File name: avast_vpn_online_setup.exe

Full analysis: https://app.any.run/tasks/8ee17571-fc1f-4183-af48-c032a20aac05
Verdict: Malicious activity
Analysis date: January 08, 2024, 17:09:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: F0015BD4724E734ADD0161F2D4731CB1
SHA1: EAE7C6B84E069CEA66E584BDFE7F1B63E6902CC3
SHA256: BB3EF47058EF096F522BCD4E7B1F26CF4BE6DAC5C5B83D7EB2784C6AD8643665
SSDEEP: 49152:2GExgdT9v5E9I1jiqvFupkcf0RMEybHZYyMik:5Exgrv5yI1jiqvFursRMEybu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates a writable file in the system directory

      • icarus.exe (PID: 2340)
  • SUSPICIOUS

    • Reads settings of System Certificates

      • avast_vpn_online_setup.exe (PID: 2420)
    • The process verifies whether the antivirus software is installed

      • icarus.exe (PID: 2340)
  • INFO

    • Checks supported languages

      • avast_vpn_online_setup.exe (PID: 2420)
      • icarus_ui.exe (PID: 1236)
      • icarus.exe (PID: 1864)
      • icarus.exe (PID: 2340)
    • Reads the computer name

      • icarus.exe (PID: 1864)
      • avast_vpn_online_setup.exe (PID: 2420)
      • icarus_ui.exe (PID: 1236)
      • icarus.exe (PID: 2340)
    • Reads CPU info

      • icarus_ui.exe (PID: 1236)
      • icarus.exe (PID: 1864)
      • icarus.exe (PID: 2340)
    • Reads the machine GUID from the registry

      • icarus.exe (PID: 1864)
      • avast_vpn_online_setup.exe (PID: 2420)
      • icarus_ui.exe (PID: 1236)
      • icarus.exe (PID: 2340)
    • Drops the executable file immediately after the start

      • icarus.exe (PID: 1864)
      • avast_vpn_online_setup.exe (PID: 2420)
      • icarus.exe (PID: 2340)
    • Creates files in the program directory

      • avast_vpn_online_setup.exe (PID: 2420)
      • icarus_ui.exe (PID: 1236)
      • icarus.exe (PID: 1864)
      • icarus.exe (PID: 2340)
    • Starts itself from another location

      • icarus.exe (PID: 1864)
    • Dropped object may contain TOR URL's

      • icarus.exe (PID: 2340)
    • Process drops legitimate windows executable

      • icarus.exe (PID: 2340)
    • The process drops C-runtime libraries

      • icarus.exe (PID: 2340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:12:02 11:00:51+01:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.29
CodeSize: 809472
InitializedDataSize: 344576
UninitializedDataSize: -
EntryPoint: 0x286d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 21.8.3960.0
ProductVersionNumber: 5.15.5913.3604
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Avast Software
FileDescription: Avast Self-Extract Package
FileVersion: 21.8.3960.0
InternalName: icarus_sfx
LegalCopyright: © 2021 Avast Software
OriginalFileName: icarus_sfx.exe
ProductId: avast-icarus
ProductName: Avast Installer
ProductVersion: 5.15.5913.3604
Vpnincluded: 5.15.5913.3604
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph


Process information

PID: 128
CMD: "C:\Users\admin\AppData\Local\Temp\avast_vpn_online_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\avast_vpn_online_setup.exe
Parent process: explorer.exe
User: admin
Company: Avast Software
Integrity Level: MEDIUM
Description: Avast Self-Extract Package
Exit code: 3221226540
Version: 21.8.3960.0
Modules (images):
c:\users\admin\appdata\local\temp\avast_vpn_online_setup.exe
c:\windows\system32\ntdll.dll

