TL;DR: see Part 1 for an introduction to this series and an overview of the available posts.


After a slow first day, let’s up our game with some AntiVirus fun from our friends over at Avira (21 executables) and one launcher (at the end of the post):

  • Avira Antivirus(x86) - 1 executable
  • Avira Free Software Updater(x86) - 4 executables
  • Avira Game Booster(x86) - 1 executable
  • Avira Optimizer Host(x86) - 1 executable
  • Avira Phantom VPN (x86 & x64) - 2 executables
  • Avira Privacy Pal(x86) - 3 executables
  • Avira Safe Shopping(x86) - 1 executable
  • Avira System Speedup(x86) - 7 executables
  • Avira Systray(x86) - 1 executable

  • Name: Avira - Antivirus(x86)
  • Executable: checkwindows10drivers.exe
  • SHA256: 02398908b347153c737672f1acf53d554d4bca4e6c2a7a8ddf304024d2447919
  • SHA1: 8c8c5c8dada23712fbc4a7f487ec74221e6a9a92
  • MD5: 7fdb91966a7d49ff9e4eaa5b6d25a600
  • Certificate: Avira Operations GmbH & Co. KG/VeriSign Class 3 Code Signing 2010 CA/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Free Software Updater(x86)
  • Executable: Avira.SoftwareUpdater.ServiceHost.exe
  • SHA256: d7f7c3fd07642684076a99647d07333757e39a38b2dada3e9efb8144bf41c1c8
  • SHA1: 68d1a5b02376f64af6ce1d5ad4c1acce71a77c4f
  • MD5: a5c8805730e06c2c1991e9430c3184a0
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Free Software Updater(x86)
  • Executable: AviraSoftwareUpdater.exe
  • SHA256: bcc0f1bef8fc27b2e7f29e79d7ef84bd0429c27394bb4fc25517315e46d54627
  • SHA1: f8a01413030cb1ecdafe7c1b42761de8d7b25224
  • MD5: 8b0b1c85f79efeedea7b6ed61bf1efe3
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Free Software Updater(x86)
  • Executable: AviraSoftwareUpdaterToastNotificationsBridge.exe
  • SHA256: 99014c90eaf5187f35e7a72f16556168bd945ea67e45224a1d0e57c434ae997b
  • SHA1: 7379a19a5459647240df47ba7b3569308cbadf9a
  • MD5: 2ea3069953a03743a2a4196958d3ff08
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Free Software Updater(x86)
  • Executable: CefSharp.BrowserSubprocess.exe
  • SHA256: 34d07045fa780db5aab7936b4c945af6cfbef65b4e4e1eaa371c4cfe684632f1
  • SHA1: 0c1d5610e31fa2a3718a1e58eee8c69f7919cd10
  • MD5: 5fe5007222e135cdf0704693e3d2f40f
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Game Booster(x86)
  • Executable: Avira.GameBooster.Core.ErrorReporter.exe
  • SHA256: 8c0edc3bc3a4000b2857738730984dd7df4c1d776a9953f619a38c71ba4709d8
  • SHA1: a6b50f05713aeb5be6e7df060e070b6f4d2567e8
  • MD5: 32d12e975879c7ea90a2885ab5122b8b
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Optimizer Host(x86)
  • Executable: Avira.OptimizerHost.exe
  • SHA256: 70131f57d22fe3e8de85a8e95fb74cc1bbb1e8706e51b09771e4d6c3a5721c05
  • SHA1: ddd8ac17c08a6ce2e2ceb4e0110a211eb597d7a1
  • MD5: 10172704730e637a1d4815a24fb14d95
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira Phantom VPN (x86)
  • Executable: Avira.VPN.Notifier.exe
  • SHA256: 3518ec7a125da4fe7bb0fc3b26cdeeef3b0afb6c747c7157316163d1e7ab2feb
  • SHA1: 1d99e6c551e5ef9ad0088db3868eb5d77cd05b7d
  • MD5: 258b1b3824eafafec8e4d2d098c23277
  • Certificate: Avira Operations GmbH & Co. KG/VeriSign Class 3 Code Signing 2010 CA/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira Phantom VPN (x64)
  • Executable: Avira.WebAppHost.exe
  • SHA256: 8b58a80c56cf5e668ead219836b5f0013a696108fdf5542720f4a94f48d96c7c
  • SHA1: 857b9967c067a05c2bfabc79f087fd66eb198e93
  • MD5: 248f70a1f626518a7591959cf47d19b6
  • Certificate: Avira Operations GmbH & Co. KG/VeriSign Class 3 Code Signing 2010 CA/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Privacy Pal(x86)
  • Executable: Avira.Optimizer.Common.ErrorReporter.exe
  • SHA256: b3ca7f3db9ef464d7891370c0fb7f3e20c2bce683e204b25a5c46d00c899bfe7
  • SHA1: 754ccff14b3313b864b1e8fa55100a7dff781e30
  • MD5: 51fc630ba6fbe50a76593c38a3dfc27e
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Privacy Pal(x86)
  • Executable: Avira.PrivacyPal.Service.exe
  • SHA256: b3a6afcc4e2a020144284d131c3ca249f534e4bc657b1ce1edd43aeafc7989c5
  • SHA1: 222f9373fc31a49ba6be92adf73aab5cbdb835c7
  • MD5: 043d2289eb1fbd53679d07ce10a0c876
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Privacy Pal(x86)
  • Executable: Avira.PrivacyPal.UI.Application.exe
  • SHA256: b400e06940709384aeec578e0603e4694a51d4e7c7aaa9eb7b19bb2e49a499a9
  • SHA1: 9b0587653e253a296b5da86d69008340e02f2374
  • MD5: 3f18e5c14b8ad588f962e5dfaed1c251
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Safe Shopping(x86)
  • Executable: Avira Safe Shopping.exe
  • SHA256: a9b5678e868936998e215305d2d5d860d6077480bc74896463c914a8fb5c0f54
  • SHA1: 2ae7f4668ddcccf4efc97c895a74bf1416f4e376
  • MD5: 0558054a7b14823f52177814ab8e71ed
  • Certificate: Solute GmbH/thawte SHA256 Code Signing CA/thawte Primary Root CA

  • Name: Avira - System Speedup(x86)
  • Executable: Avira.SystemSpeedup.Core.Common.Starter.exe
  • SHA256: 6fb25bea61d07fd683d08bd25091e91a7ebdfe38ab8672e124449aef308cb16b
  • SHA1: 5fe163332729812394faafd97d12ed1248f41f10
  • MD5: 88e2bfdd248eae47aa608938d51094c7
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - System Speedup(x86)
  • Executable: Avira.SystemSpeedup.Maintenance.exe
  • SHA256: 104ee193f8b008ca7889c9c101607458a4a5d9dd3bbad0c85435415c082e15d0
  • SHA1: 7d23786ac1db3c2f0c47b4dadd327a84f2c469f1
  • MD5: 40ad0c81196dcc00e144b84a8183ee76
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - System Speedup(x86)
  • Executable: Avira.SystemSpeedup.Service.exe
  • SHA256: 2ca9a2aa5aba579765b75548915b6339a1d503c1eb15a9f5cc4e0950b5031ea1
  • SHA1: 410266c83c3c4a6b142eb7ef18b8d3c7e0d893d3
  • MD5: 424b47d51d5330d4a7f1f030580e8d0f
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - System Speedup(x86)
  • Executable: Avira.SystemSpeedup.UI.HelpOverlay.exe
  • SHA256: 9ec2b86c617b58ecc3dce28c65284cd6c1e80228848d812e91eec3fa49c13e7b
  • SHA1: f4fb072beb76bb1aeaa09d736db05afff55e8972
  • MD5: 3efffeb3df594423784122d0a885f7ef
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - System Speedup(x86)
  • Executable: Avira.SystemSpeedup.UI.Popup.exe
  • SHA256: 46a4cb520498987ea38fcff8b9bcac5987d2acc9436449d413a4859b0bb77cc1
  • SHA1: 4fa9e229f805ffb1eb10be23e1ece83a73f32fef
  • MD5: 60003473cde1f5377caee09eb9afec4c
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - System Speedup(x86)
  • Executable: Avira.SystemSpeedup.UI.ServiceProfiler.exe
  • SHA256: 2423ed625ca857c466840337f857ca069727239a2284042e7e676fed77739ff8
  • SHA1: 4d5e90c06599e2bdbda3ad830cbf4d3a0629385e
  • MD5: 5aa1ad636dd8d43ede9f076fc56d01fd
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - System Speedup(x86)
  • Executable: Avira_System_Speedup.exe
  • SHA256: a5017f00a56ce58397e56ba7b185d08763ba26edf03220d9c4704846bd5776fa
  • SHA1: b305ec97f553731a662dcb77f70a4039a0308aa5
  • MD5: 6342eedd81595a67fea103cfddd8d5c0
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Systray(x86)
  • Executable: Avira.Systray.exe
  • SHA256: 17dc9e5321c2af351e47f914219a920df37ffa2f625563327aaf34bb7c12506d
  • SHA1: 519f64bea775ed6ab86d0c12087a9a1086805358
  • MD5: d63d9bfd8947f60f7e9e74e8fef40059
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

DLL-Template:

; ---------------------------------------------------------------------------
;- Exports: version.dll

ProcedureDLL.l GetFileVersionInfoSizeW()
  DbgOutFunctionName()
EndProcedure

ProcedureDLL.l GetFileVersionInfoW()
  DbgOutFunctionName()
EndProcedure

ProcedureDLL.l VerQueryValueW()
  DbgOutFunctionName()
EndProcedure

Download: I do not provide the executables in question as they can easily be found on the Internet and I don’t want any eager companies to send me DMCA take-down letters ;-). Hybrid Analysis / reverse.it or VirusTotal are always happy to help with downloads for these files…

A description of all executables will be collected on GitHub: signed-loaders

… and as an added bonus, you can use Avira.GameBooster.ProcessStarter.exe as a launcher …

  • Name: Avira - Game Booster(x86)
  • Executable: Avira.GameBooster.ProcessStarter.exe
  • SHA256: c0def4ff61a4545699422273761c464f35d532cc0cc65756e4ec20be383ff897
  • SHA1: 653c5fef45774243354fc718f3fb98a8a5d3e223
  • MD5: f6fb5c1eb58aff98c0815919a3a5e03d
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

… via: Avira.GameBooster.ProcessStarter.exe calc.exe

About this site // disclaimer

This is my personal blog. The views expressed on these pages are mine alone and not those of my employer or former employers. Views may change over time and become outdated or even invalid, so these pages may not represent my current views. All information is provided as-is. If not otherwise stated, the content is provided under the 2-clause BSD License.

Follow me on Twitter @markus_pieton