darkcomet | 201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9

Analysis

max time kernel
120s
max time network
93s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
Size

9.2MB
MD5

8fcc43370d7bdc75cf0381164a6bee50
SHA1

af7c3b094d2c5cbd153b8fa6815418eb28d7ddbd
SHA256

201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9
SHA512

137a418afed97a79352a6981b91793bfecd9026f6b5bc45c5268ad60aa1d1d6e6095571bdec0a8103ce8087ec41ed5ae387b43c26ede02c91dea4962030e6368
SSDEEP

196608:ltqD/NMreh/CtTODi/hXFufhOAjXhC01/oicfjRx2g/6GN4Br:cVMmDi/ojFC0qicLR0gCG6V

Score

10^/10

darkcomet don discovery evasion persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

darkcomet

Botnet

don

victoire.dyndns.biz:62955

Mutex

DC_MUTEX-DUXZFBC

Attributes

gencode
pZpvGTDgPY6R
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2304 netsh.exe

pid	process
2304	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

VpnInstaller.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AviraPhantomVPN\ImagePath = "\"C:\\Program Files (x86)\\Avira\\VPN\\Avira.VpnService.exe\""	VpnInstaller.exe

Drops startup file 2 IoCs

Processes:

bhmnlmvpxs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	bhmnlmvpxs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	bhmnlmvpxs.exe

Executes dropped EXE 9 IoCs

Processes:

Avira.Phantom.VPN.v2.28.6.26289.exeVpnInstaller.exetapinstall.exeAvira.VpnService.exeAvira.WebAppHost.exedako01fud.exebhmnlmvpxs.exeAvira.NetworkBlocker.exeRegSvcs.exe

pid	process
2840	Avira.Phantom.VPN.v2.28.6.26289.exe
1184	VpnInstaller.exe
2620	tapinstall.exe
2776	Avira.VpnService.exe
2408	Avira.WebAppHost.exe
2792	dako01fud.exe
1756	bhmnlmvpxs.exe
1944	Avira.NetworkBlocker.exe
2188	RegSvcs.exe

Loads dropped DLL 43 IoCs

Processes:

201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exeAvira.Phantom.VPN.v2.28.6.26289.exeVpnInstaller.exedako01fud.exebhmnlmvpxs.exe

pid	process
2956	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
2956	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
2956	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
2956	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
2840	Avira.Phantom.VPN.v2.28.6.26289.exe
2840	Avira.Phantom.VPN.v2.28.6.26289.exe
2840	Avira.Phantom.VPN.v2.28.6.26289.exe
2840	Avira.Phantom.VPN.v2.28.6.26289.exe
2840	Avira.Phantom.VPN.v2.28.6.26289.exe
2840	Avira.Phantom.VPN.v2.28.6.26289.exe
2840	Avira.Phantom.VPN.v2.28.6.26289.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
2840	Avira.Phantom.VPN.v2.28.6.26289.exe
2840	Avira.Phantom.VPN.v2.28.6.26289.exe
2840	Avira.Phantom.VPN.v2.28.6.26289.exe
2840	Avira.Phantom.VPN.v2.28.6.26289.exe
2840	Avira.Phantom.VPN.v2.28.6.26289.exe
2840	Avira.Phantom.VPN.v2.28.6.26289.exe
2956	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
2956	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
2956	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
2792	dako01fud.exe
2792	dako01fud.exe
2792	dako01fud.exe
2792	dako01fud.exe
1756	bhmnlmvpxs.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bhmnlmvpxs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\00117830 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\00117830\\start.vbs"	bhmnlmvpxs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dakosdfrrsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\00117830\\BHMNLM~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\00117830\\qemcqnq.ngs"	bhmnlmvpxs.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

bhmnlmvpxs.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bhmnlmvpxs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bhmnlmvpxs.exe

Drops file in System32 directory 4 IoCs

Processes:

Avira.VpnService.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	Avira.VpnService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	Avira.VpnService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	Avira.VpnService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	Avira.VpnService.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

bhmnlmvpxs.exe

description pid process target process

PID 1756 set thread context of 2188 1756 bhmnlmvpxs.exe RegSvcs.exe

description	pid	process	target process
PID 1756 set thread context of 2188	1756	bhmnlmvpxs.exe	RegSvcs.exe

Drops file in Program Files directory 64 IoCs

Processes:

VpnInstaller.exe201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe

description	ioc	process
File created	C:\Program Files (x86)\Avira\VPN\Messaging.dll	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\[email protected]	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\bo.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\bw.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\ls.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\vi.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\vpn.shared.core.dll	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\de.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\ht.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\Avira.Acp.Common.dll	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\pulsarGreen.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\dj.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\sc.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\Templates\Template0.html	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\bd.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\subscription_terms.html	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\Templates\images\FTU-gfx-screen-2.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\uz.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\OpenVpn\phantomvpn.exe	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\purchase\mac_Black.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\cz.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\ee.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\gt.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\nz.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\tj.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\register.html	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira Operations GmbH & Co. KG\Avira Phantom VPN\Uninstall.ini	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
File created	C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\amd64\tapinstall.exe	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\fj.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\fr.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\ge.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\gr.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\Templates\images\vpn-gray.svg	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\gif\pulsar-active-pro.gif	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\at.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\widgets\rate-5stars\images\png\[email protected]	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\wifi-connected-dark.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\bf.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\cg.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\gl.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\Templates\images\alert.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\OpenVpn\libpkcs11-helper-1.dll	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\VPN.Shared.WIN.dll	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\be.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\no.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\trial.html	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\uy.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\fr-FR\Avira.VpnService.resources.dll	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\amd64\phantomtap.cat	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\package.json	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\[email protected]	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\three-blue-stars.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\mc.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\sk.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\gf.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\svg\us.svg	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\Templates\TemplateVpn2.html	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\pm.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\ye.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\Templates\notifier.css	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\FSharp.Core.dll	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\Nearest.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\pg.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\uninstaller.exe	VpnInstaller.exe

