File name: avg_tuneup_online_setup.exe

Full analysis: https://app.any.run/tasks/cf4704c4-02dd-49e3-a6e1-e5b30f16ad81
Verdict: Malicious activity
Analysis date: November 06, 2023, 14:33:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: BC164BD9F8E381FC74112B3C5FCABE17
SHA1: 8857A252964EC5A1E67644A7127FA8A3AAB470BD
SHA256: B1D3A6F89D9BF1694148AA84ECCE4904F6EF8247963CA3FCB58D043B56C8F3D8
SSDEEP: 49152:ljhWnDfYCqVT3y/0N1prjCmNXrF6ETisbaNJ0FOzohYX2DISkzNvCkt:lEfYCGT3y/0NH5N7FfFbaNJ0FECIS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • icarus.exe (PID: 3528)
      • avg_tuneup_online_setup.exe (PID: 3504)
      • icarus.exe (PID: 3724)
    • Creates a writable file in the system directory
      • icarus.exe (PID: 3724)
  • SUSPICIOUS
    • Reads settings of System Certificates
      • avg_tuneup_online_setup.exe (PID: 3504)
    • Starts itself from another location
      • icarus.exe (PID: 3528)
    • Process drops legitimate Windows executable
      • icarus.exe (PID: 3724)
    • The process creates files with names similar to system file names
      • icarus.exe (PID: 3724)
    • The process drops C-runtime libraries
      • icarus.exe (PID: 3724)
    • The process verifies whether antivirus software is installed
      • icarus.exe (PID: 3724)
  • INFO
    • Reads the machine GUID from the registry
      • avg_tuneup_online_setup.exe (PID: 3504)
      • wmpnscfg.exe (PID: 3576)
      • icarus.exe (PID: 3528)
      • icarus.exe (PID: 3724)
      • icarus_ui.exe (PID: 3756)
    • Checks supported languages
      • avg_tuneup_online_setup.exe (PID: 3504)
      • wmpnscfg.exe (PID: 3576)
      • icarus.exe (PID: 3528)
      • icarus.exe (PID: 3724)
      • icarus_ui.exe (PID: 3756)
    • Reads the computer name
      • avg_tuneup_online_setup.exe (PID: 3504)
      • wmpnscfg.exe (PID: 3576)
      • icarus.exe (PID: 3528)
      • icarus_ui.exe (PID: 3756)
      • icarus.exe (PID: 3724)
    • Creates files in the program directory
      • avg_tuneup_online_setup.exe (PID: 3504)
      • icarus_ui.exe (PID: 3756)
      • icarus.exe (PID: 3528)
      • icarus.exe (PID: 3724)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 3576)
    • Reads CPU info
      • icarus.exe (PID: 3724)
      • icarus.exe (PID: 3528)
      • icarus_ui.exe (PID: 3756)
    • Creates files in a temporary directory
      • icarus.exe (PID: 3724)
      • icarus.exe (PID: 3528)
    • Dropped object may contain TOR URLs
      • icarus.exe (PID: 3724)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:20 09:41:05+02:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.36
CodeSize: 917504
InitializedDataSize: 485888
UninitializedDataSize: -
EntryPoint: 0x4e070
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 23.7.6305.0
ProductVersionNumber: 23.3.15198.8344
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: AVG Technologies
FileDescription: AVG Self-Extract Package
FileVersion: 23.7.6305.0
InternalName: icarus_sfx
LegalCopyright: Copyright © 2023 AVG Technologies
MainProductId: avg-tu
OriginalFileName: icarus_sfx.exe
ProductId: avg-icarus
ProductName: AVG Installer
ProductVersion: 23.3.15198.8344
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start -> avg_tuneup_online_setup.exe -> wmpnscfg.exe (no specs), icarus.exe, icarus_ui.exe (no specs), icarus.exe, avg_tuneup_online_setup.exe (no specs)

