3d829d5826297e66e2471fa4c0b4a7fc23e784ca1cdca0288c435f367bb912d1

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Avira Phantom VPN Pro 2.41.1.25731.kuyhAa/Avira Phantom VPN 2.41.1.25731.exe
Size

7.2MB
MD5

bf245b7db7637e6b2991105f62cc76de
SHA1

1d7252929d5c4cb404a34e553b72757729c701d5
SHA256

c414e764c53a81c6beb2c393635044661da238380492c182162b37f3e82a8c89
SHA512

08380e7ab2012f453ec4cb72646ca3a920d32f2f253f5c956b239780d1d08e434c4353580f6f9c95317b0e76810bc9351def59039350b96a4d989ece80722076
SSDEEP

196608:cI+4fSWrh9ry+5jCyVCavZ7jnEDHGV6uXVM4Fz6Krg:cIBZrXryiC8fnImV1zIKrg

Score

8^/10

discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3084	netsh.exe
3208	netsh.exe
3752	netsh.exe

Executes dropped EXE 9 IoCs

pid	Process
2776	Avira Phantom VPN 2.41.1.25731.tmp
4248	Avira.VpnService.exe
4772	Avira.WebAppHost.exe
2796	Avira.NetworkBlocker.exe
1316	Avira.WebAppHost.exe
2248	Avira.WebAppHost.exe
4548	Avira.WebAppHost.exe
3832	Avira.WebAppHost.exe
1384	Avira.WebAppHost.exe

Loads dropped DLL 4 IoCs

pid	Process
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Security\Benchmark	Avira.VpnService.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Avira\VPN\FSharp.Core.dll	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\fonts\is-EAEBA.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-25SRV.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\is-LN4L7.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\zh-TW\Avira.VpnService.resources.dll	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win10\i386\is-1TGC0.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\OpenVpn\liblzo2-2.dll	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-OGSHH.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-HHE7S.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-MRB6Q.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-53FUG.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\is-LM5LV.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win10\amd64\is-DU4S3.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-INOP4.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-EO3FS.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-5AM3B.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-CTR3P.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-5EKJA.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-105MF.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\images\is-EO25E.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-6MHI4.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\Messaging.dll	Avira Phantom VPN 2.41.1.25731.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\it-IT\Avira.VpnService.resources.dll	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-2UN5D.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-NABGR.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\OpenVpn\is-03AQQ.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\is-C5281.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\fonts\is-CV9IV.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-5V9CT.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-FUQCS.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-V34RC.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-4UJUS.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-CPFTO.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-090HT.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-Q1S3C.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\i386\tapinstall.exe	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-9413N.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\Serilog.dll	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\nl-NL\is-M3GJQ.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\is-956R8.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\is-I72AQ.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\Templates\images\is-GNFO6.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\System.ComponentModel.TypeConverter.dll	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-IAV4I.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-OFF6K.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win10\amd64\is-3N2IH.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe	Avira Phantom VPN 2.41.1.25731.tmp
File opened for modification	C:\Program Files (x86)\Avira\VPN\System.Runtime.InteropServices.RuntimeInformation.dll	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-E7J20.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\is-PB5LB.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-CB787.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\is-UIU00.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-1A8IB.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-9GS5U.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-JE431.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-HL8AG.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win10\i386\is-AS2RJ.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-ARBKC.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\unins000.dat	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\is-A2D7F.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-AS081.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\Defaults\is-7BIUS.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-7QJJ9.tmp	Avira Phantom VPN 2.41.1.25731.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-3VUK2.tmp	Avira Phantom VPN 2.41.1.25731.tmp

