exe
Token: SeRestorePrivilege	2104	tapinstall.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2124	rundll32.exe
Token: SeRestorePrivilege	2124	rundll32.exe
Token: SeRestorePrivilege	2124	rundll32.exe
Token: SeRestorePrivilege	2124	rundll32.exe
Token: SeRestorePrivilege	2124	rundll32.exe
Token: SeRestorePrivilege	2124	rundll32.exe
Token: SeRestorePrivilege	2124	rundll32.exe
Token: SeBackupPrivilege	1748	vssvc.exe
Token: SeRestorePrivilege	1748	vssvc.exe
Token: SeAuditPrivilege	1748	vssvc.exe
Token: SeBackupPrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2052	DrvInst.exe
Token: SeRestorePrivilege	2052	DrvInst.exe
Token: SeRestorePrivilege	2052	DrvInst.exe
Token: SeRestorePrivilege	2052	DrvInst.exe
Token: SeRestorePrivilege	2052	DrvInst.exe
Token: SeRestorePrivilege	2052	DrvInst.exe
Token: SeRestorePrivilege	2052	DrvInst.exe
Token: SeLoadDriverPrivilege	2052	DrvInst.exe
Token: SeLoadDriverPrivilege	2052	DrvInst.exe
Token: SeLoadDriverPrivilege	2052	DrvInst.exe
Token: SeRestorePrivilege	2104	tapinstall.exe
Token: SeLoadDriverPrivilege	2104	tapinstall.exe
Token: SeRestorePrivilege	2300	DrvInst.exe
Token: SeRestorePrivilege	2300	DrvInst.exe
Token: SeRestorePrivilege	2300	DrvInst.exe
Token: SeRestorePrivilege	2300	DrvInst.exe
Token: SeRestorePrivilege	2300	DrvInst.exe
Token: SeRestorePrivilege	2300	DrvInst.exe
Token: SeRestorePrivilege	2300	DrvInst.exe
Token: SeRestorePrivilege	2300	DrvInst.exe
Token: SeLoadDriverPrivilege	2300	DrvInst.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2768	Avira Phantom VPN Pro 2.44.1.19908.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2768	2692	Avira Phantom VPN Pro 2.44.1.19908.exe	30
PID 2692 wrote to memory of 2768	2692	Avira Phantom VPN Pro 2.44.1.19908.exe	30
PID 2692 wrote to memory of 2768	2692	Avira Phantom VPN Pro 2.44.1.19908.exe	30
PID 2692 wrote to memory of 2768	2692	Avira Phantom VPN Pro 2.44.1.19908.exe	30
PID 2692 wrote to memory of 2768	2692	Avira Phantom VPN Pro 2.44.1.19908.exe	30
PID 2692 wrote to memory of 2768	2692	Avira Phantom VPN Pro 2.44.1.19908.exe	30
PID 2692 wrote to memory of 2768	2692	Avira Phantom VPN Pro 2.44.1.19908.exe	30
PID 2768 wrote to memory of 2452	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	31
PID 2768 wrote to memory of 2452	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	31
PID 2768 wrote to memory of 2452	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	31
PID 2768 wrote to memory of 2452	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	31
PID 2768 wrote to memory of 2844	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	33
PID 2768 wrote to memory of 2844	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	33
PID 2768 wrote to memory of 2844	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	33
PID 2768 wrote to memory of 2844	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	33
PID 2768 wrote to memory of 2924	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	34
PID 2768 wrote to memory of 2924	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	34
PID 2768 wrote to memory of 2924	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	34
PID 2768 wrote to memory of 2924	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	34
PID 2768 wrote to memory of 2900	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	37
PID 2768 wrote to memory of 2900	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	37
PID 2768 wrote to memory of 2900	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	37
PID 2768 wrote to memory of 2900	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	37
PID 2768 wrote to memory of 2104	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	41
PID 2768 wrote to memory of 2104	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	41
PID 2768 wrote to memory of 2104	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	41
PID 2768 wrote to memory of 2104	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	41
PID 2612 wrote to memory of 2124	2612	DrvInst.exe	44
PID 2612 wrote to memory of 2124	2612	DrvInst.exe	44
PID 2612 wrote to memory of 2124	2612	DrvInst.exe	44
PID 2768 wrote to memory of 2940	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	49
PID 2768 wrote to memory of 2940	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	49
PID 2768 wrote to memory of 2940	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	49
PID 2768 wrote to memory of 2940	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	49
PID 2768 wrote to memory of 2840	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	51
PID 2768 wrote to memory of 2840	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	51
PID 2768 wrote to memory of 2840	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	51
PID 2768 wrote to memory of 2840	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	51
PID 2768 wrote to memory of 1676	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	54
PID 2768 wrote to memory of 1676	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	54
PID 2768 wrote to memory of 1676	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	54
PID 2768 wrote to memory of 1676	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	54
PID 2768 wrote to memory of 2168	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	56
PID 2768 wrote to memory of 2168	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	56
PID 2768 wrote to memory of 2168	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	56
PID 2768 wrote to memory of 2168	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	56
PID 2768 wrote to memory of 2272	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	58
PID 2768 wrote to memory of 2272	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	58
PID 2768 wrote to memory of 2272	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	58
PID 2768 wrote to memory of 2272	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	58
PID 2768 wrote to memory of 1932	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	60
PID 2768 wrote to memory of 1932	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	60
PID 2768 wrote to memory of 1932	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	60
PID 2768 wrote to memory of 1932	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	60
PID 2768 wrote to memory of 1464	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	62
PID 2768 wrote to memory of 1464	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	62
PID 2768 wrote to memory of 1464	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	62
PID 2768 wrote to memory of 1464	2768	Avira Phantom VPN Pro 2.44.1.19908.tmp	62
PID 1464 wrote to memory of 2956	1464	cmd.exe	64
PID 1464 wrote to memory of 2956	1464	cmd.exe	64
PID 1464 wrote to memory of 2956	1464	cmd.exe	64
PID 1464 wrote to memory of 2956	1464	cmd.exe	64
PID 2744 wrote to memory of 2424	2744	Avira.VpnService.exe	65
PID 2744 wrote to memory of 2424	2744	Avira.VpnService.exe	65