PID: 1236
CMD: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus_ui.exe /sssid:2420 /er_master:master_ep_673bc5d8-f6af-43e0-92bd-c8d46aba0f4f /er_ui:ui_ep_6c3d3c15-ade7-44a3-b08f-4a5914565895
Path: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus_ui.exe
Parent process: icarus.exe
User: admin
Company: Avast Software
Integrity Level: HIGH
Description: Avast UI
Exit code: 0
Version: 23.2.5620.0
Modules (images):
c:\windows\temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus_ui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\userenv.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shell32.dll

PID: 1864
CMD: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\icarus-info.xml /install /sssid:2420
Path: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus.exe
Parent process: avast_vpn_online_setup.exe
User: admin
Company: Avast Software
Integrity Level: HIGH
Description: Avast Installer
Exit code: 0
Version: 23.2.5620.0
Modules (images):
c:\windows\temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\user32.dll

PID: 2340
CMD: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\avast-vpn\icarus.exe /sssid:2420 /er_master:master_ep_673bc5d8-f6af-43e0-92bd-c8d46aba0f4f /er_ui:ui_ep_6c3d3c15-ade7-44a3-b08f-4a5914565895 /er_slave:avast-vpn_slave_ep_a7402707-9a62-47fd-8f4c-df58fc2afd63 /slave:avast-vpn
Path: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\avast-vpn\icarus.exe
Parent process: icarus.exe
User: admin
Company: Avast Software
Integrity Level: HIGH
Description: Avast Installer
Exit code: 0
Version: 23.2.5620.0
Modules (images):
c:\windows\temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\avast-vpn\icarus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\user32.dll

PID: 2420
CMD: "C:\Users\admin\AppData\Local\Temp\avast_vpn_online_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\avast_vpn_online_setup.exe
Parent process: explorer.exe
User: admin
Company: Avast Software
Integrity Level: HIGH
Description: Avast Self-Extract Package
Exit code: 0
Version: 21.8.3960.0
Modules (images):
c:\users\admin\appdata\local\temp\avast_vpn_online_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 4 055
Read events: 4 040
Write events: 15
Delete events: 0

Modification events

(PID) Process: (2420) avast_vpn_online_setup.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2340) icarus.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation: write
Name: BootExecute
Value: autocheck autochk *
Executable files: 110
Suspicious files: 123
Text files: 48
Unknown types: 0

Dropped files

PID: 2420
Process: avast_vpn_online_setup.exe
Filename: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\bug_report.exe
Type: executable
MD5: 427360DDFC724244D83D633D03644D0B
SHA256: F81E8E1844166CC73D2C93A255DE9961B9A751F0E8DF8ED9A43CFEE0EFC61FCC

PID: 1864
Process: icarus.exe
Filename: C:\ProgramData\Avast Software\Icarus\Logs\report.log
Type: -
MD5:
SHA256:

PID: 2420
Process: avast_vpn_online_setup.exe
Filename: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\55c396ef-2586-442b-8e6f-f61d879311b1
Type: binary
MD5: 73577181670C7B91432AE7DE4CD7C55B
SHA256: 938210BFB9B9EF28984385D92F9D9DC5682465ED1FA8E241B6675E4A4B1A8942

PID: 2420
Process: avast_vpn_online_setup.exe
Filename: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus.exe
Type: executable
MD5: 40241D144A6D5A818E243BC137675159
SHA256: EEFCBD068E6B59B9A7E3EBCC8D88DE70BF0B834F93FB3C558FB87599FC2722F6

PID: 2420
Process: avast_vpn_online_setup.exe
Filename: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\dump_process.exe
Type: executable
MD5: 207852B9C0CE5C112C697A909A1421DF
SHA256: 48DE6C0115E81DB55B24EA45D518B4E66731F331D5687170101D66EEC238E5E4

PID: 2420
Process: avast_vpn_online_setup.exe
Filename: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\product-info.xml
Type: xml
MD5: 47C1885F5F64BD30DB6DAD056D6E1A5C
SHA256: 2A44462AB672662599A9973B936E7B9FB96331672F560334ED41F333A4714FA6