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4444	sc.exe
1352	sc.exe
4012	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avira Phantom VPN 2.41.1.25731.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avira.NetworkBlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avira Phantom VPN 2.41.1.25731.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Avira.VpnService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Avira.VpnService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Avira.VpnService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Avira.VpnService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Avira.VpnService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	Avira.VpnService.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "987041deba2e477888dafe4c9d12db9a19ba14cf"	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\machine = "0b14cc557f5f4a599c3e3d773b097d90142c9c99"	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "ae88e26f64ff44f78186d043312b6691b1638669"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "cabb367ac1da48dab5404584a250f75f4f9e149c"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "68da27fb3f2043808243ceed17d44b73887550e2"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "8d2bf0fc2ba949f3a324099741e220f7569f3ace"	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "60fdc2a26d2c45cabecc0ddc1bfb6f3a3e92e8f5"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "02192c05f35540bca7f2e6dfe9f1f75f437cd459"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "176e7b7260eb4d9f97d32b59ca5b9cfe84581243"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "e2f2cb587c2d43b9ab84861c0e65417f3f8ee3f7"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "a3e7b284991747e398a67c8070c06c743fc78904"	Avira.WebAppHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "de0064842976473cb41044d7aeecc58c134411e9"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "7fbc703fa63c469d9c3d6566a0d8076ae0843834"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "c8315e4c174c448aa56f7c106e6e40317b3e9691"	Avira.WebAppHost.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 5c00000001000000040000000008000019000000010000001000000091fad483f14848a8a69b18b805cdbb3a0f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d8090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b060105050703076200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1770b000000010000001e00000045006e00740072007500730074002000280032003000340038002900000014000000010000001400000055e481d11180bed889b908a331f9a1240916b9701d0000000100000010000000e871723e266f38af5d49cda2a502669c7e000000010000000800000000c001b39667d601030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d3431040000000100000010000000ee2931bc327e9ae6e8b5f751b434719020000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 040000000100000010000000ee2931bc327e9ae6e8b5f751b4347190030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d34317e000000010000000800000000c001b39667d6011d0000000100000010000000e871723e266f38af5d49cda2a502669c14000000010000001400000055e481d11180bed889b908a331f9a1240916b9700b000000010000001e00000045006e0074007200750073007400200028003200300034003800290000006200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1777f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d819000000010000001000000091fad483f14848a8a69b18b805cdbb3a20000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Avira.VpnService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 0f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d8090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b060105050703076200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1770b000000010000001e00000045006e00740072007500730074002000280032003000340038002900000014000000010000001400000055e481d11180bed889b908a331f9a1240916b9701d0000000100000010000000e871723e266f38af5d49cda2a502669c7e000000010000000800000000c001b39667d601030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d343120000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 19000000010000001000000091fad483f14848a8a69b18b805cdbb3a0f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d8090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b060105050703076200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1770b000000010000001e00000045006e00740072007500730074002000280032003000340038002900000014000000010000001400000055e481d11180bed889b908a331f9a1240916b9701d0000000100000010000000e871723e266f38af5d49cda2a502669c7e000000010000000800000000c001b39667d601030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d343120000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	Avira.VpnService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	Avira.VpnService.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
4248	Avira.VpnService.exe
4772	Avira.WebAppHost.exe
4772	Avira.WebAppHost.exe
3824	msedge.exe
3824	msedge.exe
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
64	msedge.exe
64	msedge.exe
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
64	msedge.exe
64	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4248	Avira.VpnService.exe
Token: SeDebugPrivilege	4772	Avira.WebAppHost.exe
Token: SeDebugPrivilege	1316	Avira.WebAppHost.exe
Token: SeDebugPrivilege	2248	Avira.WebAppHost.exe
Token: SeDebugPrivilege	4548	Avira.WebAppHost.exe
Token: SeDebugPrivilege	3832	Avira.WebAppHost.exe
Token: SeDebugPrivilege	1384	Avira.WebAppHost.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2776	Avira Phantom VPN 2.41.1.25731.tmp
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
1316	Avira.WebAppHost.exe
1316	Avira.WebAppHost.exe
2248	Avira.WebAppHost.exe
2248	Avira.WebAppHost.exe
4548	Avira.WebAppHost.exe
4548	Avira.WebAppHost.exe
3832	Avira.WebAppHost.exe
3832	Avira.WebAppHost.exe
1384	Avira.WebAppHost.exe
1384	Avira.WebAppHost.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
1316	Avira.WebAppHost.exe
1316	Avira.WebAppHost.exe
2248	Avira.WebAppHost.exe
2248	Avira.WebAppHost.exe
4548	Avira.WebAppHost.exe
4548	Avira.WebAppHost.exe
3832	Avira.WebAppHost.exe
3832	Avira.WebAppHost.exe
1384	Avira.WebAppHost.exe
1384	Avira.WebAppHost.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
2776	Avira Phantom VPN 2.41.1.25731.tmp
1316	Avira.WebAppHost.exe
1316	Avira.WebAppHost.exe
2248	Avira.WebAppHost.exe
2248	Avira.WebAppHost.exe
4548	Avira.WebAppHost.exe
4548	Avira.WebAppHost.exe
3832	Avira.WebAppHost.exe
3832	Avira.WebAppHost.exe
1384	Avira.WebAppHost.exe
1384	Avira.WebAppHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 424 wrote to memory of 2776	424	Avira Phantom VPN 2.41.1.25731.exe	84
PID 424 wrote to memory of 2776	424	Avira Phantom VPN 2.41.1.25731.exe	84
PID 424 wrote to memory of 2776	424	Avira Phantom VPN 2.41.1.25731.exe	84
PID 2776 wrote to memory of 2260	2776	Avira Phantom VPN 2.41.1.25731.tmp	86
PID 2776 wrote to memory of 2260	2776	Avira Phantom VPN 2.41.1.25731.tmp	86
PID 2776 wrote to memory of 2260	2776	Avira Phantom VPN 2.41.1.25731.tmp	86
PID 2260 wrote to memory of 4868	2260	net.exe	88
PID 2260 wrote to memory of 4868	2260	net.exe	88
PID 2260 wrote to memory of 4868	2260	net.exe	88
PID 2776 wrote to memory of 4012	2776	Avira Phantom VPN 2.41.1.25731.tmp	104
PID 2776 wrote to memory of 4012	2776	Avira Phantom VPN 2.41.1.25731.tmp	104
PID 2776 wrote to memory of 4012	2776	Avira Phantom VPN 2.41.1.25731.tmp	104
PID 2776 wrote to memory of 4444	2776	Avira Phantom VPN 2.41.1.25731.tmp	106
PID 2776 wrote to memory of 4444	2776	Avira Phantom VPN 2.41.1.25731.tmp	106
PID 2776 wrote to memory of 4444	2776	Avira Phantom VPN 2.41.1.25731.tmp	106
PID 2776 wrote to memory of 1352	2776	Avira Phantom VPN 2.41.1.25731.tmp	108
PID 2776 wrote to memory of 1352	2776	Avira Phantom VPN 2.41.1.25731.tmp	108
PID 2776 wrote to memory of 1352	2776	Avira Phantom VPN 2.41.1.25731.tmp	108
PID 2776 wrote to memory of 3752	2776	Avira Phantom VPN 2.41.1.25731.tmp	112
PID 2776 wrote to memory of 3752	2776	Avira Phantom VPN 2.41.1.25731.tmp	112
PID 2776 wrote to memory of 3752	2776	Avira Phantom VPN 2.41.1.25731.tmp	112
PID 2776 wrote to memory of 3208	2776	Avira Phantom VPN 2.41.1.25731.tmp	113
PID 2776 wrote to memory of 3208	2776	Avira Phantom VPN 2.41.1.25731.tmp	113
PID 2776 wrote to memory of 3208	2776	Avira Phantom VPN 2.41.1.25731.tmp	113
PID 2776 wrote to memory of 3084	2776	Avira Phantom VPN 2.41.1.25731.tmp	114
PID 2776 wrote to memory of 3084	2776	Avira Phantom VPN 2.41.1.25731.tmp	114
PID 2776 wrote to memory of 3084	2776	Avira Phantom VPN 2.41.1.25731.tmp	114
PID 2776 wrote to memory of 64	2776	Avira Phantom VPN 2.41.1.25731.tmp	118
PID 2776 wrote to memory of 64	2776	Avira Phantom VPN 2.41.1.25731.tmp	118
PID 64 wrote to memory of 2792	64	msedge.exe	119
PID 64 wrote to memory of 2792	64	msedge.exe	119
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122
PID 64 wrote to memory of 2160	64	msedge.exe	122

C:\Users\Admin\AppData\Local\Temp\Avira Phantom VPN Pro 2.41.1.25731.kuyhAa\Avira Phantom VPN 2.41.1.25731.exe
"C:\Users\Admin\AppData\Local\Temp\Avira Phantom VPN Pro 2.41.1.25731.kuyhAa\Avira Phantom VPN 2.41.1.25731.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:424
- C:\Users\Admin\AppData\Local\Temp\is-ISD92.tmp\Avira Phantom VPN 2.41.1.25731.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ISD92.tmp\Avira Phantom VPN 2.41.1.25731.tmp" /SL5="$80060,7215309,64512,C:\Users\Admin\AppData\Local\Temp\Avira Phantom VPN Pro 2.41.1.25731.kuyhAa\Avira Phantom VPN 2.41.1.25731.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\net.exe
    "net" stop "AviraPhantomVPN"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "AviraPhantomVPN"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4868
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\system32\sc.exe" create "AviraPhantomVPN" binPath= "C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe" start= auto error= ignore DisplayName= "Avira Phantom VPN"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4012
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\system32\sc.exe" description "AviraPhantomVPN" "AviraPhantomVPN"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4444
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\system32\sc.exe" start "AviraPhantomVPN"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1352
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Avira Phantom VPN"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3752
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Avira Phantom VPN" program="C:\Program Files (x86)\Avira\VPN\OpenVpn\phantomvpn.exe" dir=in enable=yes profile=any action=allow
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3208
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Avira Phantom VPN" program="C:\Program Files (x86)\Avira\VPN\OpenVpn\phantomvpn.exe" dir=out enable=yes profile=any action=allow
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://lrepacks.net/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:64
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffb9fff46f8,0x7ffb9fff4708,0x7ffb9fff4718
      4⤵
      PID:2792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9421556071052096560,7376346147719609683,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
      4⤵
      PID:2160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,9421556071052096560,7376346147719609683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,9421556071052096560,7376346147719609683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
      4⤵
      PID:4736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9421556071052096560,7376346147719609683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
      4⤵
      PID:5072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9421556071052096560,7376346147719609683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      PID:5096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,9421556071052096560,7376346147719609683,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5276 /prefetch:8
      4⤵
      PID:2044

