Malware Analysis Report

2025-03-14 22:51

Sample ID 240406-1e63xscc96
Target 2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber
SHA256 eb2eb7f54a3a69f88bd30aedd9c3c76d3cf314878a8d5b1795d394c1ecd59520
Tags
bootkit persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

eb2eb7f54a3a69f88bd30aedd9c3c76d3cf314878a8d5b1795d394c1ecd59520

Threat Level: Shows suspicious behavior

The file 2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber was classified as showing suspicious behavior (score 7/10). The score rests on heuristic signatures (a write handle opened on \??\PhysicalDrive0, a key created under the AuthRoot certificate store, SeDebugPrivilege adjustment, an unsigned submitted PE that executes dropped executables); no family-specific signature fired. Note that "magniber" occurs only in the submitted filename, while every dropped component carries AVG/Avast installer naming: icarus.exe and icarus_ui.exe with /install and /sssid switches, the C:\ProgramData\AVG\Icarus tree, a lookup of HKLM\SOFTWARE\Wow6432Node\Avast Software\Avast, and TLS connections to analytics, honzik and shepherd hosts under avcdn.net. The verdict therefore calls for analyst review of the individual signatures below rather than being read as a ransomware confirmation.

Malicious Activity Summary

bootkit persistence

Executes dropped EXE

Loads dropped DLL

Checks for any installed AV software in registry

Writes to the Master Boot Record (MBR)

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies registry class

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:34

Reported

2024-04-06 21:37

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe"

Signatures

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avast Software\Avast C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\icarus.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\icarus.exe N/A

The evidence behind this signature is a handle to \??\PhysicalDrive0 opened with write access by the submitted sample and by both icarus.exe instances. The report records no sector data being written, so the bootkit/persistence tag reflects the access mask requested at open time, not a confirmed MBR overwrite; legitimate software also opens the raw disk, for example to read the partition table or disk identifiers. To confirm or rule out a real modification, compare the first sector of the disk (or its hash) before and after detonation against a clean baseline instead of relying on this indicator alone.

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\icarus.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus_ui.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus_ui.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\icarus.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2" C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2" C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAaaOq9/rSbEaN5Dz9v60/mwQAAAACAAAAAAAQZgAAAAEAACAAAADC3Ktk1wpetjcvZG0sZRbUsHhDGUt72WSpqUiag9GhtAAAAAAOgAAAAAIAACAAAABPczoJwDEoX19hYe3pVG7jgpyyVhkPk/61j3hQ/GxdtFAAAAAobzPKoXuKb2e8VJ5e+aooMhM+o4biLQB3CwqXjnieWDtQ//L24E/UluEmCJJ/QdUgvO/MXI4wjx6qIw+kX2PH2/EoS2NFL8oGbnRRkcE4X0AAAADMfSyXVPWORCYajybW0JlzvBEQwU1hk6jQwy7MvFGa6y4+uT7fyfknfkgunLLb5HfNTrptsyuTFrEpEZ7br9y7" C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "120d9c01-7082-4180-b3f5-3d226a4c5d69" C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "120d9c01-7082-4180-b3f5-3d226a4c5d69" C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "120d9c01-7082-4180-b3f5-3d226a4c5d69" C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2" C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\icarus.exe N/A

Three values are written under HKLM\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F by the sample and by both icarus.exe instances. 7CCD586D-... holds a 32-hex-digit constant (66FC9A86B023D8FFC79948E2D373B0F2) that is identical in the Windows 7 and Windows 10 detonations, so it is not a per-host value. 56C7A9DA-... holds a GUID that differs between the two runs (120d9c01-... here, d0fa1792-... on Windows 10), i.e. a per-installation identifier. 5E1D6A55-... holds a base64 string whose first bytes decode to the DPAPI blob header (version 1, provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb) with the CRYPTPROTECT_LOCAL_MACHINE flag set, so any process on the same host, regardless of user, can recover the plaintext with CryptUnprotectData; the content was not decrypted in this analysis. Using a GUID-named key under HKLM\SOFTWARE\Classes as a key-value store is not persistence by itself: nothing here registers a COM class, file type handler or shell extension.

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob data not reproduced in the report] C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe N/A

AuthRoot\Certificates is the store that Windows fills through the automatic root certificate update mechanism: when CryptoAPI running inside a process validates a chain (TLS or Authenticode) whose root is not yet cached locally, it downloads the root and writes it under this key, with the certificate's SHA-1 thumbprint as the subkey name. A key created there by the sample's process is consistent with the TLS sessions to avcdn.net hosts in the Network section and is not by itself evidence of a rogue root being planted. To verify, export the Blob value (a serialized list of certificate properties that ends with the DER-encoded certificate), confirm that the certificate's SHA-1 thumbprint is A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436, and check that it belongs to a CA in the Microsoft trusted root program; a thumbprint that does not appear there is the case that justifies the evasion/spyware tags.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus_ui.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus_ui.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\icarus.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus_ui.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe
PID 2648 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe
PID 2648 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe
PID 2648 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe
PID 2516 wrote to memory of 2500 N/A C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus_ui.exe
PID 2516 wrote to memory of 2500 N/A C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus_ui.exe
PID 2516 wrote to memory of 2500 N/A C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus_ui.exe
PID 2516 wrote to memory of 2348 N/A C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\icarus.exe
PID 2516 wrote to memory of 2348 N/A C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\icarus.exe
PID 2516 wrote to memory of 2348 N/A C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\icarus.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe"

C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe

C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\icarus-info.xml /install /sssid:2648

C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus_ui.exe

C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus_ui.exe /sssid:2648 /er_master:master_ep_922767b5-9948-4595-bda0-4b192e17b88e /er_ui:ui_ep_dce3cf69-2f08-4d7a-89f2-9671f934418f

C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\icarus.exe

C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\icarus.exe /sssid:2648 /er_master:master_ep_922767b5-9948-4595-bda0-4b192e17b88e /er_ui:ui_ep_dce3cf69-2f08-4d7a-89f2-9671f934418f /er_slave:avg-du_slave_ep_53e5abec-349a-4d36-9446-dbe673324c7d /slave:avg-du

Network

Country Destination Domain Proto
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 honzik.avcdn.net udp
US 23.220.113.74:443 honzik.avcdn.net tcp
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 34.160.176.28:443 shepherd.avcdn.net tcp
US 8.8.8.8:53 honzik.avcdn.net udp
US 8.8.8.8:53 honzik.avcdn.net udp
US 23.220.113.74:443 honzik.avcdn.net tcp
US 23.220.113.74:443 honzik.avcdn.net tcp
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp

Files

\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe

MD5 d2b966df5b0e2736b07c3ed7701648d3
SHA1 6b7af201fd696a692f6fe1275e4904228ff323d5
SHA256 e463deb55e082cf53a47737c851daacdb0c2aa9cf939854ffb874c5a383c2829
SHA512 bc5ae0f083c296e9472d23773ffd1fad404336f5e621b2868e41fe25352708ad80c03a3805823fb058c81ee1cb22e7a4b7b7f092ac5a334d7aca90f78944899d

C:\ProgramData\AVG\Icarus\Logs\sfx.log

MD5 3c3397f05d02412a19615121be5201d7
SHA1 c9573cadf1c9ed76fcfbc8245a4c0d0e618dc409
SHA256 1f0b168ae917a09461498c4c92482d49f6d7e312de679d31a1551ffc66b40cb4
SHA512 7a87575658050e3f45a8f8a35b282577724078773129e3badf994ff9de2c8ec888f4889513697a0c7d65a219cc7efcf302e10a3301c84cc604fa0205f4c59665

C:\Users\Admin\AppData\Local\Temp\F07D8C6A-04B6-4025-869C-70A788D7B5C0

MD5 397f9adfb3031344b02b85d5a7cc6c19
SHA1 901a4d800dba8d8fa573d822d65a39886291553a
SHA256 93655368abb0a79a3d79cc098b6a0ccf3e2e14654b6b14ff3b09469163a02cfd
SHA512 feab9216e9208b2349c3a91eff081e96ace9c93f5ad4d3096225d207232fbc42ceae264dea8edaab68176eafebf1ce7640ee7300a99002922b333952fd92ac12

C:\Users\Admin\AppData\Local\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3

MD5 22417b5d5eb168147f2c237d658a7163
SHA1 6ae67daf07c0a187f397923ecba497e5ab01ed58
SHA256 f1945b77f21bf5b8174bc94d0d69d4446baffd6808185554f8ae541e4254ecb1
SHA512 392b79a63b451495cc81877c288c0068d6c159bf0d7ce9ac0cc290128e57a5a1ebe0569dcbab85433448b3c1928be03cf01300ec7ae99573cfc4ef8c4c9b3cb8

C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\eref.edat

MD5 e5913d9f76897190e98996018ca4d7c4
SHA1 a4c89df4e0d012df0cff9655d217218d019692aa
SHA256 84b1788f47ec1643168352f836f608ba5f5e3b3cc6f316fbd359dc5efe9bcb2c
SHA512 8173020f7ba6e4d3c7fcea79df705890b511039f6118750e53b3243debffbb47c131f3f03f3a7329c28168b946b1e8aa15f38012a0f30f5872389eb1d53865a9

C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\icarus-info.xml

MD5 c18976ba0a6e8c9a349bc77424bb2052
SHA1 5d04c5d9f2fac508a5d00edb97a4eebe465c58cf
SHA256 b7a505ce106653432c7f86b5e87b88f016e3c3685abc27a10cc5fdf8e30ec1fa
SHA512 79208aeeafbf84ac3563f3584ef191f455b4f65ca7ab912cf582ff0257d376bd30cce49aeffcc3e8d30b7d82084782cf7da63f5188eddfb2524f386ed77c2735

C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus_ui.exe

MD5 3f25bb38aaee8c47848817edc7dd5793
SHA1 70b71c474f8f49d31624cbcbf4343fe9c6afb318
SHA256 6d8da46af1e03c29f48d97a6a39870264158ef2c87edaed7b1b8a62cef742268
SHA512 f70eaea41684226ed3484eddf0998d1938635018d997e97ea45aa63a5ec762b8fb9ff3093b1f9d9dd1987835596bdc447d60ebc86de08ed8ee16f3bb19d5f1fe

C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\product-info.xml

MD5 4cd56abe1d9846b864765770dc7e856b
SHA1 28827dc46f887b66003bd9b1953dfc355ec742e2
SHA256 e115b4da472bbc0b0042337f9ef5cb2da075b8e3dacdd7ef8393fe570d5fb0a4
SHA512 3b4c349611809d1df34b52c438074c719a5775c7484acda5489ce5da95ef5272d8ab210f8552391cbdc3042a291011815e5c1b555f0405bcc2152733eb84dd62

C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\ecoo.edat

MD5 fac1bb5616a3b11b7a4e82bb17735ebd
SHA1 b3384971ec069823d20183070558eb03b7df35fb
SHA256 e90c4482daa3ce10324b0ef7f4c95a4f70803c0746b5b87c53078e9204962a2d
SHA512 f4f48a9b45d8274646c0699255f2f0bb5e8c37cf90a0a4c6f8809965acc73142ee21035e09fd77349bd988a565bdef2d86e849867a2e632035e1c39c3196ee5d

C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\setupui.cont

MD5 17d7bd78b7192a5115a3c32639ffe2e0
SHA1 e57c42de150ea99d87375de4d1dac305abb2868a
SHA256 2690af4dca3322a0d0f99582370c9bea85263f0b2ee1b4c38e293b06acdd0f66
SHA512 88626d9ddd3610d1a369017773d9811cc707c02f7c039237da1a189d24d796977d6c1a596adcc77e38d4a073a472f6040598fff54b78adffab3a04fc520b4b66

C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\dump_process.exe

MD5 26209014834bea1bf6b25ccaeb17cf4e
SHA1 8e9278463abc3070334cfaccb6a385d1fb399ada
SHA256 e767d9460894a4e5a882aa99c073637fc45cb1db369704c2895db9a725652018
SHA512 580bceeba9a4a2890b0a58f60f95e95a115c27d18f07158fca15c29c02456c7b8e83df9529fca45846df787a153f75741a9e13b93a28ec5da75c684660786659

C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\bug_report.exe

MD5 1d1ae7dd9eca36d6e070f19f6080b62b
SHA1 6ccd71808890b3674a4627949bf95b6c3a2dc06b
SHA256 07720d52b091b20507180e9485539bf6971d834e8e52a686a7f1dcd059f07b3f
SHA512 e2aca0953cf44f3f017f450d08ae252a0c25c69570bec7c8ba6494a060e81f70535aa4b814b491d3f5c02bc98cb588f3848bb4b16fab118073339d76a3ff49b0

C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\product-def.xml

MD5 548a0818747231ebc5053a6c7dafbf2b
SHA1 179133d1777cddaf1d72b76bcedbcd9db6d9499a
SHA256 b83c924d75587032d3d1cc3149096feca0b55fdf4400cf6d8cbf0b911885ebc4
SHA512 71380216999acff3a83da62fa8c6f08414d2460a387b9dab8e88b648c5518b26a9a40a15941b7e065ec2205dd8c51c1303c0841126ff15e16aad6274c8dbd1d3

C:\ProgramData\AVG\Icarus\settings\proxy.ini

MD5 d6de6577f75a4499fe64be2006979ae5
SHA1 0c83a2008fa28a97eb4b01d98aeab90a2e4c8e69
SHA256 87d882d37f63429088955a59b126f0d44fa728ce60142478004381a3604c9ea9
SHA512 cb4b42c07aa2da7857106c92bc6860a29d8a92f00e34f0df54f68c17945982bc01475c83b1a1079543404bb49342fc7cdc41d2ac32d71332439ceb27b5ad1c0c

C:\ProgramData\AVG\Icarus\Logs\sui.log

MD5 6975d013ce7251439bc99127b914babf
SHA1 b861e1e7759b682a18e92f86c21c0ab14b4963da
SHA256 182dcf4d76f665387fa12b819ace204904e75501e9b7cd7fc57b9ecd3d8a7a6f
SHA512 3083e5e7cc03e825d57c2ac9cfaa92e17a66230664913efc88fc806d752e87ba7a58d63f4b624d646229308d064c853b0a82cf97ed62be6d16e0b02c6456fcd2

C:\ProgramData\AVG\Icarus\Logs\report.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\ProgramData\AVG\Icarus\Logs\icarus.log

MD5 16a2d74a8a35273f4729b94650948329
SHA1 46e635b0b09501a8f673a8dea5f78ac48cf3ea05
SHA256 05286ec8a8cbd3ca97620fad7183cc591dac62e6cbca454b79d96f4c2b4225b3
SHA512 6f2fc744352c8f1d99bb65bc70fe914bd4f2384c405bfffa72cd0adc76c65da1c4d3ec04098e05e8d5933a7e5d17c3fe587124cd6ba8ef2cd07005f8bf9f5d59

C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\config.def

MD5 034b36267199768b675b84210a88ec58
SHA1 fb619e2a77013960d4a84b822b1225ec442b2020
SHA256 ae4c6c353cf7442bb86d0b219b0cee4ee52458586b1e8de12e21851c86d22c48
SHA512 8c2ecb10c04279c23498e6c9efe5518355383142f135d46813864c588efab09a181459f902f778bfb80f03c8832193828bde0e9ac8048d97d4b067a8c4410a5a

C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\icarus_product.dll

MD5 d6a017483a5af86c762372d765eb36ba
SHA1 3644193fcf645113448eb8b0ddcd1f5d68763ba1
SHA256 563581e1a1f32a392ed60af488d1fd194d5eabe3db21042ac7e0f4f85a231ccf
SHA512 42d65eae3636d3871ace9ea273546ed3472fe007f0180f1335d28bad6b9ea0a7c345713fe08b5ab6cd9cd0bc925b7c7d1bbf5ea5d64d54f7f24faa05a43b0235

memory/2500-127-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:34

Reported

2024-04-06 21:37

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\icarus.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\icarus.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\icarus.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus_ui.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus_ui.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\icarus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\icarus.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2" C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\icarus.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "d0fa1792-eafc-4d3f-8898-374533cf7294" C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "d0fa1792-eafc-4d3f-8898-374533cf7294" C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "d0fa1792-eafc-4d3f-8898-374533cf7294" C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2" C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA/7tUb8mDTUWmlZA4o785QQQAAAACAAAAAAAQZgAAAAEAACAAAABvJoEQ/JhkyeMCmQQD27S3Rils9a0kyqpSWujSVSAWgwAAAAAOgAAAAAIAACAAAABkcgbYUoHiWMWyWv6WQ9sfdqcllgmby8PThnFoW/QWXlAAAABoBNMnRhhIYweleGdQcQ2A4Ff9/rns9tC+jM8IQAn6T5OAc2yoL7OKgJ1m0YuoXSRBulI14+6PnUx6dNXddOHtunB80LsCfmc3jxrz8RNS6UAAAACsTdwUwXIwVL7PtQtKELj+PkPHbLT/2novNjvwvk9LIEKlmFEevyTVRX+Y9W01LB+sh2ctkiSg3b1/FgvMdhwh" C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2" C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus_ui.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\icarus.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus_ui.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe"

C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus.exe

C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\icarus-info.xml /install /sssid:2436

C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus_ui.exe

C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus_ui.exe /sssid:2436 /er_master:master_ep_a47df9cf-8a89-4c27-8dbe-5d32f34d411a /er_ui:ui_ep_a6f67036-5b86-45fd-be46-76b2648e50d8

C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\icarus.exe

C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\icarus.exe /sssid:2436 /er_master:master_ep_a47df9cf-8a89-4c27-8dbe-5d32f34d411a /er_ui:ui_ep_a6f67036-5b86-45fd-be46-76b2648e50d8 /er_slave:avg-du_slave_ep_d524bf76-b600-450f-ba1a-c338c3491828 /slave:avg-du

Network

Country Destination Domain Proto
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 honzik.avcdn.net udp
US 23.220.113.74:443 honzik.avcdn.net tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 223.223.117.34.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 74.113.220.23.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 34.160.176.28:443 shepherd.avcdn.net tcp
US 8.8.8.8:53 honzik.avcdn.net udp
US 8.8.8.8:53 honzik.avcdn.net udp
US 23.220.113.74:443 honzik.avcdn.net tcp
US 23.220.113.74:443 honzik.avcdn.net tcp
US 8.8.8.8:53 28.176.160.34.in-addr.arpa udp
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
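Both Network tables above are noisy: repeated rows, DNS and TCP interleaved, and (on Windows 10) reverse lookups mixed in. The script below is an added example, not part of the report: it takes rows copied from the Windows 10 table and collapses them into the resolver used, forward lookups with counts, the unique TCP endpoints the sample reached, and the reverse (in-addr.arpa) lookups split into those that match a contacted IP and those that do not. The split is the editor's triage heuristic: PTR queries for an IP the sample just connected to are normally produced by the OS or by the sandbox's own logging rather than by the sample, and PTR queries with no matching connection are background noise unless another row explains them.

```python
"""Collapse a sandbox Network table into unique contacted endpoints and
separate sample-driven connections from resolver traffic and PTR lookups."""
from collections import Counter

# Rows copied from the behavioral2 (Windows 10) Network table:
# Country Destination Domain Proto
NETWORK_RUN2 = """
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 honzik.avcdn.net udp
US 23.220.113.74:443 honzik.avcdn.net tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 223.223.117.34.in-addr.arpa udp
US 8.8.8.8:53 74.113.220.23.in-addr.arpa udp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 34.160.176.28:443 shepherd.avcdn.net tcp
US 8.8.8.8:53 honzik.avcdn.net udp
US 23.220.113.74:443 honzik.avcdn.net tcp
US 8.8.8.8:53 28.176.160.34.in-addr.arpa udp
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name: str) -> str:
    """'223.223.117.34.in-addr.arpa' -> '34.117.223.223' (octets are reversed in PTR names)."""
    if not name.endswith(PTR_SUFFIX):
        raise ValueError("not an IPv4 reverse name: %s" % name)
    octets = name[:-len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        raise ValueError("unexpected PTR label count: %s" % name)
    return ".".join(reversed(octets))


def parse_network_table(text: str) -> list:
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize_network(rows: list) -> dict:
    dns_servers, forward, reverse, endpoints = set(), Counter(), set(), set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            dns_servers.add(r["ip"])
            if r["domain"].endswith(PTR_SUFFIX):
                reverse.add(ptr_to_ip(r["domain"]))
            else:
                forward[r["domain"]] += 1
        else:
            endpoints.add((r["domain"], r["ip"], r["port"], r["proto"]))
    contacted = {ip for _, ip, _, _ in endpoints}
    return {
        "dns_servers": sorted(dns_servers),
        "forward_lookups": dict(forward),
        "endpoints": sorted(endpoints),
        "reverse_for_contacted": sorted(reverse & contacted),   # PTR for IPs the sample reached
        "reverse_unrelated": sorted(reverse - contacted),       # PTR with no matching connection
        # one label stripped; adequate for this table, not a public-suffix computation
        "parent_domains": sorted({d.split(".", 1)[1] for d, _, _, _ in endpoints}),
    }


if __name__ == "__main__":
    summary = summarize_network(parse_network_table(NETWORK_RUN2))
    for key, value in summary.items():
        print("%-22s %s" % (key, value))
```

On this table every TCP endpoint is a 443/tcp connection to a host under avcdn.net resolved through 8.8.8.8, three of the five PTR lookups are for exactly those three IPs, and the remaining two (51.11.168.232 and 87.248.205.0) have no matching connection anywhere in the report. Feeding the Windows 7 table through the same function yields the same three endpoints and no PTR traffic.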

Files

C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus.exe

MD5 d2b966df5b0e2736b07c3ed7701648d3
SHA1 6b7af201fd696a692f6fe1275e4904228ff323d5
SHA256 e463deb55e082cf53a47737c851daacdb0c2aa9cf939854ffb874c5a383c2829
SHA512 bc5ae0f083c296e9472d23773ffd1fad404336f5e621b2868e41fe25352708ad80c03a3805823fb058c81ee1cb22e7a4b7b7f092ac5a334d7aca90f78944899d

C:\ProgramData\AVG\Icarus\Logs\sfx.log

MD5 8228287e11ad46b8543fc4173749b42e
SHA1 3f46587c64d9843292c91d9c1780833c888c91c9
SHA256 4a6a68cca68be7d31f7afb8d309f784c3c0d24cf6ea7a343c6ff5a258a5ca014
SHA512 7ca072598547b0a357ceb11cf19a0d30388a965a7ee1319e83a2c64da51963b6d45a691d5a810fb4948a4591a1e5087abc5469b0554092bb145c2a6c77ef91dc

C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus_ui.exe

MD5 3f25bb38aaee8c47848817edc7dd5793
SHA1 70b71c474f8f49d31624cbcbf4343fe9c6afb318
SHA256 6d8da46af1e03c29f48d97a6a39870264158ef2c87edaed7b1b8a62cef742268
SHA512 f70eaea41684226ed3484eddf0998d1938635018d997e97ea45aa63a5ec762b8fb9ff3093b1f9d9dd1987835596bdc447d60ebc86de08ed8ee16f3bb19d5f1fe

C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\eref.edat

MD5 e5913d9f76897190e98996018ca4d7c4
SHA1 a4c89df4e0d012df0cff9655d217218d019692aa
SHA256 84b1788f47ec1643168352f836f608ba5f5e3b3cc6f316fbd359dc5efe9bcb2c
SHA512 8173020f7ba6e4d3c7fcea79df705890b511039f6118750e53b3243debffbb47c131f3f03f3a7329c28168b946b1e8aa15f38012a0f30f5872389eb1d53865a9

C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\icarus-info.xml

MD5 0e0e6fd998c0349cf1cc1820e89f7627
SHA1 dccf449325cf8964af8941966307daf92ecb441a
SHA256 bbf7fab6a579b128d20fa2a54bf58b9aa358470195e96cf24444bb775996fb85
SHA512 e135922d13c2a15be3a8dc041300b787e576455c099e30a755725e18b69f408bd6874a36a8fff8cd8e0f9b87d76c103751a61b7814a2400e613a7a1c716133f6

C:\Users\Admin\AppData\Local\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3

MD5 22417b5d5eb168147f2c237d658a7163
SHA1 6ae67daf07c0a187f397923ecba497e5ab01ed58
SHA256 f1945b77f21bf5b8174bc94d0d69d4446baffd6808185554f8ae541e4254ecb1
SHA512 392b79a63b451495cc81877c288c0068d6c159bf0d7ce9ac0cc290128e57a5a1ebe0569dcbab85433448b3c1928be03cf01300ec7ae99573cfc4ef8c4c9b3cb8

C:\Users\Admin\AppData\Local\Temp\F07D8C6A-04B6-4025-869C-70A788D7B5C0

MD5 b65f7a67ff22c0083f4215e1040149c5
SHA1 47f1cbaab2be8ade7fea575a1862b2a0f9237603
SHA256 88973e9e1628a1f44da72a982d742443b89b24dbb6876e3164fc2b0631397b32
SHA512 2543b8cdd63de7a0b206a422a3e1c0c4f4b4247cff25dce7dc622ead842c2d0e7ba7a0ac99869e0a0a7081a50ce9d1e56131e5d1c4cd5cd64861ad21d486b6b6

C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\product-info.xml

MD5 4cd56abe1d9846b864765770dc7e856b
SHA1 28827dc46f887b66003bd9b1953dfc355ec742e2
SHA256 e115b4da472bbc0b0042337f9ef5cb2da075b8e3dacdd7ef8393fe570d5fb0a4
SHA512 3b4c349611809d1df34b52c438074c719a5775c7484acda5489ce5da95ef5272d8ab210f8552391cbdc3042a291011815e5c1b555f0405bcc2152733eb84dd62

C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\ecoo.edat

MD5 fac1bb5616a3b11b7a4e82bb17735ebd
SHA1 b3384971ec069823d20183070558eb03b7df35fb
SHA256 e90c4482daa3ce10324b0ef7f4c95a4f70803c0746b5b87c53078e9204962a2d
SHA512 f4f48a9b45d8274646c0699255f2f0bb5e8c37cf90a0a4c6f8809965acc73142ee21035e09fd77349bd988a565bdef2d86e849867a2e632035e1c39c3196ee5d

C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\setupui.cont

MD5 17d7bd78b7192a5115a3c32639ffe2e0
SHA1 e57c42de150ea99d87375de4d1dac305abb2868a
SHA256 2690af4dca3322a0d0f99582370c9bea85263f0b2ee1b4c38e293b06acdd0f66
SHA512 88626d9ddd3610d1a369017773d9811cc707c02f7c039237da1a189d24d796977d6c1a596adcc77e38d4a073a472f6040598fff54b78adffab3a04fc520b4b66

C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\dump_process.exe

MD5 26209014834bea1bf6b25ccaeb17cf4e
SHA1 8e9278463abc3070334cfaccb6a385d1fb399ada
SHA256 e767d9460894a4e5a882aa99c073637fc45cb1db369704c2895db9a725652018
SHA512 580bceeba9a4a2890b0a58f60f95e95a115c27d18f07158fca15c29c02456c7b8e83df9529fca45846df787a153f75741a9e13b93a28ec5da75c684660786659

C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\bug_report.exe

MD5 1d1ae7dd9eca36d6e070f19f6080b62b
SHA1 6ccd71808890b3674a4627949bf95b6c3a2dc06b
SHA256 07720d52b091b20507180e9485539bf6971d834e8e52a686a7f1dcd059f07b3f
SHA512 e2aca0953cf44f3f017f450d08ae252a0c25c69570bec7c8ba6494a060e81f70535aa4b814b491d3f5c02bc98cb588f3848bb4b16fab118073339d76a3ff49b0

C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\product-def.xml

MD5 548a0818747231ebc5053a6c7dafbf2b
SHA1 179133d1777cddaf1d72b76bcedbcd9db6d9499a
SHA256 b83c924d75587032d3d1cc3149096feca0b55fdf4400cf6d8cbf0b911885ebc4
SHA512 71380216999acff3a83da62fa8c6f08414d2460a387b9dab8e88b648c5518b26a9a40a15941b7e065ec2205dd8c51c1303c0841126ff15e16aad6274c8dbd1d3

C:\ProgramData\AVG\Icarus\Logs\sui.log

MD5 9d5a05c0bef902f8e8c70945535bfa5f
SHA1 27d4ea73de38a2686de5e89ae7d55c41ffbb9ce3
SHA256 06e60152d0eed543b7a6ffef31123074af3edb5d2fb3b607009e0f7fcd599297
SHA512 54bbcf88257b0923f6b1a6aa6df9be23ece8f5d640ab8645ef42de049a1d22632eab1fc54fa481d28829b73c73f61d18249a32b1f6251fd13d9fe1470b9fcd5a

C:\ProgramData\AVG\Icarus\Logs\report.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\ProgramData\AVG\Icarus\Logs\icarus.log

MD5 4e2fdfa22d641b0c6079c3734c23183f
SHA1 1455d9436e5fa59941ff9f92ed2d1914ecd97bc8
SHA256 b5be687252eefa9ecf291a77e0b97a6100b9d1213f30f9b6da1239addf341551
SHA512 3ba3938c8360e48609eec1cdfe218c2b59a0572f7a6ce37df8094183ac726eddd962ecb080b1d73e8cecc87344b7cc097a5e99c78090ce838cc004fe3daaf0e2

C:\ProgramData\AVG\Icarus\settings\proxy.ini

MD5 d6de6577f75a4499fe64be2006979ae5
SHA1 0c83a2008fa28a97eb4b01d98aeab90a2e4c8e69
SHA256 87d882d37f63429088955a59b126f0d44fa728ce60142478004381a3604c9ea9
SHA512 cb4b42c07aa2da7857106c92bc6860a29d8a92f00e34f0df54f68c17945982bc01475c83b1a1079543404bb49342fc7cdc41d2ac32d71332439ceb27b5ad1c0c

C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\icarus_product.dll

MD5 d6a017483a5af86c762372d765eb36ba
SHA1 3644193fcf645113448eb8b0ddcd1f5d68763ba1
SHA256 563581e1a1f32a392ed60af488d1fd194d5eabe3db21042ac7e0f4f85a231ccf
SHA512 42d65eae3636d3871ace9ea273546ed3472fe007f0180f1335d28bad6b9ea0a7c345713fe08b5ab6cd9cd0bc925b7c7d1bbf5ea5d64d54f7f24faa05a43b0235

C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\config.def

MD5 034b36267199768b675b84210a88ec58
SHA1 fb619e2a77013960d4a84b822b1225ec442b2020
SHA256 ae4c6c353cf7442bb86d0b219b0cee4ee52458586b1e8de12e21851c86d22c48
SHA512 8c2ecb10c04279c23498e6c9efe5518355383142f135d46813864c588efab09a181459f902f778bfb80f03c8832193828bde0e9ac8048d97d4b067a8c4410a5a
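The Files sections of the two detonations (this one and the Windows 7 run) can be diffed against each other to separate static payload components from per-run artifacts. The script below is an added example, not part of the sandbox report: it takes a subset of the path/SHA256 pairs copied from both runs, normalizes the per-run asw-<GUID> unpack directory and the drive letter, and reports which dropped files are byte-identical across Windows 7 and Windows 10, which are regenerated per run (logs, icarus-info.xml, one of the two temp files), which file changed location (product-def.xml sits under common\ on Windows 7 and under avg-du\ on Windows 10), and which are empty (report.log has the SHA-256 of the empty string). The path normalization rule and the subset chosen are the editor's; the hashes are the report's.

```python
"""Cross-detonation differential on the Files sections of this report."""
import re

SHA256_EMPTY = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
# The installer unpacks into C:\Windows\Temp\asw-<random GUID>; replace the GUID
# so paths from different runs line up.
ASW_DIR = re.compile(r"asw-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Subset of the Files entries copied from the report, "<path> <SHA256>" per line.
RUN1_WIN7 = r"""
\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe e463deb55e082cf53a47737c851daacdb0c2aa9cf939854ffb874c5a383c2829
C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus_ui.exe 6d8da46af1e03c29f48d97a6a39870264158ef2c87edaed7b1b8a62cef742268
C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\icarus-info.xml b7a505ce106653432c7f86b5e87b88f016e3c3685abc27a10cc5fdf8e30ec1fa
C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\product-def.xml b83c924d75587032d3d1cc3149096feca0b55fdf4400cf6d8cbf0b911885ebc4
C:\ProgramData\AVG\Icarus\Logs\sfx.log 1f0b168ae917a09461498c4c92482d49f6d7e312de679d31a1551ffc66b40cb4
C:\ProgramData\AVG\Icarus\Logs\report.log e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
C:\ProgramData\AVG\Icarus\settings\proxy.ini 87d882d37f63429088955a59b126f0d44fa728ce60142478004381a3604c9ea9
C:\Users\Admin\AppData\Local\Temp\F07D8C6A-04B6-4025-869C-70A788D7B5C0 93655368abb0a79a3d79cc098b6a0ccf3e2e14654b6b14ff3b09469163a02cfd
C:\Users\Admin\AppData\Local\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3 f1945b77f21bf5b8174bc94d0d69d4446baffd6808185554f8ae541e4254ecb1
"""
RUN2_WIN10 = r"""
C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus.exe e463deb55e082cf53a47737c851daacdb0c2aa9cf939854ffb874c5a383c2829
C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus_ui.exe 6d8da46af1e03c29f48d97a6a39870264158ef2c87edaed7b1b8a62cef742268
C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\icarus-info.xml bbf7fab6a579b128d20fa2a54bf58b9aa358470195e96cf24444bb775996fb85
C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\product-def.xml b83c924d75587032d3d1cc3149096feca0b55fdf4400cf6d8cbf0b911885ebc4
C:\ProgramData\AVG\Icarus\Logs\sfx.log 4a6a68cca68be7d31f7afb8d309f784c3c0d24cf6ea7a343c6ff5a258a5ca014
C:\ProgramData\AVG\Icarus\Logs\report.log e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
C:\ProgramData\AVG\Icarus\settings\proxy.ini 87d882d37f63429088955a59b126f0d44fa728ce60142478004381a3604c9ea9
C:\Users\Admin\AppData\Local\Temp\F07D8C6A-04B6-4025-869C-70A788D7B5C0 88973e9e1628a1f44da72a982d742443b89b24dbb6876e3164fc2b0631397b32
C:\Users\Admin\AppData\Local\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3 f1945b77f21bf5b8174bc94d0d69d4446baffd6808185554f8ae541e4254ecb1
"""


def normalize_path(path: str) -> str:
    """Lower-case, drop the drive letter, and mask the per-run asw-<GUID> directory."""
    p = re.sub(r"^[a-z]:", "", path.strip().lower())
    return ASW_DIR.sub("asw-<guid>", p)


def parse_file_list(text: str) -> dict:
    files = {}
    for line in text.strip().splitlines():
        path, digest = line.rsplit(None, 1)
        files[normalize_path(path)] = digest.lower()
    return files


def diff_runs(run_a: str, run_b: str) -> dict:
    a, b = parse_file_list(run_a), parse_file_list(run_b)
    common = a.keys() & b.keys()
    only_a, only_b = sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())
    # Same content under a different path: the file moved between runs.
    moved = sorted((p, q) for p in only_a for q in only_b if a[p] == b[q])
    return {
        "identical": sorted(p for p in common if a[p] == b[p]),
        "changed": sorted(p for p in common if a[p] != b[p]),
        "only_run1": only_a,
        "only_run2": only_b,
        "moved": moved,
        "empty": sorted(p for p, h in {**a, **b}.items() if h == SHA256_EMPTY),
    }


if __name__ == "__main__":
    for key, value in diff_runs(RUN1_WIN7, RUN2_WIN10).items():
        print(key)
        for item in value:
            print("   ", item)
```

The identical set (icarus.exe, icarus_ui.exe, proxy.ini, the D566D7D7-... temp file, the empty report.log) is what a detection rule or blocklist should key on, since those bytes did not depend on the host; the changed set (icarus-info.xml, sfx.log, the F07D8C6A-... temp file) is run-specific state and makes a poor indicator. The moved entry shows why matching on full path alone under-reports: the same product-def.xml lands in a different subdirectory on the two platforms.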