Malware analysis https://www.avira.com/en/free-vpn?x-clickref=1100lyhCQBNP&x-c-channel=partnerize&x-a-medium=1011l105151&x-utm_content=1011l54130&x-utm_term=safetydetectives Malicious activity

Add for printing

URL:	https://www.avira.com/en/free-vpn?x-clickref=1100lyhCQBNP&x-c-channel=partnerize&x-a-medium=1011l105151&x-utm_content=1011l54130&x-utm_term=safetydetectives
Full analysis:	https://app.any.run/tasks/e72f10f3-54cf-45ea-827f-caee2d49f6fc
Verdict:	Malicious activity
Analysis date:	February 25, 2024, 15:18:27
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:	1D083FD78E104CA2253B4FAE15A15D5E
SHA1:	A2900685D9B29B13376D698E2980B154E2B2D057
SHA256:	161DDDDC3BD73CF17C16B1F747C5F9A6B2FAE735B26F434E070C6C21BDFACF7A
SSDEEP:	3:N8DSLSKKFDO+CMKVVS1rvIGW/AWuXtw+EIIkX+w3lAL+VUmBIQurXFg1RAwWn:2OLSbDrCMOV8XW/A3X6+hIkobmBtk+1q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3812)
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3672)
  - Avira.Spotlight.Bootstrapper.exe (PID: 2636)
  - MicrosoftEdgeWebView2RuntimeInstallerX86.exe (PID: 2768)
  - Avira.Spotlight.Bootstrapper.exe (PID: 1992)
  - MicrosoftEdgeWebview_X86_108.0.1462.54.exe (PID: 2452)
  - setup.exe (PID: 3324)
  - Avira.Spotlight.Bootstrapper.exe (PID: 3852)
  - avira_spotlight_setup_pvpnws.exe (PID: 2324)
  - avira_system_speedup.exe (PID: 2452)
  - avira_spotlight_setup_pvpnws.tmp (PID: 2732)
  - avira_system_speedup.tmp (PID: 2356)
  - Avira_Optimizer_Host.exe (PID: 3792)
  - Avira_Optimizer_Host.tmp (PID: 2312)
  - VpnInstaller.exe (PID: 1220)
  - tapinstall.exe (PID: 5080)
  - drvinst.exe (PID: 5120)
  - drvinst.exe (PID: 5532)
- Creates a writable file in the system directory
  - MicrosoftEdgeUpdate.exe (PID: 3156)
  - Avira.OptimizerHost.exe (PID: 1092)
  - Avira.Spotlight.Service.exe (PID: 2312)
  - drvinst.exe (PID: 5120)
- Actions looks like stealing of personal data
  - Avira.VpnService.exe (PID: 3488)
- The DLL Hijacking
  - msedgewebview2.exe (PID: 4208)
  - msedgewebview2.exe (PID: 4516)
- Scans artifacts that could help determine the target
  - msedgewebview2.exe (PID: 2956)
SUSPICIOUS
- The process checks if it is being run in the virtual environment
  - firefox.exe (PID: 4052)
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3812)
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3672)
  - Avira.Spotlight.Bootstrapper.exe (PID: 1992)
- The process creates files with name similar to system file names
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3812)
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3672)
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3316)
  - Avira.OptimizerHost.exe (PID: 992)
  - Avira.OptimizerHost.exe (PID: 1092)
  - VpnInstaller.exe (PID: 1220)
- Executable content was dropped or overwritten
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3812)
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3672)
  - Avira.Spotlight.Bootstrapper.exe (PID: 2636)
  - MicrosoftEdgeWebView2RuntimeInstallerX86.exe (PID: 2768)
  - Avira.Spotlight.Bootstrapper.exe (PID: 1992)
  - MicrosoftEdgeWebview_X86_108.0.1462.54.exe (PID: 2452)
  - setup.exe (PID: 3324)
  - Avira.Spotlight.Bootstrapper.exe (PID: 3852)
  - avira_spotlight_setup_pvpnws.tmp (PID: 2732)
  - avira_spotlight_setup_pvpnws.exe (PID: 2324)
  - avira_system_speedup.exe (PID: 2452)
  - avira_system_speedup.tmp (PID: 2356)
  - Avira_Optimizer_Host.exe (PID: 3792)
  - Avira_Optimizer_Host.tmp (PID: 2312)
  - VpnInstaller.exe (PID: 1220)
  - tapinstall.exe (PID: 5080)
  - drvinst.exe (PID: 5120)
  - drvinst.exe (PID: 5532)
- Reads settings of System Certificates
  - Avira.Spotlight.Bootstrapper.exe (PID: 2636)
  - Avira.Spotlight.Bootstrapper.exe (PID: 1992)
  - MicrosoftEdgeUpdate.exe (PID: 2980)
  - Avira.Spotlight.Bootstrapper.exe (PID: 3852)
  - avira_system_speedup.tmp (PID: 2356)
  - Avira.SystemSpeedup.Core.Common.Starter.exe (PID: 3012)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3728)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3120)
  - VpnInstaller.exe (PID: 1220)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3096)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 1644)
  - Avira.Spotlight.UI.Application.exe (PID: 3104)
  - msedgewebview2.exe (PID: 2956)
- Reads the Internet Settings
  - Avira.Spotlight.Bootstrapper.exe (PID: 2636)