C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe
"C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe"
1⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4248
- C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe
  "C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe" delete
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2796

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe" /migrateSettings
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3452

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1316

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2248

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4548

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2564

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Avira\VPN\App\css\vpn-1.0.0.min.css

Filesize
62KB

MD5
db263a64edafc8ecd283907ae14cea80

SHA1
0b32e6aa37c1bffb523adc02a08016521607b1d7

SHA256
e5137cb2ffb9c98cb95f6432018670720a6b10d2af9ce6b2f841d5e5596b61f6

SHA512
dc8b7ddaed02f3bff36c21fd25774f2f34c3b5e003e7c83373fa986378622c153f33cc383f0f9f48ab97cad6e396acdb2157cfc066cb76225d826c7a229898ca

Download Submit
C:\Program Files (x86)\Avira\VPN\App\css\vpn-vendor-1.0.0.min.css

Filesize
50KB

MD5
3e010afca2c5420d1793cd51ede3ea14

SHA1
190f42c1d34aa8de83939619df0440401b01f869

SHA256
7146bb2cd47b3bf090b202cd88c53467318f534c5f4e079c1ac3bf7be56f485f

SHA512
01b6062081c22503c24ef8cc55f5ecbd089ff36f102d35a9a1b919a4ab7851f69d59929e69579fc9d647a98d22b44720d758f0d838b8b8eed6e650322c21c475

Download Submit
C:\Program Files (x86)\Avira\VPN\App\fonts\KievitWeb-Light.woff

Filesize
54KB

MD5
a8a9d6aaf9f3940badc66e2a2aa21047

SHA1
8d2cd2f4fd9fd36f19033c01272dc3fe43bccdb7

SHA256
a791aba3842d3766494ad0aa2a1b9cdbd2bb8aa8b2235aedea82e993c851a1ab

SHA512
46561f0b8f178e4e4cc836a4561d12f6a0670543ac5567bcede9cb193bfdb4bf654e3f01372210f158ae3de58643e4c963c1e1cb788f497ee817877a019fcfd4

Download Submit
C:\Program Files (x86)\Avira\VPN\App\images\gif\loading.gif

Filesize
8KB

MD5
8a7630caadfb15dbd13cb469853ab004

SHA1
8947a7e8900a4e4359ded13199f4f05ee0e55e84

SHA256
c9c616de646e94b9adea60ef1e8ffe5246f82b82baa1e039b1b6007067791773

SHA512
5c229f934e5c764247f990e2b813ad8ad055c81df1739b0a773aafe1e7f1285c098ac8db24bd4a074eb8981a933955fa9ed69c0da1503259d30d397bdb5809df

Download Submit
C:\Program Files (x86)\Avira\VPN\App\images\png\regions\is-5HQEG.tmp

Filesize
743B

MD5
d3b58f803a9a01a59210dd673998a229

SHA1
6caddb6c8e749e9c5b786a3984bb7bdbba2bafc5

SHA256
3cf52e677d7f7be201cbf6e3ec56ed1f48b95c47e5969ef2c2510e270133c4f0

SHA512
88aade4affd629926e473df3d26ecca5ba49c4b77da9343e58729cf3a2b1cd0b9d27d9e019018455bffd18b7a7570a5c14d918eff46deecc5821903f76094988

Download Submit
C:\Program Files (x86)\Avira\VPN\App\index.html

Filesize
4KB

MD5
7da80eb8be2f4ad337e913d9dcabe6dc

SHA1
f21c2d3044fe0c7699c86bb91dd5b911f254bdc3

SHA256
f3e9a70674fc47536fc416cece6a54a90cf4b71c9389525671cca73a2f5744ce

SHA512
3afc58ff2d28447edb6bd583dad60faf28ad75d784845a820969f4410602580e96f6523464949fcd4d99dabd0a786c7d50c06c937fd6b33e6833c85bba945abe

Download Submit
C:\Program Files (x86)\Avira\VPN\App\js\vpn-1.0.0.min.js

Filesize
313KB

MD5
1a19dc38b9c1f8941491e5b1faec2cc7

SHA1
90dbf3705a81354b0c8e1e88bd39233769a45d46

SHA256
9cb67133e6b03fb006e86d78d67f752d7ea423e1bdca024c927685a1d0b06739

SHA512
549032577be676f4dd5711bb2afe24442374573376a1540e8f3779e863a880b5996ecfcf4c6f6e9d91456a41c6448177043a7ded66e5350e18378446c6058a8a

Download Submit
C:\Program Files (x86)\Avira\VPN\App\js\vpn-vendor-1.0.0.min.js

Filesize
317KB

MD5
fd6679775b921878549ef80e6d9d59d3

SHA1
fb89bc2eb33f47cc56b00630ea79818d61fd678d

SHA256
696393aa261c0980dac558ce58fc30e9806d8b64f65c28c572b282ebf2a04f56

SHA512
66976a9b0002f1d32b6c7618a7a7c6ccbbc373ffc565415448428eb75fb60251b3b1934571b6bc725ec5ce456f5adaddfc994595cc3b1d87ef02ba3478ed7e34

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Acp.Common.dll

Filesize
24KB

MD5
581016c89a77c77f58f223cb2c3e11f9

SHA1
c0fb60681e4b648e492bb6db21885d35538c37bd

SHA256
67091dd1cc0f8e9758e161db5f1bc6a251145239aefa2f2fb07cb17c9aa69d8b

SHA512
3d8899fedad4fbf4f00836280d983afb13026f6ecb98f4d52c223007c93ecc430bf0032571add9d957faab8d4d269481f468fdf9fc366f44bd6e7f479c977729

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Acp.Resources.dll

Filesize
58KB

MD5
093d314f56c72cc419162cf7a5ca7c30

SHA1
b988bd91504bb98db307ed71419067c2f96fd28c

SHA256
e5c1e86ddb3c64bfb0dc7e2f5cfe4663a87afe6bbd6dba1a7ef89bf8147b85f2

SHA512
a372830b1321c42443e6d83a0f66a10640f01ecbf4504f6d7080533e03a8f161aa7f663c99b331e5b955a5b1402389697ec4333b9af98e894a1bd9acffa1808e

