darkcomet | 201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
Size

9.2MB
MD5

8fcc43370d7bdc75cf0381164a6bee50
SHA1

af7c3b094d2c5cbd153b8fa6815418eb28d7ddbd
SHA256

201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9
SHA512

137a418afed97a79352a6981b91793bfecd9026f6b5bc45c5268ad60aa1d1d6e6095571bdec0a8103ce8087ec41ed5ae387b43c26ede02c91dea4962030e6368
SSDEEP

196608:ltqD/NMreh/CtTODi/hXFufhOAjXhC01/oicfjRx2g/6GN4Br:cVMmDi/ojFC0qicLR0gCG6V

Score

10^/10

darkcomet don discovery evasion persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

darkcomet

Botnet

don

victoire.dyndns.biz:62955

Mutex

DC_MUTEX-DUXZFBC

Attributes

gencode
pZpvGTDgPY6R
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2716	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AviraPhantomVPN\ImagePath = "\"C:\\Program Files (x86)\\Avira\\VPN\\Avira.VpnService.exe\""	VpnInstaller.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	bhmnlmvpxs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	bhmnlmvpxs.exe

Executes dropped EXE 9 IoCs

pid	Process
2664	Avira.Phantom.VPN.v2.28.6.26289.exe
540	VpnInstaller.exe
3000	tapinstall.exe
2040	Avira.VpnService.exe
580	Avira.WebAppHost.exe
2732	dako01fud.exe
540	bhmnlmvpxs.exe
1796	Avira.NetworkBlocker.exe
1544	RegSvcs.exe

Loads dropped DLL 43 IoCs

pid	Process
2364	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
2364	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
2364	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
2364	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
2664	Avira.Phantom.VPN.v2.28.6.26289.exe
2664	Avira.Phantom.VPN.v2.28.6.26289.exe
2664	Avira.Phantom.VPN.v2.28.6.26289.exe
2664	Avira.Phantom.VPN.v2.28.6.26289.exe
2664	Avira.Phantom.VPN.v2.28.6.26289.exe
2664	Avira.Phantom.VPN.v2.28.6.26289.exe
2664	Avira.Phantom.VPN.v2.28.6.26289.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
2664	Avira.Phantom.VPN.v2.28.6.26289.exe
2664	Avira.Phantom.VPN.v2.28.6.26289.exe
2664	Avira.Phantom.VPN.v2.28.6.26289.exe
2664	Avira.Phantom.VPN.v2.28.6.26289.exe
2664	Avira.Phantom.VPN.v2.28.6.26289.exe
2664	Avira.Phantom.VPN.v2.28.6.26289.exe
2364	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
2364	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
2364	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
2732	dako01fud.exe
2732	dako01fud.exe
2732	dako01fud.exe
2732	dako01fud.exe
540	bhmnlmvpxs.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\00117830 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\00117830\\start.vbs"	bhmnlmvpxs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dakosdfrrsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\00117830\\BHMNLM~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\00117830\\qemcqnq.ngs"	bhmnlmvpxs.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bhmnlmvpxs.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	Avira.VpnService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	Avira.VpnService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	Avira.VpnService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	Avira.VpnService.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 540 set thread context of 1544	540	bhmnlmvpxs.exe	63

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\Nearest.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\cz.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\ir.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\Templates\Template2.html	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\Templates\avira-icons.woff	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\gif\pulsar-progress.gif	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\bf.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\fi.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\gb.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira Operations GmbH & Co. KG\Avira Phantom VPN\Uninstall.ini	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\az.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\br.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\wifi.html	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\widgets\rate-5stars\rate.html	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\purchase\[email protected]	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\diagnostics.html	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\pt-BR\FSharp.Core.resources.dll	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\zm.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\css\vpn-1.0.0.min.css	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\gq.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\i386\phantomtap.sys	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\de.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\gp.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\wifi-disconnected-light.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\vi.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\js\vpn-1.0.0.js	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\privacy.html	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\Avira.Common.Core.dll	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\login.html	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\wifi-connected-dark.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\cx.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\gs.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\nr.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\to.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\uz.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\es-ES\Avira.VpnService.resources.dll	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\ServiceStack.Text.dll	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\widgets\rate-5stars\images\png\Star.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\Logo_pro.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\fonts\KievitWebPro-Medi.eot	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\gif\pulsar-green.gif	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\ca.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\status.html	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\Templates\KievitCompPro-Light.woff	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\Templates\images\alert.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\Defaults\ProductSettings.json	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\whitelabel_loc.html	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\PCLAppConfig.FileSystemStream.dll	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\ec.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe.config	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\Serilog.dll	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\ge.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\pa.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\pw.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\aw.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\fonts\ionicons.svg	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\sn.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\widgets\rate-5stars\images\png\[email protected]	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\fonts\avira-icons-regular-webfont.woff	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\Templates\images\lock.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\fo.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\lb.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\mg.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\ua.png	VpnInstaller.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\INF\oem0.PNF	tapinstall.exe
File created	C:\Windows\INF\oem1.PNF	tapinstall.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2108	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bhmnlmvpxs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	route.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dako01fud.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avira.NetworkBlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VpnInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avira.Phantom.VPN.v2.28.6.26289.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0005000000019456-63.dat	nsis_installer_1
behavioral1/files/0x0005000000019456-63.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Avira.VpnService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Avira.VpnService.exe