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Avira Phantom VPN Pro 2.44.1.19908.exe
"C:\Users\Admin\AppData\Local\Temp\Avira Phantom VPN Pro 2.44.1.19908.exe" @ECHO OFF Color 0B @cls echo. echo. echo. @echo ////////////////////////////////////////////////////////////// @echo / / @echo / Avira Phantom VPN Pro is installing... / @echo / / @echo / Please wait... / @echo / / @echo / Dont close this window / @echo / / @echo ////////////////////////////////////////////////////////////// @echo off FOR %%i IN ("Avira Phantom VPN Pro*.exe") DO Set FileName="%%i" %FileName% /VERYSILENT
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\is-CQLIB.tmp\Avira Phantom VPN Pro 2.44.1.19908.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CQLIB.tmp\Avira Phantom VPN Pro 2.44.1.19908.tmp" /SL5="$60150,4884611,248832,C:\Users\Admin\AppData\Local\Temp\Avira Phantom VPN Pro 2.44.1.19908.exe" @ECHO OFF Color 0B @cls echo. echo. echo. @echo ////////////////////////////////////////////////////////////// @echo / / @echo / Avira Phantom VPN Pro is installing... / @echo / / @echo / Please wait... / @echo / / @echo / Dont close this window / @echo / / @echo ////////////////////////////////////////////////////////////// @echo off FOR %%i IN ("Avira Phantom VPN Pro*.exe") DO Set FileName="%%i" %FileName% /VERYSILENT
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im Avira.WebAppHost.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im Avira.VPN.Notifier.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im Avira.NetworkBlocker.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2924
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" stop AviraPhantomVPN
    3⤵
    - Launches sc.exe
    PID:2900
- - C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\amd64\tapinstall.exe
    "C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\amd64\tapinstall.exe" install "C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\amd64\OemVista.inf" "phantomtap"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- - C:\Windows\SysWOW64\sc.exe
    "sc" create "AviraPhantomVPN" displayname= "Avira Phantom VPN" start= auto binPath= "C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe"
    3⤵
    - Launches sc.exe
    PID:2940
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start "AviraPhantomVPN"
    3⤵
    - Launches sc.exe
    PID:2840
- - C:\Windows\SysWOW64\sc.exe
    "sc" description "AviraPhantomVPN" "AviraPhantomVPN"
    3⤵
    - Launches sc.exe
    PID:1676
- - C:\Windows\SysWOW64\sc.exe
    "sc" failure AviraPhantomVPN reset= 86400 actions= restart/5000/restart/10000//1000
    3⤵
    - Launches sc.exe
    PID:2168
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule dir=in action=allow program="C:\Program Files (x86)\Avira\VPN\OpenVpn\phantomvpn.exe" enable=yes profile=any name="Avira Phantom VPN"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2272
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule dir=out action=allow program="C:\Program Files (x86)\Avira\VPN\OpenVpn\phantomvpn.exe" enable=yes profile=any name="Avira Phantom VPN"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C TIMEOUT 10
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Windows\SysWOW64\timeout.exe
      TIMEOUT 10
      4⤵
      Delays execution with timeout.exe
      PID:2956
- - C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
    "C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe" /migrateSettings
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1516