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Acp.dll

Filesize
183KB

MD5
604479ca6f96a609af4e655a264ebb4a

SHA1
bbbc311db7bb57076e7155aa001d7b80505244ae

SHA256
08bf986a2ca137da66933c6f6652b3ad6c6bf82293b6dbbe5f685ecbd0180102

SHA512
6c7416998bbcd463d123b82ed52f17accf8dfb3c82f565587c1850c1aef4e9776764771f91eed037a4bfd8579a5f15b7fea2ae874188142bac5350096bf6c2c6

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Common.Acp.AppClient.dll

Filesize
32KB

MD5
ca7b6f611d0e7d6dbe9eaf26171cdbbf

SHA1
4f46b4d3742a78bdf38c89d2762222d1588e4e3e

SHA256
33940c3a56379a53b3e8da2919aab1f7521552ae79d280285539ee8ed653798e

SHA512
d67f50c21839607bdd50c10a7db40e1c296ad367c88a18d43201f91bbeeb084c98da9ee48d0477428996f79793d72b355cbc38d385354a05b7c588f2768cdfea

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Common.Core.dll

Filesize
65KB

MD5
7917445a0a68b182f1dcb5e389f227e8

SHA1
a68f0585ce492127b6853e81ab56922d543d8a66

SHA256
dafb2a29f8bca71a4afb8cca62e002cdaa23c0ba18b1612dbf3dd6f79ab4c9c8

SHA512
3783ab69b86cf86944a584efeb5a1ae79322f5eef3b2beb1544e2de8c8b875317f05bd0b9c55678d7dd0b4736e60f1c4774b0bae891aeeabd8b7c2f2318b1581

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Messaging.dll

Filesize
47KB

MD5
d3c5f5e36d142bce892fa433fca550d2

SHA1
8dced1a5ebe426d99fc05bcda4ade921473c6666

SHA256
258ee9787f113dc88b2dd92e6b282c557cc9cb1348aa5e2d77e35ed9de495c34

SHA512
84340cfd05fdc058b27db9eef9b9840124570dda42b121a9b9df74ff47b0ed11970090384b83785dd91ea64c80c3bd49d9db662ec98b7db86f9608194f756039

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe

Filesize
236KB

MD5
6a0aa7dbe87f694a7239ae76e7567c1d

SHA1
a2615c144d5148778e9ba0d67697fecd31e109e2

SHA256
69fcb3e43543edeca208f16bc14a5c8318bdfd4e87ccb8ddba4be7e0d5482f09

SHA512
b6b2b9edf41380c946e484876c7e4c15118476cc9b03ddc48fc907568f0aca8fc24c92fa7e0a6afe07c6d651e3faa123ad372cd635cdf35852ecd08a433be317

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VPN.Acp.dll

Filesize
33KB

MD5
6e9f407e8b6a1509ddd05767768a21dd

SHA1
72e725ac83013e4824b21d9514645439728a1057

SHA256
2cc0100e647d583f6536679a883f3aebe793471b3c910d76fc0f554335cdfa77

SHA512
0b36abe2e9aa863125e20b3d0ac7aecc95a8de3ca10297c062d3307897307c92beaf31b734a84353dca8a58574cad26c51d11f34aeb90c51c4f7debcf2ee0dc8

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VPN.Core.dll

Filesize
145KB

MD5
8e560c4384508d3a91dc0fe99fcf95f3

SHA1
f523346df8eb743d889ac40887fb15e65d2d87dd

SHA256
568399fb7b5de227e005fdcad3c9252070ac468db219bb590400ebf320d7fbfb

SHA512
54807bf6dc35d8ed28427f88b26f1a62f509ba5747294b6e3d8006be09ce69d965caa7a2a46588f09f57c07dffaeafcb36c3b91c0cdb5a8cbb8c99dbbdfe96bd

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VPN.NotifierClient.dll

Filesize
28KB

MD5
91231fadbd4750fd0f7aff4451817de9

SHA1
b0dbebd34968d49efaed34b49e39f512f0f5f319

SHA256
01de4b3d0f561d957940c899138e3f6259591c2e2a1a5397dc5e68f8f3bfc6f6

SHA512
e1192e4873dc20e0248f6d3ac71a2af0268c4eb2ba131eeca5ff9962aac4f11d731aca84cd882b47f1e7a479dc2efc5c4db55630729f6f07ddfbe6827d84d3fa

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VPN.OeConnector.dll

Filesize
41KB

MD5
3c5a6b77e6b042f10c71dbea818b47df

SHA1
bffa109b195b73d75ece3189026a15b51cd7dc90

SHA256
8185636f5d1839d2955a49865557982b1e1f69083ad7c6758358181b21ef7561

SHA512
6f6412355762846975a7433e9f84f2302333d147497884f374aeaace6f23ff4214f425d121f2c29aec80032cb5f42e2dd8e38ce1905642cf357a95d1243c18ae

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe

Filesize
330KB

MD5
af72ccc85709fa9d9844005e88cd4730

SHA1
dad8e2003f4d88e4cd7952a17ef236a3571187bc

SHA256
230e0c61d80d6ad1e1426ba7308c3f2b40266e78a6796e3343dd4b34d7d4cee9

SHA512
d495d1e4316de38cb60b211e90582fbbad1752647ae35baaaa330ad05b02f899e3cf40d06934fb3fe16d7314c9338c944fc7c5a14d149033ab646298444ba97a

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe.config

Filesize
8KB

MD5
1f63cf3e535b97a59e128168157b3f56

SHA1
be5a9afc3fcd74329f5406abcf85e0d241bf094d

SHA256
15210a2f511dae748e70bc78ead98bb6b76e2ac3e45cd93bca3bfce5ab7f6b0d

SHA512
d16ea8d1c1a2c6ba0cdef471ee36c5c3b486c862e636de7f748d14ed394d0838c9bf54bff9efc099199e81d30e4e2e503f14436d7815af7d5ddb21327464ee28

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe

Filesize
822KB

MD5
15251f271169251e9b962c57dd763d31

SHA1
ef590cd7b6e854111851c9f9e397b2108fed01d1

SHA256
f3f28506d8419457640bb4e623db9e78906051fa179180634d3dabddb6d4f9db

SHA512
eec9cf30918c1c61eb4f5e427b944816b103d41719d567039be8b2c08705ef3605c53c115cf93fbdfb0e2a0030e47a91f4fd6337b5a6878c01587af399c029ee

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe.config

Filesize
2KB

MD5
d1b8c0544f8c0620a66484fdec9e6ba0

SHA1
1da95e37623fdbf78a58d5a45710ae0fdeca5110

SHA256
777ccd894c1c49cddbf84f41a215b50fe30da29c2d4ddced6e394066e3f82f50

SHA512
6ff4e4e9ca73c1ad64afbf1d948162b2a07effdeeef5cde83f9ac8e54483432a522723acd19cae98a69c654ace07319d6227496b6a5ebaefaeb65d828fe4a2c0