PID: 2420
Process: avast_vpn_online_setup.exe
Filename: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\setupui.cont
Type: binary
MD5: EB6452DA8A5DA56869CC5354F62A1BC5
SHA256: B0DCE494EAE002553BCE20BCFF5DD513109C14BF0C0524008CD414CC7CF970B7

PID: 2420
Process: avast_vpn_online_setup.exe
Filename: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\cd8a20ce-f34c-4ad6-be41-02b5a88d8e03
Type: binary
MD5: 93C8167E1AF7D6882EF2B13FA92FB2CC
SHA256: 285A5B06E95A79FF313F1EB6A814D1ECB1DEF1AEFA80B4765D9A2617329B6B41

PID: 2420
Process: avast_vpn_online_setup.exe
Filename: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus_ui.exe
Type: executable
MD5: BF4545F6EC415EFCC13E1F76E6ACA6EF
SHA256: 03B86B1D8FDB076521C2222EC5D9043C2F43F22ADCA4AD9DA5B457AAAF23B16F

PID: 2420
Process: avast_vpn_online_setup.exe
Filename: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\99e5244f-8896-403b-ba90-64554b21db36
Type: binary
MD5: 08270C2DD07E6E4C19174A5906E007D3
SHA256: 702EA81279E162CD01B59002FA3E1270F40A75AEA15AAC8A31D3DFC2128D1347
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 30
DNS requests: 30
Threats: 0

HTTP requests

PID: 2420
Process: avast_vpn_online_setup.exe
Method: GET
HTTP Code: 404
IP: 184.30.25.22:80
URL: http://honzik.avcdn.net/dll/avast-vpn/x86/icarus_mod.dll.lzma
CN: unknown
Type: html
Size: 235 b
Reputation: unknown

PID: 2340
Process: icarus.exe
Method: GET
HTTP Code: -
IP: 2.18.161.23:80
URL: http://honzik.avcdn.net//universe/b0e8/c2d7/2395/b0e8c2d7239544001e8bd8d1e79914b122c67b7e1aed3959584ecf15dc5b812f.lzma
CN: unknown
Type: -
Size: -
Reputation: unknown

PID: 2340
Process: icarus.exe
Method: GET
HTTP Code: -
IP: 2.18.161.23:80
URL: http://honzik.avcdn.net//universe/b0e8/c2d7/2395/b0e8c2d7239544001e8bd8d1e79914b122c67b7e1aed3959584ecf15dc5b812f.lzma
CN: unknown
Type: -
Size: -
Reputation: unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2420 | avast_vpn_online_setup.exe | 34.117.223.223:443 | analytics.ff.avast.com | GOOGLE-CLOUD-PLATFORM | US | unknown
2420 | avast_vpn_online_setup.exe | 184.30.25.22:443 | honzik.avcdn.net | AKAMAI-AS | DE | unknown
2420 | avast_vpn_online_setup.exe | 184.30.25.22:80 | honzik.avcdn.net | AKAMAI-AS | DE | unknown
1864 | icarus.exe | 34.117.223.223:443 | analytics.ff.avast.com | GOOGLE-CLOUD-PLATFORM | US | unknown
1864 | icarus.exe | 34.160.176.28:443 | shepherd.ff.avast.com | GOOGLE | US | unknown
1864 | icarus.exe | 184.30.25.22:443 | honzik.avcdn.net | AKAMAI-AS | DE | unknown
2340 | icarus.exe | 184.30.25.22:443 | honzik.avcdn.net | AKAMAI-AS | DE | unknown

DNS requests

Domain | IP | Reputation
analytics.ff.avast.com | 34.117.223.223 | whitelisted
honzik.avcdn.net | 184.30.25.22, 2a02:26f0:3500:59a::240d, 2a02:26f0:3500:595::240d, 2.18.161.23 | unknown
shepherd.ff.avast.com | 34.160.176.28 | whitelisted

Threats

No threats detected
No debug info