Modifies data under HKEY_USERS 45 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Avira.VpnService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Avira.VpnService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Avira.VpnService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Avira.VpnService.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "802e42feff714dd487bac6de0f7b219a588102cc"	Avira.VpnService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}	Avira.Phantom.VPN.v2.28.6.26289.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "1dc58c903a594687bd7e8f927d3206aebafcb98a"	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "c2a46113cbe7491f9c80a2aca034c0d434e839a7"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\machine = "aa4fd0d772e54ff08af7b9336647ea6aaa87725a"	Avira.VpnService.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Avira.VpnService.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
540	VpnInstaller.exe
2040	Avira.VpnService.exe
580	Avira.WebAppHost.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
2040	Avira.VpnService.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe
540	bhmnlmvpxs.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeRestorePrivilege	3000	tapinstall.exe
Token: SeRestorePrivilege	3000	tapinstall.exe
Token: SeRestorePrivilege	3000	tapinstall.exe
Token: SeRestorePrivilege	3000	tapinstall.exe
Token: SeRestorePrivilege	3000	tapinstall.exe
Token: SeRestorePrivilege	3000	tapinstall.exe
Token: SeRestorePrivilege	3000	tapinstall.exe
Token: SeDebugPrivilege	2040	Avira.VpnService.exe
Token: SeDebugPrivilege	580	Avira.WebAppHost.exe
Token: SeIncreaseQuotaPrivilege	1544	RegSvcs.exe
Token: SeSecurityPrivilege	1544	RegSvcs.exe
Token: SeTakeOwnershipPrivilege	1544	RegSvcs.exe
Token: SeLoadDriverPrivilege	1544	RegSvcs.exe
Token: SeSystemProfilePrivilege	1544	RegSvcs.exe
Token: SeSystemtimePrivilege	1544	RegSvcs.exe
Token: SeProfSingleProcessPrivilege	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: SeCreatePagefilePrivilege	1544	RegSvcs.exe
Token: SeBackupPrivilege	1544	RegSvcs.exe
Token: SeRestorePrivilege	1544	RegSvcs.exe
Token: SeShutdownPrivilege	1544	RegSvcs.exe
Token: SeDebugPrivilege	1544	RegSvcs.exe
Token: SeSystemEnvironmentPrivilege	1544	RegSvcs.exe
Token: SeChangeNotifyPrivilege	1544	RegSvcs.exe
Token: SeRemoteShutdownPrivilege	1544	RegSvcs.exe
Token: SeUndockPrivilege	1544	RegSvcs.exe
Token: SeManageVolumePrivilege	1544	RegSvcs.exe
Token: SeImpersonatePrivilege	1544	RegSvcs.exe
Token: SeCreateGlobalPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: 34	1544	RegSvcs.exe
Token: 35	1544	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1544	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2664	2364	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe	31
PID 2364 wrote to memory of 2664	2364	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe	31
PID 2364 wrote to memory of 2664	2364	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe	31
PID 2364 wrote to memory of 2664	2364	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe	31
PID 2364 wrote to memory of 2664	2364	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe	31
PID 2364 wrote to memory of 2664	2364	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe	31
PID 2364 wrote to memory of 2664	2364	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe	31
PID 2664 wrote to memory of 2716	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	32
PID 2664 wrote to memory of 2716	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	32
PID 2664 wrote to memory of 2716	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	32
PID 2664 wrote to memory of 2716	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	32
PID 2664 wrote to memory of 2716	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	32
PID 2664 wrote to memory of 2716	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	32
PID 2664 wrote to memory of 2716	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	32
PID 2664 wrote to memory of 2796	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	34
PID 2664 wrote to memory of 2796	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	34
PID 2664 wrote to memory of 2796	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	34
PID 2664 wrote to memory of 2796	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	34
PID 2664 wrote to memory of 2796	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	34
PID 2664 wrote to memory of 2796	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	34
PID 2664 wrote to memory of 2796	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	34
PID 2664 wrote to memory of 540	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	36
PID 2664 wrote to memory of 540	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	36
PID 2664 wrote to memory of 540	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	36
PID 2664 wrote to memory of 540	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	36
PID 2664 wrote to memory of 540	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	36
PID 2664 wrote to memory of 540	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	36
PID 2664 wrote to memory of 540	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	36
PID 540 wrote to memory of 3000	540	VpnInstaller.exe	38
PID 540 wrote to memory of 3000	540	VpnInstaller.exe	38
PID 540 wrote to memory of 3000	540	VpnInstaller.exe	38
PID 540 wrote to memory of 3000	540	VpnInstaller.exe	38
PID 540 wrote to memory of 2108	540	VpnInstaller.exe	40
PID 540 wrote to memory of 2108	540	VpnInstaller.exe	40
PID 540 wrote to memory of 2108	540	VpnInstaller.exe	40
PID 540 wrote to memory of 2108	540	VpnInstaller.exe	40
PID 540 wrote to memory of 2108	540	VpnInstaller.exe	40
PID 540 wrote to memory of 2108	540	VpnInstaller.exe	40
PID 540 wrote to memory of 2108	540	VpnInstaller.exe	40
PID 2664 wrote to memory of 300	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	43
PID 2664 wrote to memory of 300	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	43
PID 2664 wrote to memory of 300	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	43
PID 2664 wrote to memory of 300	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	43
PID 2664 wrote to memory of 300	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	43
PID 2664 wrote to memory of 300	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	43
PID 2664 wrote to memory of 300	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	43
PID 300 wrote to memory of 3064	300	net.exe	45
PID 300 wrote to memory of 3064	300	net.exe	45
PID 300 wrote to memory of 3064	300	net.exe	45
PID 300 wrote to memory of 3064	300	net.exe	45
PID 300 wrote to memory of 3064	300	net.exe	45
PID 300 wrote to memory of 3064	300	net.exe	45
PID 300 wrote to memory of 3064	300	net.exe	45
PID 2664 wrote to memory of 1588	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	47
PID 2664 wrote to memory of 1588	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	47
PID 2664 wrote to memory of 1588	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	47
PID 2664 wrote to memory of 1588	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	47
PID 2664 wrote to memory of 1588	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	47
PID 2664 wrote to memory of 1588	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	47
PID 2664 wrote to memory of 1588	2664	Avira.Phantom.VPN.v2.28.6.26289.exe	47
PID 1588 wrote to memory of 2308	1588	net.exe	49
PID 1588 wrote to memory of 2308	1588	net.exe	49
PID 1588 wrote to memory of 2308	1588	net.exe	49
PID 1588 wrote to memory of 2308	1588	net.exe	49

