| File name: | avast_cleanup_online_setup.exe |
| Full analysis: | https://app.any.run/tasks/f5c67e77-4384-4cdd-8c85-038bb689694d |
| Verdict: | Malicious activity |
| Analysis date: | June 20, 2025, 14:11:03 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections |
| MD5: | 7329FDEE92A113974C09A071DAFFB1FC |
| SHA1: | 9C930B418227D71EA80561EECC8A01F57870764D |
| SHA256: | 85F9B4F020A9C0590704DA91F68A43871E07149F5406DC2318C11E2A549E2AEA |
| SSDEEP: | 49152:41bG5fcUazFpkSpBPiU9pG4hWBr0E3cJwmc/dAJnWxKzn9gJp/c:414cH/kYBPd9pG4k+E3cJwmceV |
MALICIOUS
No malicious indicators.SUSPICIOUS
Executable content was dropped or overwritten
- avast_cleanup_online_setup.exe (PID: 1232)
- icarus.exe (PID: 2296)
- icarus.exe (PID: 3672)
Starts itself from another location
- icarus.exe (PID: 2296)
The process creates files with name similar to system file names
- icarus.exe (PID: 3672)
The process verifies whether the antivirus software is installed
- icarus.exe (PID: 3672)
Process drops legitimate windows executable
- icarus.exe (PID: 3672)
The process drops C-runtime libraries
- icarus.exe (PID: 3672)
INFO
The sample compiled with english language support
- avast_cleanup_online_setup.exe (PID: 1232)
- icarus.exe (PID: 3672)
- icarus.exe (PID: 2296)
Checks proxy server information
- avast_cleanup_online_setup.exe (PID: 1232)
- slui.exe (PID: 3644)
Reads the machine GUID from the registry
- avast_cleanup_online_setup.exe (PID: 1232)
- icarus_ui.exe (PID: 4768)
- icarus.exe (PID: 2296)
- icarus.exe (PID: 3672)
Create files in a temporary directory
- avast_cleanup_online_setup.exe (PID: 1232)
Creates files in the program directory
- avast_cleanup_online_setup.exe (PID: 1232)
- icarus.exe (PID: 2296)
- icarus_ui.exe (PID: 4768)
- icarus.exe (PID: 3672)
Reads the software policy settings
- avast_cleanup_online_setup.exe (PID: 1232)
- slui.exe (PID: 3644)
Checks supported languages
- avast_cleanup_online_setup.exe (PID: 1232)
- icarus_ui.exe (PID: 4768)
- icarus.exe (PID: 2296)
- icarus.exe (PID: 3672)
Reads the computer name
- avast_cleanup_online_setup.exe (PID: 1232)
- icarus.exe (PID: 2296)
- icarus_ui.exe (PID: 4768)
- icarus.exe (PID: 3672)
Reads CPU info
- icarus.exe (PID: 2296)
- icarus_ui.exe (PID: 4768)
- icarus.exe (PID: 3672)
Manual execution by a user
- wscript.exe (PID: 6756)
- wscript.exe (PID: 7072)
- wscript.exe (PID: 2980)
- wscript.exe (PID: 3668)
- wscript.exe (PID: 7060)
- wscript.exe (PID: 2668)
- wscript.exe (PID: 3872)
- wscript.exe (PID: 4088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:03:26 12:07:28+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit, Removable run from swap, Net run from swap |
| PEType: | PE32 |
| LinkerVersion: | 14.38 |
| CodeSize: | 1147392 |
| InitializedDataSize: | 534016 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x66fe0 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 25.3.8935.0 |
| ProductVersionNumber: | 24.4.17598.20292 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Gen Digital Inc. |
| FileDescription: | Avast Self-Extract Package |
| FileVersion: | 25.3.8935.0 |
| InternalName: | icarus_sfx |
| LegalCopyright: | Copyright © 2025 Gen Digital Inc. All rights reserved. |
| MainProductId: | avast-tu |
| OriginalFileName: | icarus_sfx.exe |
| ProductId: | avast-icarus |
| ProductName: | Avast Installer |
| ProductVersion: | 24.4.17598.20292 |
Total processes
146
Monitored processes
14
