| File name: | avast_cleanup_online_setup.exe |
| Full analysis: | https://app.any.run/tasks/f5c67e77-4384-4cdd-8c85-038bb689694d |
| Verdict: | Malicious activity |
| Analysis date: | June 20, 2025, 14:11:03 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections |
| MD5: | 7329FDEE92A113974C09A071DAFFB1FC |
| SHA1: | 9C930B418227D71EA80561EECC8A01F57870764D |
| SHA256: | 85F9B4F020A9C0590704DA91F68A43871E07149F5406DC2318C11E2A549E2AEA |
| SSDEEP: | 49152:41bG5fcUazFpkSpBPiU9pG4hWBr0E3cJwmc/dAJnWxKzn9gJp/c:414cH/kYBPd9pG4k+E3cJwmceV |
MALICIOUS
No malicious indicators.SUSPICIOUS
Executable content was dropped or overwritten
- avast_cleanup_online_setup.exe (PID: 1232)
- icarus.exe (PID: 2296)
- icarus.exe (PID: 3672)
Starts itself from another location
- icarus.exe (PID: 2296)
The process creates files with name similar to system file names
- icarus.exe (PID: 3672)
The process verifies whether the antivirus software is installed
- icarus.exe (PID: 3672)
Process drops legitimate windows executable
- icarus.exe (PID: 3672)
The process drops C-runtime libraries
- icarus.exe (PID: 3672)
INFO
The sample compiled with english language support
- avast_cleanup_online_setup.exe (PID: 1232)
- icarus.exe (PID: 2296)
- icarus.exe (PID: 3672)
Reads the computer name
- avast_cleanup_online_setup.exe (PID: 1232)
- icarus.exe (PID: 2296)
- icarus.exe (PID: 3672)
- icarus_ui.exe (PID: 4768)
Checks proxy server information
- avast_cleanup_online_setup.exe (PID: 1232)
- slui.exe (PID: 3644)
Create files in a temporary directory
- avast_cleanup_online_setup.exe (PID: 1232)
Creates files in the program directory
- avast_cleanup_online_setup.exe (PID: 1232)
- icarus.exe (PID: 2296)
- icarus_ui.exe (PID: 4768)
- icarus.exe (PID: 3672)
Checks supported languages
- avast_cleanup_online_setup.exe (PID: 1232)
- icarus_ui.exe (PID: 4768)
- icarus.exe (PID: 2296)
- icarus.exe (PID: 3672)
Reads the machine GUID from the registry
- icarus.exe (PID: 2296)
- avast_cleanup_online_setup.exe (PID: 1232)
- icarus_ui.exe (PID: 4768)
- icarus.exe (PID: 3672)
Reads the software policy settings
- avast_cleanup_online_setup.exe (PID: 1232)
- slui.exe (PID: 3644)
Reads CPU info
- icarus.exe (PID: 2296)
- icarus.exe (PID: 3672)
- icarus_ui.exe (PID: 4768)
Manual execution by a user
- wscript.exe (PID: 7060)
- wscript.exe (PID: 6756)
- wscript.exe (PID: 2980)
- wscript.exe (PID: 7072)
- wscript.exe (PID: 3668)
- wscript.exe (PID: 3872)
- wscript.exe (PID: 2668)
- wscript.exe (PID: 4088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:03:26 12:07:28+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit, Removable run from swap, Net run from swap |
| PEType: | PE32 |
| LinkerVersion: | 14.38 |
| CodeSize: | 1147392 |
| InitializedDataSize: | 534016 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x66fe0 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 25.3.8935.0 |
| ProductVersionNumber: | 24.4.17598.20292 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Gen Digital Inc. |
| FileDescription: | Avast Self-Extract Package |
| FileVersion: | 25.3.8935.0 |
| InternalName: | icarus_sfx |
| LegalCopyright: | Copyright © 2025 Gen Digital Inc. All rights reserved. |
| MainProductId: | avast-tu |
| OriginalFileName: | icarus_sfx.exe |
| ProductId: | avast-icarus |
| ProductName: | Avast Installer |
| ProductVersion: | 24.4.17598.20292 |
Total processes
146
Monitored processes
14
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1232 | "C:\Users\admin\Desktop\avast_cleanup_online_setup.exe" | C:\Users\admin\Desktop\avast_cleanup_online_setup.exe | explorer.exe | ||||||||||||
User: admin Company: Gen Digital Inc. Integrity Level: HIGH Description: Avast Self-Extract Package Version: 25.3.8935.0 Modules
| |||||||||||||||
| 2076 | "C:\Users\admin\Desktop\avast_cleanup_online_setup.exe" | C:\Users\admin\Desktop\avast_cleanup_online_setup.exe | — | explorer.exe | |||||||||||
User: admin Company: Gen Digital Inc. Integrity Level: MEDIUM Description: Avast Self-Extract Package Exit code: 3221226540 Version: 25.3.8935.0 Modules
| |||||||||||||||
| 2296 | C:\WINDOWS\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\common\icarus.exe /icarus-info-path:C:\WINDOWS\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\icarus-info.xml /install /sssid:1232 | C:\Windows\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\common\icarus.exe | avast_cleanup_online_setup.exe | ||||||||||||
User: admin Company: Gen Digital Inc. Integrity Level: HIGH Description: Avast Installer Version: 25.3.8935.0 Modules
| |||||||||||||||
| 2668 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\s-checkbox.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 2980 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\s-button-forward.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 3644 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3668 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\data-filters.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 3672 | C:\WINDOWS\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\avast-tu\icarus.exe /sssid:1232 /er_master:master_ep_bd1acf80-0ab1-4dcd-9652-c1254b665eef /er_ui:ui_ep_7d47decc-2d06-4678-9951-cc046d0fd211 /er_slave:avast-tu_slave_ep_a9fbfb59-004f-4e2a-9d09-10bb5a78d240 /slave:avast-tu | C:\Windows\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\avast-tu\icarus.exe | icarus.exe | ||||||||||||
User: admin Company: Gen Digital Inc. Integrity Level: HIGH Description: Avast Installer Version: 25.3.8935.0 Modules
| |||||||||||||||
| 3872 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\s-desc.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 4088 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\s-button-back.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
Total events
9 562
Read events
9 552
Write events
9
Delete events
1
Modification events
| (PID) Process: | (1232) avast_cleanup_online_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\1D0EC6DE-4A80-4CC3-A335-E6E41C951198 |
| Operation: | write | Name: | 5FD38555-4B16-40AE-9A09-E2C969CB74AF |
Value: F6D4F52220BB5A3D7246A004278BB23F | |||
| (PID) Process: | (1232) avast_cleanup_online_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F |
| Operation: | write | Name: | 7CCD586D-2ABC-42FF-A23B-3731F4F183D9 |
Value: F6D4F52220BB5A3D7246A004278BB23F | |||
| (PID) Process: | (1232) avast_cleanup_online_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\1D0EC6DE-4A80-4CC3-A335-E6E41C951198 |
| Operation: | write | Name: | 8C5CFDF4-AB05-4EB0-8EF6-7B4620DC2CF3 |
Value: AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAwmxgkjVFzUyc7MrHDodfoQQAAAACAAAAAAAQZgAAAAEAACAAAABSPmTbWTYGCtzinahA1XRVyIuwmRG7sPm/Fas8IV16CgAAAAAOgAAAAAIAACAAAACXSTLOujV0/MnDFHnDFQAfD62ZxDSeY6opAWfPVtRYKVAAAACr/KZZfdc+NC80cJw3LcirTyZnvBNBc/LhzzIseMyDs0Fnu+TOnrIopM6GW9sxEQbqoqyQTYMxJF9KgoQ6WSnjjJgadQp8Iaec4xlpG/9z9kAAAACZMiFyvvNq1ZFiJTcyctejNuqNotQun91GtQ4Crw0As3u0HrLstw+6aDXiGWH3uRiFNfPRqHPv88mOp29ZXVZY | |||
| (PID) Process: | (1232) avast_cleanup_online_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F |
| Operation: | write | Name: | 5E1D6A55-0134-486E-A166-38C2E4919BB1 |
Value: AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAwmxgkjVFzUyc7MrHDodfoQQAAAACAAAAAAAQZgAAAAEAACAAAABSPmTbWTYGCtzinahA1XRVyIuwmRG7sPm/Fas8IV16CgAAAAAOgAAAAAIAACAAAACXSTLOujV0/MnDFHnDFQAfD62ZxDSeY6opAWfPVtRYKVAAAACr/KZZfdc+NC80cJw3LcirTyZnvBNBc/LhzzIseMyDs0Fnu+TOnrIopM6GW9sxEQbqoqyQTYMxJF9KgoQ6WSnjjJgadQp8Iaec4xlpG/9z9kAAAACZMiFyvvNq1ZFiJTcyctejNuqNotQun91GtQ4Crw0As3u0HrLstw+6aDXiGWH3uRiFNfPRqHPv88mOp29ZXVZY | |||
| (PID) Process: | (1232) avast_cleanup_online_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\1D0EC6DE-4A80-4CC3-A335-E6E41C951198 |
| Operation: | write | Name: | 144807F0-DE37-4C62-9C05-EB4CC64A7A2F |
Value: d93a66b9-19c7-49ff-a343-4748e4c9bed3 | |||
| (PID) Process: | (1232) avast_cleanup_online_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F |
| Operation: | write | Name: | 56C7A9DA-4B11-406A-8B1A-EFF157C294D6 |
Value: d93a66b9-19c7-49ff-a343-4748e4c9bed3 | |||
| (PID) Process: | (2296) icarus.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\1D0EC6DE-4A80-4CC3-A335-E6E41C951198 |
| Operation: | write | Name: | 144807F0-DE37-4C62-9C05-EB4CC64A7A2F |
Value: d93a66b9-19c7-49ff-a343-4748e4c9bed3 | |||
| (PID) Process: | (2296) icarus.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\1D0EC6DE-4A80-4CC3-A335-E6E41C951198 |
| Operation: | write | Name: | 5FD38555-4B16-40AE-9A09-E2C969CB74AF |
Value: F6D4F52220BB5A3D7246A004278BB23F | |||
| (PID) Process: | (3672) icarus.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\Software\Avast Software\Icarus |
| Operation: | write | Name: | DataFolder |
Value: C:\ProgramData\Avast Software\Icarus | |||
| (PID) Process: | (3672) icarus.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\Software\Avast Software\Icarus |
| Operation: | delete value | Name: | UninstallToken |
Value: | |||
Executable files
71
Suspicious files
12
Text files
35
Unknown types
60
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1232 | avast_cleanup_online_setup.exe | C:\Windows\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\common\icarus_ui.exe | executable | |
MD5:FCE88A5F912D540D54FE54954EBBA0B4 | SHA256:E2025F4B929D564C886E1C295A748785BA017F4F6635525CCBB892A8E4694750 | |||
| 1232 | avast_cleanup_online_setup.exe | C:\Windows\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\common\79d69e2d-02a7-4902-9d7d-0f55c3eea1c5 | compressed | |
MD5:2853234177CAF8A6AE16C01D67A52CDC | SHA256:00C2DFA07537B9D3B33BBD29A2B716E59252B447451DCED160FE9374D74BA3BE | |||
| 1232 | avast_cleanup_online_setup.exe | C:\ProgramData\Avast Software\Icarus\Logs\sfx.log | text | |
MD5:ECAA88F7FA0BF610A5A26CF545DCD3AA | SHA256:F1945CD6C19E56B3C1C78943EF5EC18116907A4CA1EFC40A57D48AB1DB7ADFC5 | |||
| 1232 | avast_cleanup_online_setup.exe | C:\Windows\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\common\ca679ef9-a2fc-4ee0-a885-b3a232cb86d5 | compressed | |
MD5:2D34252CC78645E921A188DC41D0AC25 | SHA256:D95C7216444CB70B83E738C191401EE7C27F490908A5EB5D650663628EC86709 | |||
| 1232 | avast_cleanup_online_setup.exe | C:\Windows\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\common\eba2633c-4b9c-4a53-8bb7-e33b68749437 | compressed | |
MD5:BCBC37C639E49C49705C719E1A0F14FB | SHA256:E8DBBB28A3A7AA17F3E5E73948E6234619CF84D3639CA7167A7E638CA75FE865 | |||
| 1232 | avast_cleanup_online_setup.exe | C:\Windows\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\common\product-def.xml | xml | |
