phorphiex | cd13d7872186301845faf0a63a5e921f9d32faf5a3e51b5fb7a2936646b93792

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-14_27db8d4890c6699842726f11858ae56e_black-basta_cobalt-strike_elex_luca-stealer.exe
Size

247KB
MD5

27db8d4890c6699842726f11858ae56e
SHA1

4e076534775aa428c3697e658ea6d42a656d34a6
SHA256

cd13d7872186301845faf0a63a5e921f9d32faf5a3e51b5fb7a2936646b93792
SHA512

cf5778a5902b27e6d2045d3e76de2c9ad4904763a1cdc55e0306196765896df9fe1aadc3693b9c1d1b71d19ec0e72cddb518089c870aaa091bd9d3ab438825d8
SSDEEP

3072:GeJbDwLibLaZ/S91gxiJPU3qtmQv2cthYSdqMREwPLr6VsOWPGWyrVFsQMeJqeuQ:GkDOZargxSHmQv2+B9EwC/sQMeQLqv7

Score

10^/10

phorphiex bootkit discovery loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://185.39.17.124/

Wallets

TW3wpRJmZgC5WifuY468JBUCF3TEkzBT5H

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MF6iVGLmErYP9y4B9SwtzarDoy3ETSzYrh

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

0x46e5cc402BC848ceC9f4d65c9B48aE7D7A24821B

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1B8FF5WwJXNnjkVzxgPkAznVZ8uKb3Watx

ltc1qyfzdpxky7q2grz4zmqv5x0t0uwfuznl5u43c93

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3GcQJkfHq7NWgBhhNKjz7uSfM6LzADpLvX

CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

Attributes

mutex
x5x7x2x9x
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Signatures

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000241fe-191.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Downloads MZ/PE file 3 IoCs

flow	pid	Process
77	4340	E791.exe
1	1328	2025-04-14_27db8d4890c6699842726f11858ae56e_black-basta_cobalt-strike_elex_luca-stealer.exe
11	1328	2025-04-14_27db8d4890c6699842726f11858ae56e_black-basta_cobalt-strike_elex_luca-stealer.exe

Executes dropped EXE 9 IoCs

pid	Process
4340	E791.exe
3220	avast_free_antivirus_online_setup.exe
4808	icarus.exe
5532	icarus_ui.exe
3288	icarus.exe
3924	icarus.exe
5492	3342028962.exe
936	sysldrvsn.exe
5580	sysldrvsn.exe

Loads dropped DLL 4 IoCs

pid	Process
1328	2025-04-14_27db8d4890c6699842726f11858ae56e_black-basta_cobalt-strike_elex_luca-stealer.exe
3220	avast_free_antivirus_online_setup.exe
3288	icarus.exe
3924	icarus.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysldrvsn.exe"	3342028962.exe

Checks for any installed AV software in registry 1 TTPs 7 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	icarus.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	icarus.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	icarus.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	icarus.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	icarus.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast	icarus.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	icarus.exe

