940ec4012984218f6e314d793c995b3cb3c3366aabba0308fece77fe2ed7abb7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Avira Phantom VPN Pro 2.44.1.19908.exe
Size

5.2MB
MD5

0fe5732c15e8150c8f107a0e73db4e45
SHA1

a3b4e14d09b82d365dbf52480854e399b2672f34
SHA256

940ec4012984218f6e314d793c995b3cb3c3366aabba0308fece77fe2ed7abb7
SHA512

2cedc194be8ec37a7d035bcf4af42ea74a6a51fa220ea2d9edc406ae5a7b4dea022f1287c09a22f59a552e23a20730821184434cee2879371db0a78897d0e292
SSDEEP

98304:w0FHAF/aUuvI2peNyoiOC+uWiOqXL6cY9J54jqrZwY8v:xFHAFdCpwy+PeOZ9J5v2YQ

Score

8^/10

discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\SET8AEA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\phantomtap.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SET8AEA.tmp	DrvInst.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4900	netsh.exe
2284	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	Avira Phantom VPN Pro 2.44.1.19908.tmp

Executes dropped EXE 5 IoCs

pid	Process
2680	Avira Phantom VPN Pro 2.44.1.19908.tmp
4844	tapinstall.exe
3912	Avira.VpnService.exe
1652	Avira.NetworkBlocker.exe
1936	Avira.WebAppHost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Security\Benchmark	Avira.VpnService.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0495b410-5277-ea40-8825-207777502dfd}\SET89E1.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0495b410-5277-ea40-8825-207777502dfd}\SET89E3.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_00af225a2e272bde\oemvista.PNF	tapinstall.exe
File created	C:\Windows\System32\DriverStore\Temp\{0495b410-5277-ea40-8825-207777502dfd}\SET89E1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0495b410-5277-ea40-8825-207777502dfd}\phantomtap.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0495b410-5277-ea40-8825-207777502dfd}	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0495b410-5277-ea40-8825-207777502dfd}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0495b410-5277-ea40-8825-207777502dfd}\phantomtap.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_00af225a2e272bde\phantomtap.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_00af225a2e272bde\phantomtap.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0495b410-5277-ea40-8825-207777502dfd}\SET89E2.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0495b410-5277-ea40-8825-207777502dfd}\SET89E2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0495b410-5277-ea40-8825-207777502dfd}\SET89E3.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_00af225a2e272bde\oemvista.inf	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Avira\VPN\is-1NPQQ.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-7A259.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-8G026.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\is-13T4R.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-DNB5I.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win10\amd64\is-S8G99.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\amd64\is-L6PR7.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\is-PE4CB.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-2C15L.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-R37GI.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-UHKUC.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-IVSC7.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\Newtonsoft.Json.dll	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\images\is-5VKU5.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\Avira.Common.Acp.AppClient.dll	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-KBJ92.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-MDNGN.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\fonts\is-PSGT4.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-2BMP3.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-HHIR4.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-OB0PE.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\it-IT\is-P7QJD.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-02A6T.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\Avira.Acp.Resources.dll	Avira Phantom VPN Pro 2.44.1.19908.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\Avira.VPN.Notifier.exe	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\is-8IDI8.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\purchase\is-73QHV.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-FPL8H.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\OpenVpn\is-SAL04.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-59AMH.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-DV0J3.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-CMIHF.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-D45SP.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\is-6JHCQ.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win10\amd64\is-BQ11T.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-FVPR8.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-20Q5M.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\is-N57EU.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\is-HBPFS.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-6P9N1.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\ru-RU\is-T40T2.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\Avira.Messaging.dll	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-98J85.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-N8A55.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\is-5VD1A.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-3PV75.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\tr-TR\Avira.VpnService.resources.dll	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-65E7B.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-C2VOE.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-RJ17L.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\tr-TR\is-1PNCE.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-EPR3C.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-2TS0N.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-K39LM.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-NQ3D8.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\is-9VING.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win10\i386\tapinstall.exe	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-U96VF.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-1HM3O.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-PVNEM.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-TA2EV.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-6CN7E.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\is-VD21D.tmp	Avira Phantom VPN Pro 2.44.1.19908.tmp