C:\Users\Admin\AppData\Local\Temp\201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
"C:\Users\Admin\AppData\Local\Temp\201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Program Files (x86)\Avira Operations GmbH & Co. KG\Avira Phantom VPN\Avira.Phantom.VPN.v2.28.6.26289.exe
  "C:\Program Files (x86)\Avira Operations GmbH & Co. KG\Avira Phantom VPN\Avira.Phantom.VPN.v2.28.6.26289.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\netsh.exe
    netsh.exe advfirewall firewall delete rule name="all" remoteip=95.141.193.133
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2716
- - C:\Windows\SysWOW64\route.exe
    route.exe delete 95.141.193.133
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2796
- - C:\Users\Admin\AppData\Local\Temp\nsyDC6C.tmp\VpnInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\nsyDC6C.tmp\VpnInstaller.exe" /S
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\amd64\tapinstall.exe
      "C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\amd64\tapinstall.exe" tap_remove "phantomtap"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      PID:3000
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" failure AviraPhantomVPN reset= 86400 actions= restart/5000/restart/10000//1000
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2108
- - C:\Windows\SysWOW64\net.exe
    net.exe stop AviraPhantomVPN
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AviraPhantomVPN
      4⤵
      System Location Discovery: System Language Discovery
      PID:3064
- - C:\Windows\SysWOW64\net.exe
    net.exe start AviraPhantomVPN
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start AviraPhantomVPN
      4⤵
      System Location Discovery: System Language Discovery
      PID:2308
- C:\Users\Admin\AppData\Roaming\dako01fud.exe
  "C:\Users\Admin\AppData\Roaming\dako01fud.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\00117830\bhmnlmvpxs.exe
    "C:\Users\Admin\AppData\Local\Temp\00117830\bhmnlmvpxs.exe" qemcqnq.ngs
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:540
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:772
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1760
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1672
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1912
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1080
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1132
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1544

C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe
"C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040
- C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe
  "C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe" delete
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1796

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe" /migrateSettings
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Avira Operations GmbH & Co. KG\Avira Phantom VPN\Avira.Phantom.VPN.v2.28.6.26289.exe

Filesize
7.5MB

MD5
9a1a105fde49554adb1416169756e0e8

SHA1
225ef5756f6ae585d1e8d11dfed42ca9b9d6df62

SHA256
9b87578cd4dd8d9112f46ae90632043615fa89aa1a5f4b0ae847911589694853

SHA512
1139643d6f0912b393a0b134cbcd66f8e8ac029919aa738ed709a09e518ddc43f3c918dbdf2af5808cd380750c6ea0b3de6caa7303d3d9c3411bfd44de00b36c

Download Submit
C:\Program Files (x86)\Avira\VPN\App\Views\Directives\features.html

Filesize
12KB

MD5
95d195a155c9d424d60e18fb6cdc8bc2

SHA1
289be7dd920df5d75840426ed08c51287ca974bf

SHA256
b97ae091304a77e5d819a794b9aa1626e25c80c2cb997ade4cf5e479ecb1f833

SHA512
26d97b9aa1ac6e377aa84b9b41cd2a8a7ea95ab18bfcf38f0d5535200ffd4cfc0ebdfe0bca62a32eb1c08359c904ea2810a6fbd16a7a21c9a47eb1626f98921a

Download Submit
C:\Program Files (x86)\Avira\VPN\App\Views\Directives\header.html

Filesize
853B

MD5
15e95ddd84b8b7ebbde343b8e22411d5

SHA1
8be7feb7a2e3c86b36813346f8499ee697561839

SHA256
de9975847f5557263eec5d98cfd7e2a525f18f04a528cb0880206a4ea62f8c89

SHA512
96d178e20f7b88066f9b329547413724c334a90485bad25119932f1a7dac109d439818452c3f1ae676533578030c740a3889c2ad0660a72ebb98cf9ea1feafc3

Download Submit
C:\Program Files (x86)\Avira\VPN\App\Views\Directives\location.html

Filesize
400B

MD5
53e041f4f6dcf6246fab53a4f180860e

SHA1
1545bd7dcd0ef0d41708200066c8565b8e32fb68

SHA256
8e61b3ca9e7080a6d666ec29355cf90349404152c983c3964bc0c3f8e5bb59ea

SHA512
0a19d6f5be93909a884e6daee02eb132872d1fb79d1ca53572c8799bdba375e647b7eedacb4922b8800485fbf458b0fd0f1a6dcca42c5c8d64d10b3b44400d91

Download Submit
C:\Program Files (x86)\Avira\VPN\App\Views\Directives\traffic.html

Filesize
231B

MD5
7f812658a2ea569bafc662b86f6acd51

SHA1
b6d55f875c930dbd9e7fd80a5551da1c79acbf65

SHA256
96c2deabc5c7c13937e6b471430558b096c4b23486d2370763a236e40df3086c

SHA512
b56ac9195f60cde94b62b6335ba00bff90e3cf23a3cd2059dcfc4befca54d54ecf705f923fd042aac40007821a8eae67e00d84d616897ce8b92c256d45f1fd08

Download Submit
C:\Program Files (x86)\Avira\VPN\App\css\vpn-1.0.0.css

Filesize
79KB

MD5
bf1f2ff6931a2c53664a1cfbda1d0a08

SHA1
77e20c24555b2ef39936033e23ff8bef2aa7fe85

SHA256
405e6a10183055962363907e6777091bb0c9dc1bfddc9bb79af8fe7263ed6fdf

SHA512
652ef6104f2524a1cc76ed1c7e4aa78c4598787d3c841e7a8dc2d222e1be4a5fe35465d4e98a63dc898ef6b41b0f2882dad369759be264536931bc6ce3f57ab8

Download Submit
C:\Program Files (x86)\Avira\VPN\App\css\vpn-1.0.0.min.css

Filesize
57KB

MD5
73fc31a0d916a4cd80e88ecebe51ea3a

SHA1
8ce84808c3d3c8555192c5c14ee72e7063d988b4

SHA256
fb3953800850c5d51239bc49d48fbf583daabd015fd697cac171525696eec07e

SHA512
1d3b424625c92ee3f759b16ab1ff428ef61d1f3047e0500d7ea27a7b26572dd0ffc96ef6028a2fd3ddaa883b1d59c3f2762676b112c8dfe640767ad1ed2fe242

Download Submit
C:\Program Files (x86)\Avira\VPN\App\images\png\VPN.png

Filesize
3KB

MD5
2ed8ee5abb189105e4366e46039808c6

SHA1
d4719e46452d1555d1ca854c44439019c1286d7a

SHA256
54486518290f7766543e5e000bd46958132055874296e45ac6178699b3d244e2

SHA512
ad0fbadf6630101fad21d31c58d823140d525f4a8de12fbad3443daead45f1b48c1558137c42c17b97d6bcb42b90908e257b2c343302d325585b92ac667b02b1

Download Submit
C:\Program Files (x86)\Avira\VPN\App\images\png\regions\no.png

Filesize
743B

MD5
d3b58f803a9a01a59210dd673998a229

SHA1
6caddb6c8e749e9c5b786a3984bb7bdbba2bafc5

SHA256
3cf52e677d7f7be201cbf6e3ec56ed1f48b95c47e5969ef2c2510e270133c4f0

SHA512
88aade4affd629926e473df3d26ecca5ba49c4b77da9343e58729cf3a2b1cd0b9d27d9e019018455bffd18b7a7570a5c14d918eff46deecc5821903f76094988

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Common.Core.dll

Filesize
81KB

MD5
66529a863632a34059b39423a395b2eb

SHA1
e45a2dadc30f3d4d01f8af47fc890aa12d403763

SHA256
10bb57d115b244a6e0db19d46930d613b585de60c292450a4145d5ae5d7109bb

SHA512
86a701a40dbfb3f83a05dd68e797e66d6a923582181df50eff6593d5a27fba7b725d25776c81f1a0ee2280e57ddb3055dd73acd82ae26a898776d09f495c2efe

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Messaging.dll

Filesize
45KB

MD5
02314a13c85328939ab1f94a8129161b

SHA1
fc294e41374e27e3f44e8e3a364323a0aefff233

SHA256
b0b370c7c18fd12ee9467909a231d5462ef22d9e7abec0a4ce57bdf6d4b6553c

SHA512
cb71b0eb83221f5e0843bd53af55378791fd8e48a7ed9342604432435825e80ff1a4a3b94462916c4a259c0fc33ac49d3cd4b974f76c42382f5392d285d1c102

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.TrialReset.exe

Filesize
183KB

MD5
43f3af8aa83a6b8d1e79a8fb4e344c54

SHA1
7e058ab6d60d1ae347035c54237856507a8d5673

SHA256
2025c58e3c211027c893acaf1c3154cd4fb734704bc8de69d791b620a8add7d4

SHA512
c3c270f067956432ebb18492ce99b4aa9b497a126339d3c852d257bcad3cf9d1f8ac9748ffa26b2289b40554c40b0ac8c673740afcf591336bd88e67ee6aab52

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VPN.Core.dll

Filesize
143KB

MD5
8953872ce7d04abcfe626304478e995c

SHA1
135d91864caef7d4f576f4710f1301c96b8e167d

SHA256
7b1c7bf24927e51d93ac1fdd8493df2c09cd09640a07cea0242b8bfacc61d149

SHA512
b3e9da53283e12ff68c6294e3c4e3bb55df2f37bd1eaee4ff87833d009f7e2545dc26194edca5829b6a6c6bf27813c00b11361fa7c3e83374657d8b146cdb373

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VPN.NotifierClient.dll

Filesize
27KB

MD5
ab53a374517faa444022ee42b6e03098

SHA1
b12875117e39ed9b58741e1522b29b81febfc235

SHA256
53709c4651de892c2c24dcab2819f3681b0c15024f1eca3cacaa0751b0ffa7b7

SHA512
275a67605d590ea46eb3b8fe169e62f373de3d714b37101ebe6a23bdcda13f2dda20f3ca20f72bb393de1edd0e0b3a2cc03952e8679be9d60055fca340f5101e

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe

Filesize
373KB

MD5
70b49c08e24f16528a4728beb12b153c

SHA1
38df5fbf15fc3e52300fea45ed4be5359587ddac

SHA256
901e7c6539c86f367d41a3e0355f08c93260e1b169b74f196a8ef67fb738d52a

SHA512
ef5dc8a983742085f8948e8bc87277d745d56223d5378d782efe425a0e06a1afb78ab6c7f17bbb405fac5a3ad67f81b4d594e1f146a39bf8b21091bf27f17b57

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe.config

Filesize
6KB

MD5
1b1535565652be6907811bd7a3035cf2

SHA1
90a2c8d197dd618fc1d0b4ed1d95c9ca40938174

SHA256
7cd74c9ac05823daffbeb89bebb6392f1180f3e3136ed5163ef4c02ff7056e2d

SHA512
0e4e7bd2016330d22b600667968b67f4c285f3c06dc2fbacbdc83790c7e31ca3f02062013fb4268f235de06412d6e429a40c58c75a1159d09ab87ce898ec1cb1

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe.config

Filesize
2KB

MD5
dc8317bbca5445236aa3bb82f84963b7

SHA1
ab856d220b047bce64ab657968a7742fa3e149e4

SHA256
efb1695a64024244d70aaac4455e5a3749aed245f7ccfc55370fa27b2e436831

SHA512
421102dcb0854d40a7b7e3739badea22f20615f2636e0885e5b91a4231cc5555893c97d5437e015c121bc12ea97de0e6d4e5a2a8314abadc9470155e6ae304f9

Download Submit
C:\Program Files (x86)\Avira\VPN\Defaults\ProductSettings.json

Filesize
1KB

MD5
874cae6f6bb5487a1b2a4a9fe02d544f

SHA1
d769e6814da1a5c588c595db49ae20432f823108

SHA256
0b582b307dc99b74850ead4708fef3209d0a52943857c3abd05f63d606de9fb6

SHA512
f3b69416297b4ca5a940cc738779453ce5f00927696958fe45e84ac022618215bcd3cc74bf635752fb7ce538443cd2227c0c040561159eb294211ae139f64be2

Download Submit
C:\Program Files (x86)\Avira\VPN\Messaging.dll

Filesize
35KB

MD5
a25956d47a10cd877e4a09343ef82cd5

SHA1
a6124da73ef08d739599423e4184edac0b997461

SHA256
7bf590f56f8e097b01cd1cc496d2d85ef2cc54803fcf7d0ab02d58aaa072f91d

SHA512
1994ba66dd554309cf4c97d2947abcdded66507c2beda9baa25fb90eaf40ff397d70bfc1bd1531a4eafaa69495ca5b1979f4f1ed7b4a91cd7ba95677fe94f20e

Download Submit
C:\Program Files (x86)\Avira\VPN\Newtonsoft.Json.dll

Filesize
668KB

MD5
de8257a9b2a736b15f2f942ed1e64392

SHA1
dd5072bf3c46d4f3b3f4339a8fbdede1e8cca02d

SHA256
7a5852c6e62efe55009ddcd75b88cdb7d16fddf47b684c5d638ba2a408901187

SHA512
02d177eaa0fdade4fdc5e2bfa5afeec101666422ec2fc0b0602dc3fe4ed5e5ea99568db580a9e50a677f4806a8b1de9f501d7b4d495b3a4fedb16938254c8c9b

Download Submit
C:\Program Files (x86)\Avira\VPN\Serilog.Sinks.File.dll

Filesize
35KB

MD5
f8076784ba6921883424cd8ee99e7a37

SHA1
9eb101f753c8cd2b04a55607eada86dac3b43430

SHA256
dca4cee96a2c83a768358a06d34efac551babb07ec2ca92338bcc302651c572e

SHA512
450e320be90bf505034aca84726695619873d7e6e6b11a1927826628c8ea697e17e8aa8bc7b441fabc032889ae3124e0716d6972ebc07bf7cc09943a73e2ca71

Download Submit
C:\Program Files (x86)\Avira\VPN\Serilog.dll

Filesize
129KB

MD5
07d1bdc3cc673b6049a4553fbf03d52b

SHA1
3c41d1838bc23f268eb444cba4390b042b0836df

SHA256
e103d413130745cbe587c18c2305d6254e49c8025f43125390e68a66038fdd8b

SHA512
b2489ffdf0cfa8803bb225b8f5d44cbe3dd6e009dfe26bdd6d2e60f462580451f57fabf07bdbaff278350d3d484854769dfab728efa17b0ca068d3407fbeed53

Download Submit
C:\Program Files (x86)\Avira\VPN\SharpRavenPortable.dll

Filesize
72KB

MD5
83cfd775579aec81d095d87a7d7434e8

SHA1
59965342456da6b307dd18f2e31f769fc0b4fba8

SHA256
608f72350b187749986c8fab79905764752a66b0b47ccba868229b03fa439e9b

SHA512
035a1b998356be5b1ed4ca637f521cbe348d9cd5576882b590097c4058512ad025bb974479f82e2d7c7a5fc8ab257792a48659a9e9340d6497f9e5cd0c5d33ae

Download Submit
C:\Program Files (x86)\Avira\VPN\VPN.Core.dll

Filesize
185KB

MD5
845b3a6481fb257dbe40d4299a0caf92

SHA1
7c871c272493c610f98ad72d0f6c6444132f9740

SHA256
2d3ff7a2c94d0d9dae400307080fdcddc38c111ffe896e4aa6fd9c955b654c70

SHA512
a8837a3e26678b672258af5343bd4afcf7f94d222c79dbe2be30b115c4a96bd5c716f223d5ff8ac9707e4b3297288bb574c900017802cbbb6d806b9aebc857e5

Download Submit
C:\Program Files (x86)\Avira\VPN\VPN.Shared.WIN.dll

Filesize
20KB

MD5
6b2b6959de910d335bfa3f3da3045227

SHA1
98551698e970d2d59f202ed88e53c4a36be42d2b

SHA256
49d8e911dd589a5177f96e7455d7508d187581e745168b349904910046043354

SHA512
2189d19938cec1f2d1971f8a42721a7a1dbc81bffaffa8b3450fc015685f529ec7dc010405352b17ad3f6739ae8ac75889d383ed34a1841ece571ea4f49eda9a

Download Submit
C:\Program Files (x86)\Avira\VPN\vpn.shared.core.dll

Filesize
18KB

MD5
696e5e4ddfe5ee707633eaa3133f6b43

SHA1
9b392b1a9833b0615716d0c81a319e868a55ddd1

SHA256
711e96fb4ab06ef937879e269f9204ccff33d8f4a27416fad714d7c0aa976d4a

SHA512
c4b72881896b3c1e823189f5e701d792116067c9ab924d0db91f879f6f09c88b31a69229704b82a5b010f3bc21bf5116980f1f05165cbbd86cb3baff78c1296f

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.backup

Filesize
295B

MD5
a5a335ce4b80924021fb68f7ad967004

SHA1
9430aadc92806982ab05c0e6c7e9dfc00380685a

SHA256
25b83ea28a540d49eb32b9d6569d31937a51071fe1e98f5aa1d7ac3416aa8848

SHA512
bb3751dc0dae49293526fa63c275a6941a36e3f61df1e661459bb84e5e4d8e51220bb7518a917f99b68d17590f9c9db606b68d52d792fd58356858e6e1651d97

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.backup

Filesize
375B

MD5
472bab993e04c92f5ca5ce18cabe3ece

SHA1
72e897be231da863a699179c345fa9ab3872da66

SHA256
c467e3f0f0d7d31cf55c9ce5ae35dd109c7426a1b0e312f4f480923ac18c0840

SHA512
4bc4a396999d341513fe728d245e86466d21160252570ca22e0626e91ff9156697ad757a0a41e13b017fe4017ef6ba639dac4723e8b53a25b5418f54be2ead57

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.backup

Filesize
531B

MD5
78a694673a562f43bdf13cd4ddb5e065

SHA1
04ea8d50a5fc6663d5fb33df017dc87aae7e1583

SHA256
771ea4d415e0d9867187b5ef2ecbab8a04351560e4f8eaf6d8525badef3623ae

SHA512
44d7a8ca102158d9ce94f7872b09fcc4a3e0d22ff5a26c695f7be2b601282b1c1240a639712ebe8f8651ac212d4cac1dbd833459740c3c517a4d01d521952362

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.backup

Filesize
871B

MD5
b8c68efa1befc766d6bc19fea0cc23d8

SHA1
d57edb50b158cd6bf6a618de93fdd1ff174ae7ad

SHA256
6983168f16840152a00fe462bf8beb93ef096b621fe427c8915f0185f826b5bb

SHA512
314755dd1399a60a1a06f819a9837daf0b4f9b66aab94029a82aebca19153f44c4625b39be92f07cf040c396c0ba1481838cc867b533812fda368d30160dce7e

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.config

Filesize
66B

MD5
44944cd590899045e3cdeb971fddd252

SHA1
33c584007e0df8fea3e677c6892d6b5549d1c94d

SHA256
cc05bd02cb929f5ef7a9362698d7794845899dd6510fd41eb5f0a95d708a68dc

SHA512
f4f4feec8c79599f41ce83371dd861fea9dd05aaa5211f5be53e2d61df154b6965db17ee8df952a8d8c864fa67aba5b9d1ef0f94608e42a50c057cfd82ccf5ed

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.config

Filesize
262B

MD5
02a3c88e21bd2cdf774c3ea08758b7f1

SHA1
8c58e3b16425bf2103d42069e7800c888a194b91

SHA256
291ed56031d965d67d3d05fa08341680bd9b4c33fca31abce28a43caf10f8f4a

SHA512
77317fe0a7350750c05149eec65a0842dafdd498d9e1390121c08ed50e9e1249c95f61aa712cd05937fd3fc4fd443e4fa2639030700f2c0fb039ab1efb15f9c6

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.config

Filesize
868B

MD5
24c02e75a9ad3a10a54e5ea5950aaf8a

SHA1
b879ff1ef1532db9367a7ebab5777af7223dc9ea

SHA256
b2e58002690b00126e5bc3cbc8cee24d6dfb396103b7ef2b8e107f88137081a7

SHA512
332690ecaea8e57299f20afe0af4175c338f708d089d0324b233a6c51f69aa538693c5ded85cfbd2d584823a60f581cdf3edeb6942892d40740296aa14d4eef4

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
388B

MD5
bbf5125fd6bd6983e5d51d286399832e

SHA1
6ed7333c7b8b7918ec7777757c3d3d8440484e97

SHA256
adf5acc3abeea3182abaa860325b62b550b98d606323c188375c049337e0021a

SHA512
9f916fc651100ccb5f7437fb3d01edddc2ae2a158e2dbcbd865291232f1791ca532f30eca242ed514da5df26d25a6c945a1b4d8fed646ceb8e7dbf8ed6460d41

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
752B

MD5
b546245445696aaed4e782fec0cf1ea6

SHA1
08bcf6c9622b7e21e482e680375289674adfa429

SHA256
19aadfd2a5abdb814ec1cebb24c4817649a6d7181a9202191b4a5c3d78ab3dad

SHA512
e28a50c2018829eb98228277dc00135be1ebbf5cf95e7a4681c480bb6d89f6360c376835efb4b45da50b40424dd6690fed9e6a2d03023954d57cf0fd3e3c1794

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.config

Filesize
233B

MD5
c832a55b0c5b4ab099435dfe4dbe7305

SHA1
bc7e9d6714f2da472b1ef978814fa86216ef3a2a

SHA256
62b2d3edcbe58d4c057c6b2a724b3a3c01d5c22e69a59e9aea8105022476c65b

SHA512
29bfa7d38fdc01af26d5acfc7a64b260a13a06a44a90ad72819717cd72532d87e2a41ad0277d82be8473d2296730a111236e8fbeb12d5fd1d73c637ee584c20e

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.config

Filesize
388B

MD5
a5de0b6750b45202c0f0ae4225983431

SHA1
91b90abd454ec29330a92e10136e07465dfd2ba9

SHA256
fa0acdec25c70c67bf5285bc5fa7db560bba94234c28a7d82b9a32b2f4270250

SHA512
7a634d8e2bc0c7193bda40c1f7769f5d4c2414be1d86c006e815554cde6e7c2e26cc1f7bc193e3367e498d405326aeb5f18e6973edbec683dcda1dde36230178

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

Filesize
1.0MB

MD5
89579d7c233794e63c2bac3ec0a26619

SHA1
50125cc27495fcef2edc99c0f35663ec5e2da21b

SHA256
c8800edc3c347af90b9858a7914059c70f072d6764de87d367dc4d6df69d6808

SHA512
6220ba6c5c42c10456b6782d6be97b6cd50cac1c7a6cf66741d95bd7aec9ebc059e83ca890f6384472db63a7d295dee4ed26165cfa5fab9cbdcc43498e37eb7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\00117830\bhmnlmvpxs.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Local\Temp\00117830\start.vbs

Filesize
206B

MD5
3bfe800717572523d057b7cc16630435

SHA1
a076bedefbe7ff57ba6b9a48e9b04c563eba4492

SHA256
8efc451a0d2579776e55501400299d4c3bf26ad7e671f77e29f43b4a3468c123

SHA512
af98c55bd5ed8bcbfb8bb1c53c776277d2efc7feae30b1c17ed831b5617ac7415c15b2c347ced49e754b9494ccb389bd5b7ec08c02e2cd7023834581ad173341

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyDC6C.tmp\NewTextreplace.dll

Filesize
10KB

MD5
6d57b2cc33721890cd11cc604805362e

SHA1
900c5fb5b7cd1194a25a80468076324dc6c03ac8

SHA256
86b6cb434a0491ea16bf480e6ad16c935d0668535da17aa7df0dc4392e10d74e

SHA512
0e0134b0e9b1e9cffd053bcf05a84b2d7420d85756b7208a27407966878a724e9c91d21ddcccb95c53e0d78f89230fe2cebb68d0f5530711b4c30c99aea803cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyDC6C.tmp\repackme.gif

Filesize
6KB

MD5
23d3840adb8f4f1efc083a1f7e640191

SHA1
adf0c7daa49637767b2abe2f390d1da4780eea9c

SHA256
82a1454402156d74f4f23c992d5d772b665546208eff44790871b8dcb36d2304

SHA512
7743a17141581ffa8023097678bf2eaf6db7d337af45052d00caba74f21f13e7ffa95097b629c3a28a3366eda873afdce240344adfdf7c0ef662a0ba0fe6db25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
30033b30d7782d73bff3b8a211cefa46

SHA1
e87350ae4967e29f563eadc6a6b13d05be502426

SHA256
3c6634b314719293f57b6ee44c497a764cba9581571d79b764d83cc1ef9a90e2

SHA512
f79c5682e75ea93d42e9496fda351634bd3e9aaa8f945e4ad77b7ff865237d8a6f3de75bc286f3f1b151e1ecada8b9cb503d82114b05369ef191973fe247f57e

Download Submit
C:\Users\Admin\AppData\Roaming\dako01fud.exe

Filesize
1.8MB

MD5
7d768d7481c429a6cc08edcaffb81431

SHA1
5ec0e7b013fd958cc72c757022136b00f496423e

SHA256
cc3462f899a23fa997c40d6c06a46cd17846de0ae9b4d93d7a708223f825fc5c

SHA512
77ecf3b4b09d64815a56bfaffaae3ddbbe09312ea69d917861e293708504722cb495fec5ca8ff74f4a97e142e9874e23fd10e0749ee83f1fa5bea9dd0f05ebbf

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\Temp\Cab32A4.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar32B9.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe

Filesize
821KB

MD5
d413cb41ea3d10d3861db1575edaf391

SHA1
427b8ccfb7fd45d76a94a72f9b2889b524011369

SHA256
e0e854376e454a2d5fbfa076bf32e8e8b1472e4614729be4b700aeb6593ceb59

SHA512
a7ea984c5d11596c282a13fb02a67473817817676cc4b855aac1afb190c9467678cb1179b4b446335cdbb16306746365ece17ff94ce4de53077d06b4e4b26658

Download Submit
\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\amd64\tapinstall.exe

Filesize
482KB

MD5
2b1bddf7f9d3190ff73563a41bcb72be

SHA1
8a522e9cb1007b922cec9e5ed2b70f01ff12cf0d

SHA256
85ab4bbb77ab248956d0da02ace1a2bc58ce6c6db9f421808ef03ed31bbcf3b6

SHA512
6a42ac53262c6bafc8d7a5ff225acb07754af8cf044f0135251d4b3cf983a53494d755052296cf49627b3bbe6acead3aa9bacc33b51d222a1d2a0fe6d2bb4f93

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA6D.tmp\FindProcDLL.dll

Filesize
3KB

MD5
75e7351a0f836b8659e6f315683c29f7

SHA1
66b733d1c978d68cadc245e7efbfcae32807429d

SHA256
7ffc549e7f679a08c77fa230654b77cdffb3444296bb7c6b8b5769db374b61ee

SHA512
f03400798b07ccca5e12fa119a586ee9444deb0d2419aced24d93fd84a4702d66864a71b40a11b04b1dbe56e36481cd6a644aec0347bc82bc7375b27bc403fe4

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA6D.tmp\INetC.dll

Filesize
21KB

MD5
92ec4dd8c0ddd8c4305ae1684ab65fb0

SHA1
d850013d582a62e502942f0dd282cc0c29c4310e

SHA256
5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

SHA512
581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA6D.tmp\System.dll

Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA6D.tmp\base64.dll

Filesize
40KB

MD5
ac6fb776262b63562c00374392fe1c55

SHA1
045dcad3edcd1c6865f5dea95ace35f4d9964b78

SHA256
7e10ef2723a50b7346449f8bb39efab8a99e2815d33d311ecb8112734f91519d

SHA512
2c511c5f2bb265fd247e43c47046a3cddad2b72a0fd3b35fcb70ab53d7fbc070d36eadd93c279680306d30d6ef5730fcbfed01195a85761ae571e2d324416ed5

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA6D.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA6D.tmp\nsProcess.dll

Filesize
70KB

MD5
9c452d3cb1f2b06c16467849755cd724

SHA1
35f2e9754e9dc226baa8b0cbf21db2b523248a73

SHA256
8f80ef429ce7c8a1ac7958ab36ec177f732dc924d14b21230da045e5ed1b255a

SHA512
438e406a18db363008776172e20f6422db71c5b1eaeb63f0a8100f05c5365f52ee177851c7710985b529e1b5fb2be2ac8142cc6e0ca08628054b6eabe063fea2

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA6D.tmp\nsisXML.dll

Filesize
12KB

MD5
9f3d5344e7ede1f41f99d8fc37fd01ad

SHA1
d0322ce3ba30a924daa1c9e322846a3d8ccda878

SHA256
77aa1a74a556f00f16baf9b94637fa997bd4085695ba81bf496223644e43e815

SHA512
2849b261b77fa2abf0d0efc7604ccce7f502d20a556eea9877cfe1cbc6d515d8fe41986943081629243b81987cddd54613ee01fc7859ae16eab57f6ca2cd4bfc

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA6D.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
\Users\Admin\AppData\Local\Temp\nsyDC6C.tmp\VpnInstaller.exe

Filesize
7.2MB

MD5
94e7257f1dcecb215abd34b2adb6d35c

SHA1
0ff59285603c6babbfeab77037201e4da71af466

SHA256
c4c462893ebe48a58030a71db03e7bc7caee854271882f3941dfeeadf71a219f

SHA512
60c7ecf25051a2cadfc5c7b6e01373c11eceb097db661485c94beeab0d8ad34b25bf19b6b6630ee4544f07090178262fcbc5afd6022ff331da52c301e23765b7

Download Submit
\Users\Admin\AppData\Local\Temp\nsyDC6C.tmp\newadvsplash.dll

Filesize
8KB

MD5
55a723e125afbc9b3a41d46f41749068

SHA1
01618b26fec6b8c6bdb866e6e4d0f7a0529fe97c

SHA256
0a70cc4b93d87ecd93e538cfbed7c9a4b8b5c6f1042c6069757bda0d1279ed06

SHA512
559157fa1b3eb6ae1f9c0f2c71ccc692a0a0affb1d6498a8b8db1436d236fd91891897ac620ed5a588beba2efa43ef064211a7fcadb5c3a3c5e2be1d23ef9d4c

Download Submit
\Users\Admin\AppData\Local\Temp\nsyDC6C.tmp\nsExec.dll

Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
memory/540-93-0x00000000003F0000-0x00000000003FB000-memory.dmp

Filesize
44KB

Download
memory/540-1120-0x00000000040F0000-0x0000000004149000-memory.dmp

Filesize
356KB

Download
memory/540-1165-0x0000000003180000-0x000000000318B000-memory.dmp

Filesize
44KB

Download
memory/580-1248-0x0000000000A40000-0x0000000000B0E000-memory.dmp

Filesize
824KB

Download
memory/1544-1586-0x00000000003B0000-0x00000000013B0000-memory.dmp

Filesize
16.0MB

Download
memory/1544-1585-0x00000000003B0000-0x00000000013B0000-memory.dmp

Filesize
16.0MB

Download
memory/1544-1584-0x00000000003B0000-0x00000000013B0000-memory.dmp

Filesize
16.0MB

Download
memory/1544-1582-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1544-1583-0x00000000003B0000-0x00000000013B0000-memory.dmp

Filesize
16.0MB

Download
memory/1544-1580-0x00000000003B0000-0x00000000013B0000-memory.dmp

Filesize
16.0MB

Download
memory/2040-1133-0x00000000007C0000-0x00000000007F2000-memory.dmp

Filesize
200KB

Download
memory/2040-1159-0x0000000000850000-0x0000000000858000-memory.dmp

Filesize
32KB

Download
memory/2040-1285-0x0000000001030000-0x000000000103E000-memory.dmp

Filesize
56KB

Download
memory/2040-1288-0x0000000001060000-0x0000000001068000-memory.dmp

Filesize
32KB

Download
memory/2040-1255-0x0000000001040000-0x000000000104C000-memory.dmp

Filesize
48KB

Download
memory/2040-1266-0x0000000001050000-0x000000000105A000-memory.dmp

Filesize
40KB

Download
memory/2040-1308-0x0000000001090000-0x000000000109C000-memory.dmp

Filesize
48KB

Download
memory/2040-1307-0x0000000001080000-0x0000000001088000-memory.dmp

Filesize
32KB

Download
memory/2040-1321-0x00000000194B0000-0x00000000194DC000-memory.dmp

Filesize
176KB

Download
memory/2040-1322-0x00000000010A0000-0x00000000010AE000-memory.dmp

Filesize
56KB

Download
memory/2040-1323-0x00000000194E0000-0x00000000194EC000-memory.dmp

Filesize
48KB

Download
memory/2040-1324-0x0000000019610000-0x0000000019646000-memory.dmp

Filesize
216KB

Download
memory/2040-1325-0x00000000194F0000-0x00000000194F8000-memory.dmp

Filesize
32KB

Download
memory/2040-1272-0x0000000001070000-0x0000000001078000-memory.dmp

Filesize
32KB

Download
memory/2040-1129-0x0000000000340000-0x00000000003A0000-memory.dmp

Filesize
384KB

Download
memory/2040-1341-0x0000000019500000-0x000000001950A000-memory.dmp

Filesize
40KB

Download
memory/2040-1250-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/2040-1235-0x0000000000F00000-0x0000000000F10000-memory.dmp

Filesize
64KB

Download
memory/2040-1357-0x0000000019F00000-0x0000000019F08000-memory.dmp

Filesize
32KB

Download
memory/2040-1161-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/2040-1131-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2040-1251-0x0000000000F20000-0x0000000000F28000-memory.dmp

Filesize
32KB

Download
memory/2040-1158-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/2040-1157-0x0000000000810000-0x0000000000826000-memory.dmp

Filesize
88KB

Download
memory/2040-1536-0x0000000019F90000-0x0000000019F98000-memory.dmp

Filesize
32KB

Download
memory/2040-1537-0x0000000019FA0000-0x0000000019FA8000-memory.dmp

Filesize
32KB

Download
memory/2040-1144-0x0000000000690000-0x00000000006A8000-memory.dmp

Filesize
96KB

Download
memory/2040-1564-0x000000001A510000-0x000000001A518000-memory.dmp

Filesize
32KB

Download
memory/2040-1565-0x000000001A500000-0x000000001A508000-memory.dmp

Filesize
32KB

Download
memory/2040-1566-0x000000001A620000-0x000000001A628000-memory.dmp

Filesize
32KB

Download
memory/2040-1567-0x000000001A770000-0x000000001A778000-memory.dmp

Filesize
32KB

Download
memory/2040-1568-0x000000001A630000-0x000000001A638000-memory.dmp

Filesize
32KB

Download
memory/2040-1569-0x000000001A640000-0x000000001A648000-memory.dmp

Filesize
32KB

Download
memory/2040-1142-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2040-1140-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/2040-1138-0x0000000000DD0000-0x0000000000E7A000-memory.dmp

Filesize
680KB

Download
memory/2040-1136-0x0000000000520000-0x0000000000544000-memory.dmp

Filesize
144KB

Download
memory/2040-1134-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2364-1477-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2364-1333-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2364-62-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download