Process information

PID: 3428
CMD: "C:\Users\admin\AppData\Local\Temp\avg_tuneup_online_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\avg_tuneup_online_setup.exe
Parent process: explorer.exe
User: admin
Company: AVG Technologies
Integrity Level: MEDIUM
Description: AVG Self-Extract Package
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 23.7.6305.0
Modules (images):
  c:\users\admin\appdata\local\temp\avg_tuneup_online_setup.exe
  c:\windows\system32\ntdll.dll
PID: 3504
CMD: "C:\Users\admin\AppData\Local\Temp\avg_tuneup_online_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\avg_tuneup_online_setup.exe
Parent process: explorer.exe
User: admin
Company: AVG Technologies
Integrity Level: HIGH
Description: AVG Self-Extract Package
Exit code: 0
Version: 23.7.6305.0
Modules (images):
  c:\users\admin\appdata\local\temp\avg_tuneup_online_setup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
PID: 3528
CMD: C:\Windows\Temp\asw-24a24b4e-fbe7-4a65-818e-a34a7f8db33e\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-24a24b4e-fbe7-4a65-818e-a34a7f8db33e\icarus-info.xml /install /sssid:3504
Path: C:\Windows\Temp\asw-24a24b4e-fbe7-4a65-818e-a34a7f8db33e\common\icarus.exe
Parent process: avg_tuneup_online_setup.exe
User: admin
Company: AVG Technologies
Integrity Level: HIGH
Description: AVG Installer
Exit code: 0
Version: 23.7.6305.0
Modules (images):
  c:\windows\temp\asw-24a24b4e-fbe7-4a65-818e-a34a7f8db33e\common\icarus.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\winhttp.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\webio.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\shlwapi.dll
PID: 3576
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\windows media player\wmpnscfg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\sspicli.dll
  c:\windows\system32\ole32.dll
PID: 3724
CMD: C:\Windows\Temp\asw-24a24b4e-fbe7-4a65-818e-a34a7f8db33e\avg-tu\icarus.exe /sssid:3504 /er_master:master_ep_8390e4cd-e4db-41d4-bea0-42c522672816 /er_ui:ui_ep_30920f92-ff02-4da3-8d71-4ff4fb1bbf3a /er_slave:avg-tu_slave_ep_39e330f3-8277-428f-8894-0fb2109e206d /slave:avg-tu
Path: C:\Windows\Temp\asw-24a24b4e-fbe7-4a65-818e-a34a7f8db33e\avg-tu\icarus.exe
Parent process: icarus.exe
User: admin
Company: AVG Technologies
Integrity Level: HIGH
Description: AVG Installer
Exit code: 0
Version: 23.7.6305.0
Modules (images):
  c:\windows\temp\asw-24a24b4e-fbe7-4a65-818e-a34a7f8db33e\avg-tu\icarus.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\winhttp.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\webio.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\shlwapi.dll
PID: 3756
CMD: C:\Windows\Temp\asw-24a24b4e-fbe7-4a65-818e-a34a7f8db33e\common\icarus_ui.exe /sssid:3504 /er_master:master_ep_8390e4cd-e4db-41d4-bea0-42c522672816 /er_ui:ui_ep_30920f92-ff02-4da3-8d71-4ff4fb1bbf3a
Path: C:\Windows\Temp\asw-24a24b4e-fbe7-4a65-818e-a34a7f8db33e\common\icarus_ui.exe
Parent process: icarus.exe
User: admin
Company: AVG Technologies
Integrity Level: HIGH
Description: AVG UI
Exit code: 0
Version: 23.7.6305.0
Modules (images):
  c:\windows\temp\asw-24a24b4e-fbe7-4a65-818e-a34a7f8db33e\common\icarus_ui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\userenv.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\profapi.dll
  c:\windows\system32\wtsapi32.dll
  c:\windows\system32\shell32.dll
Total events: 3,985
Read events: 3,965
Write events: 17
Delete events: 3

Modification events

(PID) Process: (3504) avg_tuneup_online_setup.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3576) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{90D713E4-8FBB-4433-A838-EC00DF3EF1F2}\{05DCF10E-8BCB-419B-8EF0-F8AFEDEB8911}
Operation: delete key
Name: (default)
Value: (none)

(PID) Process: (3576) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{90D713E4-8FBB-4433-A838-EC00DF3EF1F2}
Operation: delete key
Name: (default)
Value: (none)

(PID) Process: (3576) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{60BAD3A4-18E3-4F55-BE83-12D9DF2F157A}
Operation: delete key
Name: (default)
Value: (none)

(PID) Process: (3724) icarus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\1D0EC6DE-4A80-4CC3-A335-E6E41C951198
Operation: write
Name: 144807F0-DE37-4C62-9C05-EB4CC64A7A2F
Value: 12927a33-4426-43b8-aef4-5afbb5afc126

(PID) Process: (3724) icarus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F
Operation: write
Name: 56C7A9DA-4B11-406A-8B1A-EFF157C294D6
Value: 12927a33-4426-43b8-aef4-5afbb5afc126

(PID) Process: (3724) icarus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\1D0EC6DE-4A80-4CC3-A335-E6E41C951198
Operation: write
Name: 5FD38555-4B16-40AE-9A09-E2C969CB74AF
Value: 138F65F3DE11A9670C8CF1AB7F8C2DEC

(PID) Process: (3724) icarus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F
Operation: write
Name: 7CCD586D-2ABC-42FF-A23B-3731F4F183D9
Value: 138F65F3DE11A9670C8CF1AB7F8C2DEC

(PID) Process: (3724) icarus.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation: write
Name: BootExecute
Value: autocheck autochk * (the Windows default value for this entry)
Executable files: 102
Suspicious files: 129
Text files: 55
Unknown types: 0

Dropped files

PID 3504 avg_tuneup_online_setup.exe
  C:\Windows\Temp\asw-24a24b4e-fbe7-4a65-818e-a34a7f8db33e\common\product-info.xml (type: xml)
  MD5: F4E747C3C570C2F2B505023AE7E83400
  SHA256: 6E3DE9DC40FC3D5EBB909712BF61753D90ACCC1C1FF25057F1BCCC71FC58A36B

PID 3504 avg_tuneup_online_setup.exe
  C:\Windows\Temp\asw-24a24b4e-fbe7-4a65-818e-a34a7f8db33e\common\5eac38bb-970e-46e2-bc62-0065d8a00ee2 (type: binary)
  MD5: 756ADEADCE97C753037B6ED5F7F9AADD
  SHA256: F7501070E9F867C9FE00CF852653FD520A37F4F80965313751774A4B2B788494

PID 3504 avg_tuneup_online_setup.exe
  C:\Windows\Temp\asw-24a24b4e-fbe7-4a65-818e-a34a7f8db33e\common\icarus.exe (type: executable)
  MD5: 7150D43D236409877A0CB2E5C0965428
  SHA256: A1FB1BF840D417E6BAEAF525CE6F4C4C6ED5E6C669D7F5F35F5832C88C0FF431

PID 3504 avg_tuneup_online_setup.exe
  C:\Windows\Temp\asw-24a24b4e-fbe7-4a65-818e-a34a7f8db33e\common\0d26bb67-a942-488a-97a6-e4049c9d6654 (type: binary)
  MD5: A8FC819D883075896A8F4D9E62E5850F
  SHA256: E0C612E0E76085A6865A6BCDE153944C1A41383006D8B782592E55C1597ABD7B

PID 3528 icarus.exe
  C:\ProgramData\AVG\Icarus\Logs\report.log
  MD5: (not recorded)
  SHA256: (not recorded)

