File name: avast_cleanup_online_setup.exe
Full analysis: https://app.any.run/tasks/cccae5ee-422f-44c8-9430-3246a67ff242
Verdict: Malicious activity
Analysis date: June 09, 2024, 20:44:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C16610645E37402B49D478EA1015471B
SHA1: E8F47463C587992B44BC73EA9A798DD118109D6F
SHA256: 13CE949A162816C81E54C6E3E4AF2E22BD73706318C2E7E9ADB230DA6CB67668
SSDEEP: 49152:2SYjq9+4pc2UOmL/+BBJ/EHQnwsSXLA1xqKm9XUeVCf2D0u:2SYjXic2U5L/+BBJ/EHQnWbA1xqKmS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • avast_cleanup_online_setup.exe (PID: 6480)
      • icarus.exe (PID: 7020)
      • icarus.exe (PID: 6804)
    • Creates a writable file in the system directory

      • icarus.exe (PID: 7020)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • avast_cleanup_online_setup.exe (PID: 6480)
      • icarus.exe (PID: 6804)
      • icarus.exe (PID: 7020)
    • Starts itself from another location

      • icarus.exe (PID: 6804)
    • The process creates files with name similar to system file names

      • icarus.exe (PID: 7020)
    • Process drops legitimate windows executable

      • icarus.exe (PID: 7020)
    • The process drops C-runtime libraries

      • icarus.exe (PID: 7020)
    • The process verifies whether the antivirus software is installed

      • icarus.exe (PID: 7020)
  • INFO

    • Checks supported languages

      • avast_cleanup_online_setup.exe (PID: 6480)
      • icarus.exe (PID: 6804)
      • icarus_ui.exe (PID: 6852)
      • icarus.exe (PID: 7020)
    • Checks proxy server information

      • avast_cleanup_online_setup.exe (PID: 6480)
    • Create files in a temporary directory

      • avast_cleanup_online_setup.exe (PID: 6480)
      • icarus.exe (PID: 6804)
      • icarus.exe (PID: 7020)
    • Reads the software policy settings

      • avast_cleanup_online_setup.exe (PID: 6480)
    • Creates files in the program directory

      • icarus.exe (PID: 6804)
      • icarus_ui.exe (PID: 6852)
      • icarus.exe (PID: 7020)
      • avast_cleanup_online_setup.exe (PID: 6480)
    • Reads the computer name

      • icarus.exe (PID: 6804)
      • icarus_ui.exe (PID: 6852)
      • icarus.exe (PID: 7020)
      • avast_cleanup_online_setup.exe (PID: 6480)
    • Reads the machine GUID from the registry

      • icarus.exe (PID: 6804)
      • icarus_ui.exe (PID: 6852)
      • avast_cleanup_online_setup.exe (PID: 6480)
      • icarus.exe (PID: 7020)
    • Reads CPU info

      • icarus.exe (PID: 6804)
      • icarus_ui.exe (PID: 6852)
      • icarus.exe (PID: 7020)
    • Dropped object may contain TOR URL's

      • icarus.exe (PID: 7020)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:05 07:08:45+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.38
CodeSize: 1030656
InitializedDataSize: 510976
UninitializedDataSize: -
EntryPoint: 0x52810
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 24.2.7007.0
ProductVersionNumber: 23.4.15807.16040
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Avast Software
FileDescription: Avast Self-Extract Package
FileVersion: 24.2.7007.0
InternalName: icarus_sfx
LegalCopyright: Copyright © 2024 Avast Software
MainProductId: avast-tu
OriginalFileName: icarus_sfx.exe
ProductId: avast-icarus
ProductName: Avast Installer
ProductVersion: 23.4.15807.16040
Total processes: 121
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0


Process information

PID: 6432
CMD: "C:\Users\admin\Desktop\avast_cleanup_online_setup.exe"
Path: C:\Users\admin\Desktop\avast_cleanup_online_setup.exe
Parent process: explorer.exe
User: admin
Company: Avast Software
Integrity Level: MEDIUM
Description: Avast Self-Extract Package
Exit code: 3221226540
Version: 24.2.7007.0
Modules (images):
  • c:\users\admin\desktop\avast_cleanup_online_setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll

PID: 6480
CMD: "C:\Users\admin\Desktop\avast_cleanup_online_setup.exe"
Path: C:\Users\admin\Desktop\avast_cleanup_online_setup.exe
Parent process: explorer.exe
User: admin
Company: Avast Software
Integrity Level: HIGH
Description: Avast Self-Extract Package
Version: 24.2.7007.0
Modules (images):
  • c:\users\admin\desktop\avast_cleanup_online_setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\shell32.dll

PID: 6804
CMD: C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\icarus.exe /icarus-info-path:C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\icarus-info.xml /install /sssid:6480
Path: C:\Windows\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\icarus.exe
Parent process: avast_cleanup_online_setup.exe
User: admin
Company: Avast Software
Integrity Level: HIGH
Description: Avast Installer
Version: 24.2.7007.0
Modules (images):
  • c:\windows\temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\icarus.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\shell32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\winhttp.dll
  • c:\windows\system32\ucrtbase.dll

PID: 6852
CMD: C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\icarus_ui.exe /sssid:6480 /er_master:master_ep_116959b4-3f16-4701-b9ae-c3061bceecfa /er_ui:ui_ep_7c1652ee-bd78-4ccf-aa77-403ab48ef0a2
Path: C:\Windows\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\icarus_ui.exe
Parent process: icarus.exe
User: admin
Company: Avast Software
Integrity Level: HIGH
Description: Avast UI
Version: 24.2.7007.0
Modules (images):
  • c:\windows\temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\icarus_ui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\shell32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\userenv.dll
  • c:\windows\system32\wtsapi32.dll

PID: 7020
CMD: C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\avast-tu\icarus.exe /sssid:6480 /er_master:master_ep_116959b4-3f16-4701-b9ae-c3061bceecfa /er_ui:ui_ep_7c1652ee-bd78-4ccf-aa77-403ab48ef0a2 /er_slave:avast-tu_slave_ep_8814d526-2e98-460c-a316-db64db823c26 /slave:avast-tu
Path: C:\Windows\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\avast-tu\icarus.exe
Parent process: icarus.exe
User: admin
Company: Avast Software
Integrity Level: HIGH
Description: Avast Installer
Version: 24.2.7007.0
Modules (images):
  • c:\windows\temp\asw-91f53179-ad14-4128-a090-2765197baef0\avast-tu\icarus.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\shell32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\winhttp.dll
  • c:\windows\system32\ucrtbase.dll
Total events: 5 359
Read events: 5 334
Write events: 24
Delete events: 1

Modification events

(PID) Process: (6480) avast_cleanup_online_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\1D0EC6DE-4A80-4CC3-A335-E6E41C951198
Operation: write
Name: 5FD38555-4B16-40AE-9A09-E2C969CB74AF
Value: F6D4F52220BB5A3D7246A004278BB23F

(PID) Process: (6480) avast_cleanup_online_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F
Operation: write
Name: 7CCD586D-2ABC-42FF-A23B-3731F4F183D9
Value: F6D4F52220BB5A3D7246A004278BB23F

(PID) Process: (6480) avast_cleanup_online_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\1D0EC6DE-4A80-4CC3-A335-E6E41C951198
Operation: write
Name: 8C5CFDF4-AB05-4EB0-8EF6-7B4620DC2CF3
Value:
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA0N29cCFdeU6bRZGXes+ZTAQAAAACAAAAAAAQZgAAAAEAACAAAADbr9u+dbcCPauZyyavv2uML6INvFKz6Tq5J6gPVMT36AAAAAAOgAAAAAIAACAAAAB8KHs6U4zy4osLgqY0V89EPWERYuK5WajeDmTPagrGU1AAAACpT+0BtWw5lunKGgmDs2qvMJlZQu8R0AP4XooanrpLusKgtvmMelf0q4SsIB3jDUvPbxv00dnsAPNirpCDkiEA3uXnFit7PpIyo/sqy/xjCUAAAADwU5OHhZiE1STTPA0u2Apbv7FxOTGyzFZzMk5tsWvrCW+TRaWai5I5VgfFoNok3dzxiiEHmHcjjxe5FXQX0jxn

(PID) Process: (6480) avast_cleanup_online_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F
Operation: write
Name: 5E1D6A55-0134-486E-A166-38C2E4919BB1
Value:
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA0N29cCFdeU6bRZGXes+ZTAQAAAACAAAAAAAQZgAAAAEAACAAAADbr9u+dbcCPauZyyavv2uML6INvFKz6Tq5J6gPVMT36AAAAAAOgAAAAAIAACAAAAB8KHs6U4zy4osLgqY0V89EPWERYuK5WajeDmTPagrGU1AAAACpT+0BtWw5lunKGgmDs2qvMJlZQu8R0AP4XooanrpLusKgtvmMelf0q4SsIB3jDUvPbxv00dnsAPNirpCDkiEA3uXnFit7PpIyo/sqy/xjCUAAAADwU5OHhZiE1STTPA0u2Apbv7FxOTGyzFZzMk5tsWvrCW+TRaWai5I5VgfFoNok3dzxiiEHmHcjjxe5FXQX0jxn

(PID) Process: (6480) avast_cleanup_online_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\1D0EC6DE-4A80-4CC3-A335-E6E41C951198
Operation: write
Name: 144807F0-DE37-4C62-9C05-EB4CC64A7A2F
Value: 3a75e3d4-bed1-4c75-865b-3b9822451d42

(PID) Process: (6480) avast_cleanup_online_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F
Operation: write
Name: 56C7A9DA-4B11-406A-8B1A-EFF157C294D6
Value: 3a75e3d4-bed1-4c75-865b-3b9822451d42

(PID) Process: (6804) icarus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\1D0EC6DE-4A80-4CC3-A335-E6E41C951198
Operation: write
Name: 144807F0-DE37-4C62-9C05-EB4CC64A7A2F
Value: 3a75e3d4-bed1-4c75-865b-3b9822451d42

(PID) Process: (6804) icarus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F
Operation: write
Name: 56C7A9DA-4B11-406A-8B1A-EFF157C294D6
Value: 3a75e3d4-bed1-4c75-865b-3b9822451d42

(PID) Process: (6804) icarus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\1D0EC6DE-4A80-4CC3-A335-E6E41C951198
Operation: write
Name: 5FD38555-4B16-40AE-9A09-E2C969CB74AF
Value: F6D4F52220BB5A3D7246A004278BB23F

(PID) Process: (6804) icarus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F
Operation: write
Name: 7CCD586D-2ABC-42FF-A23B-3731F4F183D9
Value: F6D4F52220BB5A3D7246A004278BB23F

Executable files: 83
Suspicious files: 71
Text files: 22
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6480 | avast_cleanup_online_setup.exe | C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\product-info.xml | xml
  MD5: FB05DD2DE4199F098883747AAC7C635D
  SHA256: F9EC1BD83E13C5A241FEADFA96526E58BC627E4A19E4DA3C9AD1B3B545B3E33B

6480 | avast_cleanup_online_setup.exe | C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\fecc1d20-7e61-48c2-a50c-ab505c706e7a | binary
  MD5: E98A6FFDC8FCA4D3CF0E3EE8AEF10D67
  SHA256: 8108ADF3E6E394C42E0D419B2072B39EA62C907A32C4E84319399D89AF4C09CC

6480 | avast_cleanup_online_setup.exe | C:\Users\admin\AppData\Local\Temp\F07D8C6A-04B6-4025-869C-70A788D7B5C0 | binary
  MD5: 77077684115532B81AFFCBCED84BEA71
  SHA256: 41F4AD92EBBCF503B6B4029ADCA6AFF653DC07CB9144B05F1C5C3CE67DE5F1FD

6480 | avast_cleanup_online_setup.exe | C:\ProgramData\Avast Software\Icarus\Logs\sfx.log | text
  MD5: ECAA88F7FA0BF610A5A26CF545DCD3AA
  SHA256: F1945CD6C19E56B3C1C78943EF5EC18116907A4CA1EFC40A57D48AB1DB7ADFC5

6480 | avast_cleanup_online_setup.exe | C:\Users\admin\AppData\Local\Temp\6358C710-B89F-46B9-93F2-F6CAC44F5286 | binary
  MD5: 5B80EFF33947ECC8848A6E5E87664232
  SHA256: C354051D1B81105C222AD2BA6261F778FC8737272A5CF214F45BFE2654E6EF7B

6804 | icarus.exe | C:\ProgramData\Avast Software\Icarus\Logs\report.log | -
  MD5: -
  SHA256: -

6480 | avast_cleanup_online_setup.exe | C:\Users\admin\AppData\Local\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3 | binary
  MD5: 51CACEA0FBAE8346C20FB94EFEEF8809
  SHA256: 5749457FC3E5EE160FE41B6BC0743A890B38FD3F09965828BD19FE269E5BD434

6480 | avast_cleanup_online_setup.exe | C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\icarus_ui.exe | executable
  MD5: 59FA7564E52436739CBE6AFDB3D01EB7
  SHA256: AB57748F6C1079E61DE1397CC853BAA1EBC5D6DD6731227AD26D6A073DD523D8

6480 | avast_cleanup_online_setup.exe | C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\a4bf9c9a-7e62-4da0-99cf-72bdb04bb6d2 | binary
  MD5: 02806F3C99B2CAB6D8DEFE7A2745B933
  SHA256: F57F33041244E4DE5AF5ED2F0855622DF7A37C1ED7319A51E6B8B65C1075F845

6480 | avast_cleanup_online_setup.exe | C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\613601df-6616-455d-95ea-81eaca9b977c | compressed
  MD5: 1700DFF55203A55C9DF6CB49744C745C
  SHA256: 6A891D71560E60633478C1076DF0844C40AE3F7E9C9068AF3EF51252EE825260
HTTP(S) requests: 168
TCP/UDP connections: 40
DNS requests: 46
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Size | Reputation
528 | svchost.exe | GET | 200 | 23.216.155.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.216.155.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown
528 | svchost.exe | GET | 200 | 23.37.9.217:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown
4856 | RUXIMICS.exe | GET | 200 | 23.37.9.217:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown
4856 | RUXIMICS.exe | GET | 200 | 23.216.155.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.37.9.217:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown
- | - | GET | 200 | 23.61.132.66:443 | https://honzik.avcdn.net/defs/avast-tu/release.xml.lzma | 1.91 Kb | unknown
- | - | GET | 200 | 23.61.132.66:443 | https://honzik.avcdn.net/universe/473f/b601/61ce/473fb60161ce8aca028dfe95745b614cf32c4b74928d9a17f53f3a34d897ae6f.lzma | 946 Kb | unknown
- | - | GET | 200 | 23.61.132.66:443 | https://honzik.avcdn.net/universe/10d1/0466/b725/10d10466b725991fb3e79cc29f91a603bb1b041f3d7386cfbd6e4c8307981289.lzma | 1.39 Mb | unknown
- | - | GET | 200 | 23.61.132.66:443 | https://honzik.avcdn.net/universe/a1a0/9bad/8632/a1a09bad86329d618e67e323d367b24c244cf693ccbb6214918e229e18c58f99.lzma | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | unknown
528 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4856 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5140 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
528 | svchost.exe | 23.216.155.114:80 | crl.microsoft.com | Akamai International B.V. | IE | unknown
5140 | MoUsoCoreWorker.exe | 23.216.155.114:80 | crl.microsoft.com | Akamai International B.V. | IE | unknown
- | - | 239.255.255.250:1900 | - | - | - | unknown
4856 | RUXIMICS.exe | 23.216.155.114:80 | crl.microsoft.com | Akamai International B.V. | IE | unknown
528 | svchost.exe | 23.37.9.217:80 | www.microsoft.com | AKAMAI-AS | PH | unknown
4856 | RUXIMICS.exe | 23.37.9.217:80 | www.microsoft.com | AKAMAI-AS | PH | unknown

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 23.216.155.114, 23.216.155.66 | unknown
www.microsoft.com | 23.37.9.217 | unknown
analytics.avcdn.net | 34.117.223.223 | unknown
honzik.avcdn.net | 23.61.132.66, 2a02:26f0:3500:f9c::240d, 2a02:26f0:3500:f92::240d | unknown
settings-win.data.microsoft.com | 40.127.240.158 | unknown
shepherd.avcdn.net | 34.160.176.28 | unknown
self.events.data.microsoft.com | 20.189.173.10 | unknown

Threats

PID | Process | Class | Message
The export lists 10 detections; the PID and Process columns are empty for all of them, and every row carries the same class and message:
- | - | A Network Trojan was detected | ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection (10 occurrences)
No debug info