  - Avira.Spotlight.Bootstrapper.exe (PID: 1992)
  - MicrosoftEdgeUpdate.exe (PID: 2980)
  - MicrosoftEdgeUpdate.exe (PID: 3156)
  - Avira.Spotlight.Bootstrapper.exe (PID: 3852)
  - Avira.Spotlight.Bootstrapper.ReportingTool.exe (PID: 268)
  - avira_system_speedup.tmp (PID: 2356)
  - RegAsm.exe (PID: 2320)
  - VpnInstaller.exe (PID: 1220)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3096)
  - Avira.WebAppHost.exe (PID: 3196)
  - Avira.Spotlight.UI.Application.exe (PID: 3104)
  - msedgewebview2.exe (PID: 2956)
- Reads security settings of Internet Explorer
  - Avira.Spotlight.Bootstrapper.exe (PID: 2636)
  - Avira.Spotlight.Bootstrapper.exe (PID: 1992)
  - MicrosoftEdgeUpdate.exe (PID: 2980)
  - MicrosoftEdgeUpdate.exe (PID: 3156)
  - Avira.Spotlight.Bootstrapper.exe (PID: 3852)
  - avira_system_speedup.tmp (PID: 2356)
  - RegAsm.exe (PID: 2320)
  - Avira.SystemSpeedup.Core.Common.Starter.exe (PID: 3012)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3728)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3120)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 1644)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3096)
  - VpnInstaller.exe (PID: 1220)
  - Avira.VpnService.exe (PID: 3488)
  - Avira.WebAppHost.exe (PID: 3196)
  - Avira.Spotlight.UI.Application.exe (PID: 3104)
  - RegAsm.exe (PID: 3988)
  - Avira.Spotlight.Service.exe (PID: 2312)
- Searches for installed software
  - Avira.Spotlight.Bootstrapper.exe (PID: 2636)
  - Avira.Spotlight.Bootstrapper.exe (PID: 1992)
  - setup.exe (PID: 3324)
  - Avira.Spotlight.Bootstrapper.exe (PID: 3852)
  - Avira.VpnService.exe (PID: 3488)
  - Avira.Spotlight.UI.Application.exe (PID: 3104)
  - Avira.Spotlight.Service.exe (PID: 2312)
  - msedgewebview2.exe (PID: 2956)
- Checks Windows Trust Settings
  - Avira.Spotlight.Bootstrapper.exe (PID: 1992)
  - MicrosoftEdgeUpdate.exe (PID: 2980)
  - MicrosoftEdgeUpdate.exe (PID: 3156)
  - Avira.Spotlight.Bootstrapper.exe (PID: 3852)
  - avira_system_speedup.tmp (PID: 2356)
  - Avira.SystemSpeedup.Core.Common.Starter.exe (PID: 3012)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3728)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3120)
  - Avira.OptimizerHost.exe (PID: 1092)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 1644)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3096)
  - VpnInstaller.exe (PID: 1220)
  - Avira.Spotlight.Service.exe (PID: 2312)
  - Avira.VpnService.exe (PID: 3488)
  - tapinstall.exe (PID: 5080)
  - drvinst.exe (PID: 5120)
- Starts a Microsoft application from unusual location
  - MicrosoftEdgeWebView2RuntimeInstallerX86.exe (PID: 2768)
  - MicrosoftEdgeUpdate.exe (PID: 2136)
- Adds/modifies Windows certificates
  - Avira.Spotlight.Bootstrapper.exe (PID: 1992)
  - Avira.VpnService.exe (PID: 3488)
  - tapinstall.exe (PID: 5080)
- Process drops legitimate windows executable
  - MicrosoftEdgeWebView2RuntimeInstallerX86.exe (PID: 2768)
  - MicrosoftEdgeUpdate.exe (PID: 2136)
  - MicrosoftEdgeWebview_X86_108.0.1462.54.exe (PID: 2452)
  - setup.exe (PID: 3324)
  - avira_spotlight_setup_pvpnws.tmp (PID: 2732)
  - avira_system_speedup.tmp (PID: 2356)
  - VpnInstaller.exe (PID: 1220)
- Disables SEHOP
  - MicrosoftEdgeUpdate.exe (PID: 2136)
- Starts itself from another location
  - MicrosoftEdgeUpdate.exe (PID: 2136)
- Creates/Modifies COM task schedule object
  - MicrosoftEdgeUpdate.exe (PID: 3644)
  - RegAsm.exe (PID: 2320)
  - RegAsm.exe (PID: 3988)
- Creates a software uninstall entry
  - MicrosoftEdgeUpdate.exe (PID: 2136)
  - setup.exe (PID: 3324)
  - Avira.Spotlight.Bootstrapper.exe (PID: 3852)
  - Avira.Spotlight.Bootstrapper.exe (PID: 1992)
  - VpnInstaller.exe (PID: 1220)
- Executes as Windows Service
  - MicrosoftEdgeUpdate.exe (PID: 3412)
  - Avira.OptimizerHost.exe (PID: 1092)
  - Avira.VpnService.exe (PID: 3488)
  - Avira.Spotlight.Service.exe (PID: 2312)
  - VSSVC.exe (PID: 5152)
- Application launched itself
  - MicrosoftEdgeUpdate.exe (PID: 3412)
  - msedgewebview2.exe (PID: 2956)
- The process verifies whether the antivirus software is installed
  - Avira.Spotlight.Bootstrapper.exe (PID: 3852)
  - icacls.exe (PID: 2080)
  - RegAsm.exe (PID: 2320)
  - Avira.SystemSpeedup.Core.Common.Starter.exe (PID: 3012)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3120)
  - avira_spotlight_setup_pvpnws.tmp (PID: 2732)
  - cmd.exe (PID: 3420)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3728)
  - avira_system_speedup.tmp (PID: 2356)
  - Avira_Optimizer_Host.tmp (PID: 2312)
  - Avira.OptimizerHost.exe (PID: 992)
  - Avira.OptimizerHost.exe (PID: 1092)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 1644)
  - ns2AE8.tmp (PID: 3756)
  - ns31DE.tmp (PID: 3420)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3096)
  - sc.exe (PID: 3700)
  - Avira.WebAppHost.exe (PID: 3196)
  - Avira.VpnService.exe (PID: 3488)
  - Avira.NetworkBlocker.exe (PID: 2620)
  - Avira.Spotlight.Systray.Application.exe (PID: 3820)
  - Avira.Spotlight.Service.exe (PID: 2312)
  - VpnInstaller.exe (PID: 1220)
  - RegAsm.exe (PID: 3988)
  - msedgewebview2.exe (PID: 2956)
  - Avira.Spotlight.UI.Application.exe (PID: 3104)
  - tapinstall.exe (PID: 5024)
  - tapinstall.exe (PID: 5052)
  - drvinst.exe (PID: 5120)
  - tapinstall.exe (PID: 5080)
- Reads the Windows owner or organization settings
  - avira_spotlight_setup_pvpnws.tmp (PID: 2732)
  - avira_system_speedup.tmp (PID: 2356)
  - Avira_Optimizer_Host.tmp (PID: 2312)
  - Avira.VpnService.exe (PID: 3488)
- Uses ICACLS.EXE to modify access control lists
  - avira_spotlight_setup_pvpnws.tmp (PID: 2732)
- The process drops C-runtime libraries
  - avira_spotlight_setup_pvpnws.tmp (PID: 2732)
  - avira_system_speedup.tmp (PID: 2356)
- Starts SC.EXE for service management
  - avira_spotlight_setup_pvpnws.tmp (PID: 2732)
  - ns31DE.tmp (PID: 3420)
- Starts CMD.EXE for commands execution
  - avira_system_speedup.tmp (PID: 2356)
- Write to the desktop.ini file (may be used to cloak folders)
  - Avira.SystemSpeedup.Core.Common.Starter.exe (PID: 3012)
- Creates or modifies Windows services
  - Avira.OptimizerHost.exe (PID: 992)
  - VpnInstaller.exe (PID: 1220)
- Drops a system driver (possible attempt to evade defenses)
  - VpnInstaller.exe (PID: 1220)
  - tapinstall.exe (PID: 5080)
  - drvinst.exe (PID: 5120)
  - drvinst.exe (PID: 5532)
- Starts application with an unusual extension
  - VpnInstaller.exe (PID: 1220)
- Changes Internet Explorer settings (feature browser emulation)
  - Avira.Spotlight.UI.Application.exe (PID: 3104)
- The process executes via Task Scheduler
  - Avira.Spotlight.Systray.Application.exe (PID: 3820)
- Creates files in the driver directory
  - drvinst.exe (PID: 5120)
INFO
- Application launched itself
  - firefox.exe (PID: 3864)
  - firefox.exe (PID: 4052)
- Checks supported languages
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3812)
  - Avira.Spotlight.Bootstrapper.exe (PID: 2636)
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3672)
  - Avira.Spotlight.Bootstrapper.exe (PID: 1992)
  - Avira.Spotlight.Bootstrapper.ReportingTool.exe (PID: 2016)
  - MicrosoftEdgeWebView2RuntimeInstallerX86.exe (PID: 2768)
  - MicrosoftEdgeUpdate.exe (PID: 2136)
  - MicrosoftEdgeUpdate.exe (PID: 3320)
  - MicrosoftEdgeUpdate.exe (PID: 3644)
  - MicrosoftEdgeUpdate.exe (PID: 2980)
  - MicrosoftEdgeUpdate.exe (PID: 1388)
  - MicrosoftEdgeUpdate.exe (PID: 3412)
  - MicrosoftEdgeWebview_X86_108.0.1462.54.exe (PID: 2452)
  - setup.exe (PID: 3324)
  - MicrosoftEdgeUpdate.exe (PID: 3156)
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3316)
  - Avira.Spotlight.Bootstrapper.exe (PID: 3852)
  - Avira.Spotlight.Bootstrapper.ReportingTool.exe (PID: 268)
  - avira_spotlight_setup_pvpnws.exe (PID: 2324)
  - avira_spotlight_setup_pvpnws.tmp (PID: 2732)
  - avira_system_speedup.tmp (PID: 2356)
  - avira_system_speedup.exe (PID: 2452)
  - Avira.SystemSpeedup.Core.Common.Starter.exe (PID: 3012)
  - RegAsm.exe (PID: 2320)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3120)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3728)
  - Avira_Optimizer_Host.exe (PID: 3792)
  - Avira_Optimizer_Host.tmp (PID: 2312)
  - Avira.OptimizerHost.exe (PID: 992)
  - Avira.OptimizerHost.exe (PID: 1092)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3096)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 1644)
  - VpnInstaller.exe (PID: 1220)
  - ns2AE8.tmp (PID: 3756)
  - ns31DE.tmp (PID: 3420)
  - Avira.VpnService.exe (PID: 3488)
  - Avira.WebAppHost.exe (PID: 3196)
  - Avira.Spotlight.Service.exe (PID: 2312)
  - Avira.NetworkBlocker.exe (PID: 2620)
  - Avira.Spotlight.UI.Application.exe (PID: 3104)
  - Avira.Spotlight.Systray.Application.exe (PID: 3820)
  - RegAsm.exe (PID: 3988)
  - msedgewebview2.exe (PID: 2956)
  - msedgewebview2.exe (PID: 4236)
  - msedgewebview2.exe (PID: 3896)
  - msedgewebview2.exe (PID: 4208)
  - msedgewebview2.exe (PID: 4220)
  - msedgewebview2.exe (PID: 4352)
  - msedgewebview2.exe (PID: 4516)
  - Avira.Spotlight.Bootstrapper.ReportingTool.exe (PID: 4760)
  - tapinstall.exe (PID: 5052)
  - tapinstall.exe (PID: 5080)
  - drvinst.exe (PID: 5120)
  - tapinstall.exe (PID: 5024)
- Manual execution by a user
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3364)
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3812)
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3024)
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3672)
  - Avira.WebAppHost.exe (PID: 3196)
  - msedgewebview2.exe (PID: 2956)
- Reads the computer name
  - Avira.Spotlight.Bootstrapper.exe (PID: 2636)
  - Avira.Spotlight.Bootstrapper.exe (PID: 1992)
  - MicrosoftEdgeUpdate.exe (PID: 2136)
  - MicrosoftEdgeUpdate.exe (PID: 3644)
  - MicrosoftEdgeUpdate.exe (PID: 3320)
  - MicrosoftEdgeUpdate.exe (PID: 2980)
  - MicrosoftEdgeUpdate.exe (PID: 1388)
  - MicrosoftEdgeUpdate.exe (PID: 3412)
  - MicrosoftEdgeWebview_X86_108.0.1462.54.exe (PID: 2452)
  - setup.exe (PID: 3324)
  - Avira.Spotlight.Bootstrapper.ReportingTool.exe (PID: 2016)
  - MicrosoftEdgeUpdate.exe (PID: 3156)
  - Avira.Spotlight.Bootstrapper.exe (PID: 3852)
  - Avira.Spotlight.Bootstrapper.ReportingTool.exe (PID: 268)
  - avira_spotlight_setup_pvpnws.tmp (PID: 2732)
  - avira_system_speedup.tmp (PID: 2356)
  - Avira.SystemSpeedup.Core.Common.Starter.exe (PID: 3012)
  - RegAsm.exe (PID: 2320)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3120)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3728)
  - Avira_Optimizer_Host.tmp (PID: 2312)
  - Avira.OptimizerHost.exe (PID: 992)
  - Avira.OptimizerHost.exe (PID: 1092)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3096)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 1644)
  - VpnInstaller.exe (PID: 1220)
  - Avira.WebAppHost.exe (PID: 3196)
  - Avira.VpnService.exe (PID: 3488)
  - Avira.Spotlight.Service.exe (PID: 2312)
  - Avira.NetworkBlocker.exe (PID: 2620)
  - Avira.Spotlight.UI.Application.exe (PID: 3104)
  - Avira.Spotlight.Systray.Application.exe (PID: 3820)
  - RegAsm.exe (PID: 3988)
  - msedgewebview2.exe (PID: 4220)
  - msedgewebview2.exe (PID: 4208)
  - msedgewebview2.exe (PID: 2956)
  - msedgewebview2.exe (PID: 4516)
  - Avira.Spotlight.Bootstrapper.ReportingTool.exe (PID: 4760)
  - tapinstall.exe (PID: 5052)
  - tapinstall.exe (PID: 5080)
  - tapinstall.exe (PID: 5024)
  - drvinst.exe (PID: 5120)
- Create files in a temporary directory
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3812)
  - Avira.Spotlight.Bootstrapper.exe (PID: 2636)
  - Avira.Spotlight.Bootstrapper.exe (PID: 1992)
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3672)
  - MicrosoftEdgeUpdate.exe (PID: 2980)
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3316)
  - Avira.Spotlight.Bootstrapper.exe (PID: 3852)
  - avira_spotlight_setup_pvpnws.tmp (PID: 2732)
  - avira_spotlight_setup_pvpnws.exe (PID: 2324)
  - avira_system_speedup.exe (PID: 2452)
  - avira_system_speedup.tmp (PID: 2356)
  - Avira_Optimizer_Host.exe (PID: 3792)
  - VpnInstaller.exe (PID: 1220)
  - msedgewebview2.exe (PID: 2956)
- The process uses the downloaded file
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3812)
  - firefox.exe (PID: 4052)
  - avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe (PID: 3672)
- Executable content was dropped or overwritten
  - firefox.exe (PID: 4052)
- Reads the machine GUID from the registry
  - Avira.Spotlight.Bootstrapper.exe (PID: 2636)
  - Avira.Spotlight.Bootstrapper.ReportingTool.exe (PID: 2016)
  - Avira.Spotlight.Bootstrapper.exe (PID: 1992)
  - Avira.Spotlight.Bootstrapper.exe (PID: 3852)
  - Avira.Spotlight.Bootstrapper.ReportingTool.exe (PID: 268)
  - avira_system_speedup.tmp (PID: 2356)
  - RegAsm.exe (PID: 2320)
  - Avira.SystemSpeedup.Core.Common.Starter.exe (PID: 3012)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3728)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3120)
  - Avira.OptimizerHost.exe (PID: 1092)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 1644)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3096)
  - VpnInstaller.exe (PID: 1220)
  - Avira.VpnService.exe (PID: 3488)
  - Avira.WebAppHost.exe (PID: 3196)
  - Avira.Spotlight.Service.exe (PID: 2312)
  - Avira.Spotlight.Systray.Application.exe (PID: 3820)
  - Avira.Spotlight.UI.Application.exe (PID: 3104)
  - RegAsm.exe (PID: 3988)
  - Avira.Spotlight.Bootstrapper.ReportingTool.exe (PID: 4760)
  - msedgewebview2.exe (PID: 2956)
  - tapinstall.exe (PID: 5080)
  - drvinst.exe (PID: 5120)
- Drops the executable file immediately after the start
  - firefox.exe (PID: 4052)
- Reads Environment values
  - Avira.Spotlight.Bootstrapper.exe (PID: 2636)
  - Avira.Spotlight.Bootstrapper.ReportingTool.exe (PID: 2016)
  - Avira.Spotlight.Bootstrapper.exe (PID: 1992)
  - MicrosoftEdgeUpdate.exe (PID: 2980)
  - MicrosoftEdgeUpdate.exe (PID: 3156)
  - Avira.Spotlight.Bootstrapper.exe (PID: 3852)
  - Avira.Spotlight.Bootstrapper.ReportingTool.exe (PID: 268)
  - avira_system_speedup.tmp (PID: 2356)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 1644)
  - VpnInstaller.exe (PID: 1220)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3096)
  - Avira.VpnService.exe (PID: 3488)
  - Avira.Spotlight.Service.exe (PID: 2312)
  - Avira.Spotlight.UI.Application.exe (PID: 3104)
  - msedgewebview2.exe (PID: 2956)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3728)
  - Avira.Spotlight.Bootstrapper.ReportingTool.exe (PID: 4760)
- Reads the software policy settings
  - Avira.Spotlight.Bootstrapper.exe (PID: 2636)
  - Avira.Spotlight.Bootstrapper.exe (PID: 1992)
  - MicrosoftEdgeUpdate.exe (PID: 2980)
  - MicrosoftEdgeUpdate.exe (PID: 3156)
  - Avira.Spotlight.Bootstrapper.exe (PID: 3852)
  - avira_system_speedup.tmp (PID: 2356)
  - Avira.SystemSpeedup.Core.Common.Starter.exe (PID: 3012)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3120)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3728)
  - Avira.OptimizerHost.exe (PID: 1092)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 1644)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3096)
  - VpnInstaller.exe (PID: 1220)
  - Avira.Spotlight.Service.exe (PID: 2312)
  - Avira.VpnService.exe (PID: 3488)
  - Avira.Spotlight.UI.Application.exe (PID: 3104)
  - msedgewebview2.exe (PID: 2956)
  - tapinstall.exe (PID: 5080)
  - drvinst.exe (PID: 5120)
- Creates files in the program directory
  - Avira.Spotlight.Bootstrapper.exe (PID: 2636)
  - Avira.Spotlight.Bootstrapper.exe (PID: 1992)
  - MicrosoftEdgeWebView2RuntimeInstallerX86.exe (PID: 2768)
  - MicrosoftEdgeWebview_X86_108.0.1462.54.exe (PID: 2452)
  - setup.exe (PID: 3324)
  - Avira.Spotlight.Bootstrapper.exe (PID: 3852)
  - avira_spotlight_setup_pvpnws.tmp (PID: 2732)
  - avira_system_speedup.tmp (PID: 2356)
  - cmd.exe (PID: 3420)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3120)
  - Avira_Optimizer_Host.tmp (PID: 2312)
  - Avira.OptimizerHost.exe (PID: 992)
  - Avira.OptimizerHost.exe (PID: 1092)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3728)
  - VpnInstaller.exe (PID: 1220)
  - Avira.VpnService.exe (PID: 3488)
  - Avira.Spotlight.Service.exe (PID: 2312)
  - Avira.Spotlight.Systray.Application.exe (PID: 3820)
  - Avira.Spotlight.UI.Application.exe (PID: 3104)
- Checks proxy server information
  - MicrosoftEdgeUpdate.exe (PID: 2980)
  - MicrosoftEdgeUpdate.exe (PID: 3156)
  - avira_system_speedup.tmp (PID: 2356)
  - VpnInstaller.exe (PID: 1220)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3096)
  - Avira.VpnService.exe (PID: 3488)
- Creates files or folders in the user directory
  - MicrosoftEdgeUpdate.exe (PID: 2980)
  - VpnInstaller.exe (PID: 1220)
  - msedgewebview2.exe (PID: 2956)
  - msedgewebview2.exe (PID: 3896)
  - msedgewebview2.exe (PID: 4220)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3728)
- Creates a software uninstall entry
  - avira_spotlight_setup_pvpnws.tmp (PID: 2732)
  - avira_system_speedup.tmp (PID: 2356)
- Reads product name
  - avira_system_speedup.tmp (PID: 2356)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 1644)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3096)
  - Avira.SystemSpeedup.Maintenance.exe (PID: 3728)
  - Avira.VpnService.exe (PID: 3488)
- Reads CPU info
  - Avira.VpnService.exe (PID: 3488)
- Process checks computer location settings
  - msedgewebview2.exe (PID: 2956)
  - msedgewebview2.exe (PID: 4352)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

170

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

268

"C:\Users\admin\AppData\Local\Temp\.CR.27751\7ecd2b86-7825-4fdb-a072-0be46e21a43c\.CR.4014\Avira.Spotlight.Bootstrapper.ReportingTool.exe" /TrackUnsentEvents

C:\Users\admin\AppData\Local\Temp\.CR.27751\7ecd2b86-7825-4fdb-a072-0be46e21a43c\.CR.4014\Avira.Spotlight.Bootstrapper.ReportingTool.exe

—

avira_en_vpnb0_1080661381-1708874323__pvpnws-spotlightvpnadw-test.exe

User:

admin

Company:

Avira Operations GmbH

Integrity Level:

HIGH

Description:

Avira Security

Exit code:

Version:

1.0.47.529

Modules

Images
c:\users\admin\appdata\local\temp\.cr.27751\7ecd2b86-7825-4fdb-a072-0be46e21a43c\.cr.4014\avira.spotlight.bootstrapper.reportingtool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

896

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4052.10.382240354\1843780445" -childID 7 -isForBrowser -prefsHandle 8032 -prefMapHandle 8040 -prefsLen 30860 -prefMapSize 244195 -jsInitHandle 928 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5c9c378-0265-4473-92cb-3cfc8d8d6de5} 4052 "\\.\pipe\gecko-crash-server-pipe.4052" 8028 1afdf110 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

908

"C:\Windows\system32\sc.exe" create AviraSecurityUpdater DisplayName= "Avira Security Updater" binPath= "\"C:\Program Files\Avira\Security\Avira.Spotlight.Common.Updater.exe\"" start= delayed-auto

C:\Windows\System32\sc.exe

—

avira_spotlight_setup_pvpnws.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

932

"C:\Windows\system32\schtasks.exe" /Create /F /TN Avira_Security_Update /XML "\\?\C:\Users\admin\AppData\Local\Temp\is-OS7H6.tmp\UpdateFallbackTask.xml"

C:\Windows\System32\schtasks.exe

—

avira_spotlight_setup_pvpnws.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

992

"C:\Program Files\Avira\Optimizer Host\Avira.OptimizerHost.exe" /Install /Silent

C:\Program Files\Avira\Optimizer Host\Avira.OptimizerHost.exe

—

Avira_Optimizer_Host.tmp

User:

admin

Company:

Avira Operations GmbH

Integrity Level:

HIGH

Description:

Avira Optimizer Host

Exit code:

Version:

1.3.0.53

Modules

Images
c:\program files\avira\optimizer host\avira.optimizerhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

1092

"C:\Program Files\Avira\Optimizer Host\Avira.OptimizerHost.exe"

C:\Program Files\Avira\Optimizer Host\Avira.OptimizerHost.exe

services.exe

User:

SYSTEM

Company:

Avira Operations GmbH

Integrity Level:

SYSTEM

Description:

Avira Optimizer Host

Exit code:

Version:

1.3.0.53

Modules

Images
c:\program files\avira\optimizer host\avira.optimizerhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

1220

"C:\Users\admin\AppData\Local\Temp\.CR.27751\2a9f8871-bffd-438e-8df4-13637a5eb944\VpnInstaller.exe" /S /LANG=en-us /bundle=vpnb0

C:\Users\admin\AppData\Local\Temp\.CR.27751\2a9f8871-bffd-438e-8df4-13637a5eb944\VpnInstaller.exe

Avira.Spotlight.Bootstrapper.exe

User:

admin

Company:

Avira Operations GmbH & Co. KG

Integrity Level:

HIGH

Description:

Avira Phantom VPN Installer

Exit code:

Version:

2.43.1.16819

Modules

Images
c:\users\admin\appdata\local\temp\.cr.27751\2a9f8871-bffd-438e-8df4-13637a5eb944\vpninstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

1388

"C:\Program Files\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=Prefers" /installsource offline /sessionid "{0CCAB5B4-B293-46BC-95ED-D6377976FAAC}" /silent /offlinedir "{E97B871A-9DE7-4F24-BC72-73649805AA60}"

C:\Program Files\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

—

MicrosoftEdgeUpdate.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Edge Update

Exit code:

Version:

1.3.171.37

Modules

Images
c:\program files\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1492

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4052.1.1852132928\579868534" -parentBuildID 20230710165010 -prefsHandle 1408 -prefMapHandle 1404 -prefsLen 28600 -prefMapSize 244195 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0836029f-ab75-497a-8ae2-d27c3b0f5646} 4052 "\\.\pipe\gecko-crash-server-pipe.4052" 1420 ee1ed50 socket

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

1540

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4052.6.255736573\571050017" -childID 5 -isForBrowser -prefsHandle 4024 -prefMapHandle 4028 -prefsLen 29102 -prefMapSize 244195 -jsInitHandle 928 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5ffd8fa-3f6c-447c-9318-7b1a95b32afb} 4052 "\\.\pipe\gecko-crash-server-pipe.4052" 3936 173caf70 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