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1232 | "C:\Users\admin\Desktop\avast_cleanup_online_setup.exe" | C:\Users\admin\Desktop\avast_cleanup_online_setup.exe | explorer.exe | ||||||||||||
User: admin Company: Gen Digital Inc. Integrity Level: HIGH Description: Avast Self-Extract Package Version: 25.3.8935.0 Modules
| |||||||||||||||
| 2076 | "C:\Users\admin\Desktop\avast_cleanup_online_setup.exe" | C:\Users\admin\Desktop\avast_cleanup_online_setup.exe | — | explorer.exe | |||||||||||
User: admin Company: Gen Digital Inc. Integrity Level: MEDIUM Description: Avast Self-Extract Package Exit code: 3221226540 Version: 25.3.8935.0 Modules
| |||||||||||||||
| 2296 | C:\WINDOWS\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\common\icarus.exe /icarus-info-path:C:\WINDOWS\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\icarus-info.xml /install /sssid:1232 | C:\Windows\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\common\icarus.exe | avast_cleanup_online_setup.exe | ||||||||||||
User: admin Company: Gen Digital Inc. Integrity Level: HIGH Description: Avast Installer Version: 25.3.8935.0 Modules
| |||||||||||||||
| 2668 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\s-checkbox.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 2980 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\s-button-forward.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 3644 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3668 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\data-filters.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 3672 | C:\WINDOWS\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\avast-tu\icarus.exe /sssid:1232 /er_master:master_ep_bd1acf80-0ab1-4dcd-9652-c1254b665eef /er_ui:ui_ep_7d47decc-2d06-4678-9951-cc046d0fd211 /er_slave:avast-tu_slave_ep_a9fbfb59-004f-4e2a-9d09-10bb5a78d240 /slave:avast-tu | C:\Windows\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\avast-tu\icarus.exe | icarus.exe | ||||||||||||
User: admin Company: Gen Digital Inc. Integrity Level: HIGH Description: Avast Installer Version: 25.3.8935.0 Modules
| |||||||||||||||
| 3872 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\s-desc.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 4088 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\s-button-back.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
Total events
9 562
Read events
9 552
Write events
9
Delete events
1
Modification events
| (PID) Process: | (1232) avast_cleanup_online_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\1D0EC6DE-4A80-4CC3-A335-E6E41C951198 |
| Operation: | write | Name: | 5FD38555-4B16-40AE-9A09-E2C969CB74AF |
Value: F6D4F52220BB5A3D7246A004278BB23F | |||
| (PID) Process: | (1232) avast_cleanup_online_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F |
| Operation: | write | Name: | 7CCD586D-2ABC-42FF-A23B-3731F4F183D9 |
Value: F6D4F52220BB5A3D7246A004278BB23F | |||
| (PID) Process: | (1232) avast_cleanup_online_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\1D0EC6DE-4A80-4CC3-A335-E6E41C951198 |
| Operation: | write | Name: | 8C5CFDF4-AB05-4EB0-8EF6-7B4620DC2CF3 |
Value: AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAwmxgkjVFzUyc7MrHDodfoQQAAAACAAAAAAAQZgAAAAEAACAAAABSPmTbWTYGCtzinahA1XRVyIuwmRG7sPm/Fas8IV16CgAAAAAOgAAAAAIAACAAAACXSTLOujV0/MnDFHnDFQAfD62ZxDSeY6opAWfPVtRYKVAAAACr/KZZfdc+NC80cJw3LcirTyZnvBNBc/LhzzIseMyDs0Fnu+TOnrIopM6GW9sxEQbqoqyQTYMxJF9KgoQ6WSnjjJgadQp8Iaec4xlpG/9z9kAAAACZMiFyvvNq1ZFiJTcyctejNuqNotQun91GtQ4Crw0As3u0HrLstw+6aDXiGWH3uRiFNfPRqHPv88mOp29ZXVZY | |||