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6b47d6d2-03ba-490a-403c-2c294d2cf217}\oemvista.inf" "9" "657afe35b" "000000000000048C" "WinSta0\Default" "00000000000003C4" "208" "c:\program files (x86)\avira\vpn\openvpn\tap\win7\amd64"
1⤵
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{570427e6-5ec3-5ae0-578e-4d57f9afad69} Global\{23bf3338-56d8-0671-9f2e-f25c6a65183f} C:\Windows\System32\DriverStore\Temp\{674961cb-171f-0ba4-f064-007493d2dd0b}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{674961cb-171f-0ba4-f064-007493d2dd0b}\phantomtap.cat
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2124

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D8" "00000000000005E4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:phantomtap.NTamd64:phantomtap.ndi:9.24.2.601:phantomtap" "657afe35b" "000000000000048C" "00000000000005DC" "00000000000005E4"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe
"C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe
  "C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe" delete
  2⤵
  - Executes dropped EXE
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-U5BBI.tmp

Filesize
743B

MD5
d3b58f803a9a01a59210dd673998a229

SHA1
6caddb6c8e749e9c5b786a3984bb7bdbba2bafc5

SHA256
3cf52e677d7f7be201cbf6e3ec56ed1f48b95c47e5969ef2c2510e270133c4f0

SHA512
88aade4affd629926e473df3d26ecca5ba49c4b77da9343e58729cf3a2b1cd0b9d27d9e019018455bffd18b7a7570a5c14d918eff46deecc5821903f76094988

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Acp.Common.dll

Filesize
14KB

MD5
271d473a99869a462e0200e1776b093c

SHA1
050bd3a95fc3c1a66a9fa11a7649afe95b48e5ca

SHA256
793dc8d33fd8190c6d87c39a860ae4d67c6f02a19b573087831b18202f8e413e

SHA512
8df6120445f10fd3a62b72a33f86b1969a42eae85d97154d5f030bebf68d579263be50ba4e0a9758bd9a8698e9680277d1491bebc1b2c91722d0ebab04275510

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Acp.Resources.dll

Filesize
54KB

MD5
318f261f2875d1b6ad27afd9aebce1da

SHA1
6230901e4b145e7ea66160e9726951931a00b7de

SHA256
839942ba4c0e36ad27355f65acf6520bbd6fa0967bfd3d9d6ddec520ca4fc3c9

SHA512
379c89f2d165a1551c459984f3aeec556499c2cc7346f4a346d5b651f5a729c44b0f84c68b48f120f8c5ddaba0bfa2895421acb7261f266dd5743ce8fa6a6c80

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Acp.dll

Filesize
151KB

MD5
93b9f3f908fd317f6400044ace1426b8

SHA1
28a81a9e705837007143c1933a436941bc0e3e73

SHA256
4c20af4eb824f54308a3d0fcb1e0c02705e36f4066a96d3187ff61cbd324bfbf

SHA512
6b32af4a9e63320ca20daea161c655ad58a4bcaffa8c0ecbe40cf2f41599a09bdc3306916e87777259ade6b120e2eb193e79ca4345268a49786159779d2aead1

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Common.Acp.AppClient.dll

Filesize
43KB

MD5
223b514db361069dbe4e56983113092a

SHA1
13a71fb55e6cda7db64df764b4073fd59ea6dce7

SHA256
c09d32229c51eb1f4bfb7132002e68acc61883fda68365fcd274439eda332af7

SHA512
2010806d2a3f60e9714e98e856fab7d651e0cd7f93bdf146ab2870c4a5581dc3809483fd045c40bbeaf1652e0bbb1d06539876d7173a03ee4a71024a2f29e7ee

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Common.Core.dll

Filesize
67KB

MD5
12cc33847b511eaab85d42a62bd7770e

SHA1
240a3ec390e8271d24687de2d24e221483d7d4dd

SHA256
48d0e13ee24af3fe5bd666b410b59f6a12dceca0fabb3038cf29779cbede835a

SHA512
94b22e8e0dcac61480213e1292a2e0d93b58d19e5ab7168ed6954a21a67cdd2c33521164d351cdb45d9621a7b21ad979c1f4f013b4f09d53fb98d338838f0e73

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Messaging.dll

Filesize
46KB

MD5
f59d38fa0dc7bafff65f9ea5bb88490b

SHA1
a0b3da5df01e851f5880934183bf6fd0b3882657

SHA256
58d3cc5b59d8f9eb3a187de1377cd40ebf38852944b6d7d59abae64be5416cb0

SHA512
b22ec4b48f052bb049cc2c5e285efbbd2dbad1adf77f3c18b832a7bf60872984464ab2fcded4f4e7734d91fd0e671f6d2b56660d277c64b18594c6f21e6f6f81

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe

Filesize
236KB

MD5
01fbb420b06ddc49ed8194292b387425

SHA1
203404e993901ba47a166938ea62ea52fabdd2b4

SHA256
f9e95d2d3760b2b56f70daad4db65781b090ff014029c6b4e2b7897d0e685cf8

SHA512
b488e8d2348e7efa39cf052007421e90fa83724b40f3599444c8dc57cdfa36e2a765d3c377cfcbc45262662844792ebc49f0f4bcf2fa6cdcaa3f3337daef6912

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VPN.Acp.dll

Filesize
31KB

MD5
e8cdcbb79fc2efa8b55a79ae427482d3

SHA1
a25f319970661010d9e50948786832f89f493e01

SHA256
4f1da0dff5d32ef6150a6de7e37907d810f55f4f5e2aa870c4225488af2a3c3d

SHA512
df51a2d0d360618517bb8a4deaaa967d78b3c8417a5c78058516db26031bb450e626ef7c0748baa6d7cefa4fa8f9c74c32b17a761bc5b79f331c517131aa9f63

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VPN.Core.dll

Filesize
143KB

MD5
43e6727daed1d298b448ab2ce52a2cad

SHA1
ec25e38127a76399669c34742b6d449f8bf3c784

SHA256
fb7c8fa2243822e609f44e3a0de1f7c6fb03e4c9325d1065f44302ffac494eff

SHA512
2afd6f036a8120da5dac5722b8d53764fbb40ff39024b4f03dd7aa531b474ee024a8a569750cb1888b6f1adfdfc6bb0a5bb47f035f0da415639d18b773c89e8f

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VPN.NotifierClient.dll

Filesize
27KB

MD5
191011e0325600c321c13a5d642dce8c

SHA1
630384ab0c3dcff33964ca8869dd31510ecb8d8d

SHA256
b267d1b02da761ff4b2ab2cc72904eab942692929155da7c09e7368492646b89

SHA512
8d015e9c706386b47f46f51959ed28169c05b6215442eb3dab2987fd1547dbbc68903ad6667f96c37088eb933dd17bf6ed16d8da678fd44ec3ccb43d5a2be651

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VPN.OeConnector.dll

Filesize
40KB

MD5
a382bb982dac18b9b2bee6ab353827be

SHA1
5a88ae7ff1d42ce4979e2ac6f6f4d82ea12ec6fd

SHA256
b818007801ca7f12c18695aafb18475898f692c0c76a352b49167c57095999b4

SHA512
c5eb76520798a284988e084171d5c996e6cf52b94fdb8b3620aeecce5a20111b4020eb2a9f1f8fb59ecaeede97564b853088ca04237ba0fc3be32d76a5e3fd60

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe

Filesize
380KB

MD5
909650ffdd67f61b1bacdadf30cef13e

SHA1
9c1827d1ad678d6c0eed6f110fcc7ce477435598

SHA256
dea6fa4e7ccb8f10846c14500d88d17f2a0a678ae0648ae768965f18450b6aa9

SHA512
5a726fcc0535ca4e63eef08a6ff4e3b1054048aa3895843c550a6d1ea456503e541ebb5c8fb086f3d45058c7297add85a29c18377f3e8cca12b76c47a91b4753

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe.config

Filesize
8KB

MD5
4527b654464acc681c7f1899b2b910ff

SHA1
93f86fc08801952bd79a16786ad688496d459368

SHA256
05210b2ddc6846c10a95b1f0874240930771c0f4383b60478fbf9585b3a67c61

SHA512
288da0f4ad7af467650e5fffb034c1676cf802272d53e21594b2eb1f560ca16a0e977bf4eeda409be88606fc15d052d2b41b808fa99a0c251a810839e889baee

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe.config

Filesize
3KB

MD5
0d46bdc17f97e662981fd6ac11888307

SHA1
a0c99f49febe776dc8cbee1f7ba9f31cf24d7059

SHA256
a2b68cd7ad5e1158d182d59131488a0aa84c106f142ab62451bc284c72218216

SHA512
3582ed4c1a001209ff4cb938020b65886e0a95b8466f91074aa3b2b7df57d5c1278c10105e696a2ac7a0453bd9ea26742042bd5f51fee20461d151300050e8a0

Download Submit
C:\Program Files (x86)\Avira\VPN\Defaults\ProductSettings.json

Filesize
1KB

MD5
f9eb282786f0c1d27f9f6ae8b448d4d1

SHA1
df4f115df8a7dc8ffc2d7dbdd9953170cb0f8b32

SHA256
7e84e38c4b147fa13e871249a9986c4621176ed0afc88c999901e354f603d096

SHA512
db8a15d8b7b830dd63819eea73aa160accee27dca61a4b9b76d30f9b4161d28307c47d1f412faad9f92d2b77c17832226c16e8db0bb1d413444de1e918692753

