e5f0efdb833e0b8ec06d88d13039ac9ab2b46a70a26a6c9c07868a79b8f11f62

Resubmissions

21-04-2024 20:52

240421-zn1rtsbc83 7

19-04-2024 15:44

240419-s6n3esgb57 8

Analysis

max time kernel
442s
max time network
490s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FA Installer.bat
Size

42KB
MD5

ac48f9875234a4e5649d152672903198
SHA1

6795362296194a79770a385a1a81efa89c6fe203
SHA256

e5f0efdb833e0b8ec06d88d13039ac9ab2b46a70a26a6c9c07868a79b8f11f62
SHA512

b5a8cf484eca8afde45a78b6768970a3ccd9f4731f4f9a227ac22e02cb3c9c158c8221c136fef191ce9967b2b4bc8c7f4aa6a4310e04dc5e3e5b8b7fc712df44
SSDEEP

768:lnwnjP9zogqnrT9AHuhUcKhnuxGTBmF5p8yJVS5LTf+iA0:FI89nf9tUc+nuxGIFwyKhTf+r0

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Uses Session Manager for persistence 2 TTPs 1 IoCs

Creates Session Manager registry key to run executable early in system boot.

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

icarus.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000	icarus.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 8 IoCs

Processes:

avg_antivirus_free_setup.exeavg_antivirus_free_online_setup.exeicarus.exeicarus_ui.exeicarus.exeicarus.exeaswOfferTool.exeaswOfferTool.exe

pid	process
5616	avg_antivirus_free_setup.exe
4464	avg_antivirus_free_online_setup.exe
1716	icarus.exe
2404	icarus_ui.exe
1780	icarus.exe
3380	icarus.exe
2308	aswOfferTool.exe
5444	aswOfferTool.exe

Loads dropped DLL 5 IoCs

Processes:

avg_antivirus_free_setup.exeavg_antivirus_free_online_setup.exeicarus.exeicarus.exeaswOfferTool.exe

pid process

5616 avg_antivirus_free_setup.exe
4464 avg_antivirus_free_online_setup.exe
1780 icarus.exe
3380 icarus.exe
5444 aswOfferTool.exe

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

icarus.exeavg_antivirus_free_setup.exeavg_antivirus_free_online_setup.exeicarus.exeicarus.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	icarus.exe
File opened for modification	\??\PhysicalDrive0	avg_antivirus_free_setup.exe
File opened for modification	\??\PhysicalDrive0	avg_antivirus_free_online_setup.exe
File opened for modification	\??\PhysicalDrive0	icarus.exe
File opened for modification	\??\PhysicalDrive0	icarus.exe

Drops file in System32 directory 2 IoCs

Processes:

icarus.exe

description	ioc	process
File opened for modification	C:\Windows\system32\icarus_rvrt.exe	icarus.exe
File created	C:\Windows\system32\icarus_rvrt.exe	icarus.exe

Drops file in Program Files directory 64 IoCs

Processes:

icarus.exe

description	ioc	process
File created	C:\Program Files\AVG\Antivirus\aswEngLdr.dll.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\msvcp140_codecvt_ids.dll.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\Licenses\lexbor.txt.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-1.dll.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\locales\ml.pak.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\Licenses\LZMA.txt.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\event_manager_burger.dll.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\gui_resources\default_av\antiRansomware.js.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\Inf\x64\avgbidsh.sys.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\aswremoval.dll.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\locales\ca.pak.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\crts.cat.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\ashServ.dll.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\locales\sw.pak.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-handle-l1-1-0.dll.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-rtlsupport-l1-1-0.dll.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\avgToolsSvc.exe.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\hns_tools.dll.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\aswBrowser.dll.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-crt-heap-l1-1-0.dll.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\aswVmm.dll.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\gui_resources\default_av\mainFont.css.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\Licenses\LZMA.txt.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\BrowserCleanup.ini.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\aswDld.dll.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\locales\fa.pak.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\Licenses\brotli.txt.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\vccorlib140.dll.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\1033\aswInfTg.txt.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\Licenses\c-ares.txt.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\concrt140.dll.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\gui_resources\default_av\notify.ogg.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\gui_resources\default_av\software.js.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\nos.dll.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-crt-runtime-l1-1-0.dll.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\x86\aswCmnOS.dll.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-crt-multibyte-l1-1-0.dll.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\locales\bg.pak.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-sr_CS.json.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\aswpsic.dll.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-en.json.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\locales\tr.pak.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\msvcp140_2.dll.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-pt_BR.json.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\gui_resources\default_av\mainWindow.html.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\Licenses\bsdiff.txt.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\ashUpd.exe.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\aswcomm.dll.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\gui_resources\default_av\update.js.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\x86\ashShell.dll.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-runtime-l1-1-0.dll.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\RegSvr.exe.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\gui_resources\default_av\update.js.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\1033\aswClnTg.htm.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\Licenses\rapidjson.txt.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\gui_resources\default_av\notifications.js.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\chrome_200_percent.pak.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\gui_resources\default_av\kin.js.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\RescueDisk\wxbase315u_vc.dll.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\locales\bn.pak.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\libGLESv2.dll.ipending.de986602	icarus.exe
File created	C:\Program Files\AVG\Antivirus\AvBugReport.exe.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\gui_resources\default_av\driverUpdater.js.ipending.de986602.lzma	icarus.exe
File created	C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-crt-stdio-l1-1-0.dll.ipending.de986602	icarus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

icarus.exeicarus.exefirefox.exeicarus_ui.exeicarus.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	icarus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	icarus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus_ui.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	icarus_ui.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	icarus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	icarus.exe

Modifies registry class 15 IoCs

Processes:

avg_antivirus_free_online_setup.exeicarus.exeicarus.exeicarus.execmd.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F	avg_antivirus_free_online_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F	icarus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "b3cf3119-e241-4a7b-889b-ebee51dbad62"	icarus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "b3cf3119-e241-4a7b-889b-ebee51dbad62"	icarus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2"	icarus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAcDXBsudKNkChzy8eEpjYZwQAAAACAAAAAAAQZgAAAAEAACAAAACBgKxFMJBqB70J7gqmxty3N3yUdyqonpr+N+4ONic2UgAAAAAOgAAAAAIAACAAAAD6F2EOAndoYPWgXZm1Jg90nVoWUf7gN2fW5Z3GFSv1glAAAAAkQ3X+YSB9CrflQKZqdK8JiPoxfQFaeyaY7SjDFyjfCdW4yC2wHVDBPK68k/UR8JjOfpwoHs2MMv8BzEQ248AjSKWS2gGQB0XTQ4Jn1wRnQEAAAABftQLECAg7KRPFz5uM/0FxPFGjiKwLvswVmuNDmA9vGfljxn0dqzN1wEme8sshihJgc6PzRnw64uN9HUaQh6fy"	avg_antivirus_free_online_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2"	icarus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2"	icarus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F	icarus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F	icarus.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2"	avg_antivirus_free_online_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "b3cf3119-e241-4a7b-889b-ebee51dbad62"	avg_antivirus_free_online_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "b3cf3119-e241-4a7b-889b-ebee51dbad62"	icarus.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\avg_antivirus_free_setup.exe:Zone.Identifier firefox.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3320 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

icarus_ui.exe

pid process

2404 icarus_ui.exe
2404 icarus_ui.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\avg_antivirus_free_setup.exe:Zone.Identifier	firefox.exe

pid	process
3320	NOTEPAD.EXE

pid	process
2404	icarus_ui.exe
2404	icarus_ui.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

firefox.exeicarus.exeicarus_ui.exeicarus.exeicarus.exeaswOfferTool.exe

description	pid	process
Token: SeDebugPrivilege	4832	firefox.exe
Token: SeDebugPrivilege	4832	firefox.exe
Token: SeDebugPrivilege	4832	firefox.exe
Token: SeDebugPrivilege	4832	firefox.exe
Token: SeDebugPrivilege	4832	firefox.exe
Token: SeRestorePrivilege	1716	icarus.exe
Token: SeTakeOwnershipPrivilege	1716	icarus.exe
Token: SeRestorePrivilege	1716	icarus.exe
Token: SeTakeOwnershipPrivilege	1716	icarus.exe
Token: SeRestorePrivilege	1716	icarus.exe
Token: SeTakeOwnershipPrivilege	1716	icarus.exe
Token: SeRestorePrivilege	1716	icarus.exe
Token: SeTakeOwnershipPrivilege	1716	icarus.exe
Token: SeDebugPrivilege	1716	icarus.exe
Token: SeDebugPrivilege	2404	icarus_ui.exe
Token: SeRestorePrivilege	1780	icarus.exe
Token: SeTakeOwnershipPrivilege	1780	icarus.exe
Token: SeRestorePrivilege	1780	icarus.exe
Token: SeTakeOwnershipPrivilege	1780	icarus.exe
Token: SeRestorePrivilege	1780	icarus.exe
Token: SeTakeOwnershipPrivilege	1780	icarus.exe
Token: SeRestorePrivilege	1780	icarus.exe
Token: SeTakeOwnershipPrivilege	1780	icarus.exe
Token: SeRestorePrivilege	3380	icarus.exe
Token: SeTakeOwnershipPrivilege	3380	icarus.exe
Token: SeRestorePrivilege	3380	icarus.exe
Token: SeTakeOwnershipPrivilege	3380	icarus.exe
Token: SeRestorePrivilege	3380	icarus.exe
Token: SeTakeOwnershipPrivilege	3380	icarus.exe
Token: SeRestorePrivilege	3380	icarus.exe
Token: SeTakeOwnershipPrivilege	3380	icarus.exe
Token: SeDebugPrivilege	1780	icarus.exe
Token: SeDebugPrivilege	3380	icarus.exe
Token: SeDebugPrivilege	2308	aswOfferTool.exe
Token: SeImpersonatePrivilege	2308	aswOfferTool.exe
Token: SeDebugPrivilege	4832	firefox.exe
Token: SeDebugPrivilege	4832	firefox.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

firefox.exeavg_antivirus_free_online_setup.exeicarus_ui.exe

pid process

4832 firefox.exe
4832 firefox.exe
4832 firefox.exe
4832 firefox.exe
4464 avg_antivirus_free_online_setup.exe
2404 icarus_ui.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4832 firefox.exe
4832 firefox.exe
4832 firefox.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

firefox.exeavg_antivirus_free_setup.exeavg_antivirus_free_online_setup.exeicarus.exeicarus_ui.exeicarus.exeicarus.exeaswOfferTool.exe

pid	process
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
5616	avg_antivirus_free_setup.exe
4464	avg_antivirus_free_online_setup.exe
1716	icarus.exe
2404	icarus_ui.exe
2404	icarus_ui.exe
1780	icarus.exe
3380	icarus.exe
2308	aswOfferTool.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exefirefox.exefirefox.exe

description	pid	process	target process
PID 864 wrote to memory of 2888	864	cmd.exe	WScript.exe
PID 864 wrote to memory of 2888	864	cmd.exe	WScript.exe
PID 864 wrote to memory of 2372	864	cmd.exe	WScript.exe
PID 864 wrote to memory of 2372	864	cmd.exe	WScript.exe
PID 864 wrote to memory of 516	864	cmd.exe	WScript.exe
PID 864 wrote to memory of 516	864	cmd.exe	WScript.exe
PID 864 wrote to memory of 3980	864	cmd.exe	WScript.exe
PID 864 wrote to memory of 3980	864	cmd.exe	WScript.exe
PID 4324 wrote to memory of 4832	4324	firefox.exe	firefox.exe
PID 4324 wrote to memory of 4832	4324	firefox.exe	firefox.exe
PID 4324 wrote to memory of 4832	4324	firefox.exe	firefox.exe
PID 4324 wrote to memory of 4832	4324	firefox.exe	firefox.exe
PID 4324 wrote to memory of 4832	4324	firefox.exe	firefox.exe
PID 4324 wrote to memory of 4832	4324	firefox.exe	firefox.exe
PID 4324 wrote to memory of 4832	4324	firefox.exe	firefox.exe
PID 4324 wrote to memory of 4832	4324	firefox.exe	firefox.exe
PID 4324 wrote to memory of 4832	4324	firefox.exe	firefox.exe
PID 4324 wrote to memory of 4832	4324	firefox.exe	firefox.exe
PID 4324 wrote to memory of 4832	4324	firefox.exe	firefox.exe
PID 4832 wrote to memory of 2740	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 2740	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 4896	4832	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FA Installer.bat"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo4.vbs"
  2⤵
  PID:2888
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo3.vbs"
  2⤵
  PID:2372
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo2.vbs"
  2⤵
  PID:516
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo1.vbs"
  2⤵
  PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:4168

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.0.1808150028\1298626879" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20ad9f62-ef1b-4dc5-a91a-38fe354b751c} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 1980 19b669d8758 gpu
    3⤵
    PID:2740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.1.370538982\1435188403" -parentBuildID 20221007134813 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa3c3f84-2fbf-4b18-9efd-7818744f69f0} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 2380 19b52e72858 socket
    3⤵
    PID:4896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.2.2006225544\1590238269" -childID 1 -isForBrowser -prefsHandle 3104 -prefMapHandle 3100 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e62a874-dbf9-4bc1-ac79-3a96a74499e9} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 3116 19b6aabd358 tab
    3⤵
    PID:932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.3.477527518\1641190431" -childID 2 -isForBrowser -prefsHandle 3688 -prefMapHandle 3684 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab5944dc-0b88-4f24-8976-c0c32cadbef9} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 3696 19b6926e058 tab
    3⤵
    PID:4528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.4.1483196055\1189721371" -childID 3 -isForBrowser -prefsHandle 3252 -prefMapHandle 3244 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3a9ec13-2aa9-44ee-8572-9795ced8de54} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 4776 19b6ab9be58 tab
    3⤵
    PID:3980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.5.2070088086\954160974" -childID 4 -isForBrowser -prefsHandle 4972 -prefMapHandle 5000 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd5e99c6-91b1-4e73-ba11-b613167b3fca} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 5116 19b6bc04a58 tab
    3⤵
    PID:1120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.6.34593773\786418689" -childID 5 -isForBrowser -prefsHandle 5240 -prefMapHandle 5236 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46feda08-b1a1-4b48-970d-742f5f543fb5} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 5248 19b6bc05058 tab
    3⤵
    PID:3296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.7.132561483\163483540" -childID 6 -isForBrowser -prefsHandle 5368 -prefMapHandle 5372 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdf8d557-b7df-4fad-a187-74b641044976} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 5360 19b6bc05c58 tab
    3⤵
    PID:3332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.8.919777946\829229351" -childID 7 -isForBrowser -prefsHandle 2804 -prefMapHandle 5692 -prefsLen 26550 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {204e1f00-2eea-45b5-af16-a880fb662629} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 2796 19b6913f458 tab
    3⤵
    PID:5704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.9.856911536\567036701" -childID 8 -isForBrowser -prefsHandle 5548 -prefMapHandle 1716 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99f5cc7f-fcef-4472-aafe-a1d5454d3b91} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 1732 19b52e65c58 tab
    3⤵
    PID:5156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.10.1308446778\1336635524" -childID 9 -isForBrowser -prefsHandle 7304 -prefMapHandle 7308 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {787391c3-3057-4936-aac5-07c3c3d85ad2} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 7340 19b6ee94e58 tab
    3⤵
    PID:316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.11.757924215\1709294691" -childID 10 -isForBrowser -prefsHandle 9256 -prefMapHandle 9308 -prefsLen 26765 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f157be14-bc34-4274-9614-e7c562180db5} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 9208 19b6e209058 tab
    3⤵
    PID:5988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3960