Download Submit
C:\Program Files (x86)\Avira\VPN\Defaults\ProductSettings.json

Filesize
1KB

MD5
f9eb282786f0c1d27f9f6ae8b448d4d1

SHA1
df4f115df8a7dc8ffc2d7dbdd9953170cb0f8b32

SHA256
7e84e38c4b147fa13e871249a9986c4621176ed0afc88c999901e354f603d096

SHA512
db8a15d8b7b830dd63819eea73aa160accee27dca61a4b9b76d30f9b4161d28307c47d1f412faad9f92d2b77c17832226c16e8db0bb1d413444de1e918692753

Download Submit
C:\Program Files (x86)\Avira\VPN\Messaging.dll

Filesize
36KB

MD5
b1a97af12a736c53cd06501653e2e4cb

SHA1
6be48e266948fc173e8dc5f0852881f2d2dedae2

SHA256
1570229665cccbc32a605fa8c7becf35f7db9b029d581be252e3d19cf7952101

SHA512
817750fb29f208274ca615cdf6044e7cb5f40afd6155993f5ba876b9c9d288822f572fe5b30b3d7d915c1c08105ad006239410026a515004558342cd00ecb2aa

Download Submit
C:\Program Files (x86)\Avira\VPN\Newtonsoft.Json.dll

Filesize
694KB

MD5
5c72fad6a58a4a1a6a1a7ae8dc8a167e

SHA1
61deeb15fb4628cd7f7c32b7ef844211ab79f5ad

SHA256
554f9a657d6db8654a63aaaa90389ce2ef7f323cb0798148770d8c7e11dd17c7

SHA512
75a311f81b0a391d016fd825911ed5ba42d441de0148717f6d46654bfdbb287ed92ab0bbfed1ee54a783f2929bc5958e33c71dc8432c6089f971d94e28e95262

Download Submit
C:\Program Files (x86)\Avira\VPN\Serilog.Sinks.File.dll

Filesize
35KB

MD5
b58456f9a160e2736d7ee5602337dd9c

SHA1
82efcf79f21117f5fe6e2e2ab60d211f63e20684

SHA256
ff82098459238bd848372e8cd57457c520ce6bd04b23a59013dfaeb002a7cb88

SHA512
71d22e506ee948c000b37978a4cf1716872ee7a07842ff70c968a82c8c9d9914948ac6174156097fd68fe4208a7b80e31938b89913a84abba27286a72c103f85

Download Submit
C:\Program Files (x86)\Avira\VPN\Serilog.dll

Filesize
128KB

MD5
b61849eb6b545dea8851fd4e8c19efad

SHA1
2095a79a037daac7587b0a649cabe35de7b0c795

SHA256
e0ea1ea9bef21956ed2225c0e476a8d64381e57572150554e34deb4817ae5b3e

SHA512
e49e91678e90b7dff23504d864b61525f7907f4685a69def542fb6496d8d62194a968c794f2f40729e67abc3f3e4e07269b423821624f958fc2daf3c89e3d27b

Download Submit
C:\Program Files (x86)\Avira\VPN\ServiceStack.Text.dll

Filesize
202KB

MD5
64bbe4659a9c875de8b484c32a4a37e9

SHA1
2706c2b3068a7e84f76b708cccc22a9aabd6ea5c

SHA256
c77a86b4ce4e079ea333d7aca9e4d440d65290c9325ca1d8bc26c857853b13b9

SHA512
d8d713561e143152ef8546371380aeb244cad82057135c5ea208f5dd9d95ff750dd4c07f65a76b4a6ce14140838f6089f484973123c72409107bf5751fd5ae9c

Download Submit
C:\Program Files (x86)\Avira\VPN\SharpRavenPortable.dll

Filesize
71KB

MD5
8c2bc678cd38c9900be1ef6b0393abb2

SHA1
b7ef732ba1c584bbf21145199b7d32ad3620fe25

SHA256
387b3854074a36556c8bcdf67d58c51c7b1e74db7198c99c1b3fd86015a11bf9

SHA512
54f2e604d729ba1369144f855b0d2776e3850a2e97fe3e3fbd24f6f16c16cae822e2b41cfb1f09520c1c9fdaccb287c552b51f55546ca036f58d8c555bdae87d

Download Submit
C:\Program Files (x86)\Avira\VPN\VPN.Core.dll

Filesize
193KB

MD5
f9a0de6dd03121b8c6329371ef51be31

SHA1
1cc3551261614e65332487b2050fd41bed70bd11

SHA256
e27fe6bae04faaba2ff2b99e6bb612a5b6cdc7567677208a7a6ed82c1b36ef1f

SHA512
c8a852ffe62cbcf6af5be86ec43556dd2328a9d5478665974dba68130f961d207fd3d93dfad342fda15da00e6c75878f4e95d1f09e4d278f792bfb60d6c83ffa

Download Submit
C:\Program Files (x86)\Avira\VPN\en-US\Avira.VpnService.resources.dll

Filesize
20KB

MD5
5992773bb8a669fabae3e211d8c78d18

SHA1
18f31073260f545f7e70b54a41ba5cdab0f9e766

SHA256
79cdfb169e886a8d277227ef2be96041ccea2b4e8c77ae339efbe77f26ed63f6

SHA512
3821513767f6bd3bf35c65cde43608d843a526c33aa22fcd8e7744a0fac8bb564a8e93a8bf58027143613422f39f2141741dcfcd67cbc1d16567a1d00c5087c5

Download Submit
C:\Program Files (x86)\Avira\VPN\lrepacks.dll

Filesize
3KB

MD5
806d697d22bae29e300ef1c0cf0d4dfa

SHA1
d03676f772dc82e17acf2f1681f847bac015b260

SHA256
2bf947b782b448750b619ef75117efaf252538782f9e67c760b295f11affe1be

SHA512
568d28de46af2475f0b5bd9b0041c45a7f69c823f539d4d0eccf918877a02b7ecac4db1c0467bdb36d4de67fc3e98d36f362647d6ddaaace78f7e8b3b37d5d3e

Download Submit
C:\Program Files (x86)\Avira\VPN\vpn.shared.core.dll

Filesize
19KB

MD5
eb27f5e8937f4cf8b46391edb2d99d0d

SHA1
92f7b3bdca6445d6d34d85bf54a7e35d998a4365

SHA256
a03f591ee090e376ef80830beba9e5a6aeb1090000db6825832ff6e638661872

SHA512
34ada2524b6919766a1a9ad116ffeba62df6a8f3e805439aeebcaf09e434a6fe6d3a1337d3bb73049e22e5fb69322e3af93f049acea207f2255a43215734f7df

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.backup

Filesize
520B

MD5
2567aefaab51dd74cb8ef32a420ccfda

SHA1
bbaf74e284dc34900358a2923029b51958cf929a

SHA256
e3a344b64a511c2c5b4a94eaf932a3de8e35dd1a9ee14acec9799e397c4e963b

SHA512
f6cc645c07a25e2834be25a05a1a491ef66e3029d110848641ab56269caa071aaa10e0759642c0f31cfed82308cb89b2b13e645181eb0528a9332e8df8f0de62

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.config

Filesize
415B

MD5
4c80e60049f27cd39c60665a801eb514

SHA1
13232b6c83686c14002afaa1662e1db86481ceb0

SHA256
7ab90de6791fa1e6e6a67f8739dd651ed647f04d8a4e62662ce5b4d29ee7e2ee

SHA512
6f023dfff3610a8190d0165637368cec7cb3053509a57ac404dc37350b2d4c2c83e36e4a289da0b8114fc2120b283fc4bc97a84a69378b619fc9e4f11f91ef49

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.config

Filesize
6KB

MD5
3f3a39f6738d7cf88d8981e79c74eb17

SHA1
0b1a862323ed28c1d280ef28b958e216f71a545c

SHA256
6c3aaa82a01905ebac8111f773a2103ea1ea790a7b11d535e7e8661d13b67cc9

SHA512
85b0c96f0924a8b3d28d4fb70e795b64095a415d7b8986335d1bb8b1e3333a3eab29e897dec094bc74a90693f514f3fce8b2053b62c6ab9dde21ec8eb5fc3086

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
305B

MD5
62dbcb555774bbfcd7bc2653d42d560b

SHA1
61bed3e08ed8d88cac225bc1b245d7380e44db5b

SHA256
c4e1ab3cef51b0357bc199230b114c0d06aaabd2f4addf637a6a62414eb55c84

SHA512
8e5a00a52eed223662499995480c90b86ee44e89c1091afaae13183e5014ca832c618482f1d585e156a50eecd331d7e6cbe878065bf2b613affd556095a32235

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
305B

MD5
98e6c8253e7023dba3752ca2eb2e276d

SHA1
010f761b21997646d11b6403bfbdd79a8df92a48

SHA256
c6c74cbc16c7c3dcff515c8284b5917bbdb307c7cbce23df603591718534f7c2

SHA512
defef704e19c6f7b4f9f66a765040a07888b7423a52498ca9f2c24f4ae1a706c430fcdbebc4824cff263a4a62236c6ab3a60934094b711a496d6382efb943a39

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
381B

MD5
17a1e41343c72ffbb53fa1871f77df0b

SHA1
b687bc21fbd0d23a3acfe99a24f3dd4272a81159

SHA256
fa0e13d5378fcbc2a66a4634442904466531b89bfd2849ee08ed2516ac1b3924

SHA512
eea923466a8f0dc95115f8839edab28fddba7ea9af1d1049de73254bbe55627630a2b20543f0d2d93bd7c4a8114bf9bd9268c4541741fbd2a09fe4816ae1c94c

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
452B

MD5
bbe21548b52d1bf5222541de2e10abcc

SHA1
4d6d118b909808d923d2afb53c22d2621cda3b68

SHA256
81ab1d1dd23bc6c9a4e57839076f4905646183bccae04245a98a213d696edbfa

SHA512
b6d99977452eb98ff56e6df4483987b878dcfe4e9d4ccea80b89fef130513b088a6c0ce31b432e0138cf28c252f2e65da02c04aef2fb579627da43f5d920429c

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
600B

MD5
7b73b6d74430a9ae55fe2e2a2b50ff53

SHA1
f6dbea56151e7bec3469f82585685291dbcab489

SHA256
8660934cdcfb3204ac84942c265eda2036795fb24a37c9e31f0b7b19ed46c9c5

SHA512
db31c476934ca75ed91a55ca568cdd435bab53c2e779e47c3d9f363b99124b28531a81885dde5cac0a05bb37d00975e463d7678e2d7a303a6c62c5d12a2b8e42

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
813B

MD5
73b094223bc184de883bc89eab841ed6

SHA1
6dd6002849a1abb5ccca48e158148f4fb5eff9fb

SHA256
9b2c9320dcdf915d9c048999fef6adaf4611777bc5c7f91c234d01f8c5257407

SHA512
a06a6ac1c1224b59995f663ff4093d929969f12591c54fadc1876940004c87ffb4ba3f91948ba71e3489ae131423fbfd4f2dc9b5b1a79ebefda15b28fd1a4c18

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
814B

MD5
e8cca2c1f01a6a7bbca9902502031129

SHA1
f28f41c66edd7a61d57cad50eaafcd71968a2d1c

SHA256
2a428b1116bf73d8b46fe0a84162e498249aac1efe87db4bda92066e77b90391

SHA512
210ca63db706bcb9026e43cf381931e89ce57b9b6e08bf2df9bdc8c2327e53ef02e4c1028dbd16f4a4b97585eaa78390f97911fa157bb4c36bbb8df9b9976e70

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
814B

MD5
e6582b12b013aeb7bfc70f37574c3a3b

SHA1
90768c673038c9f553028d2b29fb58460bd68ab7

SHA256
99b4e98332e31215773452ca8dddd67482f122b242828c08f251c9bc2647d454

SHA512
dae00816216f17162e430cae2f4f5abe4951f99e75f769cf6f4b96e991c1d5498eef4d201c203bd3b8e63915aee023340e472adcd1f54e8afe265c05e7c41d78

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
814B

MD5
68a38ad59f5352ecce7ac50b718b8bbb

SHA1
a32dfdec2fd927dee0c03ac46c6b9da7730658d0

SHA256
a0b93297372e81a81d597394db39e8deae400afecf8772dae67331181ceb2f85

SHA512
a8e21e100be84d890e9a2d6acf9b7c1de229b41194a1a123510aebc99dd099d8b6529bf47398cd88eea1b6398d8cd0627a8545e07f0c01b3f25ed8380a2074a5

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
814B

MD5
dc3cfa3f09eaf86692682fd100a9bfbf

SHA1
12f1e961c9e75ccb31d5925be6224d0740e2916b

SHA256
bdc08c336245493b92cad39e7707491ef849b878166b43244f9d1d8cc79e4b18

SHA512
15e72d0e26797fafa1f43881426ae4bdc3e2999bc13542a0e63bfe09308a9b7dd1f6ce8d3a119500c158a5fa8ea07c58122ad4cda2fc01420cc79bdc7734ef64

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.config

Filesize
233B

MD5
1940984642456b4b7622d79d6770a58a

SHA1
9af13869c8384987df614e2e8039b712f09eb1be

SHA256
cf1600b2e8dc1148144faafa416fa2ec028bf6c2a614ad51a928193e89bbf7dc

SHA512
2384bc17f95880a5b79df17dfedf66dd3ff5739aa8a039ca74f9d0c17f4e72436b612989f1ba29bfcf6e265eb55f080e0b5f2a8b0f0529c75623d6fe3936a5e5