Drops file in Windows directory 2 IoCs

Processes:

tapinstall.exe

description ioc process

File created C:\Windows\INF\oem0.PNF tapinstall.exe
File created C:\Windows\INF\oem1.PNF tapinstall.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1136 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\INF\oem0.PNF	tapinstall.exe
File created	C:\Windows\INF\oem1.PNF	tapinstall.exe

pid	process
1136	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mshta.exemshta.exeAvira.Phantom.VPN.v2.28.6.26289.exenetsh.exenet1.exemshta.exemshta.exeAvira.NetworkBlocker.exemshta.exeRegSvcs.exesc.exenet.exenet1.exenet.exebhmnlmvpxs.exe201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exeroute.exemshta.exeVpnInstaller.exedako01fud.exemshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avira.Phantom.VPN.v2.28.6.26289.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avira.NetworkBlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bhmnlmvpxs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	route.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VpnInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dako01fud.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsy717A.tmp\VpnInstaller.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\nsy717A.tmp\VpnInstaller.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Avira.VpnService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Avira.VpnService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Avira.VpnService.exe

Modifies data under HKEY_USERS 45 IoCs

Processes:

Avira.VpnService.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	Avira.VpnService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Avira.VpnService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Avira.VpnService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Avira.VpnService.exe

Modifies registry class 6 IoCs

Processes:

Avira.VpnService.exeAvira.Phantom.VPN.v2.28.6.26289.exeAvira.WebAppHost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "fca2b673bc9745809a89a39aa8c4b245102b44ae"	Avira.VpnService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}	Avira.Phantom.VPN.v2.28.6.26289.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "90ce5e5abfb34715b806496758f60a024e595262"	Avira.VpnService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\vpnclient = "9275eeab30cd4b69880c6f5399807ed639891662"	Avira.WebAppHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\machine = "4233f1b5c2e54f8d948fd79380164287c6a2efec"	Avira.VpnService.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Avira.VpnService.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Avira.VpnService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Avira.VpnService.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

VpnInstaller.exeAvira.VpnService.exeAvira.WebAppHost.exebhmnlmvpxs.exe

pid	process
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
1184	VpnInstaller.exe
2776	Avira.VpnService.exe
2408	Avira.WebAppHost.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
2776	Avira.VpnService.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe
1756	bhmnlmvpxs.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

tapinstall.exeAvira.VpnService.exeAvira.WebAppHost.exeRegSvcs.exe

description	pid	process
Token: SeRestorePrivilege	2620	tapinstall.exe
Token: SeRestorePrivilege	2620	tapinstall.exe
Token: SeRestorePrivilege	2620	tapinstall.exe
Token: SeRestorePrivilege	2620	tapinstall.exe
Token: SeRestorePrivilege	2620	tapinstall.exe
Token: SeRestorePrivilege	2620	tapinstall.exe
Token: SeRestorePrivilege	2620	tapinstall.exe
Token: SeDebugPrivilege	2776	Avira.VpnService.exe
Token: SeDebugPrivilege	2408	Avira.WebAppHost.exe
Token: SeIncreaseQuotaPrivilege	2188	RegSvcs.exe
Token: SeSecurityPrivilege	2188	RegSvcs.exe
Token: SeTakeOwnershipPrivilege	2188	RegSvcs.exe
Token: SeLoadDriverPrivilege	2188	RegSvcs.exe
Token: SeSystemProfilePrivilege	2188	RegSvcs.exe
Token: SeSystemtimePrivilege	2188	RegSvcs.exe
Token: SeProfSingleProcessPrivilege	2188	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2188	RegSvcs.exe
Token: SeCreatePagefilePrivilege	2188	RegSvcs.exe
Token: SeBackupPrivilege	2188	RegSvcs.exe
Token: SeRestorePrivilege	2188	RegSvcs.exe
Token: SeShutdownPrivilege	2188	RegSvcs.exe
Token: SeDebugPrivilege	2188	RegSvcs.exe
Token: SeSystemEnvironmentPrivilege	2188	RegSvcs.exe
Token: SeChangeNotifyPrivilege	2188	RegSvcs.exe
Token: SeRemoteShutdownPrivilege	2188	RegSvcs.exe
Token: SeUndockPrivilege	2188	RegSvcs.exe
Token: SeManageVolumePrivilege	2188	RegSvcs.exe
Token: SeImpersonatePrivilege	2188	RegSvcs.exe
Token: SeCreateGlobalPrivilege	2188	RegSvcs.exe
Token: 33	2188	RegSvcs.exe
Token: 34	2188	RegSvcs.exe
Token: 35	2188	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

2188 RegSvcs.exe

pid	process
2188	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exeAvira.Phantom.VPN.v2.28.6.26289.exeVpnInstaller.exenet.exenet.exe