C:\Users\Admin\Downloads\avg_antivirus_free_setup.exe
"C:\Users\Admin\Downloads\avg_antivirus_free_setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:5616
- C:\Windows\Temp\asw.b71d3dcbb511612b\avg_antivirus_free_online_setup.exe
  "C:\Windows\Temp\asw.b71d3dcbb511612b\avg_antivirus_free_online_setup.exe" /cookie:mmm_bav_012_999_a8d_m /ga_clientid:5f47c6bd-bff2-4fc5-a2db-307cd3d00726 /edat_dir:C:\Windows\Temp\asw.b71d3dcbb511612b
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4464
- - C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\common\icarus.exe
    C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\icarus-info.xml /install /cookie:mmm_bav_012_999_a8d_m /edat_dir:C:\Windows\Temp\asw.b71d3dcbb511612b /track-guid:5f47c6bd-bff2-4fc5-a2db-307cd3d00726 /sssid:4464
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1716
  - - C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\common\icarus_ui.exe
      C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\common\icarus_ui.exe /cookie:mmm_bav_012_999_a8d_m /edat_dir:C:\Windows\Temp\asw.b71d3dcbb511612b /track-guid:5f47c6bd-bff2-4fc5-a2db-307cd3d00726 /sssid:4464 /er_master:master_ep_4da1756c-08f0-4a60-a2be-b91c0f2d9259 /er_ui:ui_ep_ed1a93cb-40f3-4e2d-b349-3f5abff21d11
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2404
  - - C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\avg-av-vps\icarus.exe
      C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\avg-av-vps\icarus.exe /cookie:mmm_bav_012_999_a8d_m /edat_dir:C:\Windows\Temp\asw.b71d3dcbb511612b /track-guid:5f47c6bd-bff2-4fc5-a2db-307cd3d00726 /sssid:4464 /er_master:master_ep_4da1756c-08f0-4a60-a2be-b91c0f2d9259 /er_ui:ui_ep_ed1a93cb-40f3-4e2d-b349-3f5abff21d11 /er_slave:avg-av-vps_slave_ep_884c404e-b21c-4964-8415-f32f348073b6 /slave:avg-av-vps
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3380
  - - C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\avg-av\icarus.exe
      C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\avg-av\icarus.exe /cookie:mmm_bav_012_999_a8d_m /edat_dir:C:\Windows\Temp\asw.b71d3dcbb511612b /track-guid:5f47c6bd-bff2-4fc5-a2db-307cd3d00726 /sssid:4464 /er_master:master_ep_4da1756c-08f0-4a60-a2be-b91c0f2d9259 /er_ui:ui_ep_ed1a93cb-40f3-4e2d-b349-3f5abff21d11 /er_slave:avg-av_slave_ep_e18dcdb4-513a-463f-a11b-d95e6b2a6af7 /slave:avg-av
      4⤵
      Uses Session Manager for persistence
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Drops file in System32 directory
      Drops file in Program Files directory
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1780
    - - C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\avg-av\aswOfferTool.exe
        
        "C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\avg-av\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AWFC
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2308
      - C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AWFC
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5444

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log
1⤵
- Opens file in notepad (likely ransom note)
PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FA_Antivira\FAinfo1.vbs

Filesize
84B

MD5
fad7cd2a49837444cde4548abdf478b6

SHA1
376a4ff6acc6ca44f2b660286633c5a31eddd764

SHA256
9c08b7d014ab766305e4525478bf8a1bc2f8cbe4f04aedf38f7daa0660ba3cda

SHA512
287223fdf6ec6347c37b51fc7913ab8931d1fe87c03fae93e1cf8bcacf1b4a2dc13605b08506a0299e5536fac5b02fc15ab387781b5b16873ea3c686daa81cc5

Download Submit
C:\FA_Antivira\FAinfo2.vbs

Filesize
87B

MD5
5a1fc5e5db483c5926a50ee931581cd9

SHA1
419644277a92e109d4ce6739a0d5e2d0ba8f2d42

SHA256
0f79e391fe889e01a6ef37619023af6672e98f1551753a10021efda8dee607ab

SHA512
0351928a53a5586c560e8155d99eb1838c873cbc2b554ae25c6be1433cdae41cea7508b60c016e23e0d2687d99bcc96066bc72f15c1ffb922f348f81e044c240

Download Submit
C:\FA_Antivira\FAinfo3.vbs

Filesize
71B

MD5
a61c87927d31edff281df2818dde924d

SHA1
f076867cb0411e0c584f2f9052d4c1e550cd53b7

SHA256
9220b169c1f0179caa92218990b05bc48cf75c9c36d4e45dd1c2b5f973910517

SHA512
ce5c730e3dea3c9b1a565b02925ca95ee0c50abfe15a5a8a43c21b4cb7daedd1b582ebf264dba5d7dc3fad98e1014e0557a810baa111e83596ecd22fde8fc970

Download Submit
C:\FA_Antivira\FAinfo4.vbs

Filesize
97B

MD5
d912098669bc85cc04cccf0248617120

SHA1
a817741d0ce4427cf0a0fceb7ba483972789fc60

SHA256
e044130f2e60f76a963f3e903af9d077f0ff1a8437d1c7d52ff42345e7e28422

SHA512
578127a4aedf65bb415602b08c16c29724a874b35a40dce0e116b4bf6daf513e8a511f3aed2cee8756efd45ee9245a34381433abbef91ab3908859f47f013a48

Download Submit
C:\Program Files\AVG\Antivirus\BrowserCleanup.ini

Filesize
42B

MD5
4957ed73d5e5e303e351c8f8b7b53e1c

SHA1
e61238f49e44237c56d4d5b41aeb150160880b74

SHA256
59727f7a256b7a70971f2e62b43b0a923937f85689fc3aa4ae50e4fbfbf83499

SHA512
db4854667285bb1cd8d07ab189607ec5bc489afb2d0a5b5a3388f91cefd012feca689787452901e0eb1de6e8792e69c0097c38b89bba0d977d0b29e5e5ef2feb

Download Submit
C:\Program Files\AVG\Antivirus\Licenses\Detours.txt.ipending.de986602

Filesize
1KB

MD5
c26b34f5996c7ed7f7bce6aaf6c8a98b

SHA1
553e3a3efec9a07d9b08fcaadbcd88f2099aada8

SHA256
f854ae8aabc0404652b48a2b3bf7f21ec174c69d73f5596934c20884eb0639ef

SHA512
e3c82bfe3bacb07e3a8327a01b2c9772e44bfa1a8012c0f0b363d6e3b2ee2371bc66f9c207611cd6f73d6f1ff1ceb9b2bf2c7d0864ade256d41d533b598a804f

Download Submit
C:\Program Files\AVG\Antivirus\Licenses\zlib.txt

Filesize
982B

MD5
8041053262bc492837749777c930a791

SHA1
e8cbe20136c6d1627d40932dc4398d2053be5228

SHA256
d988d5362ea432d8c8ad9f05af876ba9409eb1ebad8c34b899fc9cc8c7ea5311

SHA512
0f321a821b1ab36a5e60a5d5e94dc26564a2cb03347b54279b5530f7b50ab3105d537637f338553dfc4ef800d28be103ab0ca50f77da3b4627fb6d7c558bd3ea

Download Submit
C:\Program Files\AVG\Antivirus\RescueDisk\aswShMin.exe.ipending.de986602

Filesize
305KB

MD5
c30fe640386274b2edadad9ef9f86a80

SHA1
18377c748b0b5712712a89062bcc382851461e66

SHA256
7ae87eeb8a7b294f5f020c6605d614e80635ef60f699e8b087d14bab99d4ea4b

SHA512
1e094ebf7cf7d988a7023ec929fbd2b5a73663873eab873dae45a6526c2d722b560d5724767715f03f907203afbc31bbda342679d9b971ae960795b19b3331c4

Download Submit
C:\Program Files\AVG\Antivirus\TuneupSmartScan.dll

Filesize
640KB

MD5
9e3ca6950f42410b3bd58b14549bb302

SHA1
bc85f375275776453af20c60b6a64e472606d37a

SHA256
e78a22b72f820dd3082f2f2d6f424421f4c4e0e8fffd0b21ee1317a07824e478

SHA512
4bebbc3647973d50822d428f9609bb3953bbce651e2e46950399110193ee8a831a72cc4e9c0b5d76ced91c72234269acfed60f4722a0159b2ef2abf066e41b13

Download Submit
C:\Program Files\AVG\Antivirus\afwCoreClient.dll

Filesize
781KB

MD5
2e7ff52254d46c8cfd67fff72f610dea

SHA1
c6e5bda7fd29d8a48655b6abc168a5a50ec89103

SHA256
6de73cfac923f1c1d0c0d1957f312fd247af87eeb183c718cd01e11f2b320e21

SHA512
50bffd120a7e03340dbcecdf9d7687e9a4718e18930789a8464ed62ff66ecd575793bb1398b81f11990c59c0df13b60073cd14284b50fd042ae4c5161d86dfd8

Download Submit
C:\Program Files\AVG\Antivirus\aswChLic.exe

Filesize
192KB

MD5
44425fa2b6e381a1127c961aadd7e14a

SHA1
c4c95a8fa2dd3d1e77dbad9b2ae48f8c577a0a6a

SHA256
48c3ddcbedc9b5eb91d53b762ac99f265c280b3feb602b2a945f3a29920df8e9

SHA512
99a8cf72a008345b259f3a883ff207f54d783b1da59abb707305ce044d7fce6d2a480fae28a754a3197424021c54d81ec6ff50c3f8aea4a3ffcce5568237c462

Download Submit
C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
afc4db1ae7eb74d1b43eda3d7ea5b43c

SHA1
f31b2c1161024ec2f89c72631631e11fd5ceac60

SHA256
fb4b382e2dfa80b3427a98c51d3270b1e80b5c2a10fdae1a72b7c464e57fc6a7

SHA512
a014e4bbe207fd707a87aaa0228241fa7c414062af8922f51e46210b958284096357b21f89e59141fef28039a999dc6ac832ec7fc38bc4895e88fbed6b9a45a0

Download Submit
C:\Program Files\AVG\Antivirus\crts.cat

Filesize
130KB

MD5
477255e0a760041d38c98bccb99a403d

SHA1
2bcdb96bbe2dbb6d85db7cf50d0345b72959ad00

SHA256
d4113f0402d704e9a0ad29e696e4d142838c0c5f0ac349c6e9af106890528e97

SHA512
0564fcddf1d01925ae7d8ff93f338f197b67994efd9f7ee39bc5ee0d09b72c29054bdca198b03e873572dc9b07cafff96bba31da3828caa78728b2bf2c005c89

Download Submit
C:\Program Files\AVG\Antivirus\gui_resources\default_av\libs.js

Filesize
17KB

MD5
f42d2057fac13f883d977704d6617454

SHA1
39e617488f90fc3df0f26a8e8fa56f128c324e24

SHA256
277425906c3c9178e3c55fec7de3c34b47ee2930359b3b1e2222a243fc7d777e

SHA512
39b51d1e9f0a2849eef0b7389a6c016d150075cbb58ca15f0b83fa408554f13ec56e9fe71ae4c6d42f624973e66c91f8c8a77ec3ce26733c2e13a6bbf8917900

Download Submit
C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-es_ES.json.ipending.de986602

Filesize
365KB

MD5
78d309127c8cd52a24158ee363eb9f1a

SHA1
2dec0897832aa30da77922c441298c3f9dd10105

SHA256
61ecdb60d35cad0c0ba5a58e89e1a6147e806830e27b69203a8d4ecd689f1092

SHA512
cae07063765df94603162c75fdff4824badb0d447a16dc7c970f224353bee5a38be96d0ca2fed1f885dc566688d3c1cbbd83645792a636e5eacfe054bff18377

Download Submit
C:\Program Files\AVG\Antivirus\libwaheap.dll

Filesize
100KB

MD5
3380fb5ef6fcaf34070a71d52aea0403

SHA1
c6891e8894cd70b0f1648bea3197dc08c2661c50

SHA256
f456b99b1cc7bca914b27b4c2b602bbffa24e5f6204e8286f227f5a2cf9fbad0

SHA512
ad06fbaeffd9f98999eb4ccc3f8620c516dde410ee5f0bb5ccb0eb2e745b221b99e74c676759f6fff34980f342ea583cc995462360278e9be752ce0bc1063067

Download Submit
C:\Program Files\AVG\Antivirus\libwautils.dll

Filesize
651KB

MD5
442fbd5aab40d89df819f9a9642c2c7a

SHA1
8bc7500e2661142856bba7c1c40b5a479d322996

SHA256
743e3cf3199e59adf550a9796aa1dd23e2debc5f688694bb0473227d7dc5886e

SHA512
f87ef12a5d4d70a1bf74bee0911a1d2504296bbd8ab214d3f5c7e47b88a7cceda8dd58ba5f6cd3afed3630b03f8afdf539dd4a95088f7eac5c5b9c77c09bf0cb

Download Submit
C:\Program Files\AVG\Antivirus\su_adapter.dll

Filesize
521KB

MD5
6376934d84eda5acc466d685266338c1

SHA1
90bbf7d6978dfd7fbed4b976089e583fe5586af5

SHA256
52028f3662b22d0975fd9eda7d843db2e78ad34bb099b8bb055e60c01e013e89

SHA512
ebb3f8291c6da8cb923304b13c1a429fd2ed9c1ef39f68c54e22810475bba2cd7a9ec32d65110582b89babc050a9c54dcba01b35c3c79f3e063398df20635118

Download Submit
C:\Program Files\AVG\Antivirus\su_worker.exe

Filesize
1.5MB

MD5
f43de7d535bd6bfe1c1c00bba4f5b619

SHA1
7fa33242f9c5199b6f07a7fd90ac599e4e5866ff

SHA256
1be3718de546b48e2c420982e7b96d607e725a40be57fee12678e1938da6b8a8

SHA512
89f1196d90c6523b30a8b00755bd3534130ad8c7725938132616bb4b2c235850f4e950e84e916c9d0276e83ce60cf2003511a4004847ed7afc302c5b714a885f

Download Submit
C:\Program Files\AVG\Antivirus\x86\aswProperty.dll

Filesize
223KB

MD5
1aa25db755b35a876d86ea8f4cd5ecc7

SHA1
4b06a524cb5d4468d005af0b5177a329dee1cc1a

SHA256
7ba6fdddf2ef7a2a156838cdbcbff65b9dac93e75d7d760b8d5deff4ff9813ad

SHA512
4b4e15d3c083e53109a16111d64e431a00e774a86b3f51e0223da0433724a990bcebd8c29a8897ee6063c36d1e8e8cb50147cdf1d9091be46e3b82faddb7557c

Download Submit
C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-utility-l1-1-0.dll

Filesize
12KB

MD5
b52238936bdf50ab985435a176281f68

SHA1
7bd2be0808c538b6f15f20a9a1228cf4a20adbdd

SHA256
3a23171aac49453f931d69cd55f6ec742243f5835386d9e6b18efad96c2be450

SHA512
36999e6cd50e26b1620fe24ba2dc11a40b25d1d77cc7a0337c7a3f65b16383fdb224e179392a215e6dae846e8bda6acb3e027445fd334e26e34278a397452f6e

Download Submit
C:\Program Files\AVG\Antivirus\x86\snxhk.dll

Filesize
337KB

MD5
dc393ef8c39a6dd271cafafa0cbb45e0

SHA1
1db93769bbb8aaa2c4ca540edd1a22d3b70a85c3

SHA256
db65d410a625e05e2684fad90d53d555f314e27c9fc0a58a63a8d14b1247ef37

SHA512
4feef91bf6d39517d6786020cd55de8f9a6bf48a0b09878cd6046220cfa234d5241b7a4da778368b3d4598eeb853f14af0aa0dd3eae95d42d36e460b45a0ec02

Download Submit
C:\ProgramData\AVG\Antivirus\fw\networks.xml.ipending.de986602

Filesize
2KB

MD5
75128eadc720b56babb24ac629172155

SHA1
83bc1da43e4f51326713e43a44625987507b4467

SHA256
130a4428ee45f3a17252aa797cfaa35d8e71070dcccbc6059b31eaa087c5f5f8

SHA512
da45704247caf68c7deb59f587f392eb431a1ad89a653b78b7d6af286f6c6af7676575fcbc310679e4043040038f5ca3e0ef0167f6f6aa199bd4007291a39c57

Download Submit
C:\ProgramData\AVG\Antivirus\gaming_mode\dndrules.dat.ver

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\ProgramData\AVG\Icarus\Logs\icarus.log

Filesize
90KB

MD5
f7050000a42a688a6a6b1639ed877b50

SHA1
2e8d8177bb8d95b5cccc6b30f9c649158b15f6f8

SHA256
14e92ee51c6fde7cfecf9eb9a5c561b9ba02250a3e4aaec25d0e1cc6852b348f

SHA512
a41b7b9438319ed6d62bffc73af07dea41833a289ca3bca69d984e35006183c7aa1581aebac67c5a5a4eb8e1cc78629c8fb1d6ab3a3e70a4a311df6c47f2f4b6

Download Submit
C:\ProgramData\AVG\Icarus\Logs\icarus.log

Filesize
354KB

MD5
8c86d729bc74c57c593995ea1a82c1fa

SHA1
886a6f42acd73b199e9dff78d0fba6031e25d48b

SHA256
20c663b08a7916ee309bc6ac3edaab4709f5a6d53262eac2a36fb200880f4c9a

SHA512
0379cf2fbe09924ae495e86eeec0a2c1054204cac063a293b2b1a9214ab4408f21bad2e08504d26c32cd6c0f3054feb1c53ad0da4f81bdbe3c4adba765861f1f

Download Submit
C:\ProgramData\AVG\Icarus\Logs\icarus.log

Filesize
693KB

MD5
9a003a4e55f19f59f6abc557dc75826b

SHA1
7e11a4dd3d0990aaea4115fad0acbede0741a537

SHA256
bf682d160d9e84d136e73558bc33a9d766283de34649ae4154d30adf1c8b38b4

SHA512
d84166c7a5313b9ba378d8c8dab9cc6a2bdfdb87dbfafb1ceaeaf0c35914766e5b6f8940554f3c49fa1b2333c318149e6180ce8c64feb1f4be30f4dce3b5e8b0

Download Submit
C:\ProgramData\AVG\Icarus\Logs\report.log

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\AVG\Icarus\Logs\sfx.log

Filesize
13KB

MD5
c2614e6e78609bcc23f1f0e5423bd252

SHA1
dcd7244d43f650be3899f609cd9e18aceb36b8af

SHA256
c93cc1a67e3674009fd494cd58127b614bef0a64876b1efa30a172faed7b64fd

SHA512
469c2edd86ac2740182b14a632e71cb73368c838587fddff7dd1ba8b1055d64302c657605bab7d8db55204c8d63d80f79506aaf9f7cc9fc75439e216f9ffbce9

Download Submit
C:\ProgramData\AVG\Icarus\Logs\sui.log

Filesize
20KB

MD5
9047ca3b6dcc4874e26e09ef0d76b5ec

SHA1
1b2fa42e8a35be0890f26c1482981a20761a2ed6

SHA256
925fe59dda90ae05a70a06e7662b668fe65af6ece0e82981fd40017db831d77f

SHA512
e5aaa6ebbe90a9317a5aadba92032d8ee657e7572dbd9fdb60da9fdf13b447cbb04e4c7ac5cf5fcf952a7a2999374da7f73db1ed95aa96f5fcc052c3ff8438c7

Download Submit
C:\ProgramData\AVG\Icarus\Logs\sui.log

Filesize
177KB

MD5
7169f77ef3dcda5b0c736f3f6c0897c4

SHA1
4dad8062fefbe31f145ce7698f4739a9f8bebe55

SHA256
bd4f51d2a6ef3147cc12cffebf831bb02cf0efb39693f09e91867e3055b54b08

SHA512
0561c6ea517af08619836265e7cb23451189dc779c68a468aa58ad737a143d51587674c5b5bbed91f088f771038020effc598d686fd3b0c79322ea89b29a1d7a

Download Submit
C:\ProgramData\AVG\Icarus\avg-av\icarus.ini

Filesize
166B

MD5
c043a3beb23cc43cb3e9acae2ad9d8b4

SHA1
f8a300a14643d9d2ef708839d882fa8fae274f73

SHA256
3df024f72a0bcdd90a7c140591e224492481eb7f32a940bfb9af1cdb6472af9e

SHA512
e5baa81e296b7f06360ed20d9484a137ca49c0505d2c94947b978b09b277f13184e540098e21daad0a72d8ddd831a57d6ac0e67c0aa860d87a051b55c3c9fff2

Download Submit
C:\ProgramData\AVG\Icarus\settings\proxy.ini

Filesize
214B

MD5
d6de6577f75a4499fe64be2006979ae5

SHA1
0c83a2008fa28a97eb4b01d98aeab90a2e4c8e69

SHA256
87d882d37f63429088955a59b126f0d44fa728ce60142478004381a3604c9ea9

SHA512
cb4b42c07aa2da7857106c92bc6860a29d8a92f00e34f0df54f68c17945982bc01475c83b1a1079543404bb49342fc7cdc41d2ac32d71332439ceb27b5ad1c0c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\doomed\12117

Filesize
9KB

MD5
4a50aa48c1eb945cceebfc336c4b5cae

SHA1
0db05649067649ebca07eabac79a6a80fea760d0

SHA256
1388830c254fed2bc0adf811bb5b9179bfd21a32f8605271684600849b141ad6

SHA512
316c3779560973f916c33128b10655aa8edf77d86a2fb95354cd5c9269f58e26bcfbc0b7e45b33213a8f86ef6937863d91f33828c9f9969a480e5c67b6c35946

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\doomed\27693

Filesize
7KB

MD5
62e52740db3663ba25b0f6de7f76a7a0

SHA1
456367766017f9a96db742d01c0b29a6da033a50

SHA256
1b628ec8e8be2c2e69907e0e9f674ca01fc19b8e6f7c478010722fbe2db66a06

SHA512
d602753a02123d016e6d118baffd0a455ac607c2656bfce642b994003c480f0715f54790aa7765e3f158cba160bcdba0c941bde7c9cabc1e6e2380f8eaff1d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3