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.config

Filesize
263B

MD5
5ee56e651b4fe3b9e596cc89f093fd64

SHA1
b43dcb1dc9e07fd8e833dfb4a51e67528a014b55

SHA256
96a9694feb591bab4d96772113dd9f27c6321d326116e90e084a6f38055f7c33

SHA512
9724afe6298a5cee353988401db3c7ef78f9896e2571232e033b7df4d98ecba91baebb1f56ef9cc3b6b17d1b937e76ac8041d76340b0464ed2d6e4dab42ee724

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.config

Filesize
600B

MD5
f41e04c82a94c0e92a9077bd10f23b25

SHA1
fa31926f52608beb0cffd960f0700aeb93070e12

SHA256
e5c03c15da9d7f5f0d7b4af94472e96e73f2f469889e33065378bea55eb5c5b9

SHA512
69934a0b78657a3343c7322b5b798282a4832dcf779578230ac6c9a39ae1726db0a0729e20e2d62f101264cdcc8875142e66658bcebda49e911251cca0da41bf

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.config

Filesize
600B

MD5
6bb38cd762ff4e88e15c37b02fef7d2b

SHA1
a021d0cc8a8c484c849adc07d7c125438d668658

SHA256
af3a6d7be9ffee9164673b54bc8e3b71be830bff7289f45b24e868d6c67a5ab6

SHA512
40761851d3c676043f206cb99acb6b16a32caf6bd8d2716246c7dda38d251304fbc4280c49318ab1418891f38cfeac4b5d04f69c1a91fdc085167cbf7def969e

Download Submit
C:\ProgramData\Avira\VPN\vpndbg.log

Filesize
2KB

MD5
3c205a3e040b3b70bfd4b04995b0b2f1

SHA1
dcf21134311f78d68a7b17116c51aaa55dcd162d

SHA256
b59cbed8c3df074f37ec03743ad33f79d6994c4c768fccf55af872540d4a588a

SHA512
9baa079d28dc10dedbeb2efc9062d4eff16d80865ef57b0557f089c1ee4a31f1085329c991359f3374f689e1c972c3b5e8a8a6495d60bfa56f20de6ea273bd60

Download Submit
C:\ProgramData\Avira\VPN\vpndbg.log

Filesize
4KB

MD5
6ee79d77cf7ae719837b7cf7fd01a773

SHA1
b0b8cf9202bd94ced93465d475895dd250a6da88

SHA256
20e0d2392f7bdf981c9e0e1efc1e94f8e20bc2e723e5c32f8db2c74c7fdfb877

SHA512
0eaa7751b086f4f087a8f91d0d478e65423cc3a03c5c24ebaec1a4aea167ddc8ec5968805ff3f313d309a37a5a7d89ffd72ad79509e77c30941c49e355676dff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Avira.WebAppHost.exe.log

Filesize
2KB

MD5
9194cef6008fe04330d9d8073274d969

SHA1
2dffdd7f7ac4f4a67c03366a23e04c56044dc305

SHA256
cf3ddd4d9cac32a8eca4a6674e278ef46798eb01a4e90b43940a617d95dcbd8e

SHA512
a614ab1da6d4925456302e009c0e72ec79049a7fe4d8cae752821046639328700d2646cf98289dab342569f746a12b1b553f60b01554665f3b6eeb029d875c63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
ddf7d7f307a9bdf4292e4ce1fbc0b0fa

SHA1
5c6947cd7a8eaecf7a00972583ec1af05d04b869

SHA256
aa6df20f7115b40582aa944895377fea89d03f6eafb64d6b4a991d0ef2c9b21d

SHA512
a077d0e18e4d3de3fbdf2b68c31a4f3deaa0a3848b27e85275eea73c22d55da78d274b7d44e83c6109a242191deb387e05b0bcf22a6278a5f40920c1fe583394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a42657f127c81342150f5747eb5f2ae3

SHA1
78ea61b39726639bc04a9f6979150d5b6f247ca6

SHA256
d47c76bd0039aab447e093315ec4063888aa5c69c9386a492da6550b79051f80

SHA512
f3cc3c6e0e22e12d0f8ff43c7483d6b7af563da5ca5ee14bda65e1973da2c354967607845c6df3567d4e8d999d32c1ff25c89fda9687e1f54959e57442465aea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4c6dafd5efd35b814565352d7a5ec7cf

SHA1
a135e7d46b37fb3d4c3f5ea5402f41c175741deb

SHA256
030cbd0554b6e424fcf83ba511b904f18a869ec15d0f530ea29ea1483cc87bf6

SHA512
a701707426f52ee0bba270dd687db9de8bf63df50ef6ec0ebc78b763e16a29cde7239f0159639706b92c3887a6a57597dee5c9bea7d9499a68cebf3b2570e901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3b4ee2d89c20f0305cd8204b68741c47

SHA1
c06a532db1bc8a2ee14807e1d1c717d1a6cb2d4e

SHA256
f6de3da0382f625644ce2c9214b8286a39955191183a1010ce96b7db6e020231

SHA512
4d69c1844429e0122aa01cb0657a264f3953d03a7f85b50e9342c8890be5cb058f99afda61045227670d96efa95c005c5c09feefc3b1daf66f8a8e08b2e80a10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
57da6cbd15ab144e7cada376d388cf47

SHA1
61d3b8f7392cd9971569ff607d980814c340376f

SHA256
41362c6e40015779fe6ccb723a0f9e31852dfafc48db157c375b7475d07c26de

SHA512
bc52b641aea8b0417c73113c6a2c731bf1d7dc5e75bafa34992bece5cee4bc2c55d362452d19c134842c8b6d2e006123bb4c135acdedcdd6bab9bdef4fa3a28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DTLNS.tmp\ISTask.dll

Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DTLNS.tmp\VclStylesInno.dll

Filesize
3.0MB

MD5
b0ca93ceb050a2feff0b19e65072bbb5

SHA1
7ebbbbe2d2acd8fd516f824338d254a33b69f08d

SHA256
0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

SHA512
37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ISD92.tmp\Avira Phantom VPN 2.41.1.25731.tmp

Filesize
911KB

MD5
02c5691af81933ce36735946e3ed1ea4

SHA1
2faed8d51a0800f127e424bfba9d44bab6aee1b2

SHA256
e1f5e87796c015e567153db6b994a35a34b0819b1093d1ea12064ee35102c42d

SHA512
ebde4772c94f5199a2936f8fdbcf80e57d11a820276b1e1323fbcde6d192cd89bcc69a441cff17e26d688427fe05e62cc858e896c0647d93c9e2ebe74a6e6749

Download Submit
memory/424-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/424-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1316-1493-0x0000025D524C0000-0x0000025D52C66000-memory.dmp

Filesize
7.6MB

Download
memory/2776-82-0x0000000007940000-0x0000000007941000-memory.dmp

Filesize
4KB

Download
memory/2776-69-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-90-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2776-91-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2776-94-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2776-88-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2776-87-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2776-709-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2776-60-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-77-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-11-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2776-58-0x00000000078C0000-0x00000000078C1000-memory.dmp