description	pid	process	target process
PID 2956 wrote to memory of 2840	2956	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe	Avira.Phantom.VPN.v2.28.6.26289.exe
PID 2956 wrote to memory of 2840	2956	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe	Avira.Phantom.VPN.v2.28.6.26289.exe
PID 2956 wrote to memory of 2840	2956	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe	Avira.Phantom.VPN.v2.28.6.26289.exe
PID 2956 wrote to memory of 2840	2956	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe	Avira.Phantom.VPN.v2.28.6.26289.exe
PID 2956 wrote to memory of 2840	2956	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe	Avira.Phantom.VPN.v2.28.6.26289.exe
PID 2956 wrote to memory of 2840	2956	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe	Avira.Phantom.VPN.v2.28.6.26289.exe
PID 2956 wrote to memory of 2840	2956	201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe	Avira.Phantom.VPN.v2.28.6.26289.exe
PID 2840 wrote to memory of 2304	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	netsh.exe
PID 2840 wrote to memory of 2304	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	netsh.exe
PID 2840 wrote to memory of 2304	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	netsh.exe
PID 2840 wrote to memory of 2304	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	netsh.exe
PID 2840 wrote to memory of 2304	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	netsh.exe
PID 2840 wrote to memory of 2304	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	netsh.exe
PID 2840 wrote to memory of 2304	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	netsh.exe
PID 2840 wrote to memory of 2900	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	route.exe
PID 2840 wrote to memory of 2900	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	route.exe
PID 2840 wrote to memory of 2900	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	route.exe
PID 2840 wrote to memory of 2900	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	route.exe
PID 2840 wrote to memory of 2900	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	route.exe
PID 2840 wrote to memory of 2900	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	route.exe
PID 2840 wrote to memory of 2900	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	route.exe
PID 2840 wrote to memory of 1184	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	VpnInstaller.exe
PID 2840 wrote to memory of 1184	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	VpnInstaller.exe
PID 2840 wrote to memory of 1184	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	VpnInstaller.exe
PID 2840 wrote to memory of 1184	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	VpnInstaller.exe
PID 2840 wrote to memory of 1184	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	VpnInstaller.exe
PID 2840 wrote to memory of 1184	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	VpnInstaller.exe
PID 2840 wrote to memory of 1184	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	VpnInstaller.exe
PID 1184 wrote to memory of 2620	1184	VpnInstaller.exe	tapinstall.exe
PID 1184 wrote to memory of 2620	1184	VpnInstaller.exe	tapinstall.exe
PID 1184 wrote to memory of 2620	1184	VpnInstaller.exe	tapinstall.exe
PID 1184 wrote to memory of 2620	1184	VpnInstaller.exe	tapinstall.exe
PID 1184 wrote to memory of 1136	1184	VpnInstaller.exe	sc.exe
PID 1184 wrote to memory of 1136	1184	VpnInstaller.exe	sc.exe
PID 1184 wrote to memory of 1136	1184	VpnInstaller.exe	sc.exe
PID 1184 wrote to memory of 1136	1184	VpnInstaller.exe	sc.exe
PID 1184 wrote to memory of 1136	1184	VpnInstaller.exe	sc.exe
PID 1184 wrote to memory of 1136	1184	VpnInstaller.exe	sc.exe
PID 1184 wrote to memory of 1136	1184	VpnInstaller.exe	sc.exe
PID 2840 wrote to memory of 1480	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	net.exe
PID 2840 wrote to memory of 1480	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	net.exe
PID 2840 wrote to memory of 1480	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	net.exe
PID 2840 wrote to memory of 1480	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	net.exe
PID 2840 wrote to memory of 1480	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	net.exe
PID 2840 wrote to memory of 1480	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	net.exe
PID 2840 wrote to memory of 1480	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	net.exe
PID 1480 wrote to memory of 2484	1480	net.exe	net1.exe
PID 1480 wrote to memory of 2484	1480	net.exe	net1.exe
PID 1480 wrote to memory of 2484	1480	net.exe	net1.exe
PID 1480 wrote to memory of 2484	1480	net.exe	net1.exe
PID 1480 wrote to memory of 2484	1480	net.exe	net1.exe
PID 1480 wrote to memory of 2484	1480	net.exe	net1.exe
PID 1480 wrote to memory of 2484	1480	net.exe	net1.exe
PID 2840 wrote to memory of 1704	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	net.exe
PID 2840 wrote to memory of 1704	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	net.exe
PID 2840 wrote to memory of 1704	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	net.exe
PID 2840 wrote to memory of 1704	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	net.exe
PID 2840 wrote to memory of 1704	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	net.exe
PID 2840 wrote to memory of 1704	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	net.exe
PID 2840 wrote to memory of 1704	2840	Avira.Phantom.VPN.v2.28.6.26289.exe	net.exe
PID 1704 wrote to memory of 1684	1704	net.exe	net1.exe
PID 1704 wrote to memory of 1684	1704	net.exe	net1.exe
PID 1704 wrote to memory of 1684	1704	net.exe	net1.exe
PID 1704 wrote to memory of 1684	1704	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe
"C:\Users\Admin\AppData\Local\Temp\201a2a3fea59997395e53238d65ea07d7b5818dd7c2d6462420bf3c0b63cfed9N.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Program Files (x86)\Avira Operations GmbH & Co. KG\Avira Phantom VPN\Avira.Phantom.VPN.v2.28.6.26289.exe
  "C:\Program Files (x86)\Avira Operations GmbH & Co. KG\Avira Phantom VPN\Avira.Phantom.VPN.v2.28.6.26289.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\netsh.exe
    netsh.exe advfirewall firewall delete rule name="all" remoteip=95.141.193.133
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2304
- - C:\Windows\SysWOW64\route.exe
    route.exe delete 95.141.193.133
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2900
- - C:\Users\Admin\AppData\Local\Temp\nsy717A.tmp\VpnInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\nsy717A.tmp\VpnInstaller.exe" /S
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\amd64\tapinstall.exe
      "C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\amd64\tapinstall.exe" tap_remove "phantomtap"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      PID:2620
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" failure AviraPhantomVPN reset= 86400 actions= restart/5000/restart/10000//1000
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1136
- - C:\Windows\SysWOW64\net.exe
    net.exe stop AviraPhantomVPN
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AviraPhantomVPN
      4⤵
      System Location Discovery: System Language Discovery
      PID:2484
- - C:\Windows\SysWOW64\net.exe
    net.exe start AviraPhantomVPN
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start AviraPhantomVPN
      4⤵
      System Location Discovery: System Language Discovery
      PID:1684
- C:\Users\Admin\AppData\Roaming\dako01fud.exe
  "C:\Users\Admin\AppData\Roaming\dako01fud.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\00117830\bhmnlmvpxs.exe
    "C:\Users\Admin\AppData\Local\Temp\00117830\bhmnlmvpxs.exe" qemcqnq.ngs
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1756
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:756
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1264
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1740
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2240
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2060
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1984
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2188

C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe
"C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776
- C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe
  "C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe" delete
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1944

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe" /migrateSettings
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Avira\VPN\App\Views\Directives\features.html

Filesize
12KB

MD5
6129045d8395118e0461bee63653e7dd

SHA1
cdacd7cc7b6d98e8e9fa414d665eb109f5c5d8ee

SHA256
aa18654380251928f3b679328cd0f2918f9bf684319bd7d5603f7365604936d7

SHA512
6947a485209e647914d1d6eb799d027c7d6e7149176b27e2829696e38eeaa78562e001258884e9a67647955f7fd37cbd7c166e50a33dda319c3db2577cd95475

Download Submit
C:\Program Files (x86)\Avira\VPN\App\Views\Directives\header.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Avira\VPN\App\Views\Directives\location.html

Filesize
795B

MD5
471f9b763e3129386cff81dd0d14235c

SHA1
fe6b0b9e17f2fb08597f9dd572e913d5ac5ea4bf

SHA256
b40e6e4aac10877a3fe412119be34561635e6a1393de6708f4d9f82ce30d618a

SHA512
40acef3d3e44cd4d0f3db4d1e9fe9132f5384cf9f97889c5a7db8a63c9b81dbac2c3763d82fbcecee91e538e90638805bf00c093ba49c9c8ce36f5e173c07cc6

Download Submit
C:\Program Files (x86)\Avira\VPN\App\Views\Directives\traffic.html

Filesize
231B

MD5
8461dcec2ef09944185468a19b72d3e5

SHA1
516100c8d0cdba4c5a6712e9cb4bfe7d038037a9

SHA256
6081945d3e6eb2d7e388abe4bf9e23fabfd550009dc490c263d5f6d60f099640

SHA512
7914228be8820374e1644375e592cab936097861bf426682ca036c4aeee22942c5c5f187e0cb0d9ea9853c4f6e856b2ac0c85bbb543a4e2e656b74d58f11303b

Download Submit
C:\Program Files (x86)\Avira\VPN\App\css\vpn-1.0.0.css

Filesize
79KB

MD5
d0d346c511e83901c2f6fa84f2da10eb

SHA1
b71208cba377a8539fcf1ec992dfae80b9cec40f

SHA256
1e32dddfcd1f5891c54781d7b8c7841c0f220489eec3906f3e7a505ea9896cdf

SHA512
4d87767c9dc4a45e6e7c60e0dd22195fe7344fe5f8e82db476d72a199703f54ce90404c385a381495188de39aa9876ec76573685ab537a936646c6460c3f6c0b

Download Submit
C:\Program Files (x86)\Avira\VPN\App\css\vpn-1.0.0.min.css

Filesize
57KB

MD5
73fc31a0d916a4cd80e88ecebe51ea3a

SHA1
8ce84808c3d3c8555192c5c14ee72e7063d988b4

SHA256
fb3953800850c5d51239bc49d48fbf583daabd015fd697cac171525696eec07e

SHA512
1d3b424625c92ee3f759b16ab1ff428ef61d1f3047e0500d7ea27a7b26572dd0ffc96ef6028a2fd3ddaa883b1d59c3f2762676b112c8dfe640767ad1ed2fe242

Download Submit
C:\Program Files (x86)\Avira\VPN\App\images\png\VPN.png

Filesize
3KB

MD5
2ed8ee5abb189105e4366e46039808c6

SHA1
d4719e46452d1555d1ca854c44439019c1286d7a

SHA256
54486518290f7766543e5e000bd46958132055874296e45ac6178699b3d244e2

SHA512
ad0fbadf6630101fad21d31c58d823140d525f4a8de12fbad3443daead45f1b48c1558137c42c17b97d6bcb42b90908e257b2c343302d325585b92ac667b02b1

Download Submit
C:\Program Files (x86)\Avira\VPN\App\images\png\regions\no.png

Filesize
743B

MD5
d3b58f803a9a01a59210dd673998a229

SHA1
6caddb6c8e749e9c5b786a3984bb7bdbba2bafc5

SHA256
3cf52e677d7f7be201cbf6e3ec56ed1f48b95c47e5969ef2c2510e270133c4f0

SHA512
88aade4affd629926e473df3d26ecca5ba49c4b77da9343e58729cf3a2b1cd0b9d27d9e019018455bffd18b7a7570a5c14d918eff46deecc5821903f76094988

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Common.Core.dll

Filesize
81KB

MD5
66529a863632a34059b39423a395b2eb

SHA1
e45a2dadc30f3d4d01f8af47fc890aa12d403763

SHA256
10bb57d115b244a6e0db19d46930d613b585de60c292450a4145d5ae5d7109bb

SHA512
86a701a40dbfb3f83a05dd68e797e66d6a923582181df50eff6593d5a27fba7b725d25776c81f1a0ee2280e57ddb3055dd73acd82ae26a898776d09f495c2efe

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.Messaging.dll

Filesize
45KB

MD5
02314a13c85328939ab1f94a8129161b

SHA1
fc294e41374e27e3f44e8e3a364323a0aefff233

SHA256
b0b370c7c18fd12ee9467909a231d5462ef22d9e7abec0a4ce57bdf6d4b6553c

SHA512
cb71b0eb83221f5e0843bd53af55378791fd8e48a7ed9342604432435825e80ff1a4a3b94462916c4a259c0fc33ac49d3cd4b974f76c42382f5392d285d1c102

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VPN.Core.dll

Filesize
143KB

MD5
8953872ce7d04abcfe626304478e995c

SHA1
135d91864caef7d4f576f4710f1301c96b8e167d

SHA256
7b1c7bf24927e51d93ac1fdd8493df2c09cd09640a07cea0242b8bfacc61d149

SHA512
b3e9da53283e12ff68c6294e3c4e3bb55df2f37bd1eaee4ff87833d009f7e2545dc26194edca5829b6a6c6bf27813c00b11361fa7c3e83374657d8b146cdb373

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe

Filesize
373KB

MD5
70b49c08e24f16528a4728beb12b153c

SHA1
38df5fbf15fc3e52300fea45ed4be5359587ddac

SHA256
901e7c6539c86f367d41a3e0355f08c93260e1b169b74f196a8ef67fb738d52a

SHA512
ef5dc8a983742085f8948e8bc87277d745d56223d5378d782efe425a0e06a1afb78ab6c7f17bbb405fac5a3ad67f81b4d594e1f146a39bf8b21091bf27f17b57

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe.config

Filesize
6KB

MD5
1b1535565652be6907811bd7a3035cf2

SHA1
90a2c8d197dd618fc1d0b4ed1d95c9ca40938174

SHA256
7cd74c9ac05823daffbeb89bebb6392f1180f3e3136ed5163ef4c02ff7056e2d

SHA512
0e4e7bd2016330d22b600667968b67f4c285f3c06dc2fbacbdc83790c7e31ca3f02062013fb4268f235de06412d6e429a40c58c75a1159d09ab87ce898ec1cb1

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe.config

Filesize
2KB

MD5
dc8317bbca5445236aa3bb82f84963b7

SHA1
ab856d220b047bce64ab657968a7742fa3e149e4

SHA256
efb1695a64024244d70aaac4455e5a3749aed245f7ccfc55370fa27b2e436831

SHA512
421102dcb0854d40a7b7e3739badea22f20615f2636e0885e5b91a4231cc5555893c97d5437e015c121bc12ea97de0e6d4e5a2a8314abadc9470155e6ae304f9

Download Submit
C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe.config

Filesize
2KB

MD5
ebaa4c1b8b4153745752918fafd16c81

SHA1
d4c17db3991c839d938095133d8d5a522d8e677f

SHA256
30363d2d092c809bf01da76b08c47c0246e6b07b881995fd809a87aa447daccb

SHA512
7974951a9613ba1461300a77b7a9210bf1c9d9ce34a8faaba3e27d15a0604d3e460655528c5e5ecfc0d9053c79deb92636584e3dbc300926a34070cdcc45895e

Download Submit
C:\Program Files (x86)\Avira\VPN\Defaults\ProductSettings.json

Filesize
1KB

MD5
874cae6f6bb5487a1b2a4a9fe02d544f

SHA1
d769e6814da1a5c588c595db49ae20432f823108

SHA256
0b582b307dc99b74850ead4708fef3209d0a52943857c3abd05f63d606de9fb6

SHA512
f3b69416297b4ca5a940cc738779453ce5f00927696958fe45e84ac022618215bcd3cc74bf635752fb7ce538443cd2227c0c040561159eb294211ae139f64be2

Download Submit
C:\Program Files (x86)\Avira\VPN\Newtonsoft.Json.dll

Filesize
668KB

MD5
de8257a9b2a736b15f2f942ed1e64392

SHA1
dd5072bf3c46d4f3b3f4339a8fbdede1e8cca02d

SHA256
7a5852c6e62efe55009ddcd75b88cdb7d16fddf47b684c5d638ba2a408901187

SHA512
02d177eaa0fdade4fdc5e2bfa5afeec101666422ec2fc0b0602dc3fe4ed5e5ea99568db580a9e50a677f4806a8b1de9f501d7b4d495b3a4fedb16938254c8c9b

Download Submit
C:\Program Files (x86)\Avira\VPN\Serilog.Sinks.File.dll

Filesize
35KB

MD5
f8076784ba6921883424cd8ee99e7a37

SHA1
9eb101f753c8cd2b04a55607eada86dac3b43430

SHA256
dca4cee96a2c83a768358a06d34efac551babb07ec2ca92338bcc302651c572e

SHA512
450e320be90bf505034aca84726695619873d7e6e6b11a1927826628c8ea697e17e8aa8bc7b441fabc032889ae3124e0716d6972ebc07bf7cc09943a73e2ca71

Download Submit
C:\Program Files (x86)\Avira\VPN\Serilog.dll

Filesize
129KB

MD5
07d1bdc3cc673b6049a4553fbf03d52b

SHA1
3c41d1838bc23f268eb444cba4390b042b0836df

SHA256
e103d413130745cbe587c18c2305d6254e49c8025f43125390e68a66038fdd8b

SHA512
b2489ffdf0cfa8803bb225b8f5d44cbe3dd6e009dfe26bdd6d2e60f462580451f57fabf07bdbaff278350d3d484854769dfab728efa17b0ca068d3407fbeed53

Download Submit
C:\Program Files (x86)\Avira\VPN\SharpRavenPortable.dll

Filesize
72KB

MD5
83cfd775579aec81d095d87a7d7434e8

SHA1
59965342456da6b307dd18f2e31f769fc0b4fba8

SHA256
608f72350b187749986c8fab79905764752a66b0b47ccba868229b03fa439e9b

SHA512
035a1b998356be5b1ed4ca637f521cbe348d9cd5576882b590097c4058512ad025bb974479f82e2d7c7a5fc8ab257792a48659a9e9340d6497f9e5cd0c5d33ae

Download Submit
C:\Program Files (x86)\Avira\VPN\VPN.Core.dll

Filesize
185KB

MD5
845b3a6481fb257dbe40d4299a0caf92

SHA1
7c871c272493c610f98ad72d0f6c6444132f9740

SHA256
2d3ff7a2c94d0d9dae400307080fdcddc38c111ffe896e4aa6fd9c955b654c70

SHA512
a8837a3e26678b672258af5343bd4afcf7f94d222c79dbe2be30b115c4a96bd5c716f223d5ff8ac9707e4b3297288bb574c900017802cbbb6d806b9aebc857e5

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.backup

Filesize
295B

MD5
a5a335ce4b80924021fb68f7ad967004

SHA1
9430aadc92806982ab05c0e6c7e9dfc00380685a

SHA256
25b83ea28a540d49eb32b9d6569d31937a51071fe1e98f5aa1d7ac3416aa8848

SHA512
bb3751dc0dae49293526fa63c275a6941a36e3f61df1e661459bb84e5e4d8e51220bb7518a917f99b68d17590f9c9db606b68d52d792fd58356858e6e1651d97

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.backup

Filesize
329B

MD5
9f7d03eac3d41e4b36b3de58b5ea4903

SHA1
cd7d6e7c2e83931104d306f7aa53ea2ce557ee09

SHA256
a36a2890f08a88ec3fcfb0ee7d83afd55eed593bf0a08de41ab5a105be38c555

SHA512
69d85c4cdfc6484f0d98a6307dcda52befce9770720d5f1b6f0d931c5b830450937f6698a7b00b0ef5294c7bbdc1910d79d0daca1f1efe6b60c899a76b11dce7

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.backup

Filesize
429B

MD5
0473d1e10c4aa217a584dad7275e2c53

SHA1
3f20878f0e321b182ca9850a5b0ea221a4045ebe

SHA256
35a033f7077db801021a2a210597023965ecfeff5927c5384200c49bbff09e59

SHA512
60ed95f613759a9a9d750c50b7a0dda25b14fc9b839c277f820d05b73fcf1309a7469baca69970043fb3cadb9a9437ef8b3b77c309dab9aa8f811428dc2d8821

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.backup

Filesize
871B

MD5
b8c68efa1befc766d6bc19fea0cc23d8

SHA1
d57edb50b158cd6bf6a618de93fdd1ff174ae7ad

SHA256
6983168f16840152a00fe462bf8beb93ef096b621fe427c8915f0185f826b5bb

SHA512
314755dd1399a60a1a06f819a9837daf0b4f9b66aab94029a82aebca19153f44c4625b39be92f07cf040c396c0ba1481838cc867b533812fda368d30160dce7e