| (PID) Process: | (1232) avast_cleanup_online_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F |
| Operation: | write | Name: | 5E1D6A55-0134-486E-A166-38C2E4919BB1 |
Value: AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAwmxgkjVFzUyc7MrHDodfoQQAAAACAAAAAAAQZgAAAAEAACAAAABSPmTbWTYGCtzinahA1XRVyIuwmRG7sPm/Fas8IV16CgAAAAAOgAAAAAIAACAAAACXSTLOujV0/MnDFHnDFQAfD62ZxDSeY6opAWfPVtRYKVAAAACr/KZZfdc+NC80cJw3LcirTyZnvBNBc/LhzzIseMyDs0Fnu+TOnrIopM6GW9sxEQbqoqyQTYMxJF9KgoQ6WSnjjJgadQp8Iaec4xlpG/9z9kAAAACZMiFyvvNq1ZFiJTcyctejNuqNotQun91GtQ4Crw0As3u0HrLstw+6aDXiGWH3uRiFNfPRqHPv88mOp29ZXVZY | |||
| (PID) Process: | (1232) avast_cleanup_online_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\1D0EC6DE-4A80-4CC3-A335-E6E41C951198 |
| Operation: | write | Name: | 144807F0-DE37-4C62-9C05-EB4CC64A7A2F |
Value: d93a66b9-19c7-49ff-a343-4748e4c9bed3 | |||
| (PID) Process: | (1232) avast_cleanup_online_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F |
| Operation: | write | Name: | 56C7A9DA-4B11-406A-8B1A-EFF157C294D6 |
Value: d93a66b9-19c7-49ff-a343-4748e4c9bed3 | |||
| (PID) Process: | (2296) icarus.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\1D0EC6DE-4A80-4CC3-A335-E6E41C951198 |
| Operation: | write | Name: | 144807F0-DE37-4C62-9C05-EB4CC64A7A2F |
Value: d93a66b9-19c7-49ff-a343-4748e4c9bed3 | |||
| (PID) Process: | (2296) icarus.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\1D0EC6DE-4A80-4CC3-A335-E6E41C951198 |
| Operation: | write | Name: | 5FD38555-4B16-40AE-9A09-E2C969CB74AF |
Value: F6D4F52220BB5A3D7246A004278BB23F | |||
| (PID) Process: | (3672) icarus.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\Software\Avast Software\Icarus |
| Operation: | write | Name: | DataFolder |
Value: C:\ProgramData\Avast Software\Icarus | |||
| (PID) Process: | (3672) icarus.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\Software\Avast Software\Icarus |
| Operation: | delete value | Name: | UninstallToken |
Value: | |||
Executable files
71
Suspicious files
12
Text files
35
Unknown types
60
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1232 | avast_cleanup_online_setup.exe | C:\Users\admin\AppData\Local\Temp\6358C710-B89F-46B9-93F2-F6CAC44F5286 | binary | |
MD5:F0F62F5DF2F0F42450B5798E8326E468 | SHA256:B5787B38A630AC7FA605D935340F89FE98867975F4A2FF417F56A8BF44D6B5D2 | |||
| 1232 | avast_cleanup_online_setup.exe | C:\Users\admin\AppData\Local\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3 | binary | |
MD5:51CACEA0FBAE8346C20FB94EFEEF8809 | SHA256:5749457FC3E5EE160FE41B6BC0743A890B38FD3F09965828BD19FE269E5BD434 | |||
| 1232 | avast_cleanup_online_setup.exe | C:\Users\admin\AppData\Local\Temp\F07D8C6A-04B6-4025-869C-70A788D7B5C0 | binary | |
MD5:68B8B60821870008636D1F3A953395E9 | SHA256:EE4D3527526E28B081C22384FAD873E9D97A82E5982253DC900F79E23DB438FC | |||
| 1232 | avast_cleanup_online_setup.exe | C:\Windows\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\common\product-def.xml | xml | |
MD5:9AF55772F951C9AE2A3450353005DF83 | SHA256:37B5D82A10FF184301555C22D4361DE212F4CBACB3541B15F3705B6A4D58E4B0 | |||
| 1232 | avast_cleanup_online_setup.exe | C:\Windows\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\common\eba2633c-4b9c-4a53-8bb7-e33b68749437 | compressed | |
MD5:BCBC37C639E49C49705C719E1A0F14FB | SHA256:E8DBBB28A3A7AA17F3E5E73948E6234619CF84D3639CA7167A7E638CA75FE865 | |||
