marsstealer | 628e36d50c06b940d90d2e0a245e1c7d089eb2371a034781bc6b3e5281537e55

Analysis

max time kernel
140s
max time network
147s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/10/2023, 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

628e36d50c06b940d90d2e0a245e1c7d089eb2371a034781bc6b3e5281537e55_JC.exe
Size

4.5MB
MD5

f03efc23b03c45fa93341ad9b8a854fc
SHA1

e18d4b32afaa3f8468304b0d5decf93151bfa65a
SHA256

628e36d50c06b940d90d2e0a245e1c7d089eb2371a034781bc6b3e5281537e55
SHA512

26917beea4e0866ba39a08575d4755b263f3283ff44024b138306417dc620449ed921230545e2d4c885a81c041354b0678e2d586cd728bc5959202ad94dc9ce4
SSDEEP

49152:TcwCiApWDe5AhKt2eU5u5UxV3VsKQzihlFrOR5f9IqC0f6tmMACHZ3UqBzIUFolL:

Score

10^/10

marsstealer default bootkit persistence stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

rakishev.org/wp-mail.php

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Executes dropped EXE 6 IoCs

pid	Process
2432	887CWEJQ.exe
2832	F0RB684G.exe
1744	I16WW2D.exe
2584	icarus.exe
1340	icarus_ui.exe
1784	icarus.exe

Loads dropped DLL 6 IoCs

pid	Process
2832	F0RB684G.exe
2584	icarus.exe
2584	icarus.exe
2584	icarus.exe
2584	icarus.exe
1784	icarus.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	F0RB684G.exe
File opened for modification	\??\PhysicalDrive0	icarus.exe
File opened for modification	\??\PhysicalDrive0	icarus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	icarus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus_ui.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	icarus_ui.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	icarus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	icarus.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	F0RB684G.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	F0RB684G.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1340	icarus_ui.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	icarus.exe
Token: SeDebugPrivilege	1340	icarus_ui.exe
Token: SeDebugPrivilege	1784	icarus.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2832	F0RB684G.exe
1340	icarus_ui.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1340	icarus_ui.exe
1340	icarus_ui.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2432	2460	628e36d50c06b940d90d2e0a245e1c7d089eb2371a034781bc6b3e5281537e55_JC.exe	29
PID 2460 wrote to memory of 2432	2460	628e36d50c06b940d90d2e0a245e1c7d089eb2371a034781bc6b3e5281537e55_JC.exe	29
PID 2460 wrote to memory of 2432	2460	628e36d50c06b940d90d2e0a245e1c7d089eb2371a034781bc6b3e5281537e55_JC.exe	29
PID 2460 wrote to memory of 2832	2460	628e36d50c06b940d90d2e0a245e1c7d089eb2371a034781bc6b3e5281537e55_JC.exe	31
PID 2460 wrote to memory of 2832	2460	628e36d50c06b940d90d2e0a245e1c7d089eb2371a034781bc6b3e5281537e55_JC.exe	31
PID 2460 wrote to memory of 2832	2460	628e36d50c06b940d90d2e0a245e1c7d089eb2371a034781bc6b3e5281537e55_JC.exe	31
PID 2460 wrote to memory of 2832	2460	628e36d50c06b940d90d2e0a245e1c7d089eb2371a034781bc6b3e5281537e55_JC.exe	31
PID 2460 wrote to memory of 2832	2460	628e36d50c06b940d90d2e0a245e1c7d089eb2371a034781bc6b3e5281537e55_JC.exe	31
PID 2460 wrote to memory of 2832	2460	628e36d50c06b940d90d2e0a245e1c7d089eb2371a034781bc6b3e5281537e55_JC.exe	31
PID 2460 wrote to memory of 2832	2460	628e36d50c06b940d90d2e0a245e1c7d089eb2371a034781bc6b3e5281537e55_JC.exe	31
PID 2432 wrote to memory of 1744	2432	887CWEJQ.exe	32
PID 2432 wrote to memory of 1744	2432	887CWEJQ.exe	32
PID 2432 wrote to memory of 1744	2432	887CWEJQ.exe	32
PID 2432 wrote to memory of 1744	2432	887CWEJQ.exe	32
PID 2832 wrote to memory of 2584	2832	F0RB684G.exe	33
PID 2832 wrote to memory of 2584	2832	F0RB684G.exe	33
PID 2832 wrote to memory of 2584	2832	F0RB684G.exe	33
PID 2832 wrote to memory of 2584	2832	F0RB684G.exe	33
PID 2584 wrote to memory of 1340	2584	icarus.exe	34
PID 2584 wrote to memory of 1340	2584	icarus.exe	34
PID 2584 wrote to memory of 1340	2584	icarus.exe	34
PID 2584 wrote to memory of 1784	2584	icarus.exe	35
PID 2584 wrote to memory of 1784	2584	icarus.exe	35
PID 2584 wrote to memory of 1784	2584	icarus.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\628e36d50c06b940d90d2e0a245e1c7d089eb2371a034781bc6b3e5281537e55_JC.exe
"C:\Users\Admin\AppData\Local\Temp\628e36d50c06b940d90d2e0a245e1c7d089eb2371a034781bc6b3e5281537e55_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\887CWEJQ.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\887CWEJQ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\ProgramData\I16WW2D.exe
    "C:\ProgramData\I16WW2D.exe"
    3⤵
    - Executes dropped EXE
    PID:1744
- C:\ProgramData\Package Cache\F0RB684G.exe
  "C:\ProgramData\Package Cache\F0RB684G.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\common\icarus.exe
    C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\icarus-info.xml /install /sssid:2832
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\common\icarus_ui.exe
      C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\common\icarus_ui.exe /sssid:2832 /er_master:master_ep_92bed03a-4137-48d3-a7b7-5b093318fa65 /er_ui:ui_ep_382c095f-469b-4d12-84b5-4b6be3038346
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1340
  - - C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\avast-vpn\icarus.exe
      C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\avast-vpn\icarus.exe /sssid:2832 /er_master:master_ep_92bed03a-4137-48d3-a7b7-5b093318fa65 /er_ui:ui_ep_382c095f-469b-4d12-84b5-4b6be3038346 /er_slave:avast-vpn_slave_ep_004f3194-8948-47e1-91bb-ac03445e234a /slave:avast-vpn
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Icarus\Logs\icarus.log

Filesize
45KB

MD5
0e97b44a3fc91e6e379998bc59a59c40

SHA1
c9b9b5e82166a09a479e8819e0582a867fe001a7

SHA256
eed0a9834030513985ffb98bc44f47a741a799ad36672494fbc64e697c152316

SHA512
9ac99f4b402d392898c9613dde2f9e8e4cfa8ff1c5b1dd94c0d617b41a76c3d0ef1b833d58ddce7ad2222c4bbcf4efd62d165b8a5f091d98b8479818e33ff2fa

Download Submit
C:\ProgramData\Avast Software\Icarus\settings\proxy.ini

Filesize
214B

MD5
d6de6577f75a4499fe64be2006979ae5

SHA1
0c83a2008fa28a97eb4b01d98aeab90a2e4c8e69

SHA256
87d882d37f63429088955a59b126f0d44fa728ce60142478004381a3604c9ea9

SHA512
cb4b42c07aa2da7857106c92bc6860a29d8a92f00e34f0df54f68c17945982bc01475c83b1a1079543404bb49342fc7cdc41d2ac32d71332439ceb27b5ad1c0c

Download Submit
C:\ProgramData\I16WW2D.exe

Filesize
159KB

MD5
cdae01e46ea3123bae7b1d77bbf9d3a9

SHA1
59d84c8b2d5058331ea076dac6c71bd8512d04bc

SHA256
3630911c356752e83799548176fbf7e90c59b2abf9b4dfa773bc896b325cab5e

SHA512
ba3988589ac0c0ba6d7dc02aadd49b1d81b084e871e272634c5880fbc5f39c00ee4410bd5a1ece087188891e903995b68fc02301a9b6e3823839cd7d890741ae

Download Submit
C:\ProgramData\I16WW2D.exe

Filesize
159KB

MD5
cdae01e46ea3123bae7b1d77bbf9d3a9

SHA1
59d84c8b2d5058331ea076dac6c71bd8512d04bc

SHA256
3630911c356752e83799548176fbf7e90c59b2abf9b4dfa773bc896b325cab5e

SHA512
ba3988589ac0c0ba6d7dc02aadd49b1d81b084e871e272634c5880fbc5f39c00ee4410bd5a1ece087188891e903995b68fc02301a9b6e3823839cd7d890741ae

Download Submit
C:\ProgramData\Package Cache\F0RB684G.exe

Filesize
1.2MB

MD5
d568fbc2839540496d2895941a4529bf

SHA1
a74b4c8b28dea386c551101ea14532844b4cd3bf

SHA256
3fa3aa7a5e6216eb78a22b343b786c4b609374afcb18f845c8f7f5378a6cf917

SHA512
dc0e38cd2a2c800400b96d64eaa78857e7893280dd38d3d6c07feefea8267b53b33910ed9bab47a9c902736b7bc0a11f1dc4f54d12f5665ab8aaab3c14cb1255

Download Submit
C:\ProgramData\Package Cache\F0RB684G.exe

Filesize
1.2MB

MD5
d568fbc2839540496d2895941a4529bf

SHA1
a74b4c8b28dea386c551101ea14532844b4cd3bf

SHA256
3fa3aa7a5e6216eb78a22b343b786c4b609374afcb18f845c8f7f5378a6cf917

SHA512
dc0e38cd2a2c800400b96d64eaa78857e7893280dd38d3d6c07feefea8267b53b33910ed9bab47a9c902736b7bc0a11f1dc4f54d12f5665ab8aaab3c14cb1255

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\887CWEJQ.exe

Filesize
434KB

MD5
c3da46884d23b3b494867dbf1953f83a

SHA1
c7c72dfe36faa8064d57f2dea50faa45ac0cbf8d

SHA256
81b3ff369512d5ecf6af14c59115c149f56f64c3ffccca64bf1cffa7cb4614a6

SHA512
2ca2f95d88803d12197e284374fe1fbc67b27db2db33304f1b88cc1678cb63ce4c894c3ed2ff71b9e0863179e1d4c3800f33184adf5d67e6009d6f04287f38fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\887CWEJQ.exe

Filesize
434KB

MD5
c3da46884d23b3b494867dbf1953f83a

SHA1
c7c72dfe36faa8064d57f2dea50faa45ac0cbf8d

SHA256
81b3ff369512d5ecf6af14c59115c149f56f64c3ffccca64bf1cffa7cb4614a6

SHA512
2ca2f95d88803d12197e284374fe1fbc67b27db2db33304f1b88cc1678cb63ce4c894c3ed2ff71b9e0863179e1d4c3800f33184adf5d67e6009d6f04287f38fe

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\avast-vpn\bug_report.exe

Filesize
4.7MB

MD5
636c5401b150bf7c29d47b3a9a79489d

SHA1
a6f0e6115d110d28416a5f2d990d0220b4df4129

SHA256
f4d2bf5ca20503fbd635484e8fcdf05b174dc62cd4b83aa74453e282d969f673

SHA512
a9ec410d2f8436b51548edf50d9e359aa7325ac0c7e085ae8abd4309ea09320e3e40278fd8436e073181c32289e8b70b72f48d82a31dbf7e5d3fe2b059b40a5d

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\avast-vpn\config.def

Filesize
225B

MD5
fa5d03897300c9d450350a8fa0d4c839

SHA1
96494262d4f5ea7e156a0cdf1c8aeefd9c1c6649

SHA256
732a68347746e88aaaf67fb5e318d13b65188a00bc9181af72c87ecaa736d6e0

SHA512
ea33a4dd74ef5b6f5650cebf43f6dd7c542f5bf8fd61432fff27db80db7baeade3a5038eaabf000b63396dd38e60ae0860873f12b8d0a429cb1295dc4721ca45

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\avast-vpn\dump_process.exe

Filesize
1.0MB

MD5
4a5284a46dc0f854f381211ba3aa69b9

SHA1
e2e1a9de1ab998e493db06e8e79a1bd730959e90

SHA256
44025ecdced796f65280f316aae9cefeb447556972395b737105d2d26df4da68

SHA512
15c33233529ffbeecce1df8d3c1de4f1cb39c069e321601e50c5b75a175284e6389973420921f501259d948ca7c6a3a3f562a1dd51bc739b1e7740f911c543de

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\avast-vpn\icarus.exe

Filesize
6.8MB

MD5
ddeaba46a13e7af2b7704c741f09a047

SHA1
e34e76f49ca7d1dac81ded2d69232a648571a767

SHA256
7be14e1e958d02a59ac95bb3c8a912387c4be96afb2a4abc5b66b7b3b6184e3f

SHA512
f0f3de9ea5c2587352fef34038e230f29820e55cf75602d595d1fa0e7caa26a7aebe46d2331dc120a3958d414dc8fb2972544570db673fe447dbd5b4e54f5fa3

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\avast-vpn\icarus.exe

Filesize
6.8MB

MD5
ddeaba46a13e7af2b7704c741f09a047

SHA1
e34e76f49ca7d1dac81ded2d69232a648571a767

SHA256
7be14e1e958d02a59ac95bb3c8a912387c4be96afb2a4abc5b66b7b3b6184e3f

SHA512
f0f3de9ea5c2587352fef34038e230f29820e55cf75602d595d1fa0e7caa26a7aebe46d2331dc120a3958d414dc8fb2972544570db673fe447dbd5b4e54f5fa3

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\avast-vpn\icarus_product.dll

Filesize
872KB

MD5
668f3ebe64838c4616358971f1cada7b

SHA1
575feaa1798b9baec54cd8b601c55cd605cfb30a

SHA256
52c0af6f90aa02ab736ac1674eaf9a0db14b83dcaf6726b6d9f3fefaffc52ec3

SHA512
a289f86a278a07d408695defb54634cc5c07b1d5e478898dc9d90240d9be063531f30567cee88ffc83755b484175229a001a556eea60a475f9bf21cb57527664

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\avast-vpn\icarus_ui.exe

Filesize
10.9MB

MD5
d105e50bbf068c74ca4ed0a1308f820c

SHA1
e342655b045ba540b617bce713e437ebbc70f5fc

SHA256
7c93aec0620b984b4060c0b6dfcbcf44a8cf0f5d5e8d4c621495dcdab32db909

SHA512
0681bf5c16ff5a52640fb85de04d2a9c111ed5e9855f3ac7257cf678808e6f865c6bb8fd4ad56601957e31a82cdb037b0d9b9d27d8ce4519164187ad16c673ad

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\avast-vpn\product-def.xml

Filesize
207KB

MD5
0c7b8309a70f23776f4d667c8512a9fb

SHA1
50123dc527645c3c50127f0ce08afd6c9fd803f2

SHA256
9f87e1ff6e33dc38f1fb62b12c597b70fd01600e8e9cb858f2b6dda3ce0ba1d4

SHA512
f64c0e4708fc6cd130ecc839030c0b20c43112153b3671e75aeedc68e6572c55b707366ea2fab11d4bea4b043a792f0068560216fdf0637ce59b6a4b6af39875

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\avast-vpn\product-def.xml

Filesize
207KB

MD5
0c7b8309a70f23776f4d667c8512a9fb

SHA1
50123dc527645c3c50127f0ce08afd6c9fd803f2

SHA256
9f87e1ff6e33dc38f1fb62b12c597b70fd01600e8e9cb858f2b6dda3ce0ba1d4

SHA512
f64c0e4708fc6cd130ecc839030c0b20c43112153b3671e75aeedc68e6572c55b707366ea2fab11d4bea4b043a792f0068560216fdf0637ce59b6a4b6af39875

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\avast-vpn\product-info.xml

Filesize
6KB

MD5
bfe86660082b0d398a03b75b308f3e44

SHA1
e108169636ca159c81a8e989edfba0f85f708e46

SHA256
d3ea3b0bb8dbc57a912be958702fcf9cb78ef6feb85033d1d2971d90d6738682

SHA512
1055dd6c71e205c948e799ddd935dd0584eebd9e8e9cfc61119c3ee551d24d97f0d6ce5d4ee9aa2495dc21a48a17e0f76627fe18d309e508e76c77cb03b31ff3

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\avast-vpn\setupui.cont

Filesize
131KB

MD5
eb6452da8a5da56869cc5354f62a1bc5

SHA1
b50ee67c133055395daaf188735eeafdec249b8b

SHA256
b0dce494eae002553bce20bcff5dd513109c14bf0c0524008cd414cc7cf970b7

SHA512
1a793be8f5b2c327c97761046595b857124268940da3ac5e9eac5ce7cb9b6d69d54c9974308d73a6ecf236499cf49313d4abdc7388d89dc441e0d2a7a451f6a7

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\common\bug_report.exe

Filesize
4.7MB

MD5
636c5401b150bf7c29d47b3a9a79489d

SHA1
a6f0e6115d110d28416a5f2d990d0220b4df4129

SHA256
f4d2bf5ca20503fbd635484e8fcdf05b174dc62cd4b83aa74453e282d969f673

SHA512
a9ec410d2f8436b51548edf50d9e359aa7325ac0c7e085ae8abd4309ea09320e3e40278fd8436e073181c32289e8b70b72f48d82a31dbf7e5d3fe2b059b40a5d

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\common\dump_process.exe

Filesize
1.0MB

MD5
4a5284a46dc0f854f381211ba3aa69b9

SHA1
e2e1a9de1ab998e493db06e8e79a1bd730959e90

SHA256
44025ecdced796f65280f316aae9cefeb447556972395b737105d2d26df4da68

SHA512
15c33233529ffbeecce1df8d3c1de4f1cb39c069e321601e50c5b75a175284e6389973420921f501259d948ca7c6a3a3f562a1dd51bc739b1e7740f911c543de

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\common\icarus.exe

Filesize
6.8MB

MD5
ddeaba46a13e7af2b7704c741f09a047

SHA1
e34e76f49ca7d1dac81ded2d69232a648571a767

SHA256
7be14e1e958d02a59ac95bb3c8a912387c4be96afb2a4abc5b66b7b3b6184e3f

SHA512
f0f3de9ea5c2587352fef34038e230f29820e55cf75602d595d1fa0e7caa26a7aebe46d2331dc120a3958d414dc8fb2972544570db673fe447dbd5b4e54f5fa3

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\common\icarus.exe

Filesize
6.8MB

MD5
ddeaba46a13e7af2b7704c741f09a047

SHA1
e34e76f49ca7d1dac81ded2d69232a648571a767

SHA256
7be14e1e958d02a59ac95bb3c8a912387c4be96afb2a4abc5b66b7b3b6184e3f

SHA512
f0f3de9ea5c2587352fef34038e230f29820e55cf75602d595d1fa0e7caa26a7aebe46d2331dc120a3958d414dc8fb2972544570db673fe447dbd5b4e54f5fa3

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\common\icarus_ui.exe

Filesize
10.9MB

MD5
d105e50bbf068c74ca4ed0a1308f820c

SHA1
e342655b045ba540b617bce713e437ebbc70f5fc

SHA256
7c93aec0620b984b4060c0b6dfcbcf44a8cf0f5d5e8d4c621495dcdab32db909

SHA512
0681bf5c16ff5a52640fb85de04d2a9c111ed5e9855f3ac7257cf678808e6f865c6bb8fd4ad56601957e31a82cdb037b0d9b9d27d8ce4519164187ad16c673ad

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\common\icarus_ui.exe

Filesize
10.9MB

MD5
d105e50bbf068c74ca4ed0a1308f820c

SHA1
e342655b045ba540b617bce713e437ebbc70f5fc

SHA256
7c93aec0620b984b4060c0b6dfcbcf44a8cf0f5d5e8d4c621495dcdab32db909

SHA512
0681bf5c16ff5a52640fb85de04d2a9c111ed5e9855f3ac7257cf678808e6f865c6bb8fd4ad56601957e31a82cdb037b0d9b9d27d8ce4519164187ad16c673ad

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\common\product-def.xml

Filesize
207KB

MD5
0c7b8309a70f23776f4d667c8512a9fb

SHA1
50123dc527645c3c50127f0ce08afd6c9fd803f2

SHA256
9f87e1ff6e33dc38f1fb62b12c597b70fd01600e8e9cb858f2b6dda3ce0ba1d4

SHA512
f64c0e4708fc6cd130ecc839030c0b20c43112153b3671e75aeedc68e6572c55b707366ea2fab11d4bea4b043a792f0068560216fdf0637ce59b6a4b6af39875

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\common\product-info.xml

Filesize
6KB

MD5
bfe86660082b0d398a03b75b308f3e44

SHA1
e108169636ca159c81a8e989edfba0f85f708e46

SHA256
d3ea3b0bb8dbc57a912be958702fcf9cb78ef6feb85033d1d2971d90d6738682

SHA512
1055dd6c71e205c948e799ddd935dd0584eebd9e8e9cfc61119c3ee551d24d97f0d6ce5d4ee9aa2495dc21a48a17e0f76627fe18d309e508e76c77cb03b31ff3

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\common\setupui.cont

Filesize
131KB

MD5
eb6452da8a5da56869cc5354f62a1bc5

SHA1
b50ee67c133055395daaf188735eeafdec249b8b

SHA256
b0dce494eae002553bce20bcff5dd513109c14bf0c0524008cd414cc7cf970b7

SHA512
1a793be8f5b2c327c97761046595b857124268940da3ac5e9eac5ce7cb9b6d69d54c9974308d73a6ecf236499cf49313d4abdc7388d89dc441e0d2a7a451f6a7

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\ecoo.edat

Filesize
21B

MD5
eb3d95b2b94c521beda1c5abf3fe0c22

SHA1
5fded644d8d5aee5c7620e51dd1be0feb4dd5879

SHA256
45425cfacb158541340bc30daa070b0b4412e30b675b8eca0ef160b4de198bd0

SHA512
31bc235e711c065a1b79e865f979507ad81b149eab32ef7caab07ebaf3d1f1216869a70b1b32ca494bc2d7186f99b256cdf48c5464f47630ef8ff80cec756bdc

Download Submit
C:\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\icarus-info.xml

Filesize
1KB

MD5
1fcb8c6a2297035ce895566848528bc0

SHA1
4f4fa6cb330862be501cafaaff1a693270dd73fc

SHA256
ca75b879643f46b361734195b9ce1225e415332d8b22974f20794b7bae264696

SHA512
897229eef88e41f632114ea9d9cc2bbe98b55c8c6ae2ccc72935a3dc23913201f6fa84644601608ee7f3ce606ce15eafeb45d48780535048605215816e6db9cc

Download Submit
\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\avast-vpn\icarus.exe

Filesize
6.8MB

MD5
ddeaba46a13e7af2b7704c741f09a047

SHA1
e34e76f49ca7d1dac81ded2d69232a648571a767

SHA256
7be14e1e958d02a59ac95bb3c8a912387c4be96afb2a4abc5b66b7b3b6184e3f

SHA512
f0f3de9ea5c2587352fef34038e230f29820e55cf75602d595d1fa0e7caa26a7aebe46d2331dc120a3958d414dc8fb2972544570db673fe447dbd5b4e54f5fa3

Download Submit
\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\avast-vpn\icarus.exe

Filesize
6.8MB

MD5
ddeaba46a13e7af2b7704c741f09a047

SHA1
e34e76f49ca7d1dac81ded2d69232a648571a767

SHA256
7be14e1e958d02a59ac95bb3c8a912387c4be96afb2a4abc5b66b7b3b6184e3f

SHA512
f0f3de9ea5c2587352fef34038e230f29820e55cf75602d595d1fa0e7caa26a7aebe46d2331dc120a3958d414dc8fb2972544570db673fe447dbd5b4e54f5fa3

Download Submit
\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\avast-vpn\icarus.exe

Filesize
6.8MB

MD5
ddeaba46a13e7af2b7704c741f09a047

SHA1
e34e76f49ca7d1dac81ded2d69232a648571a767

SHA256
7be14e1e958d02a59ac95bb3c8a912387c4be96afb2a4abc5b66b7b3b6184e3f

SHA512
f0f3de9ea5c2587352fef34038e230f29820e55cf75602d595d1fa0e7caa26a7aebe46d2331dc120a3958d414dc8fb2972544570db673fe447dbd5b4e54f5fa3

Download Submit
\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\avast-vpn\icarus_product.dll

Filesize
872KB

MD5
668f3ebe64838c4616358971f1cada7b

SHA1
575feaa1798b9baec54cd8b601c55cd605cfb30a

SHA256
52c0af6f90aa02ab736ac1674eaf9a0db14b83dcaf6726b6d9f3fefaffc52ec3

SHA512
a289f86a278a07d408695defb54634cc5c07b1d5e478898dc9d90240d9be063531f30567cee88ffc83755b484175229a001a556eea60a475f9bf21cb57527664

Download Submit
\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\common\icarus.exe

Filesize
6.8MB

MD5
ddeaba46a13e7af2b7704c741f09a047

SHA1
e34e76f49ca7d1dac81ded2d69232a648571a767

SHA256
7be14e1e958d02a59ac95bb3c8a912387c4be96afb2a4abc5b66b7b3b6184e3f

SHA512
f0f3de9ea5c2587352fef34038e230f29820e55cf75602d595d1fa0e7caa26a7aebe46d2331dc120a3958d414dc8fb2972544570db673fe447dbd5b4e54f5fa3

Download Submit
\Windows\Temp\asw-45cd0085-e25b-4583-9502-911bc573a06e\common\icarus_ui.exe

Filesize
10.9MB

MD5
d105e50bbf068c74ca4ed0a1308f820c

SHA1
e342655b045ba540b617bce713e437ebbc70f5fc

SHA256
7c93aec0620b984b4060c0b6dfcbcf44a8cf0f5d5e8d4c621495dcdab32db909

SHA512
0681bf5c16ff5a52640fb85de04d2a9c111ed5e9855f3ac7257cf678808e6f865c6bb8fd4ad56601957e31a82cdb037b0d9b9d27d8ce4519164187ad16c673ad

Download Submit
memory/1340-134-0x000007FFFFF60000-0x000007FFFFF70000-memory.dmp

Filesize
64KB

Download
memory/1744-23-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1744-143-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2432-15-0x000000001B490000-0x000000001B510000-memory.dmp

Filesize
512KB

Download
memory/2432-13-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-25-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-12-0x0000000000C40000-0x0000000000CB2000-memory.dmp

Filesize
456KB

Download
memory/2460-14-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2460-1-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2460-0-0x0000000000D20000-0x000000000119A000-memory.dmp

Filesize
4.5MB

Download