Download Submit
C:\Program Files (x86)\Avira\VPN\Messaging.dll

Filesize
36KB

MD5
198703a2aa65565b3c6232add7d9d22d

SHA1
b161ab7056be4892ca92bea1d3ce21d228c4641f

SHA256
304c76f16380cdfbe2a1adbbd36f3a9e3a9bcd8c6901a400f0add66027f885b7

SHA512
603594e89f1e23d5f649a65d8cb8fbf25bdbc7be4213b436c9bc14518fe81d2eed9393c051f1b97ccb6725ed62bee811b88f9c70262d03f5015b3aebc951f591

Download Submit
C:\Program Files (x86)\Avira\VPN\Newtonsoft.Json.dll

Filesize
693KB

MD5
a358964e94bf3cb71172d6776f28fc3d

SHA1
9f16e876559759cdb52a0cb05db6528dd8f1951c

SHA256
cdf68de50fc05055120968d89dfa40f0dcd0a052fe381de1daa312e84b6e41f4

SHA512
5de2c65e1e14443ebcff3f09bc7639c7bf9f1033b11533229df610480c9149292cc3336902102c9983368914e92a49a76edfae493b0378e7212e69e3e808c6ca

Download Submit
C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\amd64\OemVista.inf

Filesize
7KB

MD5
66b9dec2074c3425e6ee6382aa3600c1

SHA1
372b2b314cfa40450303c52c52ab1b24516abca6

SHA256
427f9551921202143ba72f8d3abec45ad7c887a827fac2864a501551ce309685

SHA512
a9c64b8686f750700fe63fa214e4f0780918edc365e8ed8dda4d0305aaf90d74280a47e0c3c688ec1ca6a7b7fd270e24446fcf33c7343b292ea83279d23b85a8

Download Submit
C:\Program Files (x86)\Avira\VPN\Serilog.Sinks.File.dll

Filesize
35KB

MD5
97f20eb6f1c67873802f0851859e2aed

SHA1
45e83bdbc9c6d992df5bb7233e9a0f8f661c38b2

SHA256
d1a929b7aa1b1cfa330a33b3c1f238fb1fcf73c7bd9d43bc3579ad8a9625d824

SHA512
0180e31bf95e1ecc6cffc90cbab5b736c61d86bd5b0ac23ae9f3ac7f7602e2b63a0e6f579ff7105f891547deb9beb8bd86fd16995cea4b62b80439a56f7cb761

Download Submit
C:\Program Files (x86)\Avira\VPN\Serilog.dll

Filesize
150KB

MD5
a4cb9f0cd0a7f720cadb28c07542d3de

SHA1
39d5a8fc0474224211db95fa80c6c7d12864c8a8

SHA256
f14f61e815adbb6403ff70941c7d98f1836792dcd4cdf1fbc77f9164694fc932

SHA512
1044a204a3ba81739cb3d937571d9f70fa92e45c754341b35fbbdd5d604ccf8c005b7c92877437f9a827b8ab478627a08c3dca6bf5fa0bc9df72ce2f02f200ca

Download Submit
C:\Program Files (x86)\Avira\VPN\ServiceStack.Text.dll

Filesize
199KB

MD5
537b82928ce015be0594e07587267e41

SHA1
4203b59a6563832db4c012e62e09a66501f8ee62

SHA256
93003778ab63e158cc18b86066e8fbb2c0104cae570dc3f53aa56b38faf41817

SHA512
a073f4b23a1ade5cd27972996fd1b1feeb50c0a04a1c6640124b62cfc2b8b911e793bdbd673147cd89d8ef67b87eaa51668e540f287bdf4d7bb33092aa9d1fd4

Download Submit
C:\Program Files (x86)\Avira\VPN\SharpRaven.dll

Filesize
100KB

MD5
e66983a1cceb2c7cd3f7e3448957d9f6

SHA1
b97981265121322034e04f567faf39cbdbd19679

SHA256
5521dc13a0264e2f178e205b2fbf76c57ed34ef650bd7508348cba0c9f6b2dd6

SHA512
455fe9b542faca8f4add763de2df1fdb4c8b5371e3cdd8df9fda6d743e9c59c22f45a13097159aa92e6fe4d75c2c62aa1192d029368fd4ae58ce4d3f0a2052f2

Download Submit
C:\Program Files (x86)\Avira\VPN\System.Diagnostics.DiagnosticSource.dll

Filesize
169KB

MD5
8a260507f7fe8815fdfd66b97678ddaf

SHA1
2d0893fd0b2cc6c4e83d90ac8ef114bdf229d3e7

SHA256
30fbf5b1aa8736badeebb85a2e630dc44b65659564d6e8399a71a887e2244b98

SHA512
379adb0692dfa46e399e28fe2ea9a0f0a2106f6b5c6b74456f376726d921f3e44cee3c9489fc774ed4b1dad5cbc24247b5e1c2ad2d6efe9cbff469f9eaa44024