PID 3504 avg_tuneup_online_setup.exe
  C:\Windows\Temp\asw-24a24b4e-fbe7-4a65-818e-a34a7f8db33e\common\dump_process.exe (type: executable)
  MD5: 4FF7C4B4DE78FA1E124F7B66050DE88B
  SHA256: 56E141BF1B0B391407FACDE06F52FF0D4C1CD80A803C4FCB5CB6B9CCB48C2985

PID 3504 avg_tuneup_online_setup.exe
  C:\Windows\Temp\asw-24a24b4e-fbe7-4a65-818e-a34a7f8db33e\common\icarus_ui.exe (type: executable)
  MD5: D0AB6C3CADE5D2E3864DF63DF5EFEF0D
  SHA256: 385F5DFB811CF2D91535B666A91682E0F6ED9115D730D541E5FA192074E46663

PID 3504 avg_tuneup_online_setup.exe
  C:\Windows\Temp\asw-24a24b4e-fbe7-4a65-818e-a34a7f8db33e\common\7072cc76-50fa-4df0-8264-0ad2e95b0999 (type: binary)
  MD5: 05062FBF79AE0510033E9A6532451890
  SHA256: BC94701617CFE950ACF49C09B8CAA9F239403B148689DFFC2AE99059C7ED79F4

PID 3504 avg_tuneup_online_setup.exe
  C:\Windows\Temp\asw-24a24b4e-fbe7-4a65-818e-a34a7f8db33e\common\1739e2d9-b53b-4dc2-b7c3-4f564ef9e65d (type: binary)
  MD5: C4C6AC7D50303726DA416CBFE4E26448
  SHA256: E35285C9B583098CA4172AE03D9E3778562515D57EDF7D596DFDE2A858172E14

PID 3504 avg_tuneup_online_setup.exe
  C:\Windows\Temp\asw-24a24b4e-fbe7-4a65-818e-a34a7f8db33e\common\bug_report.exe (type: executable)
  MD5: 45DCB7F4548F14A67FC7679A434E7E85
  SHA256: D16D9AF6744EE37520157E8EFD31C93DF319A055E969EA3D357EF8CB11DDD226
HTTP(S) requests: 0
TCP/UDP connections: 24
DNS requests: 30
Threats: 0

HTTP requests

No HTTP requests

Connections

PID  | Process                     | IP                   | Domain                | ASN                   | CN | Reputation
3504 | avg_tuneup_online_setup.exe | 34.117.223.223:443   | analytics.avcdn.net   | GOOGLE-CLOUD-PLATFORM | US | unknown
4    | System                      | 192.168.100.255:137  | -                     | -                     | -  | whitelisted
2588 | svchost.exe                 | 239.255.255.250:1900 | -                     | -                     | -  | whitelisted
3504 | avg_tuneup_online_setup.exe | 2.18.161.23:443      | honzik.avcdn.net      | AKAMAI-AS             | DE | unknown
1080 | svchost.exe                 | 224.0.0.252:5355     | -                     | -                     | -  | unknown
4    | System                      | 192.168.100.255:138  | -                     | -                     | -  | whitelisted
3528 | icarus.exe                  | 34.117.223.223:443   | analytics.avcdn.net   | GOOGLE-CLOUD-PLATFORM | US | unknown
3528 | icarus.exe                  | 34.160.176.28:443    | shepherd.ff.avast.com | GOOGLE                | US | unknown
3528 | icarus.exe                  | 2.18.161.23:443      | honzik.avcdn.net      | AKAMAI-AS             | DE | unknown
3724 | icarus.exe                  | 2.18.161.23:443      | honzik.avcdn.net      | AKAMAI-AS             | DE | unknown

DNS requests

Domain                | IP                                                                    | Reputation
analytics.avcdn.net   | 34.117.223.223                                                        | unknown
honzik.avcdn.net      | 2.18.161.23, 2a02:26f0:3100:1a3::240d, 2a02:26f0:3100:1aa::240d       | unknown
shepherd.ff.avast.com | 34.160.176.28                                                         | whitelisted

Threats

No threats detected
No debug info