Filesize
64B

MD5
22417b5d5eb168147f2c237d658a7163

SHA1
6ae67daf07c0a187f397923ecba497e5ab01ed58

SHA256
f1945b77f21bf5b8174bc94d0d69d4446baffd6808185554f8ae541e4254ecb1

SHA512
392b79a63b451495cc81877c288c0068d6c159bf0d7ce9ac0cc290128e57a5a1ebe0569dcbab85433448b3c1928be03cf01300ec7ae99573cfc4ef8c4c9b3cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\F07D8C6A-04B6-4025-869C-70A788D7B5C0

Filesize
72B

MD5
186c1af3826987a15d808125aa9f69be

SHA1
90518391cf68a94af8ee6b55a455036de5a3c596

SHA256
de207e727f3d75bafc96b20d96fc21c0a0d659e2c9a95e600f2ba70a719295d7

SHA512
a2b07e5ed87ce52b0a4791ce79a14676d9758a23c052203c81f9c530dbe1972d17db6432e3a541573627121166569e984a9c0eeec6b9edc109d4dd43aced18b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
18KB

MD5
96260975245eac2c9bb8c140dd8be051

SHA1
a60d9532bd466c18e3b53229312a8b47f351f9d6

SHA256
56940b34fc2ac2d8e163b50993e34daea0ac7071329c3d5ff77bd5497f6e29de

SHA512
4988b445de1f7514491ecf3526b51f77fbef230b3831b821c5bbc58e04a28d1a09aa61d4168d1d59389b6b57fafc00c89cced735bb9639ef81dbb2a6cf3d7a2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
18KB

MD5
829cd850644f029c2e80ad3053f34cf8

SHA1
0b55e9fd67c42d313552559c8f551784dd04fa9b

SHA256
6f0e5723520eb99b0277933514f6f4dc3d20475f18eb80cbacc6154bd9eb3c80

SHA512
fdbdd0923d4e18921c5988534f8a586680df895a7d1def231125e032eabc352a7c3f741e056a6855beb02d62448696e36fe33fa10b4ea2de6439ea8328b3c47e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
c7b0d9761027999c98592e5a3c4676ed

SHA1
70b5c7b6e72e00f18e8c45afcbde9e4dfb339eeb

SHA256
e4cb2910a60977682a4d3d48bd29bd72344a179ab33709b2fda9b1e2693936a8

SHA512
9048cdfe4702eb1819560e77069fe25a9c83bf7440b35537d00cefe5e14d3065c22a35c7c283c35044220b44537e521eac0e486c0501d613c0a7e23192a2b65c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\a2b759cc-520b-4f64-bf4f-eec885865cd2

Filesize
746B

MD5
e58f1a3874bef8a477d799f51d217095

SHA1
d57d4cecd14056a7abde84f68802b7185933f270

SHA256
8e9de2c085692f02bf8bc9982db84e3710877b9a9334e05e5968bee36f9cff97

SHA512
af79ce73f5ca635c3883ce0250fd7d33855a64c6e72d0aa92605c26d294a1eb58f5ede81d64c6c941668a2545eda00680e48e98ba1483740ec99a46507b7d447

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\c4267801-2b11-4ac7-8348-4f6f00ab4ea3

Filesize
11KB

MD5
0b6148304c0074e978680903b15f5e2d

SHA1
a19dd642b2f584383fa30102f19dc822a493838d

SHA256
cab05ac049e5909b0c4bb310b9aaecfc231bd0668a0558337f381c87ddb09e44

SHA512
5c8bccc86d8613ad60ae42a504c141bfe578ac249ac4780f8a2e5b82078a9ab3ae5e25ebd5b24c8d97eda4d7265482071670731836d948908ea30d4df3376178

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
6KB

MD5
81fbceeb0906fe59cf89ca41cd2e46bb

SHA1
0289f2161989982eb80f606387b61c4a7de1d587

SHA256
95c7ea9059c8ec938a904fa13e2eecfc9a66f3af48743e489fe512d0c8a5a4dc

SHA512
5e9eb90f4db0a72c046ca8afe82a721f637403568d59a33b73d494b50e429d0f45b9eb463ebb948f49cee9052b970ba9257690e85a7694a9ed9db42d6a69647b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
6KB

MD5
0fd7080e6a2b56254a504b8258d7ecfb

SHA1
e46eed10f035cb35001bf892c0e2ace26efaf6b4

SHA256
1965df1e44be1d8882e77150133b8f2d660d1572e647a75d968e088c050ca653

SHA512
49ea6fb1343c135b812ff0e9163db7a4d676de0a3edbc562b9795317f37122e2a158739876cd017da7eaa1ae680ec0ed939e145c8aaa1b31f278701c5320c87c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
91e3b2af5a844f5c26b9c38079344c13

SHA1
20585d585aea889cfba4bfcf2bb947ec8204bf07

SHA256
c323cfb3907ca04f69adfc349262fc376f6811844da0d777b9cc3214bd63fdc9

SHA512
109fdb433f45b8deada4d6c3f879db2346e2dcb73b4059f72cb26e7fe1bc4c289bbaa0eb1e2bab6c463b8d46e0151b3cdf5a6aae296ae146b98594d46670dac3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
bc2de221be5d2b9a409b8db0a80866e7

SHA1
0b90e37b5a8c318f90ff2ad9d98f63ff036cc631

SHA256
5beac254a807a47b26699ffd59082bd8a7aead86ae003c36999f3d662d93dc7d

SHA512
a4cef00bf38cc76593543e323ab92e2775c84e89dc110ec914284e7889690380e0fdcb1e444f3a97501386e4b178704c2353212c24683aecb45631c615cc0a0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
99e7dbb2c3755312863c5633fbfbf325

SHA1
3b685e1ebec21a4e47fb4580d0c45040aa04b233

SHA256
276fd6d71067dd14dfe77400e856a50721987ff5d9fbfe255250ea831e75774a

SHA512
9b4b75c7fcfa50dfb8fac98ca6c9a43a01ec4d95c27f96f4fb1723bc5031b9cf19e6ce8916d927ee4f13bcae45f402c2bf95c22b62b9f1af67e639d7fa30ad46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
e9ba48649035dec5b79aec07d7977476

SHA1
7682b1d2f6bfb0434644650c1b9a5ef6b50bb08b

SHA256
f046cd57f4e70844119ef7e758cb155acc2c81cc466e7d3508750084992ea778

SHA512
c3c85531fcc869ff2db02ae2dd9112ad9fe3c4faec94ef97625f1e2cd01ead26dbd79c7bb1ec7c52649f80b4b0116622f52a216b3be5a7a5a0183e36efcc089c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
7b363a86addafe360b962a8ff1b07d52

SHA1
3fd6db33d3361d78dfe45d0c21de483275fa9e6d

SHA256
4c149ffed89d5456cc9a3c8cb23b207de493a552aac86a91da95d623b4a660c4

SHA512
cd04e894c68d31da122673c38f6804d6cc346a2bfe3bdf49bd0ee5f54aeaa4205667eab666dd11fc4f0a49fc3ba1adcf429d5105cac4274e6a73553882ab3613

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
6ac00075f3b7b3fb4eec3f6afe7c0550

SHA1
5f91c40e78f5fa8d6e2a70cd0f208d8afac21912

SHA256
d04471590125e9987d53c96c1d0adb92e3fd4e6acb27e9e8e23e01809ce504de

SHA512
4bf5a09144f5fec06e4812960d503d1c09c135112b08ed176fc43473ca12868a8f722462a7447a4c0b02ef9f843e8ca0b5506532733121f145df11391e821adf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
b40cf0383350cc11dded8a6837c874df

SHA1
386882c533601a9366a8de94791c203941389eb0

SHA256
f3620b070acecea941cc3547e32dae10b1611f5ed7ecb55ccb39e1992af0571d

SHA512
c44938db3f7553b4cdceab2ff55fa7f73939c8d292bd657455a9a2f4dc2c3ecdc4c03725424bef0118a6eb8df595dc13d1ed8f6ff353b485805c8181a46dcdad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
b01efd0877d8bb4a5d754d6d5a5922cf

SHA1
6dfaecd4219afbb206185171c64c777e9c73ae21

SHA256
ef1ebedd446ce18b79317f09953ff8a6069f92749188b45945567c315388aa90

SHA512
6f5fce89b6dc7e6979fdb01493c0811bcd55cb945d7665cd9a23e93419a5aa28207b3f614461103f04b0406741e8020c35252fda5529e41e3e918e42fd89c086

Download Submit
C:\Users\Admin\Downloads\avg_antivirus_free_setup.IMhTgC0E.exe.part

Filesize
228KB

MD5
39a9914dd313d660d34421a7e5b576ec

SHA1
a158d1675a3aabda0396589346dd8556121596d5

SHA256
967deefbc63f5285eb871d07b7a136893d85d648c53aee2975a3a039718fa0ee

SHA512
fd09d6fa7deb4d7ff8e92d3c474246756146205013dbd82167ae1b32887c7407cd6d9968fd45657b44975796b68b09dbb0d6f9da9797826d13470c72c34a6b38

Download Submit
C:\Users\Admin\Downloads\avg_antivirus_free_setup.exe

Filesize
229KB

MD5
81690c6101328ea5f93003ac2b41cc95

SHA1
0037a5ab96b1c77cd80f5c4c954c16575a181cba

SHA256
0ee00b7e3b1072de799d5a164e0cb8632241bdcf98666ba31959f38fb6fe77fe

SHA512
832188c6bd6eb2518b2b9b1a0e8a784f0129108996bfd838479963b02c210aad302776e559720dde970c4dbdd6d824c70f1dfce47c9bcb5fb658f21e7827730f

Download Submit
C:\Users\Public\Documents\gcapi.dll

Filesize
867KB

MD5
3ead47f44293e18d66fb32259904197a

SHA1
e61e88bd81c05d4678aeb2d62c75dee35a25d16b

SHA256
e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905

SHA512
927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\avg-av-vps\config.def

Filesize
583B

MD5
88b8bbca6adfb658e9f64786290b1508

SHA1
a7e19f0be671882e7c0de8d546482d20045139de

SHA256
a98977649c4c1e25f732e3023515cac1cf5d54df88d58c170dde6f895bc695fc

SHA512
b7329cac2951e04645771d207dc0c095fe81dfa17bd3df185f4da1e1cc4f726750a48921fd97345b6777638e212624d4f0d3824d39f363d9421bbbffd44f3968

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\avg-av-vps\icarus_product.dll

Filesize
852KB

MD5
7045e386d00a84dfa30089eb3a0d393d

SHA1
bccfbb3af88eb2cd6e6382447bd334abe64ebee3

SHA256
920b1f4f62fcdca79de87bc19f8dc303fa30a028eebec768b09c5d25bddb38da

SHA512
249b8acca384574f1b8326d0b99b1c71ded884909589d769c3d34d7b1e92fc1743caf880caaba9c7abd6e217b1cb97bfa52f5f94e3621273beeb1873bc262575

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\avg-av-vps\product-def.xml

Filesize
57KB

MD5
7b85ed8361f355c622a77736e22c62c9

SHA1
c28922f23de4062b214adf398164b36b316e796b

SHA256
311cfdef693778bb04505f552712e00da738340a3705f1562e958ca8938734cf

SHA512
41fa432dd5f595a365c6e091e4cf56758c898ea6bd5f3511caa6faab197ef2581b7df3bd97b699b8154030b60551c329edacbcb86e2cabe377cea2327a8be36b

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\avg-av-vps\product-info.xml

Filesize
5KB

MD5
ed290f93287e07885cac8ea20307c93f

SHA1
30da23bb771f42f9491d8261b5373764e005b714

SHA256
48d76bd140ae06741886f39fddd52f9d59c476a94c58c89eb66afaeff9d6ed2c

SHA512
64fc57830445b50fa0822bb2e377f5f7a43340359fbc95f8e518945d072cd56efe5954e44f2fbd1d34c98e369def0c75f2cfd5840b4b3b3fe9add213da4ca001

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\avg-av\aswOfferTool.exe

Filesize
2.3MB

MD5
682b0f6442803ed8aa0f172eb0b84cf5

SHA1
82a21900959e42fe4665c4f8a1cd6c68db9f1dc7

SHA256
df50e470eb476f3612a5e0cb506ef5ada0979fc670c796fdf398a8acee54b03d

SHA512
48c15bebcc3c9a46f8961ce7af7f4089d8c4a9f382842353637c1c2fedc16c35f68af7eeae7cc4829f2018a532e4102c8f74ca8eee647e01367179d2533e311c

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\avg-av\bug_report.exe

Filesize
2.1MB

MD5
987cf1c98edb6770da9592df621ba296

SHA1
984e70966249544b2aaf0f7a8cc43aaef467a4a4

SHA256
ff34fc5131111550f884a6e09f72393423b1c659f2a379a3b273286861f81c98

SHA512
0a5df3f26ce9eb81944503694894ecad526c393026a66e67fba6f64a3a0b729e44882396435eedb10b866faabcc4b45c8354c6888912d021ff9e7f24c6bec3ba

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\avg-av\config.def

Filesize
757B

MD5
264d61ef38e6f06891da07c11bf71436

SHA1
e4a258aa41ce4aaacdfa7f5c0f6f11d4859fe1b2

SHA256
96976bd5ecb653aded30321685e44a59886901652c031de101e3a13326d61387

SHA512
c818737bcb76b4d50673c8007118320f0b6081108f4934016a04167d5a8f4835393274438769e05276c5db79c5d9f5e4e3748788a1439c974bdf16b3d5dd6890

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\avg-av\config.def.edat

Filesize
18KB

MD5
076b2b6ca0ee724bd28a39e5d4646df9

SHA1
742a1b37f09a5d2f030e62589eb17574d055ee16

SHA256
48d1f4cbcc7797deee084f3256f7f52055dd9b28453cdb72fbbfb79f1b0ab25a

SHA512
b33cff1732c69fdccc7d043e8bf9a0f8bf6cd8bbab1e43ec0a174731a64bdfb181279e34643f4b2d8b191cda7dda30c47c18f973ba2c0622611485b054dbb269

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\avg-av\edition.edat

Filesize
2B

MD5
9bf31c7ff062936a96d3c8bd1f8f2ff3

SHA1
f1abd670358e036c31296e66b3b66c382ac00812

SHA256
e629fa6598d732768f7c726b4b621285f9c3b85303900aa912017db7617d8bdb

SHA512
9a6398cffc55ade35b39f1e41cf46c7c491744961853ff9571d09abb55a78976f72c34cd7a8787674efa1c226eaa2494dbd0a133169c9e4e2369a7d2d02de31a

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\avg-av\icarus_product.dll

Filesize
6.0MB

MD5
e6c57a243f922ba5eadf2f1a674805d9

SHA1
709701f6ca054be481f119dab27053a64929dced

SHA256
153b57ce3f3cf5c811ad33b346ebae5f1c2521afc7986a7e4a17404170617a94

SHA512
44ac6d0a7f7b7d7d9cc8f5bc445d2b8b4597dd38243bbc1fbf6cf4dc2f16b8f407474f4b36f26131f16c81ecc4857bf41211f830dab9757350e1afea31c8b49e

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\avg-av\icarus_rvrt.exe

Filesize
49KB

MD5
97f5d0caaa1988c95bf38385d2cf260e

SHA1
255099f6e976837a0c3eb43a57599789a6330e85

SHA256
73ee549578ded906711189edcef0eedbc9db7ccbd30cf7776bd1f7dd9e034339

SHA512
ad099c25868c12246ed3d4ee54cef4df49d5276a5696ca72efa64869367e262a57c8ff1fb947ad2f70caef1d618849dbab2ec6161c25758d9f96733a7534b18f

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\common\bug_report.exe

Filesize
4.8MB

MD5
b1a75ca7946d7958b4a6236cfba98222

SHA1
3f7238efbe6c76eddbca1f0fab2ec42e165d173b

SHA256
89859bdb497d81204c601932e1be1fd208248f37d90548da39b8fa19e6d71c21

SHA512
79a073fdb6a7cbad501a7fc4b2e924e7dd9ed9bf1a2dc214ff0d8115df60abb4342d0b8caa74b988c67ea494b8f358e729e4d0e226184e5c6a8b294861030ec2

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\common\dump_process.exe

Filesize
3.4MB

MD5
c88671eb853f0ce492adfc781871e129

SHA1
5e19a30b36779eb9ef5bac7cf39112cf7823e2b8

SHA256
02b26cc48fb5c1f34969be1364c171159f563664bab9422189ade809785ab3ca

SHA512
1b6ea1504cd43f655880a1fd38704cfb50aa7b94c3bd42ac9d4b7576353bf24355b547e199f1901d541cd0dd2982645dbf12f8c35fa8df1fb33f0938dc7b18e5

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\common\icarus.exe

Filesize
7.6MB

MD5
565c8b2269debc4903628d576a8bc47c

SHA1
9c85b48e4b1bfe95bbb9126e6d7718aa72a033ba

SHA256
6db67f96c01094215223f38c2703052bebe2a298521f8f0d8bed4492c3d1984c

SHA512
f3a011c8ba0f21106e69f9d57e12ddaef29665832d20e21566a3eab38825d510ecb8955915511e0273d02648d5ce9da4ab30d86c2cda3619fe82d9ebca5d1b6b

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\common\icarus_mod.dll

Filesize
14KB

MD5
7ce3328789a3bdf6cdce52e5df446373

SHA1
a9054aa148f110d7ae266b089e0e28c50fae30c2

SHA256
b4b2960fc093aa3964ec1172999c6c24af2d09eae6b0096de46d9884a98a32ef

SHA512
7dbf63e583bc0c0ca39fa33057ec6f99606ef4c6d4a631e9391ff1fc829aee9a346ef418473b8ddd09a249c5a7629226808a4b5d65c24d11326ef3a38f355fdc

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\common\icarus_ui.exe

Filesize
11.8MB

MD5
d93f0e473a80ffcb86f31dc72c1772f4

SHA1
0e003c7cae9fc2f2c981de22d2fd326454cf0f65

SHA256
03537ec10aa8ade09d10ff1377d396c2ee88a6cea0e270f7716ebf4cfaa408d9

SHA512
df025bf6e91bb5ae33c35d314031883c356706c61e881d9a181377354673c5d07873e23518fc6461fe0e8b1ccf1631af3cfa23d21b0d768426321a0216218d3e

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\common\product-def.xml

Filesize
1.3MB

MD5
e448581ceecf4664accf896034ba4a8a

SHA1
cf0bea0ba9e36ffbf77b04a2b247947d8e7ad1d4

SHA256
a258b0665965bfa2c9c58b77aa1e2aa566449362b94ef7238dafc98da7918b88

SHA512
10bfd0d959f47c4012116f5a596ea2661058469ac29718231a91417f90937cbd0dd11d465f8059290b78c421db080d53c776810d93d4e8f965393229f830a1fc

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\common\product-info.xml

Filesize
9KB

MD5
f8c5aa34a71e54c0fa083f4b66cabb46

SHA1
f2cf1959cfdbe4e57f22f3c84ced078157fa02c1

SHA256
25bb4b2fb2badfcac785c65a07eab34bfbe9dabb748a89f922c33c7ac4c21288

SHA512
64ed9a6cc5e767f10523c4aac8756998ef1b6d8e2621e5a88cf85505484774843ebd0a95fb3453c586d490ced8e0eba441c916ebaaa6a3ff173784d36ea10903

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\common\setupui.cont

Filesize
339KB

MD5
cec94dabbcd5294811060976fb71a369

SHA1
88358121f8f1e2ee10e1eb30aa408692b0ef592d

SHA256
930851cef3d3f67d1aee8d4f9429871e4fa3f1f188ec98197bf3283c1762df3c

SHA512
b157eea685392ff5556bb14153be5c8f5f42a2d3354719dab81432209826f0c9f0b756a731065f425c6a2acd2d4495688f41011734902a09aa29042e0fd96bc8

Download Submit
C:\Windows\Temp\asw-970a0b33-3574-4e17-b620-568ed5291330\icarus-info.xml

Filesize
1KB

MD5
fa523498e657e60b16b67dcb1a955fbf

SHA1
6b1adbe171b8e3d74f0c09a95c58964e491d3ebc

SHA256
6293de36c7e9ad9d52acedb67e29d65cf851a1b1f42155e9f49c9f32737e83f3

SHA512
f40e3b884fae28c843c65487e352f6dc2dd0ca5a556523961dcca903cfb2050079964aa1edbe4cde724614d25116d919139b8cedcec490f7f38f1d7a75690933

Download Submit
C:\Windows\Temp\asw.b71d3dcbb511612b\avg_antivirus_free_online_setup.exe

Filesize
1.5MB

MD5
df1696578adf282382c97ca708bf7fac

SHA1
b9c93436e470fc8ce31cec359b2631a2e050558c

SHA256
c28dde93349a99806c03191785e06b4b9658d2e5e320f1d91d8cd5646100e1ca

SHA512
03c226297dc17b81c24c832ebf60d7fc0d9e45ad8b25a9f89a578f015131a9267286db89444ffa8bcd0f5ef1fa96322dc95f292fc701b7c206f75f055b89c247

Download Submit
C:\Windows\Temp\asw.b71d3dcbb511612b\ecoo.edat

Filesize
21B

MD5
6553aa6c618318946b719a0f96016b36

SHA1
d5e033fb3e19d24f69ff9c099651d59497236474

SHA256
69ffdadd0b15e22cdfd13cfaa14f8a457c249af5532ea8c965439cccd0ebd107

SHA512
742cb9ded69875aede3875adc9a18182fede84abee74e7058b4f77e509ac6acbc0aec8cd886093f52cb0e6d4b2aac64a4381404665f16b9e6e683419fa11dac6

Download Submit
C:\Windows\Temp\asw.b71d3dcbb511612b\eref.edat

Filesize
51B

MD5
bde5017bff2cacaa97f901141ad0aaab

SHA1
88584dff4e6a30f912fd0dc31194c3d6078cfb75

SHA256
25192c8fa64a8b3d4cda730c611cc67ee6bf48405b4329f2cc854d99db474fd1

SHA512
f6d3bb3ac1369d74c979b86ed9d8a4cdc6f6eff835b05761f7691046902be9b5b9a15c4da20e02b78e4597b4ca83dfb4518429c73b896f16d0e9ec2dbe85b725

Download Submit