Download Submit
C:\Program Files (x86)\Avira\VPN\VPN.Core.dll

Filesize
179KB

MD5
ea3cfd2c4256b3045d7a812c12023feb

SHA1
2b3a99ca1876c0f34a7d771227cc35d779077c02

SHA256
13db96190d32798a2a1224b309991a69300424f5345d83684ed13c074371dd67

SHA512
fc04f26847cd34201fc7e3e2060487a72dac9afc29df849731f311c93f5422cd79031ebc1d28dc2190cee7ceeb66b33a0550ee866981d0646ad9f48a1cd42292

Download Submit
C:\Program Files (x86)\Avira\VPN\en-US\Avira.VpnService.resources.dll

Filesize
21KB

MD5
05d0d2f37e6b683e59cdfd05bcb3b08a

SHA1
b21b207367d0b5dba10d67e9bcc5c29175aa6ab9

SHA256
57b7256eec2eb64deb1f52ecc3ea529c061b99ae009e4a28f70ad76ce565cbc4

SHA512
4c1fa9a21599cc86d4de858d4adb870135be706394a009241425d166c417b9216393ec721ac9f4e2e6659f1d39036672d582a11265a57c715b592f60f5399070

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.backup

Filesize
6KB

MD5
d0a82d1f6812d69aab47854a72db915c

SHA1
d0c7eee94f5e20351b4f411898669be86be5836f

SHA256
8cd642c39ec85d454ff8a598279fff07e10c7b59fa5802118146ef6bb261850b

SHA512
4dda2f2bc580772edee950af469ae222e9e5b57d007f5c092fb35e8ebc283e8a8ba911ce54c23082b7124ac1f44b5ef330d0f35f2aea9dc26be5480606bbfa69

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.backup

Filesize
5KB

MD5
27fa586219c9656a2f3bec47447f3cbf

SHA1
f385f165b1b84300a9aba5dcd98c45fa8baaa6e5

SHA256
5dded8290aa9e5889b89afcf0ad0e4007af076757e12b396a8e2eb8b8ecce15d

SHA512
7a2400e2554da716d52d6afcf59475058800ee02dceaca9cbba981a31e984e8d2b3a965ffb4ef64cf02453186011f7d6f8ab44e8c559bf03ceee3083bbcd00d5

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.config

Filesize
6KB

MD5
c260750ef073ff5f47f56ba1115eb25d

SHA1
37e52aac332a5ec71c78f9059b910117fe923222

SHA256
2fde44bd25894e3a626297de734fe83736bd4d970a86895c59a330a19dcb3d5f

SHA512
2229f2bf94f26b7e032b71b2eee05c8cbee938eac0c9a32405e9736e62a47585b54b66fb379af0e343b7ce487b09cb28158b7a21de02bfab29a003327aa0f9e0

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
1KB

MD5
941f3c5af47e1ef6d5eaaa897a922142

SHA1
defe0a07d44c31530aaccff3dbd52182a8d7116d

SHA256
4b51a7f44686932fb87ff786c02c889f255c4d85eb72ba4258be2402b47ce973

SHA512
ae01c4c7c74853fbd84c426eddc91d937bff8e321ee6e23642e6a37a45d62857a40ccfd1ded982d36e9d27857e099a83d47c4adce28ac2d575c2be4951ba34ff

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
1KB

MD5
bbbe3fcafe6dc3dcd2e6adf3c250f60f

SHA1
982a81dcced907528230ca05c011b284cf16f60c

SHA256
3da92565b94fa79942dff1838ce81107d2d92f1f5b9c3333302e29f0cbed1620

SHA512
5ea52b29faacf9f15ea7a827d49c44db022a5538814591201689e67d42953181a5fa08565f9edf80986fe93164d7ba98eeb4cf1552cc17779fb761c021b5b11f

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
1KB

MD5
a0756e46630ffe94c093dec1b8922302

SHA1
e44ae0a64a44d1324d3fb8602508b348f5f10641

SHA256
29695034f9c3969ea595bffe38a1c97ce0291a8a14b94c7137a30771f49e628c

SHA512
921a8c28edc6bd708525498b87054321ed2f471b2160dba6fe7e46bf661c202c570def460edead0681cc4255ed86946ef1f641d5ca9505254e47940c1dc0ed8f

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
1KB

MD5
eb8409db0dc21bfec1ce811fdc2f4f86

SHA1
3e653350eacbc1291e1d2fb51ad4a2abac54e950

SHA256
73c21572ca27710c8565077356a0034ff1867a56148fc5c0700b6e99dc6bff56

SHA512
76bb5be1c785de17fce29f49261db161a98eaf576c52f74d6f7db0251edadd3dd42cf4b40033bfc8c7d495bae2e262bb7ac4d13c0c2a30fc86079e371bed3190

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.config

Filesize
1KB

MD5
15d329e42c82e88d24a101df3a20b5b9

SHA1
c8227ba9ce6892c532e8e43a8b1c9d94183a0ce6

SHA256
abd246496373cd49bfcd63bc2d740874dde83c11598137526e9ff75056cfb58f

SHA512
06d5a641fab000037d2c84f9e1f33920eccec1ae1e3145525b537eaa5ce7db605bcb0b5cbec7b63d1d370c64a0db9267f708b3b10bc354fa24739fa1e4d13c1f

Download Submit
C:\ProgramData\Avira\VPN\vpndbg.log

Filesize
7KB

MD5
d405b3cb5f4bad0ae9af798e578aaf3d

SHA1
1a6a2e910e4b13a41d85851ec1c665e24c197302

SHA256
fa878fec25d0480c3439b78a9ed05b481779da35a7e1db9f7b03922b567d0407

SHA512
08c3d3bda4709ce7056916a49e5c2fbfcc629012b571a1ed3df02d9d799dd491456dee003da8450857baff841bdb3e0558e8eb238384aad05a66925f3eb17634

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab58BC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar58CF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CQLIB.tmp\Avira Phantom VPN Pro 2.44.1.19908.tmp

Filesize
1.5MB

MD5
0c1c8eb89026af3bc48b56d10759c400

SHA1
46052ea988389f440ebbf5ff2fe3cc4570f2131c

SHA256
02febfffcac96296e9cbad84cccf0153a11c051e0f2421e86360eccfc21f7f4d

SHA512
5c85df79f85c31557cb9d5d5974314fddd71ddaf66427c5d673b5db887b752a31e2dd510b2ab0bc5953751037c97e436c6bfa149a22ae7a8031a24e92c319d20

Download Submit
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_00af225a2e272bde\oemvista.PNF

Filesize
8KB

MD5
de0fd021c9f0a0672a548c0993bda27f

SHA1
853386e091be9859ba4e0b46bc2200c4bde73770

SHA256
1b096fbbef8d0d038ccc8c8d4a6954df0952b67ef867ae7ce0b4132ed4a4efcf

SHA512
ca3fd721766cf604f7721436a497f0b9cea2de18017506665ab59df70a73eca6645aa045251c5a8c6eec8e15151ea3edf59c44f831082ef92b1d164af4e5d252

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
37356d454b41f24820fec7d295ce433a

SHA1
b3add17273bdc93a60213752ef1f8bace0773b27

SHA256
066f3e5043c2e11142ccc2767e452a42410353bde0a288e310205236cf910e78

SHA512
608cb031481cc7f0dd3433a6620b7f50223b66bd426608da4a329c2593754a88e5f1eb228ce583842811ad13e2c10432bd9f076dc6fa85a681f31794f48ecbf4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
c0c31b5e190a7ce98323004be67ea144

SHA1
edb000aca4466d7038c2a8f59a17be6724b4635c

SHA256
1e15c75703447dfe035c3331b7fd7ddff224453d00002d545b11b631d980200f

SHA512
c4e5e56cddaa48085030c400aaa897d2d4c744eb9dde33b2ad8ec62849ca18f7541025018f56ab67715aa9e247a2867d6a3257f3f69f4521c09efd19772c9e15

Download Submit
C:\Windows\Temp\Cab5997.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar599A.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\inf\oem2.PNF

Filesize
8KB

MD5
14ef9a70830b8a1073276ee8d444cac6

SHA1
fd195b9481f6c2642b7415ff418a282bec721143

SHA256
1712eb6d246cb7c3e4d4aea13b778f65a2a57aef9b78b9fe5e41cb8dd4731fe3

SHA512
794c63651a666c276a676a35c492a1dbb30216c7a93dd8a01646f23600bc3b2d8af9d0a8b0249c807e7ec92ba85defd36d9d2fcdc5177cb5713ee0918b09caf3

Download Submit
\??\c:\PROGRA~2\avira\vpn\openvpn\tap\win7\amd64\PHANTO~1.SYS

Filesize
38KB

MD5
03b2a36ceb6f61154a4c668718d2dfd8

SHA1
17232ef7f2748ba8c7d1d65004e954a40f967ba0

SHA256
f2414bfba1c8a4fd2cafa0695832886a7f4cbad9a0d9e2e6c13f6e4803bfc604

SHA512
81357c0327e0841421dc6b95ea1ee05c465c95bab59a95b221827597b5b870d8f852c3d23689d174c655dc86535e11a2d33de51e838928a4b05ea1bbe655221d

Download Submit
\??\c:\program files (x86)\avira\vpn\openvpn\tap\win7\amd64\phantomtap.cat

Filesize
9KB

MD5
7140745f8abeebde6cdaa372f6f4d654

SHA1
e88a1a8bc76e3ee60700bed13419291a57bdd6f7

SHA256
23fa82d166e5ea49da9ea65683e9df0544d9b3012e725ac528e6cd0ccb37ce14

SHA512
56f956ca02bb89ba68637b3bf5b3591a378a0b9621b2379c15d4bd54d6d403e76ced31d9260d43936bf83a43ebd7bd758072dde3ce3ca36435ac56fa9607c387

Download Submit
\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe

Filesize
815KB

MD5
ea069f7019a7b305cff275aed802a2ca

SHA1
d2b955656a234b507e8fe9d41395fbb97701ba43

SHA256
0a2d4aaab11291d99542e74689bc6265bb2a7922d8870167bdcc3210f0627273

SHA512
3980747d2acad456b3c5fb6ad3550c9f1520bc54c5ff68d0137d8e2682632e85f26ccd3703aab6c394bfd43f05e5699bc07240ab23e2492358363487bb68cfa5

Download Submit
\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\amd64\tapinstall.exe

Filesize
482KB

MD5
2b1bddf7f9d3190ff73563a41bcb72be

SHA1
8a522e9cb1007b922cec9e5ed2b70f01ff12cf0d

SHA256
85ab4bbb77ab248956d0da02ace1a2bc58ce6c6db9f421808ef03ed31bbcf3b6

SHA512
6a42ac53262c6bafc8d7a5ff225acb07754af8cf044f0135251d4b3cf983a53494d755052296cf49627b3bbe6acead3aa9bacc33b51d222a1d2a0fe6d2bb4f93

Download Submit
\Program Files (x86)\Avira\VPN\unins000.exe

Filesize
1.5MB

MD5
f019d7be022910406834ae32e6f3417e

SHA1
3853827aa54a1f4ea8d23533247a40d586981386

SHA256
7597b3dbf0fce4d5ce61285d7702f067e04c00025f6ae6e9378227b060ab4cef

SHA512
8b2d32de2fe6d30d52caaaa0f2997afc2836b479f1ddc8ccc41da0f3c49135227a5c512ccbabf5ecb6898d5cb21228004524ecccfe72a2a3401874f718f269b2

Download Submit
\Users\Admin\AppData\Local\Temp\is-M9DP5.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1516-1397-0x0000000001200000-0x00000000012CE000-memory.dmp

Filesize
824KB

Download
memory/2300-1181-0x0000000000BB0000-0x0000000000BD6000-memory.dmp

Filesize
152KB

Download
memory/2692-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2692-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2692-1419-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2692-1090-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2744-1237-0x0000000019980000-0x000000001998E000-memory.dmp

Filesize
56KB

Download
memory/2744-1215-0x0000000000E50000-0x0000000000E58000-memory.dmp

Filesize
32KB

Download
memory/2744-1189-0x00000000004D0000-0x0000000000504000-memory.dmp

Filesize
208KB

Download
memory/2744-1193-0x0000000000AF0000-0x0000000000BA2000-memory.dmp

Filesize
712KB

Download
memory/2744-1185-0x0000000000E70000-0x0000000000ED4000-memory.dmp

Filesize
400KB

Download
memory/2744-1235-0x0000000019860000-0x0000000019872000-memory.dmp

Filesize
72KB

Download
memory/2744-1212-0x0000000000E30000-0x0000000000E40000-memory.dmp

Filesize
64KB

Download
memory/2744-1233-0x0000000019830000-0x000000001985A000-memory.dmp

Filesize
168KB

Download
memory/2744-1187-0x00000000004A0000-0x00000000004CA000-memory.dmp

Filesize
168KB

Download
memory/2744-1231-0x0000000019820000-0x000000001982C000-memory.dmp

Filesize
48KB

Download
memory/2744-1241-0x00000000199D0000-0x00000000199D8000-memory.dmp

Filesize
32KB

Download
memory/2744-1243-0x00000000199E0000-0x00000000199EA000-memory.dmp

Filesize
40KB

Download
memory/2744-1229-0x0000000019810000-0x000000001981E000-memory.dmp

Filesize
56KB

Download
memory/2744-1191-0x0000000000510000-0x000000000053A000-memory.dmp

Filesize
168KB

Download
memory/2744-1198-0x0000000000BD0000-0x0000000000BE4000-memory.dmp

Filesize
80KB

Download
memory/2744-1222-0x0000000000E60000-0x0000000000E6E000-memory.dmp

Filesize
56KB

Download
memory/2744-1224-0x0000000019410000-0x000000001941A000-memory.dmp

Filesize
40KB

Download
memory/2744-1196-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

Filesize
48KB

Download
memory/2744-1210-0x0000000000E10000-0x0000000000E2C000-memory.dmp

Filesize
112KB

Download
memory/2744-1239-0x0000000019990000-0x00000000199C6000-memory.dmp

Filesize
216KB

Download
memory/2744-1214-0x0000000000EE0000-0x0000000000F0E000-memory.dmp

Filesize
184KB

Download
memory/2768-10-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2768-1418-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2768-1273-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2768-1091-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download