| 1232 | avast_cleanup_online_setup.exe | C:\Windows\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\common\product-info.xml | xml | |
MD5:8A7E308E0ACF01CC1EDEE7B64B9F922B | SHA256:A44B1800325E75172BFFE69AA9BEC6C241DA5A7D29559A52386CA7284F3DC766 | |||
| 1232 | avast_cleanup_online_setup.exe | C:\Windows\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\package.edat | text | |
MD5:B6B4CE6DF035DCFAA26F3BC32FB89E6A | SHA256:764C4C7B78D6FD3B7BF72E531E81B2304FF57DF646D084F9B4BDD51B8E350955 | |||
| 1232 | avast_cleanup_online_setup.exe | C:\Windows\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\common\ca679ef9-a2fc-4ee0-a885-b3a232cb86d5 | compressed | |
MD5:2D34252CC78645E921A188DC41D0AC25 | SHA256:D95C7216444CB70B83E738C191401EE7C27F490908A5EB5D650663628EC86709 | |||
| 2296 | icarus.exe | C:\ProgramData\Avast Software\Icarus\Logs\report.log | — | |
MD5:— | SHA256:— | |||
| 1232 | avast_cleanup_online_setup.exe | C:\Windows\Temp\asw-2505eea3-3502-4aad-9ad5-866333e0a578\common\79d69e2d-02a7-4902-9d7d-0f55c3eea1c5 | compressed | |
MD5:2853234177CAF8A6AE16C01D67A52CDC | SHA256:00C2DFA07537B9D3B33BBD29A2B716E59252B447451DCED160FE9374D74BA3BE | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
168
TCP/UDP connections
42
DNS requests
40
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.161:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 34.117.223.223:443 | https://analytics.avcdn.net/v4/receive/json/25 | unknown | binary | 19 b | whitelisted |
— | — | GET | 200 | 2.18.161.23:443 | https://honzik.avcdn.net/defs/avast-tu/release.xml.lzma | unknown | compressed | 2.63 Kb | whitelisted |
— | — | GET | 200 | 2.18.161.23:443 | https://honzik.avcdn.net/universe/92b4/f978/18b5/92b4f97818b53243a1db36cf80922643cdaeb03b18d1caf61dd8500caef4dbad.lzma | unknown | compressed | 2.43 Mb | whitelisted |
— | — | POST | 200 | 34.117.223.223:443 | https://analytics.avcdn.net/v4/receive/json/25 | unknown | binary | 19 b | whitelisted |
— | — | GET | 200 | 2.18.161.23:443 | https://honzik.avcdn.net/universe/cc0f/ffc4/a8b7/cc0fffc4a8b71f916503f86ffb59c176eab8d1856de0f6523fb96a1a17e04871.lzma | unknown | compressed | 1.79 Mb | whitelisted |
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.18.161.23:443 | https://honzik.avcdn.net/universe/37b5/d82a/10ff/37b5d82a10ff184301555c22d4361de212f4cbacb3541b15f3705b6a4d58e4b0.lzma | unknown | compressed | 47.0 Kb | whitelisted |
— | — | GET | 200 | 2.18.161.23:443 | https://honzik.avcdn.net/universe/2f28/43cc/6dad/2f2843cc6dad8b10b339ea4d46114396e0933c362b71863afd9082e4e90b811b.lzma | unknown | compressed | 327 Kb | whitelisted |
— | — | POST | 200 | 34.117.223.223:443 | https://analytics.avcdn.net/v4/receive/json/25 | unknown | binary | 19 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3844 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1232 | avast_cleanup_online_setup.exe | 34.117.223.223:443 | analytics.avcdn.net | GOOGLE-CLOUD-PLATFORM | US | whitelisted |
1232 | avast_cleanup_online_setup.exe | 2.18.161.23:443 | honzik.avcdn.net | AKAMAI-AS | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.48.23.161:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 23.48.23.161:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
3844 | RUXIMICS.exe | 23.48.23.161:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
analytics.avcdn.net |
| whitelisted |
honzik.avcdn.net |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
shepherd.avcdn.net |
| whitelisted |
branding.avast.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |