xworm | a98f459547ffc3c515a83fd42be76c4b0eb89c07b2e268d110bbce4cb096182d

Analysis

max time kernel
26s
max time network
25s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
02-11-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Code Extractor C++ and c# Craked by Lucifer.exe
Size

340KB
MD5

df2a298979ca5221c86d537e707c650b
SHA1

a7d76d26fb7a5c16b76231bc9f5c2cfb0fc1161a
SHA256

a98f459547ffc3c515a83fd42be76c4b0eb89c07b2e268d110bbce4cb096182d
SHA512

310f5508a7e87773d8f18689d0d166e3c5d6139c976e36c4f7242bdca1c80ab55520819eb7f3eb9b564321b3bad571120ef3f068b39d2599f8bce65d2a7064e6
SSDEEP

6144:bt/u6mhPJGk59wRsyU9I9Vx1rcPm3m72XeN1mk5gOvZf1VLVRnIINQvq:bJyhRVf9I9Rcu3mqXomkuufbxRnTcq

Score

10^/10

xworm bootkit discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

147.185.221.21:27938

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe
telegram
https://api.telegram.org/bot6575053517:AAHfQSqLTvzOajvn1QldlaGUVj-u9hK2upc/sendMessage?chat_id=7492036336

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001e00000002aa76-34.dat	family_xworm
behavioral1/memory/2232-60-0x0000000000E20000-0x0000000000E3A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
3188	Code Extractor C++.exe
2232	svchost.exe
1628	avg_antivirus_free_online_setup.exe
1472	icarus.exe
2036	icarus_ui.exe
1760	icarus.exe
4696	icarus.exe

Loads dropped DLL 4 IoCs

pid	Process
3188	Code Extractor C++.exe
1628	avg_antivirus_free_online_setup.exe
4696	icarus.exe
1760	icarus.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Code Extractor C++.exe
File opened for modification	\??\PhysicalDrive0	avg_antivirus_free_online_setup.exe
File opened for modification	\??\PhysicalDrive0	icarus.exe
File opened for modification	\??\PhysicalDrive0	icarus.exe
File opened for modification	\??\PhysicalDrive0	icarus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Code Extractor C++.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avg_antivirus_free_online_setup.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	icarus_ui.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	icarus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	icarus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	icarus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	icarus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus_ui.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "c86409c1-277a-4a9f-8b6d-cdd2152bdb15"	avg_antivirus_free_online_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F	avg_antivirus_free_online_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "65F115A51CCCDBF623206AEDE3B3D8A4"	avg_antivirus_free_online_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA5wXA8kj0ZEmzD4a8PrF44AQAAAACAAAAAAAQZgAAAAEAACAAAAAowk6i3QOEEMSq5218E3TDT5NU2SKCpSwmJLrFSc1hXwAAAAAOgAAAAAIAACAAAACGwhJV+YViAI38lqkt+BNDBfSJZuWUZOxCVuD0/8fKdjAAAACB4yH8U8xJzcEikfI25t970OUV4WQ5++7tJhrVVQ7MKQ4MhR8SHNeN4kdg34GtqkdAAAAAX3JvhLgxENG5Xxj11c5y0l5EPSur6qhtAHkGKBp5b4z/uwVts1ErX8ecAgf14c1Rfx8rTUuMjtuak3lVasEdJw=="	avg_antivirus_free_online_setup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2036	icarus_ui.exe
2036	icarus_ui.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	svchost.exe
Token: SeRestorePrivilege	1472	icarus.exe
Token: SeTakeOwnershipPrivilege	1472	icarus.exe
Token: SeRestorePrivilege	1472	icarus.exe
Token: SeTakeOwnershipPrivilege	1472	icarus.exe
Token: SeRestorePrivilege	1472	icarus.exe
Token: SeTakeOwnershipPrivilege	1472	icarus.exe
Token: SeRestorePrivilege	1472	icarus.exe
Token: SeTakeOwnershipPrivilege	1472	icarus.exe
Token: SeDebugPrivilege	1472	icarus.exe
Token: SeDebugPrivilege	2036	icarus_ui.exe
Token: SeRestorePrivilege	1760	icarus.exe
Token: SeRestorePrivilege	4696	icarus.exe
Token: SeTakeOwnershipPrivilege	1760	icarus.exe
Token: SeTakeOwnershipPrivilege	4696	icarus.exe
Token: SeRestorePrivilege	4696	icarus.exe
Token: SeTakeOwnershipPrivilege	4696	icarus.exe
Token: SeRestorePrivilege	1760	icarus.exe
Token: SeTakeOwnershipPrivilege	1760	icarus.exe
Token: SeRestorePrivilege	4696	icarus.exe
Token: SeTakeOwnershipPrivilege	4696	icarus.exe
Token: SeRestorePrivilege	1760	icarus.exe
Token: SeTakeOwnershipPrivilege	1760	icarus.exe
Token: SeRestorePrivilege	4696	icarus.exe
Token: SeRestorePrivilege	1760	icarus.exe
Token: SeTakeOwnershipPrivilege	4696	icarus.exe
Token: SeTakeOwnershipPrivilege	1760	icarus.exe
Token: SeDebugPrivilege	4696	icarus.exe
Token: SeDebugPrivilege	1760	icarus.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1628	avg_antivirus_free_online_setup.exe
2036	icarus_ui.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2036	icarus_ui.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 3188	1908	Code Extractor C++ and c# Craked by Lucifer.exe	80
PID 1908 wrote to memory of 3188	1908	Code Extractor C++ and c# Craked by Lucifer.exe	80
PID 1908 wrote to memory of 3188	1908	Code Extractor C++ and c# Craked by Lucifer.exe	80
PID 1908 wrote to memory of 2232	1908	Code Extractor C++ and c# Craked by Lucifer.exe	81
PID 1908 wrote to memory of 2232	1908	Code Extractor C++ and c# Craked by Lucifer.exe	81
PID 3188 wrote to memory of 1628	3188	Code Extractor C++.exe	83
PID 3188 wrote to memory of 1628	3188	Code Extractor C++.exe	83
PID 3188 wrote to memory of 1628	3188	Code Extractor C++.exe	83
PID 1628 wrote to memory of 1472	1628	avg_antivirus_free_online_setup.exe	89
PID 1628 wrote to memory of 1472	1628	avg_antivirus_free_online_setup.exe	89
PID 1472 wrote to memory of 2036	1472	icarus.exe	90
PID 1472 wrote to memory of 2036	1472	icarus.exe	90
PID 1472 wrote to memory of 1760	1472	icarus.exe	92
PID 1472 wrote to memory of 1760	1472	icarus.exe	92
PID 1472 wrote to memory of 4696	1472	icarus.exe	91
PID 1472 wrote to memory of 4696	1472	icarus.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Code Extractor C++ and c# Craked by Lucifer.exe
"C:\Users\Admin\AppData\Local\Temp\Code Extractor C++ and c# Craked by Lucifer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\Code Extractor C++.exe
  "C:\Users\Admin\Code Extractor C++.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\Temp\asw.5765cb18c0059f26\avg_antivirus_free_online_setup.exe
    "C:\Windows\Temp\asw.5765cb18c0059f26\avg_antivirus_free_online_setup.exe" /cookie:mmm_bav_tst_007_402_c:dlid_FREEGSR /ga_clientid:464520ab-5125-4e55-94be-7ed7d5818c94 /edat_dir:C:\Windows\Temp\asw.5765cb18c0059f26 /geo:GB
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\common\icarus.exe
      C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\icarus-info.xml /install /cookie:mmm_bav_tst_007_402_c:dlid_FREEGSR /edat_dir:C:\Windows\Temp\asw.5765cb18c0059f26 /geo:GB /track-guid:464520ab-5125-4e55-94be-7ed7d5818c94 /sssid:1628
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\common\icarus_ui.exe
        
        C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\common\icarus_ui.exe /cookie:mmm_bav_tst_007_402_c:dlid_FREEGSR /edat_dir:C:\Windows\Temp\asw.5765cb18c0059f26 /geo:GB /track-guid:464520ab-5125-4e55-94be-7ed7d5818c94 /sssid:1628 /er_master:master_ep_f8d5ec2b-e553-42a7-b102-584f6dd1754e /er_ui:ui_ep_f09ab10b-2415-4064-b2a0-e6533ef90be7
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2036
    - - C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\avg-av-vps\icarus.exe
        
        C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\avg-av-vps\icarus.exe /cookie:mmm_bav_tst_007_402_c:dlid_FREEGSR /edat_dir:C:\Windows\Temp\asw.5765cb18c0059f26 /geo:GB /track-guid:464520ab-5125-4e55-94be-7ed7d5818c94 /sssid:1628 /er_master:master_ep_f8d5ec2b-e553-42a7-b102-584f6dd1754e /er_ui:ui_ep_f09ab10b-2415-4064-b2a0-e6533ef90be7 /er_slave:avg-av-vps_slave_ep_2300e324-72ea-451c-94f8-fc677da444ed /slave:avg-av-vps
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
    - - C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\avg-av\icarus.exe
        
        C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\avg-av\icarus.exe /cookie:mmm_bav_tst_007_402_c:dlid_FREEGSR /edat_dir:C:\Windows\Temp\asw.5765cb18c0059f26 /geo:GB /track-guid:464520ab-5125-4e55-94be-7ed7d5818c94 /sssid:1628 /er_master:master_ep_f8d5ec2b-e553-42a7-b102-584f6dd1754e /er_ui:ui_ep_f09ab10b-2415-4064-b2a0-e6533ef90be7 /er_slave:avg-av_slave_ep_a910aa91-e48c-4147-8e16-9de112f95ab3 /slave:avg-av
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
- C:\Users\Admin\svchost.exe
  "C:\Users\Admin\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AVG\Icarus\Logs\icarus.log

Filesize
57KB

MD5
7726aef8f65c4ee000f4ca788347c6a8

SHA1
2510d3ebeb3dbee2c19a1261b9a8cbb2dd59523a

SHA256
cab1966b5c756e968b43c416f41fa11b46acb1ffd1a374aae48f2717259004ae

SHA512
8b008218234517cf0aee981c50cdfcbdfa1609f7b3af9c6a9f86366318f208a03a2d15b0c712bef683cdcc21b7bf231b49f1f12725bf7b88e5442092cc6078e4

Download Submit
C:\ProgramData\AVG\Icarus\Logs\icarus.log

Filesize
154KB

MD5
7d16008fd4b17c7fa1dad5113d7cecb4

SHA1
0d710ee3750c5d1d4570b35b8eca3c2cd59b16dc

SHA256
0422d6021331587b8a18fcb0704f1facab47d504c9b2a8903b313b8414238aa3

SHA512
3354d447f798ddf26d58521ca81d28aafc9e7aca22ab48f67d5b49d1f175a8e5275dcfb3a0225d14e34b51168326ad0297445c83e907472cd30030c0fff9abf3

Download Submit
C:\ProgramData\AVG\Icarus\Logs\icarus.log

Filesize
624KB

MD5
632905953b33554541e528f4cb6538cc

SHA1
8e67fcc8f4449032eebbb1761535d8820de8316a

SHA256
7f27ebc3bc6c716a801fc15d1c30540f691eb90616c6e34879e74a8a83057809

SHA512
be1e8e8e046fcaf3467ce5617ee0a04831da8f18437c03453d345537721b8997f7b1e2c8fd846bd3f8d021678788547bf1aa5ab136c29bfd03c49439d2b0545f

Download Submit
C:\ProgramData\AVG\Icarus\Logs\sfx.log

Filesize
12KB

MD5
d4c7ecc6ca585ad5dfadbc1cf2b290cf

SHA1
ab21e1ceee38ab487dc84a1eafadcf5a7e906833

SHA256
687b0eb492bfad12ba15fc764cb898ae2a5d651a1daaeb5f12c610818c5178e4

SHA512
cf961f49e5cc0b640f895d162173c5f92a4ab404ab0af880ca4f20310e925645c3d34d2600d15049cfc6f05211f521ddd74b878a10ab8bb3aaf5195be6f338c7

Download Submit
C:\ProgramData\AVG\Icarus\Logs\sui.log

Filesize
10KB

MD5
4a69b038ff8640435801cd36f4bb04d0

SHA1
bb35cada69666261984e026d4b0031cc6206dc83

SHA256
332dc138dc1692dc2f39fb29b8948fd6b4a9bde70470320ee1c84f89ee340100

SHA512
6c250879228601906af2e7610242eff60a31987611157451f6db68afeb104282dc5436793bcb5092ad62fb74033ad892a3cc48549e36be9c7e87c8b1babae07a

Download Submit
C:\ProgramData\AVG\Icarus\settings\temporary_proxy.ini

Filesize
278B

MD5
b8853a8e6228549b5d3ad97752d173d4

SHA1
cd471a5d57e0946c19a694a6be8a3959cef30341

SHA256
8e511706c04e382e58153c274138e99a298e87e29e12548d39b7f3d3442878b9

SHA512
cf4edd9ee238c1e621501f91a4c3338ec0cb07ca2c2df00aa7c44d3db7c4f3798bc4137c11c15379d0c71fab1c5c61f19be32ba3fc39dc242313d0947461a787

Download Submit
C:\Users\Admin\Code Extractor C++.exe

Filesize
248KB

MD5
e700c29f47cfdfb873b80cd2ab7ffa7a

SHA1
1d1455344a4423da50c2eb230eb8f2bffa5506a7

SHA256
9a5b89407360c5fbb33c0a60ba7bf57114cc2c082c46ecff1997d0b0c9af8ccf

SHA512
eeab5377ee43fea154561ad52d7f3b5bfd80b4d656653cec827bcfd2821a03a4d0b5d34d77bcfad0cd0f93ac68410c99f032d40533bf75e154e73f8a07338d74

Download Submit
C:\Users\Admin\svchost.exe

Filesize
77KB

MD5
7a663541653efa34e7e2aabf0acf6ada

SHA1
ae14101f62220e6435ed3d80e03dbb4e5f29b344

SHA256
829016d508f4064cc618eef8c9250ad000b15355ce563f172e6e54f776c74f9c

SHA512
7267f6b0c41dff35a761171a30ebdfde83e81a29f4511fe808cb28b0d7d0a2a2b101fac57aefe74b9c8475ae37c87471b8dcedf1e9458da5dd8d839270a20508

Download Submit
C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\avg-av-vps\config.def

Filesize
549B

MD5
3e9c87ef79aec6ef3af203b32b003198

SHA1
82d9dbecbb20ff8160439d9f7d8b87466bcdfbef

SHA256
e3e8cbe0a09239f7c977bfc7d283c32e1a8dacd5fadc2f6643724e4e68cb8489

SHA512
88e65718a1d7b538c14822cbfe1eea21dd8c102c9b3c0c4b6dff719ec0f74e3c5c5b83b630f4c8506049b1e793ec2a1f4aed279bc44f904ca8355a0e1c4bfdc5

Download Submit
C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\avg-av-vps\dump_process.exe

Filesize
3.4MB

MD5
5190cf05ae2e298cb94e85dc83f2e161

SHA1
6701689a71f7de48fc9bc990774d8d9fcee8bd4a

SHA256
e80d3f009fb029dbc537e9967bb00d8362d3e1ad6378cce6beeabf231cf86c0a

SHA512
63eb01823e15a7ec1e4fbf8eda944264db9c14fde404889312f0189a7559a3ea2ea93d216b78492ab2194923a056bea3f083d72c1650576823ef98091f2ef568

Download Submit
C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\avg-av-vps\icarus_product.dll

Filesize
858KB

MD5
264df24da7afca448f922f625c1b8ced

SHA1
7cf8f98892aaa7a57920f7ff4fffe8b344e63f5e

SHA256
305a51e4f4c05a8e0332d039c7e5f36c0d9b75097754aa67f43153716c0d728b

SHA512
d73359b290ac3ed119fd208c58e983d74bc4d96fcb03b53d4f4c63330428e8f07e11931409655aa3070bae44accf1a4d9255b41b5db3b99219f27ddf5e61b929

Download Submit
C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\avg-av-vps\product-def.xml

Filesize
59KB

MD5
026ee07c038e1ec819a133bbc1a74c70

SHA1
b237e5cd63594d97c1165dc9feea9c42d2db68a6

SHA256
1cd8b9aa79c8d596215e1e3262bc09634da317ee0b4b4bcbe84c8347d27f7cbf

SHA512
773ea9e946f6d75cb1ff932a28fc23cd7bb85fab9a9123be156950bbbbd236671bd6c0be4061a256ea0f8b2abcfb0831f5d00d47612e9e925cd4ba559c71cfb5

Download Submit
C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\avg-av-vps\product-info.xml

Filesize
5KB

MD5
447d00beb75c296a89f673a34f6e54ed

SHA1
443271925532127c9074ecd26254f0bada02f387

SHA256
24df193be0c446924c0248b93b10e541ab559f9f13cb06c715285d2a878f7e04

SHA512
476552fb5c3f3d82f04bad2a783a1e125ab9f2c7f9dc4e7678a46e4eb4da5625ff4dd2bc0b24050980784d2623f65c989a306e237f70c634d354f20009f27a1e

Download Submit
C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\avg-av\config.def

Filesize
709B

MD5
7f4e744fd9e79159cace879a9e6e04df

SHA1
2735b64ff03d0b5086865b59ecf795bd60ee072a

SHA256
26bd6950866b9668b3fff122f24ab483ed1932d4cc3ad9424aa32d5a9d99b264

SHA512
6ee3e9d7359ac9a971b4adf26fa2416b6622bfc992c382881c486f3d52a45d53a698412bc019e930fd3e07aff0fb2d4fb7227cc24f96f8ce457d851366c37644

Download Submit
C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\avg-av\config.def.edat

Filesize
20KB

MD5
0ebc6555ec72edd10d3af993d6c2c646

SHA1
7177762bd74eb4eb0b9954cd7e576a28f2b90ab8

SHA256
6cb1bbff5f93c6b7fdcae067ce6e49c8cbc6cee7343aac6e0915b2a101933e35

SHA512
f4f12da80499353766c82b72feb39f777f2e63e5b0de770ef930cf35a26e1b2119aad8720176d955f288afcc48d221e7062919ab89b1fd1ee8d528029a69ec12

Download Submit
C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\avg-av\edition.edat

Filesize
2B

MD5
9bf31c7ff062936a96d3c8bd1f8f2ff3

SHA1
f1abd670358e036c31296e66b3b66c382ac00812

SHA256
e629fa6598d732768f7c726b4b621285f9c3b85303900aa912017db7617d8bdb

SHA512
9a6398cffc55ade35b39f1e41cf46c7c491744961853ff9571d09abb55a78976f72c34cd7a8787674efa1c226eaa2494dbd0a133169c9e4e2369a7d2d02de31a

Download Submit
C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\avg-av\icarus_product.dll

Filesize
6.7MB

MD5
7ff07f1d86a7b8c1d28b5de1760f9a71

SHA1
affc73ee9828bb2151a6c88b84098f9b8c0df1b5

SHA256
3024ac600d3b29893cc17f7615af081654930b55c356fdd9fbb51b2b17acd105

SHA512
cdba8696cda67582d769db58a28ac87d30fe9bc869f7a0f718d9149b6edd42622d5fa83e5b1f5c37e0433a244a3b020c9d90b8708927926c2480a7ed5bcc894a

Download Submit
C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\common\bug_report.exe

Filesize
5.6MB

MD5
d51365da191d9548b76fae6cde050af2

SHA1
8445144dce25fe03dce30e0ec8099e2b926c2a43

SHA256
8c273c61324efbc3a773588dbbba308a6b148ea77cdc3703104dc4808655fc21

SHA512
4ee64c1c174971b7f7ea53cde92f2007bed50799140e164b93b03b86885226a0bc813686c4003b0f6b7e2c1f8b60db4fc66b96baff4bab860412c100bd7a4502

Download Submit
C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\common\icarus.exe

Filesize
7.8MB

MD5
4e824521a083138869fa6246cb33ccde

SHA1
7228689c5088a6d4faf4f7dc5fdf4389c56f76cd

SHA256
6a16511aab82faa51440197bddd11c1cce52ddd20160a630ee191eb9f626ce6c

SHA512
a7af2652d1a5c810845f3e0f6115477fb5e47cf1db645a7d8567c100277d213103fe6418a52a71aa8c83ba5a47d2f81a98b429456293f58ef9aa730811b29c5f

Download Submit
C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\common\icarus_mod.dll

Filesize
15KB

MD5
b58aa1772b0da86313ea07903be02002

SHA1
2e3cf5b6c6b575633b687de9463e247460d9c833

SHA256
801ff2ea4307cd3a1f6a6f3744f7510c3de7e9ddac1db863859ee7d3207d46ff

SHA512
075ab7db5632dd2ca6a63cd7d7e7df905c1348269b3f0e8e3bd2efff1663950b4c50f22ea8f1ab5286f55ba0d3eb1d234a631425c4578b27797f15ac88a6172d

Download Submit
C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\common\icarus_ui.exe

Filesize
11.8MB

MD5
630f299a07c056d3ccfd8b6499304af4

SHA1
bb06310b3cfbe95069e37d389655b4616369c3e4

SHA256
5a717caa148a79724d65f72b437b7d169fef26cfa676ac8bf7fb59354cf489a0

SHA512
e68d70727e51008a3b7438b65e921be69e17eadc0b3e86b7010d4900ca50988d4a1e20ca869efcc5d3802bc22364aa7714d7a18592c736f18ea6bac822ae4035

Download Submit
C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\common\product-def.xml

Filesize
1.3MB

MD5
0cbe03f2a4315fd99a2d7c1b3434e392

SHA1
542cdee4a6013afc88710b73bdb9f7bc73890bfb

SHA256
5ddc8de2bfd97b3e5ef529b3f340145bad10c122b6f00669d09e6ed6a8f22b43

SHA512
e72836cb99da8c0d14f5da9db02e0a855e231adebbd0255d56c1b05216e0058c443e2795e87868e85e18335231232ec75888f3722560e4835c14000edb73d5e2

Download Submit
C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\common\product-info.xml

Filesize
9KB

MD5
d7e8b97d50765365e6793fade40742dc

SHA1
78229d4731a07f3efe18c6eb9bc36de380a98b5e

SHA256
d8780ee84985530a785f07c6f959de5d0835d7ee4db536bef5acef1379602e75

SHA512
d311d33f3b412132bf20e0f7773d32efbc4e71f5c19fa176cb6c994390dc5ce32ccaad2eb9081cb7bbcbf23cd0ddc916951781f83af68ba3c9084667a68b7e87

Download Submit
C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\common\setupui.cont

Filesize
382KB

MD5
b790cb82fe208a019358579c9c610021

SHA1
98810354ed887fe4d5d83d379bf0776e51d71d4b

SHA256
175b34fdca1a4b61c1c95d4f27f2ca408eaf7607a7acbe51edd6484f01df2ba1

SHA512
2d58422aa465fdf2f5846516aa393bd1c47f6b46d6e37999de466fd48f8b4607bd0942d8a136ab48a6f19301df5b3a1374b73c6f516cc597c5637cfbf6410169

Download Submit
C:\Windows\Temp\asw-19e0031e-91de-4f68-9af4-3b0ea9ae8b89\icarus-info.xml

Filesize
1KB

MD5
0a2475de95503d49215e9a5a4c55aa59

SHA1
40f0a00291674979e7c55670999dcfc555eb38c9

SHA256
25b889a5f2d14d6235e876e9a55ca33c64ec55086ce6a7dc7df03f74510110dc

SHA512
c90770b7493ef70ac6217f7776c22bd7ce46aa2ce5ddd9198f04c7075149917fa02839850f2ff0e64cd5059a599113d408ef0af1c63043cab93d0d91f92a11b3

Download Submit
C:\Windows\Temp\asw.5765cb18c0059f26\avg_antivirus_free_online_setup.exe

Filesize
1.6MB

MD5
f09798c668ab48b3c69278290e971cfc

SHA1
28a88f8c2a11eee6200198d4c1ff85ebe7ee5be8

SHA256
1e628a18b0e339dc6f72441cd3fbe0f43248ad63ba2b8f8c648a2d450e5ba529

SHA512
8f42cad525d25f1df2a66be6f663c4a0a5a9fd001a54918eed1df9cff26518082a046bec9f46331338f306c3c0e4ed6f5a555ae6b4e5ad5bf70c6b03b7ceaf58

Download Submit
C:\Windows\Temp\asw.5765cb18c0059f26\ecoo.edat

Filesize
34B

MD5
7b3b7f5d1ab49c1c4757d3354ce0606d

SHA1
6945df9d9ef1ca7e189d46cc7b920477c3ff02a4

SHA256
6ccdd4adc2a17cf156316e467b5b760a7754ac1c469d79105ec7c00b24ba78b1

SHA512
1767b5abe9169b4b8bcf18569f98c4d1606ea7e69aa90a6acc4db11dc49e3ba058c502d0dcebda01e05bdc02bd6baee05ad8ce5ba04cdfe983ae1aa345bf2e04

Download Submit
C:\Windows\Temp\asw.5765cb18c0059f26\eref.edat

Filesize
50B

MD5
9c489ccafa7c14d8ce15f6b607b484d1

SHA1
1fcd80d73752dfc63876870f7cd1b2ddf53e8c5e

SHA256
c8adafee0e5f7185ba61cfe94a1dbdb9a2ce5f6be09cee49adc55b456d38c967

SHA512
56d899636f640de9ffa576d792c50ce693f31e0822ccb86245fc570dfddb16b5e76a9e486ef335f2ecd7856b8e8e9deac88b0922ae59c479c476cd1df99e9b87

Download Submit
memory/1908-0-0x00007FF8EC763000-0x00007FF8EC765000-memory.dmp

Filesize
8KB

Download
memory/1908-1-0x00000000003B0000-0x000000000040C000-memory.dmp

Filesize
368KB

Download
memory/2232-114-0x00007FF8EC760000-0x00007FF8ED222000-memory.dmp

Filesize
10.8MB

Download
memory/2232-63-0x00007FF8EC760000-0x00007FF8ED222000-memory.dmp

Filesize
10.8MB

Download
memory/2232-60-0x0000000000E20000-0x0000000000E3A000-memory.dmp

Filesize
104KB

Download