Filesize
4KB

Download
memory/2776-81-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-17-0x0000000007180000-0x0000000007196000-memory.dmp

Filesize
88KB

Download
memory/2776-23-0x00000000073B0000-0x00000000076CA000-memory.dmp

Filesize
3.1MB

Download
memory/2776-57-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-59-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-61-0x00000000078D0000-0x00000000078D1000-memory.dmp

Filesize
4KB

Download
memory/2776-26-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-39-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-51-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-62-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-56-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-55-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/2776-63-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-54-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-64-0x00000000078E0000-0x00000000078E1000-memory.dmp

Filesize
4KB

Download
memory/2776-53-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-52-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/2776-67-0x00000000078F0000-0x00000000078F1000-memory.dmp

Filesize
4KB

Download
memory/2776-68-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-66-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-50-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-49-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/2776-48-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-31-0x0000000007830000-0x0000000007831000-memory.dmp

Filesize
4KB

Download
memory/2776-47-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-70-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/2776-46-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/2776-45-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-71-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-44-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-43-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/2776-72-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-42-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-73-0x0000000007910000-0x0000000007911000-memory.dmp

Filesize
4KB

Download
memory/2776-74-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-41-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-75-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-40-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/2776-78-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-38-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-79-0x0000000007930000-0x0000000007931000-memory.dmp

Filesize
4KB

Download
memory/2776-37-0x0000000007850000-0x0000000007851000-memory.dmp

Filesize
4KB

Download
memory/2776-36-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-89-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2776-35-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-80-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-1225-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2776-83-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-84-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-76-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/2776-65-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-27-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-25-0x0000000007810000-0x0000000007811000-memory.dmp

Filesize
4KB

Download
memory/2776-34-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/2776-33-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-28-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/2776-32-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-29-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/2776-30-0x00000000076D0000-0x0000000007810000-memory.dmp

Filesize
1.2MB

Download
memory/4248-1142-0x0000023BBA590000-0x0000023BBA63A000-memory.dmp

Filesize
680KB

Download
memory/4248-1457-0x0000023BBA550000-0x0000023BBA558000-memory.dmp

Filesize
32KB

Download
memory/4248-1128-0x0000023BBA3D0000-0x0000023BBA3D8000-memory.dmp

Filesize
32KB

Download
memory/4248-1129-0x0000023BBA3E0000-0x0000023BBA3E8000-memory.dmp

Filesize
32KB

Download
memory/4248-1133-0x0000023BBA430000-0x0000023BBA45E000-memory.dmp

Filesize
184KB

Download
memory/4248-1139-0x0000023BBA4A0000-0x0000023BBA4D6000-memory.dmp

Filesize
216KB

Download
memory/4248-1193-0x0000023BBA4F0000-0x0000023BBA4F8000-memory.dmp

Filesize
32KB

Download
memory/4248-1144-0x0000023BBA4E0000-0x0000023BBA4EA000-memory.dmp

Filesize
40KB

Download
memory/4248-1141-0x0000023BBA420000-0x0000023BBA428000-memory.dmp

Filesize
32KB

Download
memory/4248-1135-0x0000023BBA400000-0x0000023BBA410000-memory.dmp

Filesize
64KB

Download
memory/4248-1242-0x0000023BBA510000-0x0000023BBA518000-memory.dmp

Filesize
32KB

Download
memory/4248-1243-0x0000023BBA540000-0x0000023BBA548000-memory.dmp

Filesize
32KB

Download
memory/4248-1137-0x0000023BBA410000-0x0000023BBA41C000-memory.dmp

Filesize
48KB

Download
memory/4248-1276-0x0000023BBA700000-0x0000023BBA74A000-memory.dmp

Filesize
296KB

Download
memory/4248-1127-0x0000023BBA0D0000-0x0000023BBA0DE000-memory.dmp

Filesize
56KB

Download
memory/4248-1013-0x0000023BA00C0000-0x0000023BA0118000-memory.dmp

Filesize
352KB

Download
memory/4248-1120-0x0000023BBA0F0000-0x0000023BBA0FA000-memory.dmp

Filesize
40KB

Download
memory/4248-1115-0x0000023BBA090000-0x0000023BBA09C000-memory.dmp

Filesize
48KB

Download
memory/4248-1117-0x0000023BBA0C0000-0x0000023BBA0C8000-memory.dmp

Filesize
32KB

Download
memory/4248-1131-0x0000023BBA3F0000-0x0000023BBA3FC000-memory.dmp

Filesize
48KB

Download
memory/4248-1118-0x0000023BBA0E0000-0x0000023BBA0E8000-memory.dmp

Filesize
32KB

Download
memory/4248-1093-0x0000023BBA0A0000-0x0000023BBA0BE000-memory.dmp

Filesize
120KB

Download
memory/4248-1092-0x0000023BBA100000-0x0000023BBA176000-memory.dmp

Filesize
472KB

Download
memory/4248-1050-0x0000023BB9220000-0x0000023BB9230000-memory.dmp

Filesize
64KB

Download
memory/4248-1048-0x0000023BB92E0000-0x0000023BB92E8000-memory.dmp

Filesize
32KB

Download
memory/4248-1046-0x0000023BB92C0000-0x0000023BB92D6000-memory.dmp

Filesize
88KB

Download
memory/4248-1047-0x0000023BA0A00000-0x0000023BA0A08000-memory.dmp

Filesize
32KB

Download
memory/4248-1027-0x0000023BA09C0000-0x0000023BA09C8000-memory.dmp

Filesize
32KB

Download
memory/4248-1029-0x0000023BA09B0000-0x0000023BA09BC000-memory.dmp

Filesize
48KB

Download
memory/4248-1031-0x0000023BB92A0000-0x0000023BB92B4000-memory.dmp

Filesize
80KB

Download
memory/4248-1017-0x0000023BB9230000-0x0000023BB9266000-memory.dmp

Filesize
216KB

Download
memory/4248-1018-0x0000023BA0950000-0x0000023BA095A000-memory.dmp

Filesize
40KB

Download
memory/4248-1020-0x0000023BA0970000-0x0000023BA0978000-memory.dmp

Filesize
32KB

Download
memory/4248-1026-0x0000023BB9270000-0x0000023BB9292000-memory.dmp

Filesize
136KB

Download
memory/4248-1024-0x0000023BB9320000-0x0000023BB93D0000-memory.dmp

Filesize
704KB

Download
memory/4248-1022-0x0000023BB91F0000-0x0000023BB9214000-memory.dmp

Filesize
144KB

Download
memory/4248-1015-0x0000023BA0980000-0x0000023BA09AA000-memory.dmp

Filesize
168KB

Download
memory/4772-1121-0x0000016EB6270000-0x0000016EB633E000-memory.dmp

Filesize
824KB

Download