Add for printing

Total events

303 935

Read events

301 363

Write events

2 321

Delete events

251

Modification events


(PID) Process:	(3864) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Launcher
Value: CC79FD4E01000000
(PID) Process:	(4052) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Browser
Value: C120FF4E01000000
(PID) Process:	(4052) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Installer\308046B0AF4A39CB
Operation:	delete value	Name:	installer.taskbarpin.win10.enabled
Value:
(PID) Process:	(4052) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Telemetry
Value: 0
(PID) Process:	(4052) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(4052) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Theme
Value: 1
(PID) Process:	(4052) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Enabled
Value: 1
(PID) Process:	(4052) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|DisableTelemetry
Value: 1
(PID) Process:	(4052) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|DisableDefaultBrowserAgent
Value: 0
(PID) Process:	(4052) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|SetDefaultBrowserUserChoice
Value: 1

Add for printing

Executable files

1 120

Suspicious files

232

Text files

595

Unknown types

189

Dropped files

PID	Process	Filename		Type
4052	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
4052	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\activity-stream.discovery_stream.json.tmp		binary
		MD5:4AEA87EB10FA290E1F6567BDD9FC721B	SHA256:E586BA80A66FC7835ADEE7CF388DFDD0BDDACC394DD50B4EE45D8D4B95324FE4
4052	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db		binary
		MD5:EF71CA5B43166DCA574076EFE0083D8F	SHA256:C1D46AC688CC33BEDB7E81BB34527D2577E0EF3807A963A4311BC00950BED936
4052	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage.sqlite-journal		binary
		MD5:C6559474CDEC2DF58CAC672F61C8EB27	SHA256:FFE79EF32AB499D2E4F0D65A8409662082EA7C14AB7EFD8410503E5FDD3565DB
4052	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\activity-stream.discovery_stream.json		binary
		MD5:4AEA87EB10FA290E1F6567BDD9FC721B	SHA256:E586BA80A66FC7835ADEE7CF388DFDD0BDDACC394DD50B4EE45D8D4B95324FE4
4052	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\glean\db\data.safe.bin		binary
		MD5:7FBA44CB533472C1E260D1F28892D86B	SHA256:14FB5CDA1708000576F35C39C15F80A0C653AFAF42ED137A3D31678F94B6E8BF
4052	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\glean\db\data.safe.tmp		binary
		MD5:7FBA44CB533472C1E260D1F28892D86B	SHA256:14FB5CDA1708000576F35C39C15F80A0C653AFAF42ED137A3D31678F94B6E8BF
4052	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js		text
		MD5:E7481358F3262E63D9731FBEC185E133	SHA256:C5017BA495B75FA71F81B694182134ADEDF8B3B18C91F0EC8D6114C22A20ADE5
4052	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\protections.sqlite-journal		binary
		MD5:0F758D89FC5FC83A54456B783B7FC579	SHA256:7A881E20BC6C51527B56EC1F0610EACD207ED57C7F1FEEC614CA149A855F7B90
4052	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

195

DNS requests

245

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4052	firefox.exe	POST	200	142.250.185.131:80	http://ocsp.pki.goog/gts1c3	US	binary	472 b	unknown
4052	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	US	text	90 b	unknown
4052	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	US	text	8 b	unknown
4052	firefox.exe	POST	—	95.101.54.139:80	http://r3.o.lencr.org/	DE	—	—	unknown
4052	firefox.exe	POST	—	95.101.54.139:80	http://r3.o.lencr.org/	DE	—	—	unknown
4052	firefox.exe	POST	200	95.101.54.139:80	http://r3.o.lencr.org/	DE	binary	503 b	unknown
4052	firefox.exe	POST	200	95.101.54.139:80	http://r3.o.lencr.org/	DE	binary	503 b	unknown
4052	firefox.exe	POST	200	95.101.54.137:80	http://r3.o.lencr.org/	DE	binary	503 b	unknown
4052	firefox.exe	POST	200	142.250.185.131:80	http://ocsp.pki.goog/gts1c3	US	binary	471 b	unknown
4052	firefox.exe	POST	200	95.101.54.139:80	http://r3.o.lencr.org/	DE	binary	503 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4052	firefox.exe	142.250.185.234:443	safebrowsing.googleapis.com	—	—	whitelisted
4052	firefox.exe	95.101.54.121:443	www.avira.com	Akamai International B.V.	DE	unknown
4052	firefox.exe	142.250.185.131:80	ocsp.pki.goog	GOOGLE	US	whitelisted
4052	firefox.exe	95.101.54.137:80	r3.o.lencr.org	Akamai International B.V.	DE	unknown
4052	firefox.exe	34.107.221.82:80	detectportal.firefox.com	GOOGLE	US	whitelisted
4052	firefox.exe	34.117.237.239:443	contile.services.mozilla.com	GOOGLE-CLOUD-PLATFORM	US	unknown
4052	firefox.exe	34.117.188.166:443	spocs.getpocket.com	GOOGLE-CLOUD-PLATFORM	US	unknown

DNS requests

Domain	IP	Reputation
www.avira.com	95.101.54.121 95.101.54.145 193.108.153.7 193.108.153.8	whitelisted
detectportal.firefox.com	34.107.221.82	whitelisted
a1879.dscr.akamai.net	95.101.54.121 95.101.54.145 2a02:26f0:480:f::213:7ed2 2a02:26f0:480:f::213:7ee3 193.108.153.7 193.108.153.8	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
contile.services.mozilla.com	34.117.237.239	whitelisted
example.org	93.184.216.34	whitelisted
ipv4only.arpa	192.0.0.170 192.0.0.171	whitelisted
spocs.getpocket.com	34.117.188.166	shared
gkegw.prod.ads.prod.webservices.mozgcp.net	34.117.188.166	unknown
r3.o.lencr.org	95.101.54.139 95.101.54.130 95.101.54.210 95.101.54.105 95.101.54.217 95.101.54.106 95.101.54.216 95.101.54.137 184.24.77.67 184.24.77.57 184.24.77.62 184.24.77.63 184.24.77.58 184.24.77.55 184.24.77.64 184.24.77.82 184.24.77.74 184.24.77.65 184.24.77.71 184.24.77.76	shared

Threats

Found threats are available for the paid subscriptions

1 ETPRO signatures available at the full report

Add for printing

Process	Message
Avira.SystemSpeedup.Maintenance.exe	Native library pre-loader is trying to load native SQLite library "C:\Program Files\Avira\System Speedup\x86\SQLite.Interop.dll"...
Avira.SystemSpeedup.Maintenance.exe	Native library pre-loader is trying to load native SQLite library "C:\Program Files\Avira\System Speedup\x86\SQLite.Interop.dll"...
Avira.SystemSpeedup.Maintenance.exe	Verify completed in 31.25 milliseconds, total of 1 times in 31.25 milliseconds.
Avira.SystemSpeedup.Maintenance.exe	Verify completed in 7.8125 milliseconds, total of 2 times in 39.0625 milliseconds.
Avira.SystemSpeedup.Maintenance.exe	Verify completed in 52.7344 milliseconds, total of 1 times in 52.7344 milliseconds.
Avira.SystemSpeedup.Maintenance.exe	Verify completed in 6.8359 milliseconds, total of 2 times in 59.5703 milliseconds.
Avira.SystemSpeedup.Maintenance.exe	SQLite error (17): statement aborts at 29: [CREATE TABLE DbSchema (Name NVARCHAR NOT NULL DEFAULT '',Version INTEGER NOT NULL DEFAULT 0)] database schema has changed
Avira.SystemSpeedup.Maintenance.exe	SQLite error (1): table DbSchema already exists in "CREATE TABLE DbSchema (Name NVARCHAR NOT NULL DEFAULT '',Version INTEGER NOT NULL DEFAULT 0)"
Avira.SystemSpeedup.Maintenance.exe	Native library pre-loader is trying to load native SQLite library "C:\Program Files\Avira\System Speedup\x86\SQLite.Interop.dll"...
Avira.SystemSpeedup.Maintenance.exe	Verify completed in 15.625 milliseconds, total of 1 times in 15.625 milliseconds.

General Info

https://www.avira.com/en/free-vpn?x-clickref=1100lyhCQBNP&x-c-channel=partnerize&x-a-medium=1011l105151&x-utm_content=1011l54130&x-utm_term=safetydetectives

1D083FD78E104CA2253B4FAE15A15D5E

A2900685D9B29B13376D698E2980B154E2B2D057

161DDDDC3BD73CF17C16B1F747C5F9A6B2FAE735B26F434E070C6C21BDFACF7A

3:N8DSLSKKFDO+CMKVVS1rvIGW/AWuXtw+EIIkX+w3lAL+VUmBIQurXFg1RAwWn:2OLSbDrCMOV8XW/A3X6+hIkobmBtk+1q

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Creates a writable file in the system directory

Actions looks like stealing of personal data

The DLL Hijacking

Scans artifacts that could help determine the target

SUSPICIOUS

The process checks if it is being run in the virtual environment

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Reads settings of System Certificates

Reads the Internet Settings

Reads security settings of Internet Explorer

Searches for installed software

Checks Windows Trust Settings

Starts a Microsoft application from unusual location

Adds/modifies Windows certificates

Process drops legitimate windows executable

Disables SEHOP

Starts itself from another location

Creates/Modifies COM task schedule object

Creates a software uninstall entry

Executes as Windows Service

Application launched itself

The process verifies whether the antivirus software is installed

Reads the Windows owner or organization settings

Uses ICACLS.EXE to modify access control lists

The process drops C-runtime libraries

Starts SC.EXE for service management

Starts CMD.EXE for commands execution

Write to the desktop.ini file (may be used to cloak folders)

Creates or modifies Windows services

Drops a system driver (possible attempt to evade defenses)

Starts application with an unusual extension

Changes Internet Explorer settings (feature browser emulation)

The process executes via Task Scheduler

Creates files in the driver directory

INFO

Application launched itself

Checks supported languages

Manual execution by a user

Reads the computer name

Create files in a temporary directory

The process uses the downloaded file

Executable content was dropped or overwritten

Reads the machine GUID from the registry

Drops the executable file immediately after the start

Reads Environment values

Reads the software policy settings

Creates files in the program directory

Checks proxy server information

Creates files or folders in the user directory

Creates a software uninstall entry

Reads product name

Reads CPU info

Process checks computer location settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information