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5096	sc.exe
620	sc.exe
1112	sc.exe
2652	sc.exe
4524	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 62 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Avira.VpnService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Avira.VpnService.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3176	timeout.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4828	taskkill.exe
3036	taskkill.exe
2820	taskkill.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Avira.VpnService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "a47578f5d4ea4c6485af32eea420ef4ec5b78bdf"	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "2318d19473cb46b197cc171986e95abfe205dc24"	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\machine = "7892c3e1cc7e421a91dce82ff359fa8ab36854ef"	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "ed53bfda50b2413a9be2629b79673e934a934bbf"	Avira.WebAppHost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2680	Avira Phantom VPN Pro 2.44.1.19908.tmp
2680	Avira Phantom VPN Pro 2.44.1.19908.tmp
3912	Avira.VpnService.exe
3912	Avira.VpnService.exe
1936	Avira.WebAppHost.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	4828	taskkill.exe
Token: SeAuditPrivilege	1972	svchost.exe
Token: SeSecurityPrivilege	1972	svchost.exe
Token: SeLoadDriverPrivilege	4844	tapinstall.exe
Token: SeRestorePrivilege	1204	DrvInst.exe
Token: SeBackupPrivilege	1204	DrvInst.exe
Token: SeLoadDriverPrivilege	1204	DrvInst.exe
Token: SeLoadDriverPrivilege	1204	DrvInst.exe
Token: SeLoadDriverPrivilege	1204	DrvInst.exe
Token: SeDebugPrivilege	3912	Avira.VpnService.exe
Token: SeDebugPrivilege	1936	Avira.WebAppHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2680	Avira Phantom VPN Pro 2.44.1.19908.tmp

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2680	2844	Avira Phantom VPN Pro 2.44.1.19908.exe	85
PID 2844 wrote to memory of 2680	2844	Avira Phantom VPN Pro 2.44.1.19908.exe	85
PID 2844 wrote to memory of 2680	2844	Avira Phantom VPN Pro 2.44.1.19908.exe	85
PID 2680 wrote to memory of 3036	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	87
PID 2680 wrote to memory of 3036	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	87
PID 2680 wrote to memory of 3036	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	87
PID 2680 wrote to memory of 2820	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	88
PID 2680 wrote to memory of 2820	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	88
PID 2680 wrote to memory of 2820	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	88
PID 2680 wrote to memory of 4828	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	91
PID 2680 wrote to memory of 4828	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	91
PID 2680 wrote to memory of 4828	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	91
PID 2680 wrote to memory of 5096	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	93
PID 2680 wrote to memory of 5096	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	93
PID 2680 wrote to memory of 5096	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	93
PID 2680 wrote to memory of 4844	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	97
PID 2680 wrote to memory of 4844	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	97
PID 1972 wrote to memory of 216	1972	svchost.exe	100
PID 1972 wrote to memory of 216	1972	svchost.exe	100
PID 1972 wrote to memory of 1204	1972	svchost.exe	101
PID 1972 wrote to memory of 1204	1972	svchost.exe	101
PID 2680 wrote to memory of 620	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	104
PID 2680 wrote to memory of 620	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	104
PID 2680 wrote to memory of 620	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	104
PID 2680 wrote to memory of 1112	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	106
PID 2680 wrote to memory of 1112	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	106
PID 2680 wrote to memory of 1112	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	106
PID 2680 wrote to memory of 2652	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	109
PID 2680 wrote to memory of 2652	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	109
PID 2680 wrote to memory of 2652	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	109
PID 2680 wrote to memory of 4524	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	111
PID 2680 wrote to memory of 4524	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	111
PID 2680 wrote to memory of 4524	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	111
PID 2680 wrote to memory of 4900	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	113
PID 2680 wrote to memory of 4900	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	113
PID 2680 wrote to memory of 4900	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	113
PID 2680 wrote to memory of 2284	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	115
PID 2680 wrote to memory of 2284	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	115
PID 2680 wrote to memory of 2284	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	115
PID 3912 wrote to memory of 1652	3912	Avira.VpnService.exe	117
PID 3912 wrote to memory of 1652	3912	Avira.VpnService.exe	117
PID 3912 wrote to memory of 1652	3912	Avira.VpnService.exe	117
PID 2680 wrote to memory of 3448	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	119
PID 2680 wrote to memory of 3448	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	119
PID 2680 wrote to memory of 3448	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	119
PID 3448 wrote to memory of 3176	3448	cmd.exe	121
PID 3448 wrote to memory of 3176	3448	cmd.exe	121
PID 3448 wrote to memory of 3176	3448	cmd.exe	121
PID 2680 wrote to memory of 1936	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	122
PID 2680 wrote to memory of 1936	2680	Avira Phantom VPN Pro 2.44.1.19908.tmp	122