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2025-04-14_27db8d4890c6699842726f11858ae56e_black-basta_cobalt-strike_elex_luca-stealer.exe
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_online_setup.exe
File opened for modification	\??\PhysicalDrive0	icarus.exe
File opened for modification	\??\PhysicalDrive0	icarus.exe
File opened for modification	\??\PhysicalDrive0	icarus.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sysldrvsn.exe	3342028962.exe
File created	C:\Windows\sysldrvsn.exe	3342028962.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-14_27db8d4890c6699842726f11858ae56e_black-basta_cobalt-strike_elex_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E791.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avast_free_antivirus_online_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3342028962.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysldrvsn.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	icarus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	icarus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	icarus_ui.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus_ui.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	icarus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	icarus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "32662e7a-61de-4d1a-9c57-1ef6b3f44ee8"	avast_free_antivirus_online_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F	avast_free_antivirus_online_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "65F115A51CCCDBF623206AEDE3B3D8A4"	avast_free_antivirus_online_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAgVGyj+M86EabxMdOSdik8AQAAAACAAAAAAAQZgAAAAEAACAAAACEicsYSQHziXLT7xGIX5x0DCPN49aLfTDqBlWLDGfoOwAAAAAOgAAAAAIAACAAAAD7tS42nXhJtGUk/WgeSoBubHGsrwboIp3dj/zsrOhy5jAAAAAqReeEGCoJ0vF/CHfuq4QZDHkD9axJIrNLKUM7L67pcDVQg88MUGAvpvAQapnqfo5AAAAAsMMHkurstpWttjA/6ojSe5bdyEGiXFXTwct8If8DO6kq4c/XIVXyOP7bdlSXm52QBQD45p2LaBZFAdsZfRuoDg=="	avast_free_antivirus_online_setup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5532	icarus_ui.exe
5532	icarus_ui.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeRestorePrivilege	4808	icarus.exe
Token: SeTakeOwnershipPrivilege	4808	icarus.exe
Token: SeRestorePrivilege	4808	icarus.exe
Token: SeTakeOwnershipPrivilege	4808	icarus.exe
Token: SeRestorePrivilege	4808	icarus.exe
Token: SeTakeOwnershipPrivilege	4808	icarus.exe
Token: SeRestorePrivilege	4808	icarus.exe
Token: SeTakeOwnershipPrivilege	4808	icarus.exe
Token: SeDebugPrivilege	4808	icarus.exe
Token: SeDebugPrivilege	5532	icarus_ui.exe
Token: SeRestorePrivilege	3288	icarus.exe
Token: SeTakeOwnershipPrivilege	3288	icarus.exe
Token: SeRestorePrivilege	3288	icarus.exe
Token: SeTakeOwnershipPrivilege	3288	icarus.exe
Token: SeRestorePrivilege	3288	icarus.exe
Token: SeTakeOwnershipPrivilege	3288	icarus.exe
Token: SeRestorePrivilege	3288	icarus.exe
Token: SeTakeOwnershipPrivilege	3288	icarus.exe
Token: SeRestorePrivilege	3924	icarus.exe
Token: SeTakeOwnershipPrivilege	3924	icarus.exe
Token: SeRestorePrivilege	3924	icarus.exe
Token: SeTakeOwnershipPrivilege	3924	icarus.exe
Token: SeRestorePrivilege	3924	icarus.exe
Token: SeTakeOwnershipPrivilege	3924	icarus.exe
Token: SeRestorePrivilege	3924	icarus.exe
Token: SeTakeOwnershipPrivilege	3924	icarus.exe
Token: SeDebugPrivilege	3288	icarus.exe
Token: SeDebugPrivilege	3924	icarus.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3220	avast_free_antivirus_online_setup.exe
5532	icarus_ui.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5532	icarus_ui.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 4340	1328	2025-04-14_27db8d4890c6699842726f11858ae56e_black-basta_cobalt-strike_elex_luca-stealer.exe	86
PID 1328 wrote to memory of 4340	1328	2025-04-14_27db8d4890c6699842726f11858ae56e_black-basta_cobalt-strike_elex_luca-stealer.exe	86
PID 1328 wrote to memory of 4340	1328	2025-04-14_27db8d4890c6699842726f11858ae56e_black-basta_cobalt-strike_elex_luca-stealer.exe	86
PID 1328 wrote to memory of 3220	1328	2025-04-14_27db8d4890c6699842726f11858ae56e_black-basta_cobalt-strike_elex_luca-stealer.exe	88
PID 1328 wrote to memory of 3220	1328	2025-04-14_27db8d4890c6699842726f11858ae56e_black-basta_cobalt-strike_elex_luca-stealer.exe	88
PID 1328 wrote to memory of 3220	1328	2025-04-14_27db8d4890c6699842726f11858ae56e_black-basta_cobalt-strike_elex_luca-stealer.exe	88
PID 3220 wrote to memory of 4808	3220	avast_free_antivirus_online_setup.exe	91
PID 3220 wrote to memory of 4808	3220	avast_free_antivirus_online_setup.exe	91
PID 4808 wrote to memory of 5532	4808	icarus.exe	92
PID 4808 wrote to memory of 5532	4808	icarus.exe	92
PID 4808 wrote to memory of 3288	4808	icarus.exe	94
PID 4808 wrote to memory of 3288	4808	icarus.exe	94
PID 4808 wrote to memory of 3924	4808	icarus.exe	95
PID 4808 wrote to memory of 3924	4808	icarus.exe	95
PID 4340 wrote to memory of 5492	4340	E791.exe	96
PID 4340 wrote to memory of 5492	4340	E791.exe	96
PID 4340 wrote to memory of 5492	4340	E791.exe	96
PID 5492 wrote to memory of 936	5492	3342028962.exe	98
PID 5492 wrote to memory of 936	5492	3342028962.exe	98
PID 5492 wrote to memory of 936	5492	3342028962.exe	98
PID 5700 wrote to memory of 5580	5700	cmd.exe	100
PID 5700 wrote to memory of 5580	5700	cmd.exe	100
PID 5700 wrote to memory of 5580	5700	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-04-14_27db8d4890c6699842726f11858ae56e_black-basta_cobalt-strike_elex_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-14_27db8d4890c6699842726f11858ae56e_black-basta_cobalt-strike_elex_luca-stealer.exe"
1⤵
- Downloads MZ/PE file
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Users\Admin\AppData\Local\Temp\E791.exe
  "C:\Users\Admin\AppData\Local\Temp\E791.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Users\Admin\AppData\Local\Temp\3342028962.exe
    C:\Users\Admin\AppData\Local\Temp\3342028962.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5492
  - - C:\Windows\sysldrvsn.exe
      C:\Windows\sysldrvsn.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:936
- C:\Windows\Temp\asw.f876fce89f08783e\avast_free_antivirus_online_setup.exe
  "C:\Windows\Temp\asw.f876fce89f08783e\avast_free_antivirus_online_setup.exe" /cookie:mmm_ava_998_999_000_m:dlid_FAV-PPC /ga_clientid:bd8c4305-bc95-4096-a68d-146b5a47dcd2 /edat_dir:C:\Windows\Temp\asw.f876fce89f08783e /geo:GB
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\common\icarus.exe
    C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\icarus-info.xml /install /cookie:mmm_ava_998_999_000_m:dlid_FAV-PPC /edat_dir:C:\Windows\Temp\asw.f876fce89f08783e /geo:GB /track-guid:bd8c4305-bc95-4096-a68d-146b5a47dcd2 /sssid:3220
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\common\icarus_ui.exe
      C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\common\icarus_ui.exe /cookie:mmm_ava_998_999_000_m:dlid_FAV-PPC /edat_dir:C:\Windows\Temp\asw.f876fce89f08783e /geo:GB /track-guid:bd8c4305-bc95-4096-a68d-146b5a47dcd2 /sssid:3220 /er_master:master_ep_c1d746be-90ce-4c3a-96ea-6d527f4a9fce /er_ui:ui_ep_70ae832d-bd32-4c2f-ac99-332cbd603a71
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:5532
  - - C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\avast-av\icarus.exe
      C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\avast-av\icarus.exe /cookie:mmm_ava_998_999_000_m:dlid_FAV-PPC /edat_dir:C:\Windows\Temp\asw.f876fce89f08783e /geo:GB /track-guid:bd8c4305-bc95-4096-a68d-146b5a47dcd2 /sssid:3220 /er_master:master_ep_c1d746be-90ce-4c3a-96ea-6d527f4a9fce /er_ui:ui_ep_70ae832d-bd32-4c2f-ac99-332cbd603a71 /er_slave:avast-av_slave_ep_6d971610-909f-49b0-a6a1-c6303d88d00b /slave:avast-av
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:3288
  - - C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\avast-av-vps\icarus.exe
      C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\avast-av-vps\icarus.exe /cookie:mmm_ava_998_999_000_m:dlid_FAV-PPC /edat_dir:C:\Windows\Temp\asw.f876fce89f08783e /geo:GB /track-guid:bd8c4305-bc95-4096-a68d-146b5a47dcd2 /sssid:3220 /er_master:master_ep_c1d746be-90ce-4c3a-96ea-6d527f4a9fce /er_ui:ui_ep_70ae832d-bd32-4c2f-ac99-332cbd603a71 /er_slave:avast-av-vps_slave_ep_899ac853-487a-42e2-93c8-0535c4996ba4 /slave:avast-av-vps
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\sysldrvsn.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5700
- C:\Windows\sysldrvsn.exe
  C:\Windows\sysldrvsn.exe
  2⤵
  - Executes dropped EXE
  PID:5580

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Icarus\Logs\icarus.log

Filesize
69KB

MD5
b0e4b562d224bcdcbbd3ae50c4634c99

SHA1
b9f0b687b269011faab4e472901127ed47cea5d0

SHA256
40152ba3c0fc5026d61fb3b3378719d25cdf0143e31c0d75644340faf506a14f

SHA512
a6c12d842478e8e62f67267dd9e48048c4e2668785498ebf41401ed5bbc77cd1e03ceb3502a8bb8ec43a91415bc0bcd6165286bb16316abed1b554c713b5580b

Download Submit
C:\ProgramData\Avast Software\Icarus\Logs\icarus.log

Filesize
146KB

MD5
67369364df9106961954ad825c02381a

SHA1
e136411683d9a43ad6ddfdfd1bd85435181aaca8

SHA256
cc7fb26f35992f3fcec0d9408dd93f1fbabddfd68b0bfa99bbe37252b4e285f9

SHA512
5f5940b6b647504f670b45c9056d7d17883355abd8896e0a205cf2750b62c1be1ad423acaaa8f9d088656dfdf073f803aa9d89ad046e5a4a61b13a0ff1bcf44b

Download Submit
C:\ProgramData\Avast Software\Icarus\Logs\sfx.log

Filesize
14KB

MD5
04e2d967cce1b5ac55a1e1be3e461277

SHA1
d916edfd6bd53955422b80ada16a5a5f326057c4

SHA256
620410ce57fea40ff05b1e8d74590c7bbf34d6b50cd6919e720ebf95e3496dc5

SHA512
9d38bb5d68d85ad494b79a53636b31d24837c7536f74ad38624229e9ed951d4e5ae86ecce0f44441502aaa682f959c2a13fafdf94cbf134dcaeb3c4a69f4b181

Download Submit
C:\ProgramData\Avast Software\Icarus\Logs\sui.log

Filesize
17KB

MD5
ad623e90fb1d2904ffa7c7b98c4c0462

SHA1
f2e62ac80224593203126a1f8f543685cb2ec7af

SHA256
379d816424b23cf9a2eea23088d91a810f6f59a955f4fcbf8059c2e3b1e094f7

SHA512
7d5ffa403d974430d8a88b3d952444c30183b96d1c3288658cb6d7ff87db2bdbba05579976245bee48e1506304238d42584d1ac2ec220ee70da9a05c52d1d642

Download Submit
C:\ProgramData\Avast Software\Icarus\settings\temporary_proxy.ini

Filesize
278B

MD5
b8853a8e6228549b5d3ad97752d173d4

SHA1
cd471a5d57e0946c19a694a6be8a3959cef30341

SHA256
8e511706c04e382e58153c274138e99a298e87e29e12548d39b7f3d3442878b9

SHA512
cf4edd9ee238c1e621501f91a4c3338ec0cb07ca2c2df00aa7c44d3db7c4f3798bc4137c11c15379d0c71fab1c5c61f19be32ba3fc39dc242313d0947461a787

Download Submit
C:\Users\Admin\AppData\Local\Temp\3342028962.exe

Filesize
79KB

MD5
00306e1e4a4230f9dc6b626a68dcbbb0

SHA1
1d71fc3b6a308396c8f03bdc0ee012b44d7782e9

SHA256
8133c11eeec328b9995eec62438ecd87535d540f320beab4642d032661e448b2

SHA512
6899d3bac0cf0b493e0f4e85700a40f6ebc433c8319f746e803a948fe9715f00682adb09f967e9a02e6e4bffa020083d12192e1e375fa82a4a648ba28b3d6af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E791.exe

Filesize
10KB

MD5
21789ebcbfca1eb0c6881e6af6216a81

SHA1
30152ddbe1150a2a612eb7b08e6551830276c8f0

SHA256
c0d12405d2a5cd6064e6e498d6f5f7fd48c72b2d02f171f20f898a4d2832968c

SHA512
cf3296247865130e4e769f09280d5f15237bedf474734f7b383130dfd01c5407a081e3f571152c393845b08d8ed48a0b2d23d11e905783332fb2552d20ad4514

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\avast-av-vps\config.def

Filesize
606B

MD5
de14cd6aa7fc1891bed7728752aaef1f

SHA1
5e1e01eb1b93220044c15ed93a75a898054211c1

SHA256
fad562251862ba72222a4ae2620c7b9df2b1fb3ae0967d84d1ab809a1364a2c7

SHA512
4a5b3a6451987b82468f6a3c73c40182d70898022fd042277229d5fe5f0a3b3338ec43147aaa6c43f11704470b2023636475d8dd9272061bae528969524c5331

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\avast-av-vps\dump_process.exe

Filesize
3.4MB

MD5
328298835ba8f5c18e55cd1829387021

SHA1
59042af2cda92cf4d767a6c03730140232cafeb2

SHA256
8c23e03376c13ace6cac464211b4aeaf3c80906862e328560705244f8a59da86

SHA512
e905266e41257986cc0a086cde18d76a2aa59ac9c111dac4ed7c872646f390232f8de525aa3e2a140bd3f22bda34431fc8e63dd46a005f9bc4957eb1c0bd8107

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\avast-av-vps\icarus_product.dll

Filesize
921KB

MD5
276f0197ea7d6bbeb7a93854a3086646

SHA1
39490faa2f4929239d5dbb6836d2aba81e1fdb93

SHA256
82acc620b2f175066ee5ca79c2da5b3f7bd93d12fbf41746f3dfd36fba7140a4

SHA512
41f1dff12604d19cca8795fbd6fccd5d32017e5894532aa15b79a43e2ce45a9f0992350e015fd728317e3bbcbacc637dcaf2785b5f234312e16a4409de7b5e90

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\avast-av-vps\product-def.xml

Filesize
60KB

MD5
398a5ca99230efa620900f840a3ae231

SHA1
06fa0e52f6a349eb47a52ccfad49982ea3ef9388

SHA256
902bfb97a041d211b9c88c2fe703f8e75da73a2b55adcf49accc5c1b45fc4133

SHA512
a77c459f652c57e0d192ffad93441d22d97b820703edca3482f3a8da8fb3fc0a4608321dd3d58dea51813fdf63bdba678ec71542f536525cfc6159b64d541b35

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\avast-av-vps\product-info.xml

Filesize
5KB

MD5
9830d83c32f9f42f7f2374e210d5b648

SHA1
457f8a0669aa97a433f247ee925ea96406b2bfe7

SHA256
014a9d2a56a35151ce74833a0d62a098ebf9cffdf1ca578476d804f7140f164b

SHA512
da43901abe4ebd45d6907d57ba1cddb22ef5152713077ca7050544102dd3155b25b596d7b094b7ade0150f9238aaa7f0fe7c8fd978a410ef6054f6a9f74a612b

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\avast-av\brandingdata\av\licensing\policy.def

Filesize
2KB

MD5
36b145e83a140adf7d8d83865477ebc0

SHA1
8569d16b78bf72eeaac9ff969dbafc83407a6e13

SHA256
d5e81070a7863d28e74ce85bfd1677dc9158fb091c14e59f858546c711ea3877

SHA512
e8bd62b8de1d8474bc7234e42519155f9c5d6fb6a5e9e258a4c862ed3702654138310f09a25b77a9dd67e2859c57c55fd65a5b313d443657d9220db7584fd9fb

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\avast-av\config.def

Filesize
954B

MD5
2bd8891aed11ab5baa6a2ef6446c4b3b

SHA1
4466706f4a378b782197ad0812326573c0bb120f

SHA256
67b3aea190053a7a84a10645dff43d46b9e7c5645d34b2f7db19ffa8d31a8c04

SHA512
4ef97a126084b038d3d84765b479c778831d2665aeaa864de0e9fcf7cbf59963a84d92bb7c6b5f9983fed63b3697d517b67b3a17073b1ce22ab45670683fb29a

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\avast-av\edition.edat

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\avast-av\icarus_product.dll

Filesize
6.9MB

MD5
f6eb67c4727b55cb07a224ca0e04b365

SHA1
00a9d58261895f4fe4cabe1af744a221640bebb9

SHA256
643523316ad0681bc81383b9431fb126d9e56e245be67081d34c78bc282401fa

SHA512
3e275ef8f2c0625a0646ef90516f14887ad6ca68bd66a3c82fda37b462b74105d0b1645da2ef38ef4b92bac9f7d3bbedcb5cab8fc35c52e57f5e1dc9e06e91e3

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\common\bug_report.exe

Filesize
5.8MB

MD5
f330a8d0e8966159e46e89651012eb12

SHA1
7a90500fa801292de337f2d44aad348796702111

SHA256
cc0fffc4a8b71f916503f86ffb59c176eab8d1856de0f6523fb96a1a17e04871

SHA512
8302edda4d6dd68b0010f68030a200697f40b2a16dba585b51aad63b60f36e7b61464330e667c7e87a2084da88104da7ef37ef12f444a858a92f82b31877deb7

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\common\icarus.exe

Filesize
8.2MB

MD5
2b311462ed571a7318fea1dbcc778fb5

SHA1
b5ec2757657889b0c8e99ff6604051b14bd978a0

SHA256
92b4f97818b53243a1db36cf80922643cdaeb03b18d1caf61dd8500caef4dbad

SHA512
9d59e526ae783ab3dcf6d2c8e352f8169d6299d849432b169c079633bb75b96dd7388e0673cb75f6a536e6fc0c5e7f8ebae0f33f96b2f91b2899a702c18a8592

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\common\icarus_mod.dll

Filesize
15KB

MD5
1604f43bef5ef6b780f1489da0f753db

SHA1
db1d946418da351e0591e063aee4681852465b19

SHA256
686afc95a5d1bd5522aa62d81b8416556d7b01ff7c314b9668ca8137bf751bf8

SHA512
9477bf90462e9267b528442ed65070eb7a4d36a859c046369f5596af3457b6c15d09ee038b2980be03536f1cb629610935fca0c10fb33f26bfa1d7d21777bc50

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\common\icarus_ui.exe

Filesize
11.9MB

MD5
fce88a5f912d540d54fe54954ebba0b4

SHA1
659eba4723451f22e444ea437249a357a6243358

SHA256
e2025f4b929d564c886e1c295a748785ba017f4f6635525ccbb892a8e4694750

SHA512
4c5f6b29286f273107133e4a31193640dd478c3961150962c111d3cd2d8d2d96fe41e90c178deb782c3d033a01e2c9ff0a6eee3fd67c7db30f171c3fd42d7d48

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\common\product-def.xml

Filesize
1.3MB

MD5
701a4924eb0b1f658be8c0c0f97a2b4c

SHA1
da0054b7848267b8aae230e041af599db536d800

SHA256
6b8ae13f658a1980dc370a3158f30ba30bbc8d599e542da72bb76b6d296c2bbf

SHA512
0afa1a4f095922f8c96eb73ddd575c19e9755dbf6351ccfe4bf2fdc218d10b5093a39ad89b1e4f32ca27677d1b88590b2052b508ebe46c242fedaec20f05beea

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\common\product-info.xml

Filesize
11KB

MD5
5608d3606d4fe05bcb22b992983154a7

SHA1
4ae52cb9e2a17bb3ae15e5cae7ef6f28bf8d545a

SHA256
966125b4619789d64eb7b17cc87f3eb9318ca6e589bba5e31dc26c27981f35e2

SHA512
d74f575243a059e2a0d4da295b7fb09e53c4e6223a89106233d7c5093953847e961d16204e19d5bd99fdf30155ced6dfd6f076fc315329c3b87094b16addcad0

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\common\setupui.cont

Filesize
539KB

MD5
4a2a48dc2f4f0da3d1d80b741bc572bc

SHA1
9870d30674165931645503ed8c9181b4e49b2195

SHA256
eb0f3e913f9ca44593cd614e8abf0d3fadc5cdd05f37aa7d00e4a0a976269e80

SHA512
dc53291d11e3f5b44052d0a198e8d60dbc2e2023670b778b0d493184da43af7ad88ae1efb72e6c0a346550d98ab79d87ad6db1ec4b0be6ff18ce20a86b841051

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\gpid.edat

Filesize
7B

MD5
585c03383897322264239eed29ffb5cf

SHA1
949cbae2ebbfbdb315c4eecff6be0ac8bd83b88f

SHA256
98b48cc449adda0174b82b5bc4ac9179cb8fff98add04dcc14d0422d5b3908c7

SHA512
d23ab0becc53c5ce98a45afff600ce178339eac91889b3867baeaea424c7044a80218ea1752f1195d2c397f06e910a5c68ac1e465263598433f03524ba676568

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\gpud.edat

Filesize
6B

MD5
252842cfac83631f3184d7c071b2c26d

SHA1
d27b6cb5675c99421885a51676be9658de336b46

SHA256
3f42931cd0bbebbe3198dd8b8c11305c50a63f9575254c9d44aacc918eb7ae09

SHA512
b641dc789d6ab8d9c80d11cfce7a639f74641366647a565b29167ceeef055f7df4561bae6b6065e084cc12f3b0618f654f833bf9957d7ab49c15d176551bd6f6

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\icarus-info.xml

Filesize
2KB

MD5
0a5e8986cbc8025be66aeef5aa2e67dc

SHA1
5baf2e70038ad78822b2dea994f7380468ec645c

SHA256
fb0a80ff92e1853a66c6842d13e9ca7c2cefcfaa3e8b40d60cc774c7fa1c5721

SHA512
3f123ad9ac5c07e10871d7990001ec2ba2ebe000633cbd2838cddd04b1360c83f24feb3a210641cbcb15870a66c65e048ae75afcc88162001c5ee2db6f31f997

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\package.edat

Filesize
2B

MD5
aac1259dfa2c6c5ead508f34e52bb990

SHA1
8ccb8a3f7ac5bd9c4f1ab74cb453f7f32903fb1b

SHA256
27a26bca625b223971909dd88fc93faeb050dc5b34d91c0871661740dcfb9d18

SHA512
2a404c9768dc86190bcc7c98645afa7b6f74488371b974d14da48d7379b2cfae6c8c5bc878ed17d0f9f4c4e62138bfe416cf9a1be31eab07e062c0f5f55ef811

Download Submit
C:\Windows\Temp\asw-38c2e5d6-03fe-4ca0-bac7-95a8294d934e\skup.edat

Filesize
8B

MD5
e3d5dd4fa9db9ef78ce048492c97739c

SHA1
e974733d553cf23430023f4b7b770dc7c17378ec

SHA256
21e21939386de29943d6a7128d10c9bb4cbab8ca949698394c6d583912e74e4a

SHA512
678a9776934cecc34ce353bcaf624d5800200e76d01005172ac816d217d9172f8dc590a2f3e6e117144ee56c4746b2d57103d72bfdd19e4b48400f611675a170

Download Submit
C:\Windows\Temp\asw.f876fce89f08783e\avast_free_antivirus_online_setup.exe

Filesize
1.6MB

MD5
fbd02cac3275cf3561873272e35d5188

SHA1
adaba99b9f75b4ead8ef80a27a06cb6377cd39e5

SHA256
a4b8927b591720cc61c9135b7cfbfebf302560793fcc6ba6f9be2f633a95a871

SHA512
0454d8ba7fb29691da3230ff7b15af27268fb081bdea60f6fc373d8df8499d04188e712638d5f8e28004692fffcd338d35646eb800a630b8a910d1b7fba55c9b

Download Submit