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.backup

Filesize
6KB

MD5
806a78b5d772ddc6b6efd075d1b46fc5

SHA1
45a49e294706ad1d695cd6428b34cbcfd0f26516

SHA256
536490b8f18e34ff79e032110132cc72aeff650242f0bac258947115a52bf625

SHA512
86ceed63e0e2ad3988eeaf142e1c02ed24f65fb0fe8ab5bcaa94c6c171f02caf00e64a22006399e773ca557889ac1cdca662efb01d55b7e0d4adc9584022a647

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.config

Filesize
66B

MD5
44944cd590899045e3cdeb971fddd252

SHA1
33c584007e0df8fea3e677c6892d6b5549d1c94d

SHA256
cc05bd02cb929f5ef7a9362698d7794845899dd6510fd41eb5f0a95d708a68dc

SHA512
f4f4feec8c79599f41ce83371dd861fea9dd05aaa5211f5be53e2d61df154b6965db17ee8df952a8d8c864fa67aba5b9d1ef0f94608e42a50c057cfd82ccf5ed

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.config

Filesize
868B

MD5
24c02e75a9ad3a10a54e5ea5950aaf8a

SHA1
b879ff1ef1532db9367a7ebab5777af7223dc9ea

SHA256
b2e58002690b00126e5bc3cbc8cee24d6dfb396103b7ef2b8e107f88137081a7

SHA512
332690ecaea8e57299f20afe0af4175c338f708d089d0324b233a6c51f69aa538693c5ded85cfbd2d584823a60f581cdf3edeb6942892d40740296aa14d4eef4

Download Submit
C:\ProgramData\Avira\VPN\VpnPrivateSettings.config

Filesize
896B

MD5
70ffff71033516cd0f570a21c1ae5d28

SHA1
07614ffcd2fc0ee392b987d2de2b07101d788723

SHA256
1de36331495a08b0abf5c5dd28d50e5c27135088eca2ca6c72a078dbf78a9abe

SHA512
8ee85fe3e2de6a325c9d6dcd405310db1d27d187a911870a4c1c8ec99c474419fd0f9e5e543049147823e3f9a92f3ad7c755a15c1d926ae8c076023a4eaa734f

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
388B

MD5
99d152b237dab6675765f0db9a620233

SHA1
f1e1985e82eae024e1fb14a0ed21c22206846f3d

SHA256
cda5c9d126f99e0a6f445dc5a68e89f5bbd8a96b79e467d6b292f32de8974af0

SHA512
5867551d0454c849b4b91055343777c14af2732995c19cd52deb096ed20b57917de72d9b08b6ccd01fc284cba865d88424a08c85769d38e93c275debeabd27d5

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.backup

Filesize
753B

MD5
83aa8c427056e94b0d9acd5cc511434b

SHA1
a39795a4182d22c18f452b9abed610ef2fdbe9b8

SHA256
12a2181232cff11e8babf01c0288ef5795bd963ef9ded54348a21e75ece4322e

SHA512
2abb422fc677f149607869266ff59dbdf8a64fd9315669d60eccbde16e0819a6881be86fde85147c583265c7936853c4b7bcee72627ffd97c3ca71c11d27446a

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.config

Filesize
233B

MD5
63c46aadba269c990df7a28e57fcf88a

SHA1
8f6e7932def4949ca5ee5feca16fdb438c926958

SHA256
839c5aaf72d00b6f45a6bc384884d40e21dc8cd2660bbda5ee2aefbb14d5842c

SHA512
0c2f4899c7208585bec777ec7577afa13ebdbd3893eb0201c246d1ff8f007096009285c632d6c7d654396d0e8854d633fb734048be1c7ba8324673209f1da3a8

Download Submit
C:\ProgramData\Avira\VPN\VpnSharedSettings.config

Filesize
388B

MD5
3aab5d8cb94378bcf549ac1d8cf0fbc6

SHA1
725e0cc4e72fa9c1b0db0543c3aca4e1bab4793c

SHA256
4ffc7db7bfb051059d11b58a1ace34262cf79ab226a04d241e00cea7da7a8b1b

SHA512
cde1d12f0a105366598f6313b79c64b54d1bef2c78844dce9ff47fce37c753d2cc047a756bdeac6f0fe68ccdec738d4205e33448e96187a22a9275489f19f64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

Filesize
1.0MB

MD5
89579d7c233794e63c2bac3ec0a26619

SHA1
50125cc27495fcef2edc99c0f35663ec5e2da21b

SHA256
c8800edc3c347af90b9858a7914059c70f072d6764de87d367dc4d6df69d6808

SHA512
6220ba6c5c42c10456b6782d6be97b6cd50cac1c7a6cf66741d95bd7aec9ebc059e83ca890f6384472db63a7d295dee4ed26165cfa5fab9cbdcc43498e37eb7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\00117830\bhmnlmvpxs.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Local\Temp\00117830\start.vbs

Filesize
206B

MD5
3bfe800717572523d057b7cc16630435

SHA1
a076bedefbe7ff57ba6b9a48e9b04c563eba4492

SHA256
8efc451a0d2579776e55501400299d4c3bf26ad7e671f77e29f43b4a3468c123

SHA512
af98c55bd5ed8bcbfb8bb1c53c776277d2efc7feae30b1c17ed831b5617ac7415c15b2c347ced49e754b9494ccb389bd5b7ec08c02e2cd7023834581ad173341

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy717A.tmp\NewTextreplace.dll

Filesize
10KB

MD5
6d57b2cc33721890cd11cc604805362e

SHA1
900c5fb5b7cd1194a25a80468076324dc6c03ac8

SHA256
86b6cb434a0491ea16bf480e6ad16c935d0668535da17aa7df0dc4392e10d74e

SHA512
0e0134b0e9b1e9cffd053bcf05a84b2d7420d85756b7208a27407966878a724e9c91d21ddcccb95c53e0d78f89230fe2cebb68d0f5530711b4c30c99aea803cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy717A.tmp\repackme.gif

Filesize
6KB

MD5
23d3840adb8f4f1efc083a1f7e640191

SHA1
adf0c7daa49637767b2abe2f390d1da4780eea9c

SHA256
82a1454402156d74f4f23c992d5d772b665546208eff44790871b8dcb36d2304

SHA512
7743a17141581ffa8023097678bf2eaf6db7d337af45052d00caba74f21f13e7ffa95097b629c3a28a3366eda873afdce240344adfdf7c0ef662a0ba0fe6db25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
484bf40e6593716c466ea00824d50434

SHA1
23e60dc88e02accf0399675544ae2b43d1156a69

SHA256
4a0331e4902621f9a418b7ce09f829bc776dae042357bef020ff6c0ce50020c6

SHA512
b0438083a517ed8cccd9e0697a3ac6f5ed9247d535b0d63a97d7f5566a30f12e43d68cd03c98c15ef4c64eb72635f88180935782872cf1a1348f9e1bfd270ad0

Download Submit
C:\Users\Admin\AppData\Roaming\dako01fud.exe

Filesize
1.8MB

MD5
7d768d7481c429a6cc08edcaffb81431

SHA1
5ec0e7b013fd958cc72c757022136b00f496423e

SHA256
cc3462f899a23fa997c40d6c06a46cd17846de0ae9b4d93d7a708223f825fc5c

SHA512
77ecf3b4b09d64815a56bfaffaae3ddbbe09312ea69d917861e293708504722cb495fec5ca8ff74f4a97e142e9874e23fd10e0749ee83f1fa5bea9dd0f05ebbf

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\Temp\CabC459.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarC45D.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\Program Files (x86)\Avira Operations GmbH & Co. KG\Avira Phantom VPN\Avira.Phantom.VPN.v2.28.6.26289.exe

Filesize
7.5MB

MD5
9a1a105fde49554adb1416169756e0e8

SHA1
225ef5756f6ae585d1e8d11dfed42ca9b9d6df62

SHA256
9b87578cd4dd8d9112f46ae90632043615fa89aa1a5f4b0ae847911589694853

SHA512
1139643d6f0912b393a0b134cbcd66f8e8ac029919aa738ed709a09e518ddc43f3c918dbdf2af5808cd380750c6ea0b3de6caa7303d3d9c3411bfd44de00b36c

Download Submit
\Program Files (x86)\Avira\VPN\Avira.TrialReset.exe

Filesize
183KB

MD5
43f3af8aa83a6b8d1e79a8fb4e344c54

SHA1
7e058ab6d60d1ae347035c54237856507a8d5673

SHA256
2025c58e3c211027c893acaf1c3154cd4fb734704bc8de69d791b620a8add7d4

SHA512
c3c270f067956432ebb18492ce99b4aa9b497a126339d3c852d257bcad3cf9d1f8ac9748ffa26b2289b40554c40b0ac8c673740afcf591336bd88e67ee6aab52

Download Submit
\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe

Filesize
821KB

MD5
d413cb41ea3d10d3861db1575edaf391

SHA1
427b8ccfb7fd45d76a94a72f9b2889b524011369

SHA256
e0e854376e454a2d5fbfa076bf32e8e8b1472e4614729be4b700aeb6593ceb59

SHA512
a7ea984c5d11596c282a13fb02a67473817817676cc4b855aac1afb190c9467678cb1179b4b446335cdbb16306746365ece17ff94ce4de53077d06b4e4b26658

Download Submit
\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\amd64\tapinstall.exe

Filesize
482KB

MD5
2b1bddf7f9d3190ff73563a41bcb72be

SHA1
8a522e9cb1007b922cec9e5ed2b70f01ff12cf0d

SHA256
85ab4bbb77ab248956d0da02ace1a2bc58ce6c6db9f421808ef03ed31bbcf3b6

SHA512
6a42ac53262c6bafc8d7a5ff225acb07754af8cf044f0135251d4b3cf983a53494d755052296cf49627b3bbe6acead3aa9bacc33b51d222a1d2a0fe6d2bb4f93

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9E34.tmp\FindProcDLL.dll

Filesize
3KB

MD5
75e7351a0f836b8659e6f315683c29f7

SHA1
66b733d1c978d68cadc245e7efbfcae32807429d

SHA256
7ffc549e7f679a08c77fa230654b77cdffb3444296bb7c6b8b5769db374b61ee

SHA512
f03400798b07ccca5e12fa119a586ee9444deb0d2419aced24d93fd84a4702d66864a71b40a11b04b1dbe56e36481cd6a644aec0347bc82bc7375b27bc403fe4

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9E34.tmp\INetC.dll

Filesize
21KB

MD5
92ec4dd8c0ddd8c4305ae1684ab65fb0

SHA1
d850013d582a62e502942f0dd282cc0c29c4310e

SHA256
5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

SHA512
581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9E34.tmp\System.dll

Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9E34.tmp\base64.dll

Filesize
40KB

MD5
ac6fb776262b63562c00374392fe1c55

SHA1
045dcad3edcd1c6865f5dea95ace35f4d9964b78

SHA256
7e10ef2723a50b7346449f8bb39efab8a99e2815d33d311ecb8112734f91519d

SHA512
2c511c5f2bb265fd247e43c47046a3cddad2b72a0fd3b35fcb70ab53d7fbc070d36eadd93c279680306d30d6ef5730fcbfed01195a85761ae571e2d324416ed5

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9E34.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9E34.tmp\nsProcess.dll

Filesize
70KB

MD5
9c452d3cb1f2b06c16467849755cd724

SHA1
35f2e9754e9dc226baa8b0cbf21db2b523248a73

SHA256
8f80ef429ce7c8a1ac7958ab36ec177f732dc924d14b21230da045e5ed1b255a

SHA512
438e406a18db363008776172e20f6422db71c5b1eaeb63f0a8100f05c5365f52ee177851c7710985b529e1b5fb2be2ac8142cc6e0ca08628054b6eabe063fea2

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9E34.tmp\nsisXML.dll

Filesize
12KB

MD5
9f3d5344e7ede1f41f99d8fc37fd01ad

SHA1
d0322ce3ba30a924daa1c9e322846a3d8ccda878

SHA256
77aa1a74a556f00f16baf9b94637fa997bd4085695ba81bf496223644e43e815

SHA512
2849b261b77fa2abf0d0efc7604ccce7f502d20a556eea9877cfe1cbc6d515d8fe41986943081629243b81987cddd54613ee01fc7859ae16eab57f6ca2cd4bfc

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9E34.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
\Users\Admin\AppData\Local\Temp\nsy717A.tmp\VpnInstaller.exe

Filesize
7.2MB

MD5
94e7257f1dcecb215abd34b2adb6d35c

SHA1
0ff59285603c6babbfeab77037201e4da71af466

SHA256
c4c462893ebe48a58030a71db03e7bc7caee854271882f3941dfeeadf71a219f

SHA512
60c7ecf25051a2cadfc5c7b6e01373c11eceb097db661485c94beeab0d8ad34b25bf19b6b6630ee4544f07090178262fcbc5afd6022ff331da52c301e23765b7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy717A.tmp\newadvsplash.dll

Filesize
8KB

MD5
55a723e125afbc9b3a41d46f41749068

SHA1
01618b26fec6b8c6bdb866e6e4d0f7a0529fe97c

SHA256
0a70cc4b93d87ecd93e538cfbed7c9a4b8b5c6f1042c6069757bda0d1279ed06

SHA512
559157fa1b3eb6ae1f9c0f2c71ccc692a0a0affb1d6498a8b8db1436d236fd91891897ac620ed5a588beba2efa43ef064211a7fcadb5c3a3c5e2be1d23ef9d4c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy717A.tmp\nsExec.dll

Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
memory/1184-93-0x0000000000330000-0x000000000033B000-memory.dmp

Filesize
44KB

Download
memory/1184-1120-0x0000000003E10000-0x0000000003E69000-memory.dmp

Filesize
356KB

Download
memory/1184-1165-0x0000000001E20000-0x0000000001E2B000-memory.dmp

Filesize
44KB

Download
memory/2188-1584-0x00000000003F0000-0x00000000013F0000-memory.dmp

Filesize
16.0MB

Download
memory/2188-1585-0x00000000003F0000-0x00000000013F0000-memory.dmp

Filesize
16.0MB

Download
memory/2188-1583-0x00000000003F0000-0x00000000013F0000-memory.dmp

Filesize
16.0MB

Download
memory/2188-1582-0x00000000003F0000-0x00000000013F0000-memory.dmp

Filesize
16.0MB

Download
memory/2188-1581-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2188-1579-0x00000000003F0000-0x00000000013F0000-memory.dmp

Filesize
16.0MB

Download
memory/2408-1268-0x0000000001080000-0x000000000114E000-memory.dmp

Filesize
824KB

Download
memory/2776-1133-0x0000000000510000-0x0000000000542000-memory.dmp

Filesize
200KB

Download
memory/2776-1159-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download
memory/2776-1308-0x0000000019450000-0x000000001945C000-memory.dmp

Filesize
48KB

Download
memory/2776-1307-0x0000000000FB0000-0x0000000000FB8000-memory.dmp

Filesize
32KB

Download
memory/2776-1321-0x0000000000FC0000-0x0000000000FCE000-memory.dmp

Filesize
56KB

Download
memory/2776-1322-0x0000000019970000-0x0000000019978000-memory.dmp

Filesize
32KB

Download
memory/2776-1325-0x0000000019F10000-0x0000000019F3C000-memory.dmp

Filesize
176KB

Download
memory/2776-1324-0x0000000019F00000-0x0000000019F0C000-memory.dmp

Filesize
48KB

Download
memory/2776-1323-0x0000000019990000-0x0000000019998000-memory.dmp

Filesize
32KB

Download
memory/2776-1328-0x000000001A4F0000-0x000000001A526000-memory.dmp

Filesize
216KB

Download
memory/2776-1327-0x000000001A090000-0x000000001A09C000-memory.dmp

Filesize
48KB

Download
memory/2776-1326-0x000000001A040000-0x000000001A04E000-memory.dmp

Filesize
56KB

Download
memory/2776-1333-0x000000001A530000-0x000000001A538000-memory.dmp

Filesize
32KB

Download
memory/2776-1310-0x0000000019980000-0x0000000019988000-memory.dmp

Filesize
32KB

Download
memory/2776-1346-0x000000001A540000-0x000000001A54A000-memory.dmp

Filesize
40KB

Download
memory/2776-1306-0x0000000000FA0000-0x0000000000FA8000-memory.dmp

Filesize
32KB

Download
memory/2776-1129-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2776-1354-0x000000001A550000-0x000000001A558000-memory.dmp

Filesize
32KB

Download
memory/2776-1259-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/2776-1131-0x00000000004E0000-0x0000000000508000-memory.dmp

Filesize
160KB

Download
memory/2776-1161-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/2776-1309-0x0000000019460000-0x000000001946A000-memory.dmp

Filesize
40KB

Download
memory/2776-1158-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/2776-1535-0x000000001A6E0000-0x000000001A6E8000-memory.dmp

Filesize
32KB

Download
memory/2776-1536-0x000000001A6F0000-0x000000001A6F8000-memory.dmp

Filesize
32KB

Download
memory/2776-1157-0x0000000000BC0000-0x0000000000BD6000-memory.dmp

Filesize
88KB

Download
memory/2776-1144-0x0000000000BA0000-0x0000000000BB8000-memory.dmp

Filesize
96KB

Download
memory/2776-1563-0x000000001A740000-0x000000001A748000-memory.dmp

Filesize
32KB

Download
memory/2776-1564-0x000000001A730000-0x000000001A738000-memory.dmp

Filesize
32KB

Download
memory/2776-1565-0x000000001AA20000-0x000000001AA28000-memory.dmp

Filesize
32KB

Download
memory/2776-1566-0x000000001ABF0000-0x000000001ABF8000-memory.dmp

Filesize
32KB

Download
memory/2776-1567-0x000000001AA30000-0x000000001AA38000-memory.dmp

Filesize
32KB

Download
memory/2776-1568-0x000000001AB40000-0x000000001AB48000-memory.dmp

Filesize
32KB

Download
memory/2776-1142-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2776-1140-0x0000000000700000-0x0000000000708000-memory.dmp

Filesize
32KB

Download
memory/2776-1138-0x00000000198C0000-0x000000001996A000-memory.dmp

Filesize
680KB

Download
memory/2776-1136-0x0000000000B70000-0x0000000000B94000-memory.dmp

Filesize
144KB

Download
memory/2776-1134-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/2956-1474-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2956-1353-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2956-62-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download