C:\Users\Admin\AppData\Local\Temp\Avira Phantom VPN Pro 2.44.1.19908.exe
"C:\Users\Admin\AppData\Local\Temp\Avira Phantom VPN Pro 2.44.1.19908.exe" @ECHO OFF Color 0B @cls echo. echo. echo. @echo ////////////////////////////////////////////////////////////// @echo / / @echo / Avira Phantom VPN Pro is installing... / @echo / / @echo / Please wait... / @echo / / @echo / Dont close this window / @echo / / @echo ////////////////////////////////////////////////////////////// @echo off FOR %%i IN ("Avira Phantom VPN Pro*.exe") DO Set FileName="%%i" %FileName% /VERYSILENT
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\is-7PGU8.tmp\Avira Phantom VPN Pro 2.44.1.19908.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-7PGU8.tmp\Avira Phantom VPN Pro 2.44.1.19908.tmp" /SL5="$B01E2,4884611,248832,C:\Users\Admin\AppData\Local\Temp\Avira Phantom VPN Pro 2.44.1.19908.exe" @ECHO OFF Color 0B @cls echo. echo. echo. @echo ////////////////////////////////////////////////////////////// @echo / / @echo / Avira Phantom VPN Pro is installing... / @echo / / @echo / Please wait... / @echo / / @echo / Dont close this window / @echo / / @echo ////////////////////////////////////////////////////////////// @echo off FOR %%i IN ("Avira Phantom VPN Pro*.exe") DO Set FileName="%%i" %FileName% /VERYSILENT
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im Avira.WebAppHost.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im Avira.VPN.Notifier.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im Avira.NetworkBlocker.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" stop AviraPhantomVPN
    3⤵
    - Launches sc.exe
    PID:5096
- - C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win10\amd64\tapinstall.exe
    "C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win10\amd64\tapinstall.exe" install "C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win10\amd64\OemVista.inf" "phantomtap"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- - C:\Windows\SysWOW64\sc.exe
    "sc" create "AviraPhantomVPN" displayname= "Avira Phantom VPN" start= auto binPath= "C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe"
    3⤵
    - Launches sc.exe
    PID:620
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start "AviraPhantomVPN"
    3⤵
    - Launches sc.exe
    PID:1112
- - C:\Windows\SysWOW64\sc.exe
    "sc" description "AviraPhantomVPN" "AviraPhantomVPN"
    3⤵
    - Launches sc.exe
    PID:2652
- - C:\Windows\SysWOW64\sc.exe
    "sc" failure AviraPhantomVPN reset= 86400 actions= restart/5000/restart/10000//1000
    3⤵
    - Launches sc.exe
    PID:4524
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule dir=in action=allow program="C:\Program Files (x86)\Avira\VPN\OpenVpn\phantomvpn.exe" enable=yes profile=any name="Avira Phantom VPN"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4900
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule dir=out action=allow program="C:\Program Files (x86)\Avira\VPN\OpenVpn\phantomvpn.exe" enable=yes profile=any name="Avira Phantom VPN"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C TIMEOUT 10
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Windows\SysWOW64\timeout.exe
      TIMEOUT 10
      4⤵
      Delays execution with timeout.exe
      PID:3176
- - C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
    "C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe" /migrateSettings
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3f23bb9a-e83c-9d42-894b-7aee2ca91c2f}\oemvista.inf" "9" "457afe35b" "0000000000000144" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\avira\vpn\openvpn\tap\win10\amd64"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:216
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:phantomtap.ndi:9.24.2.601:phantomtap," "457afe35b" "0000000000000144"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:1204

C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe
"C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe"
1⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe
  "C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe" delete
  2⤵
  - Executes dropped EXE
  PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-GG4JT.tmp

Filesize
743B

MD5
d3b58f803a9a01a59210dd673998a229

SHA1
6caddb6c8e749e9c5b786a3984bb7bdbba2bafc5

SHA256
3cf52e677d7f7be201cbf6e3ec56ed1f48b95c47e5969ef2c2510e270133c4f0

SHA512
88aade4affd629926e473df3d26ecca5ba49c4b77da9343e58729cf3a2b1cd0b9d27d9e019018455bffd18b7a7570a5c14d918eff46deecc5821903f76094988

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Acp.Common.dll

Filesize
14KB

MD5
271d473a99869a462e0200e1776b093c

SHA1
050bd3a95fc3c1a66a9fa11a7649afe95b48e5ca

SHA256
793dc8d33fd8190c6d87c39a860ae4d67c6f02a19b573087831b18202f8e413e

SHA512
8df6120445f10fd3a62b72a33f86b1969a42eae85d97154d5f030bebf68d579263be50ba4e0a9758bd9a8698e9680277d1491bebc1b2c91722d0ebab04275510

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Acp.Resources.dll

Filesize
54KB

MD5
318f261f2875d1b6ad27afd9aebce1da

SHA1
6230901e4b145e7ea66160e9726951931a00b7de

SHA256
839942ba4c0e36ad27355f65acf6520bbd6fa0967bfd3d9d6ddec520ca4fc3c9

SHA512
379c89f2d165a1551c459984f3aeec556499c2cc7346f4a346d5b651f5a729c44b0f84c68b48f120f8c5ddaba0bfa2895421acb7261f266dd5743ce8fa6a6c80

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Acp.dll

Filesize
151KB

MD5
93b9f3f908fd317f6400044ace1426b8

SHA1
28a81a9e705837007143c1933a436941bc0e3e73

SHA256
4c20af4eb824f54308a3d0fcb1e0c02705e36f4066a96d3187ff61cbd324bfbf

SHA512
6b32af4a9e63320ca20daea161c655ad58a4bcaffa8c0ecbe40cf2f41599a09bdc3306916e87777259ade6b120e2eb193e79ca4345268a49786159779d2aead1

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Common.Acp.AppClient.dll

Filesize
43KB

MD5
223b514db361069dbe4e56983113092a

SHA1
13a71fb55e6cda7db64df764b4073fd59ea6dce7

SHA256
c09d32229c51eb1f4bfb7132002e68acc61883fda68365fcd274439eda332af7

SHA512
2010806d2a3f60e9714e98e856fab7d651e0cd7f93bdf146ab2870c4a5581dc3809483fd045c40bbeaf1652e0bbb1d06539876d7173a03ee4a71024a2f29e7ee

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Common.Core.dll

Filesize
67KB

MD5
12cc33847b511eaab85d42a62bd7770e

SHA1
240a3ec390e8271d24687de2d24e221483d7d4dd

SHA256
48d0e13ee24af3fe5bd666b410b59f6a12dceca0fabb3038cf29779cbede835a

SHA512
94b22e8e0dcac61480213e1292a2e0d93b58d19e5ab7168ed6954a21a67cdd2c33521164d351cdb45d9621a7b21ad979c1f4f013b4f09d53fb98d338838f0e73

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Messaging.dll

Filesize
46KB

MD5
f59d38fa0dc7bafff65f9ea5bb88490b

SHA1
a0b3da5df01e851f5880934183bf6fd0b3882657

SHA256
58d3cc5b59d8f9eb3a187de1377cd40ebf38852944b6d7d59abae64be5416cb0

SHA512
b22ec4b48f052bb049cc2c5e285efbbd2dbad1adf77f3c18b832a7bf60872984464ab2fcded4f4e7734d91fd0e671f6d2b56660d277c64b18594c6f21e6f6f81

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe

Filesize
236KB

MD5
01fbb420b06ddc49ed8194292b387425

SHA1
203404e993901ba47a166938ea62ea52fabdd2b4

SHA256
f9e95d2d3760b2b56f70daad4db65781b090ff014029c6b4e2b7897d0e685cf8

SHA512
b488e8d2348e7efa39cf052007421e90fa83724b40f3599444c8dc57cdfa36e2a765d3c377cfcbc45262662844792ebc49f0f4bcf2fa6cdcaa3f3337daef6912

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VPN.Acp.dll

Filesize
31KB

MD5
e8cdcbb79fc2efa8b55a79ae427482d3

SHA1
a25f319970661010d9e50948786832f89f493e01

SHA256
4f1da0dff5d32ef6150a6de7e37907d810f55f4f5e2aa870c4225488af2a3c3d

SHA512
df51a2d0d360618517bb8a4deaaa967d78b3c8417a5c78058516db26031bb450e626ef7c0748baa6d7cefa4fa8f9c74c32b17a761bc5b79f331c517131aa9f63

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VPN.Core.dll

Filesize
143KB

MD5
43e6727daed1d298b448ab2ce52a2cad

SHA1
ec25e38127a76399669c34742b6d449f8bf3c784

SHA256
fb7c8fa2243822e609f44e3a0de1f7c6fb03e4c9325d1065f44302ffac494eff

SHA512
2afd6f036a8120da5dac5722b8d53764fbb40ff39024b4f03dd7aa531b474ee024a8a569750cb1888b6f1adfdfc6bb0a5bb47f035f0da415639d18b773c89e8f

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VPN.NotifierClient.dll

Filesize
27KB

MD5
191011e0325600c321c13a5d642dce8c

SHA1
630384ab0c3dcff33964ca8869dd31510ecb8d8d

SHA256
b267d1b02da761ff4b2ab2cc72904eab942692929155da7c09e7368492646b89

SHA512
8d015e9c706386b47f46f51959ed28169c05b6215442eb3dab2987fd1547dbbc68903ad6667f96c37088eb933dd17bf6ed16d8da678fd44ec3ccb43d5a2be651

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VPN.OeConnector.dll

Filesize
40KB

MD5
a382bb982dac18b9b2bee6ab353827be

SHA1
5a88ae7ff1d42ce4979e2ac6f6f4d82ea12ec6fd

SHA256
b818007801ca7f12c18695aafb18475898f692c0c76a352b49167c57095999b4

SHA512
c5eb76520798a284988e084171d5c996e6cf52b94fdb8b3620aeecce5a20111b4020eb2a9f1f8fb59ecaeede97564b853088ca04237ba0fc3be32d76a5e3fd60

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe

Filesize
380KB

MD5
909650ffdd67f61b1bacdadf30cef13e

SHA1
9c1827d1ad678d6c0eed6f110fcc7ce477435598

SHA256
dea6fa4e7ccb8f10846c14500d88d17f2a0a678ae0648ae768965f18450b6aa9

SHA512
5a726fcc0535ca4e63eef08a6ff4e3b1054048aa3895843c550a6d1ea456503e541ebb5c8fb086f3d45058c7297add85a29c18377f3e8cca12b76c47a91b4753

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe.config

Filesize
8KB

MD5
4527b654464acc681c7f1899b2b910ff

SHA1
93f86fc08801952bd79a16786ad688496d459368

SHA256
05210b2ddc6846c10a95b1f0874240930771c0f4383b60478fbf9585b3a67c61

SHA512
288da0f4ad7af467650e5fffb034c1676cf802272d53e21594b2eb1f560ca16a0e977bf4eeda409be88606fc15d052d2b41b808fa99a0c251a810839e889baee

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe

Filesize
815KB

MD5
ea069f7019a7b305cff275aed802a2ca

SHA1
d2b955656a234b507e8fe9d41395fbb97701ba43

SHA256
0a2d4aaab11291d99542e74689bc6265bb2a7922d8870167bdcc3210f0627273

SHA512
3980747d2acad456b3c5fb6ad3550c9f1520bc54c5ff68d0137d8e2682632e85f26ccd3703aab6c394bfd43f05e5699bc07240ab23e2492358363487bb68cfa5

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe.config

Filesize
3KB

MD5
0d46bdc17f97e662981fd6ac11888307

SHA1
a0c99f49febe776dc8cbee1f7ba9f31cf24d7059

SHA256
a2b68cd7ad5e1158d182d59131488a0aa84c106f142ab62451bc284c72218216

SHA512
3582ed4c1a001209ff4cb938020b65886e0a95b8466f91074aa3b2b7df57d5c1278c10105e696a2ac7a0453bd9ea26742042bd5f51fee20461d151300050e8a0

Download Submit
C:\Program Files (x86)\Avira\VPN\Defaults\ProductSettings.json

Filesize
1KB

MD5
f9eb282786f0c1d27f9f6ae8b448d4d1

SHA1
df4f115df8a7dc8ffc2d7dbdd9953170cb0f8b32

SHA256
7e84e38c4b147fa13e871249a9986c4621176ed0afc88c999901e354f603d096

SHA512
db8a15d8b7b830dd63819eea73aa160accee27dca61a4b9b76d30f9b4161d28307c47d1f412faad9f92d2b77c17832226c16e8db0bb1d413444de1e918692753

Download Submit
C:\Program Files (x86)\Avira\VPN\Messaging.dll

Filesize
36KB

MD5
198703a2aa65565b3c6232add7d9d22d

SHA1
b161ab7056be4892ca92bea1d3ce21d228c4641f

SHA256
304c76f16380cdfbe2a1adbbd36f3a9e3a9bcd8c6901a400f0add66027f885b7

SHA512
603594e89f1e23d5f649a65d8cb8fbf25bdbc7be4213b436c9bc14518fe81d2eed9393c051f1b97ccb6725ed62bee811b88f9c70262d03f5015b3aebc951f591

Download Submit
C:\Program Files (x86)\Avira\VPN\Newtonsoft.Json.dll

Filesize
693KB

MD5
a358964e94bf3cb71172d6776f28fc3d

SHA1
9f16e876559759cdb52a0cb05db6528dd8f1951c

SHA256
cdf68de50fc05055120968d89dfa40f0dcd0a052fe381de1daa312e84b6e41f4

SHA512
5de2c65e1e14443ebcff3f09bc7639c7bf9f1033b11533229df610480c9149292cc3336902102c9983368914e92a49a76edfae493b0378e7212e69e3e808c6ca

Download Submit
C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win10\amd64\OemVista.inf

Filesize
7KB

MD5
66b9dec2074c3425e6ee6382aa3600c1

SHA1
372b2b314cfa40450303c52c52ab1b24516abca6

SHA256
427f9551921202143ba72f8d3abec45ad7c887a827fac2864a501551ce309685

SHA512
a9c64b8686f750700fe63fa214e4f0780918edc365e8ed8dda4d0305aaf90d74280a47e0c3c688ec1ca6a7b7fd270e24446fcf33c7343b292ea83279d23b85a8

Download Submit
C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win10\amd64\tapinstall.exe

Filesize
482KB

MD5
2b1bddf7f9d3190ff73563a41bcb72be

SHA1
8a522e9cb1007b922cec9e5ed2b70f01ff12cf0d

SHA256
85ab4bbb77ab248956d0da02ace1a2bc58ce6c6db9f421808ef03ed31bbcf3b6

SHA512
6a42ac53262c6bafc8d7a5ff225acb07754af8cf044f0135251d4b3cf983a53494d755052296cf49627b3bbe6acead3aa9bacc33b51d222a1d2a0fe6d2bb4f93

Download Submit
C:\Program Files (x86)\Avira\VPN\Serilog.Sinks.File.dll

Filesize
35KB

MD5
97f20eb6f1c67873802f0851859e2aed

SHA1
45e83bdbc9c6d992df5bb7233e9a0f8f661c38b2

SHA256
d1a929b7aa1b1cfa330a33b3c1f238fb1fcf73c7bd9d43bc3579ad8a9625d824

SHA512
0180e31bf95e1ecc6cffc90cbab5b736c61d86bd5b0ac23ae9f3ac7f7602e2b63a0e6f579ff7105f891547deb9beb8bd86fd16995cea4b62b80439a56f7cb761

Download Submit
C:\Program Files (x86)\Avira\VPN\Serilog.dll

Filesize
150KB

MD5
a4cb9f0cd0a7f720cadb28c07542d3de

SHA1
39d5a8fc0474224211db95fa80c6c7d12864c8a8

SHA256
f14f61e815adbb6403ff70941c7d98f1836792dcd4cdf1fbc77f9164694fc932

SHA512
1044a204a3ba81739cb3d937571d9f70fa92e45c754341b35fbbdd5d604ccf8c005b7c92877437f9a827b8ab478627a08c3dca6bf5fa0bc9df72ce2f02f200ca

Download Submit
C:\Program Files (x86)\Avira\VPN\ServiceStack.Text.dll

Filesize
199KB

MD5
537b82928ce015be0594e07587267e41

SHA1
4203b59a6563832db4c012e62e09a66501f8ee62

SHA256
93003778ab63e158cc18b86066e8fbb2c0104cae570dc3f53aa56b38faf41817

SHA512
a073f4b23a1ade5cd27972996fd1b1feeb50c0a04a1c6640124b62cfc2b8b911e793bdbd673147cd89d8ef67b87eaa51668e540f287bdf4d7bb33092aa9d1fd4

Download Submit
C:\Program Files (x86)\Avira\VPN\SharpRaven.dll

Filesize
100KB

MD5
e66983a1cceb2c7cd3f7e3448957d9f6

SHA1
b97981265121322034e04f567faf39cbdbd19679

SHA256
5521dc13a0264e2f178e205b2fbf76c57ed34ef650bd7508348cba0c9f6b2dd6

SHA512
455fe9b542faca8f4add763de2df1fdb4c8b5371e3cdd8df9fda6d743e9c59c22f45a13097159aa92e6fe4d75c2c62aa1192d029368fd4ae58ce4d3f0a2052f2

Download Submit
C:\Program Files (x86)\Avira\VPN\System.Diagnostics.DiagnosticSource.dll

Filesize
169KB

MD5
8a260507f7fe8815fdfd66b97678ddaf

SHA1
2d0893fd0b2cc6c4e83d90ac8ef114bdf229d3e7

SHA256
30fbf5b1aa8736badeebb85a2e630dc44b65659564d6e8399a71a887e2244b98

SHA512
379adb0692dfa46e399e28fe2ea9a0f0a2106f6b5c6b74456f376726d921f3e44cee3c9489fc774ed4b1dad5cbc24247b5e1c2ad2d6efe9cbff469f9eaa44024

Download Submit
C:\Program Files (x86)\Avira\VPN\VPN.Core.dll

Filesize
179KB

MD5
ea3cfd2c4256b3045d7a812c12023feb

SHA1
2b3a99ca1876c0f34a7d771227cc35d779077c02

SHA256
13db96190d32798a2a1224b309991a69300424f5345d83684ed13c074371dd67

SHA512
fc04f26847cd34201fc7e3e2060487a72dac9afc29df849731f311c93f5422cd79031ebc1d28dc2190cee7ceeb66b33a0550ee866981d0646ad9f48a1cd42292

Download Submit
C:\Program Files (x86)\Avira\VPN\en-US\Avira.VpnService.resources.dll

Filesize
21KB

MD5
05d0d2f37e6b683e59cdfd05bcb3b08a

SHA1
b21b207367d0b5dba10d67e9bcc5c29175aa6ab9

SHA256
57b7256eec2eb64deb1f52ecc3ea529c061b99ae009e4a28f70ad76ce565cbc4

SHA512
4c1fa9a21599cc86d4de858d4adb870135be706394a009241425d166c417b9216393ec721ac9f4e2e6659f1d39036672d582a11265a57c715b592f60f5399070

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.backup

Filesize
6KB

MD5
d0a82d1f6812d69aab47854a72db915c

SHA1
d0c7eee94f5e20351b4f411898669be86be5836f

SHA256
8cd642c39ec85d454ff8a598279fff07e10c7b59fa5802118146ef6bb261850b

SHA512
4dda2f2bc580772edee950af469ae222e9e5b57d007f5c092fb35e8ebc283e8a8ba911ce54c23082b7124ac1f44b5ef330d0f35f2aea9dc26be5480606bbfa69

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.backup

Filesize
5KB

MD5
3ff7097b68d488902cb7b896e654c578

SHA1
670f59ba147750607499db3108c7acf6f6421ea1

SHA256
ffffcf6237d21ba89ce975f59372079fc01fd85e205e88151f9794183454f1db

SHA512
8cd618c43a71029e3cd2af8d41b7a0d01a56bddd65d4fcbba1e1eca5b7f20beebe6e5f5aa5600cf3a9b1e5c555d1b78cbeab44f385581cbe819b3f46ea3befdc

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.config

Filesize
6KB

MD5
c260750ef073ff5f47f56ba1115eb25d

SHA1
37e52aac332a5ec71c78f9059b910117fe923222

SHA256
2fde44bd25894e3a626297de734fe83736bd4d970a86895c59a330a19dcb3d5f

SHA512
2229f2bf94f26b7e032b71b2eee05c8cbee938eac0c9a32405e9736e62a47585b54b66fb379af0e343b7ce487b09cb28158b7a21de02bfab29a003327aa0f9e0

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
1KB

MD5
d7cd5bc483cf692ec7ea5cc75c9154fb

SHA1
919b5feb84a489b9ba04fbb22d21b72296bbf108

SHA256
647e9c20b459b939edb722c992a344a3d4921d75d0bf4039b626ec318f55407a

SHA512
e6f84bbe439c63768f938da50121a5814cf07d650c58dc4b3d9dc37be763d495b590d93ba1db75df15953ed60e37e997b38ffbcc18e12c509fcfa754c5076e64

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
1KB

MD5
efc1184db0506551856f130aae498902

SHA1
16f2e3e4085935e50f4ce99be18eb033f098ab7d

SHA256
49b606c2483ca38912548871e26e00e9cba4cbe9b9c0df51bb35ca7c73a57691

SHA512
686a0247a140f1df847f17751bac0a10e327bb973042674282689feefa9e022896046a1ac62396cd50f18ca1a0650b131be0b9c74aca3c17191fd29a72bafd5e

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
1KB

MD5
0884e49a46825963df9f41fe63456a88

SHA1
76b875cec2a39e7ae332e75985229d3f34a9a8fd

SHA256
c8e167aabcf662a403b81a56f85435022475323c36d13abefa8a151f72883a31

SHA512
31fbb83bf632fc0732f081b7b269c649f6f34b118b4015a2ada6c3b1a32ee2c7292dac2e5011cec0904817ce0874da3fe2544d31966722be7ac05f3b71aa5027

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
1KB

MD5
318ff3ae6a8939b629c95ddd8fab6cd7

SHA1
b92a56954c655f5941057ce5552ad201549173a8

SHA256
d7606c6870f1db2f4e62d03d7992e67c85ed6979915ce5f53b18aa501c51bd40

SHA512
720bcd01e15beb29f0de499f14d8bfcf39d3c587637b3cb5818377cd816f8d61e0991fd1fa43f87ccef095566c99d52e9a9022baec92edbecdd8db274e80bcfc

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
1KB

MD5
76bb21a82dd1c89cc0366947dbb30a14

SHA1
7b3b7c0d9608bc820d68867a5650721fe69f2dd8

SHA256
a7d438d2594ab94ec868875bd7708e92862f30a8b04bf844fb2f4b80f6aa144d

SHA512
5b92f0ee94e31126a9029aa8b27c5c9ef508ad68339360e583b7a08336c528d9828457a756340849166e07acfe5dabea2f8d8fdbea8a7d9ef3aa35ce9ae13d09

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
1KB

MD5
6ea05cdd1ea6888d59ba054106d72d92

SHA1
f3846a3640e360762de9412986098cf500d12ef1

SHA256
3f0b5665c895f3bf32883bb2bb2980bf36350ba18842859257d4ba12c0f28953

SHA512
a2a022825d69a0fe0e9b65f663c2e2bfef66b9cf74fcd588443220e20410a05d802d69091ec5c68a96a31a903ff7968de55090483123d6679744097f3a468d91

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.config

Filesize
1KB

MD5
15d329e42c82e88d24a101df3a20b5b9

SHA1
c8227ba9ce6892c532e8e43a8b1c9d94183a0ce6

SHA256
abd246496373cd49bfcd63bc2d740874dde83c11598137526e9ff75056cfb58f

SHA512
06d5a641fab000037d2c84f9e1f33920eccec1ae1e3145525b537eaa5ce7db605bcb0b5cbec7b63d1d370c64a0db9267f708b3b10bc354fa24739fa1e4d13c1f

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.config

Filesize
1KB

MD5
408347e969743abb7ab69949d9d970ff

SHA1
4dd1b19930d5cab70e1a183cc8f8829ef6ab662f

SHA256
b27522fe75254f5345f7228ac08c8815cd6209e478e97d50290e2873fd458155

SHA512
fadfafe74d2c6fda63d343ca8e44936f1fcacd6a56f60637b5b9689749f4dee20f01a65946526a1679f68b1f8153436b6b79def62d5c9c36bddf232b5309794e

Download Submit
C:\ProgramData\Avira\VPN\vpndbg.log

Filesize
4KB

MD5
fdb0b6e88a6e0db64cb7f75c7c8ca8ff

SHA1
4cd1409faa23210827758dfd25c5463ea6ee334a

SHA256
8e169e44886bd0f5be92f7ab62c0d6b9f921fc87d7ab3e9ea2a059de99645e8c

SHA512
021543d5a74c98600136afef2090eb1fa22b038d37cac79c8279dd0f995f0f93d1201f8fa8521e5c88d1277eef6591dfe1a78e6807323b96029964c5f5c32629

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7PGU8.tmp\Avira Phantom VPN Pro 2.44.1.19908.tmp

Filesize
1.5MB

MD5
0c1c8eb89026af3bc48b56d10759c400

SHA1
46052ea988389f440ebbf5ff2fe3cc4570f2131c

SHA256
02febfffcac96296e9cbad84cccf0153a11c051e0f2421e86360eccfc21f7f4d

SHA512
5c85df79f85c31557cb9d5d5974314fddd71ddaf66427c5d673b5db887b752a31e2dd510b2ab0bc5953751037c97e436c6bfa149a22ae7a8031a24e92c319d20

Download Submit
\??\c:\PROGRA~2\avira\vpn\openvpn\tap\win10\amd64\PHANTO~1.SYS

Filesize
49KB

MD5
7513d18baafa3384276f74ae45d19d40

SHA1
d3f898d2cb8a0267c6e9c38a408d35f1c6220de0

SHA256
2f7801552ae07f3c3d1ed3ea62a3eb3f7ddeda1cee20123eadc4e416a4550e3d

SHA512
5f0b7fca6c1858f73e77c3301037c1144c7a03031001b4be712683a1cd93f5909b28824ee56c6b8fb2bb45f1ce248f6d73b8d921498323bc30817068afba76bc

Download Submit
\??\c:\program files (x86)\avira\vpn\openvpn\tap\win10\amd64\phantomtap.cat

Filesize
10KB

MD5
6fc419f92374da0a876cf3d8a3225572

SHA1
46df79f2ad14be1b3c7cce9c901dd24d2e61641d

SHA256
c0de7a55d22d85605e2342e63f35e774d5c35dbeccaef4ade98e0be8482077cc

SHA512
050c3dd0129e60a802d299dbcf4f59a519b306d0e3062e8e160195910b72926389b4235ef91f66622de3548e0eabc86fe419226b878da7eea46054ec5a165df4

Download Submit
memory/1936-1092-0x0000023E6F010000-0x0000023E6F0DE000-memory.dmp

Filesize
824KB

Download
memory/2680-1118-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2680-1088-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2680-6-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2844-1119-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2844-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2844-1083-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2844-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/3912-996-0x000001C625830000-0x000001C625894000-memory.dmp

Filesize
400KB

Download
memory/3912-1000-0x000001C626270000-0x000001C6262A4000-memory.dmp

Filesize
208KB

Download
memory/3912-1026-0x000001C6262C0000-0x000001C6262D0000-memory.dmp

Filesize
64KB

Download
memory/3912-1044-0x000001C63EB70000-0x000001C63EB7E000-memory.dmp

Filesize
56KB

Download
memory/3912-1054-0x000001C63F970000-0x000001C63F9A6000-memory.dmp

Filesize
216KB

Download
memory/3912-1056-0x000001C63F8B0000-0x000001C63F8B8000-memory.dmp

Filesize
32KB

Download
memory/3912-1048-0x000001C63F8E0000-0x000001C63F90A000-memory.dmp

Filesize
168KB

Download
memory/3912-1057-0x000001C63FA60000-0x000001C63FB0A000-memory.dmp

Filesize
680KB

Download
memory/3912-1059-0x000001C63F8C0000-0x000001C63F8CA000-memory.dmp

Filesize
40KB

Download
memory/3912-1050-0x000001C63F910000-0x000001C63F922000-memory.dmp

Filesize
72KB

Download
memory/3912-1052-0x000001C63EB90000-0x000001C63EB9E000-memory.dmp

Filesize
56KB

Download
memory/3912-1002-0x000001C626110000-0x000001C62613A000-memory.dmp

Filesize
168KB

Download
memory/3912-1082-0x000001C63FD60000-0x000001C63FDAA000-memory.dmp

Filesize
296KB

Download
memory/3912-1004-0x000001C63EAA0000-0x000001C63EB52000-memory.dmp

Filesize
712KB

Download
memory/3912-1006-0x000001C6262E0000-0x000001C626302000-memory.dmp

Filesize
136KB

Download
memory/3912-1046-0x000001C63EB80000-0x000001C63EB8C000-memory.dmp

Filesize
48KB

Download
memory/3912-1038-0x000001C63EB60000-0x000001C63EB6A000-memory.dmp

Filesize
40KB

Download
memory/3912-1036-0x000001C63EA90000-0x000001C63EA9E000-memory.dmp

Filesize
56KB

Download
memory/3912-998-0x000001C6260E0000-0x000001C62610A000-memory.dmp

Filesize
168KB

Download
memory/3912-1008-0x000001C6260D0000-0x000001C6260DC000-memory.dmp

Filesize
48KB

Download
memory/3912-1010-0x000001C63E9E0000-0x000001C63E9F4000-memory.dmp

Filesize
80KB

Download
memory/3912-1029-0x000001C63EA40000-0x000001C63EA48000-memory.dmp

Filesize
32KB

Download
memory/3912-1028-0x000001C63EA50000-0x000001C63EA7E000-memory.dmp

Filesize
184KB

Download
memory/3912-1024-0x000001C63EA00000-0x000001C63EA1C000-memory.dmp

Filesize
112KB

Download