MD5:9AF55772F951C9AE2A3450353005DF83 | SHA256:37B5D82A10FF184301555C22D4361DE212F4CBACB3541B15F3705B6A4D58E4B0 | |||
| 1232 | avast_cleanup_online_setup.exe | C:\Windows\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\common\a83aee66-b8ae-4430-be42-642e7d757091 | compressed | |
MD5:16D98A61E4BBCAD905DA86D6FA6277F3 | SHA256:002F7FC387CF06549101A1F0DEF09CA3E7832E1C24CC66B7A56D607AB78982AA | |||
| 1232 | avast_cleanup_online_setup.exe | C:\Windows\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\common\dump_process.exe | executable | |
MD5:328298835BA8F5C18E55CD1829387021 | SHA256:8C23E03376C13ACE6CAC464211B4AEAF3C80906862E328560705244F8A59DA86 | |||
| 2296 | icarus.exe | C:\ProgramData\Avast Software\Icarus\Logs\report.log | — | |
MD5:— | SHA256:— | |||
| 1232 | avast_cleanup_online_setup.exe | C:\Users\admin\AppData\Local\Temp\F07D8C6A-04B6-4025-869C-70A788D7B5C0 | binary | |
MD5:68B8B60821870008636D1F3A953395E9 | SHA256:EE4D3527526E28B081C22384FAD873E9D97A82E5982253DC900F79E23DB438FC | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
168
TCP/UDP connections
42
DNS requests
40
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3844 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.18.161.23:443 | https://honzik.avcdn.net/universe/e202/5f4b/929d/e2025f4b929d564c886e1c295a748785ba017f4f6635525ccbb892a8e4694750.lzma | unknown | compressed | 3.82 Mb | whitelisted |
— | — | GET | 200 | 2.18.161.23:443 | https://honzik.avcdn.net/universe/8c23/e033/76c1/8c23e03376c13ace6cac464211b4aeaf3c80906862e328560705244f8a59da86.lzma | unknown | compressed | 964 Kb | whitelisted |
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.18.161.23:443 | https://honzik.avcdn.net/universe/37b5/d82a/10ff/37b5d82a10ff184301555c22d4361de212f4cbacb3541b15f3705b6a4d58e4b0.lzma | unknown | compressed | 47.0 Kb | whitelisted |
— | — | GET | 200 | 2.18.161.23:443 | https://honzik.avcdn.net/universe/cc0f/ffc4/a8b7/cc0fffc4a8b71f916503f86ffb59c176eab8d1856de0f6523fb96a1a17e04871.lzma | unknown | compressed | 1.79 Mb | whitelisted |
— | — | POST | 200 | 34.117.223.223:443 | https://analytics.avcdn.net/v4/receive/json/25 | unknown | binary | 19 b | whitelisted |
— | — | GET | 200 | 2.18.161.23:443 | https://honzik.avcdn.net/universe/2f28/43cc/6dad/2f2843cc6dad8b10b339ea4d46114396e0933c362b71863afd9082e4e90b811b.lzma | unknown | compressed | 327 Kb | whitelisted |
— | — | GET | 200 | 184.25.159.22:443 | https://branding.avast.com/PROD/24.4/1062590/121686/21465816/policy.def | unknown | — | — | — |
— | — | GET | 200 | 184.25.159.22:443 | https://branding.avast.com/PROD/24.4/1062590/121686/21465816/brandcfg.js | unknown | — | — | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3844 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1232 | avast_cleanup_online_setup.exe | 34.117.223.223:443 | analytics.avcdn.net | GOOGLE-CLOUD-PLATFORM | US | whitelisted |
1232 | avast_cleanup_online_setup.exe | 2.18.161.23:443 | honzik.avcdn.net | AKAMAI-AS | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.48.23.161:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 23.48.23.161:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
3844 | RUXIMICS.exe | 23.48.23.161:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
analytics.avcdn.net |
| whitelisted |
honzik.avcdn.net |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
shepherd.avcdn.net |
| whitelisted |
branding.avast.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |