File name: avast_vpn_online_setup.exe
Full analysis: https://app.any.run/tasks/8ee17571-fc1f-4183-af48-c032a20aac05
Verdict: Malicious activity
Analysis date: January 08, 2024, 17:09:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: F0015BD4724E734ADD0161F2D4731CB1
SHA1: EAE7C6B84E069CEA66E584BDFE7F1B63E6902CC3
SHA256: BB3EF47058EF096F522BCD4E7B1F26CF4BE6DAC5C5B83D7EB2784C6AD8643665
SSDEEP: 49152:2GExgdT9v5E9I1jiqvFupkcf0RMEybHZYyMik:5Exgrv5yI1jiqvFursRMEybu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates a writable file in the system directory

      • icarus.exe (PID: 2340)
  • SUSPICIOUS

    • Reads settings of System Certificates

      • avast_vpn_online_setup.exe (PID: 2420)
    • The process verifies whether the antivirus software is installed

      • icarus.exe (PID: 2340)
  • INFO

    • Drops the executable file immediately after the start

      • avast_vpn_online_setup.exe (PID: 2420)
      • icarus.exe (PID: 1864)
      • icarus.exe (PID: 2340)
    • Checks supported languages

      • avast_vpn_online_setup.exe (PID: 2420)
      • icarus.exe (PID: 1864)
      • icarus_ui.exe (PID: 1236)
      • icarus.exe (PID: 2340)
    • Reads the computer name

      • avast_vpn_online_setup.exe (PID: 2420)
      • icarus.exe (PID: 1864)
      • icarus_ui.exe (PID: 1236)
      • icarus.exe (PID: 2340)
    • Reads the machine GUID from the registry

      • avast_vpn_online_setup.exe (PID: 2420)
      • icarus.exe (PID: 1864)
      • icarus_ui.exe (PID: 1236)
      • icarus.exe (PID: 2340)
    • Creates files in the program directory

      • avast_vpn_online_setup.exe (PID: 2420)
      • icarus.exe (PID: 1864)
      • icarus_ui.exe (PID: 1236)
      • icarus.exe (PID: 2340)
    • Reads CPU info

      • icarus.exe (PID: 1864)
      • icarus_ui.exe (PID: 1236)
      • icarus.exe (PID: 2340)
    • Starts itself from another location

      • icarus.exe (PID: 1864)
    • Process drops legitimate windows executable

      • icarus.exe (PID: 2340)
    • Dropped object may contain TOR URL's

      • icarus.exe (PID: 2340)
    • The process drops C-runtime libraries

      • icarus.exe (PID: 2340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:12:02 11:00:51+01:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.29
CodeSize: 809472
InitializedDataSize: 344576
UninitializedDataSize: -
EntryPoint: 0x286d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 21.8.3960.0
ProductVersionNumber: 5.15.5913.3604
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Avast Software
FileDescription: Avast Self-Extract Package
FileVersion: 21.8.3960.0
InternalName: icarus_sfx
LegalCopyright: © 2021 Avast Software
OriginalFileName: icarus_sfx.exe
ProductId: avast-icarus
ProductName: Avast Installer
ProductVersion: 5.15.5913.3604
Vpnincluded: 5.15.5913.3604
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph (from start): avast_vpn_online_setup.exe, icarus.exe, icarus_ui.exe (no specs), icarus.exe, avast_vpn_online_setup.exe (no specs)

Process information

PID: 128
CMD: "C:\Users\admin\AppData\Local\Temp\avast_vpn_online_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\avast_vpn_online_setup.exe
Parent process: explorer.exe
User: admin
Company: Avast Software
Integrity Level: MEDIUM
Description: Avast Self-Extract Package
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; the same image is then started again as PID 2420 at HIGH integrity)
Version: 21.8.3960.0
Modules (images):
c:\users\admin\appdata\local\temp\avast_vpn_online_setup.exe
c:\windows\system32\ntdll.dll

PID: 1236
CMD: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus_ui.exe /sssid:2420 /er_master:master_ep_673bc5d8-f6af-43e0-92bd-c8d46aba0f4f /er_ui:ui_ep_6c3d3c15-ade7-44a3-b08f-4a5914565895
Path: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus_ui.exe
Parent process: icarus.exe
User: admin
Company: Avast Software
Integrity Level: HIGH
Description: Avast UI
Exit code: 0
Version: 23.2.5620.0
Modules (images):
c:\windows\temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus_ui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\userenv.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shell32.dll

PID: 1864
CMD: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\icarus-info.xml /install /sssid:2420
Path: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus.exe
Parent process: avast_vpn_online_setup.exe
User: admin
Company: Avast Software
Integrity Level: HIGH
Description: Avast Installer
Exit code: 0
Version: 23.2.5620.0
Modules (images):
c:\windows\temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\user32.dll

PID: 2340
CMD: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\avast-vpn\icarus.exe /sssid:2420 /er_master:master_ep_673bc5d8-f6af-43e0-92bd-c8d46aba0f4f /er_ui:ui_ep_6c3d3c15-ade7-44a3-b08f-4a5914565895 /er_slave:avast-vpn_slave_ep_a7402707-9a62-47fd-8f4c-df58fc2afd63 /slave:avast-vpn
Path: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\avast-vpn\icarus.exe
Parent process: icarus.exe
User: admin
Company: Avast Software
Integrity Level: HIGH
Description: Avast Installer
Exit code: 0
Version: 23.2.5620.0
Modules (images):
c:\windows\temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\avast-vpn\icarus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\user32.dll

PID: 2420
CMD: "C:\Users\admin\AppData\Local\Temp\avast_vpn_online_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\avast_vpn_online_setup.exe
Parent process: explorer.exe
User: admin
Company: Avast Software
Integrity Level: HIGH
Description: Avast Self-Extract Package
Exit code: 0
Version: 21.8.3960.0
Modules (images):
c:\users\admin\appdata\local\temp\avast_vpn_online_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 4 055
Read events: 4 040
Write events: 15
Delete events: 0

Modification events

(PID) Process: (2420) avast_vpn_online_setup.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2340) icarus.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation: write
Name: BootExecute
Value: autocheck autochk *

Executable files: 110
Suspicious files: 123
Text files: 48
Unknown types: 0

Dropped files

PID | Process | Filename | Type

2420 | avast_vpn_online_setup.exe | C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\bug_report.exe | executable
MD5: 427360DDFC724244D83D633D03644D0B
SHA256: F81E8E1844166CC73D2C93A255DE9961B9A751F0E8DF8ED9A43CFEE0EFC61FCC

1864 | icarus.exe | C:\ProgramData\Avast Software\Icarus\Logs\report.log | -
MD5:
SHA256:

2420 | avast_vpn_online_setup.exe | C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\setupui.cont | binary
MD5: EB6452DA8A5DA56869CC5354F62A1BC5
SHA256: B0DCE494EAE002553BCE20BCFF5DD513109C14BF0C0524008CD414CC7CF970B7

2420 | avast_vpn_online_setup.exe | C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\59e1dfc4-f49d-4683-b3a1-c2a748f94004 | binary
MD5: 634090477C1C04F06E2DD15993237FD2
SHA256: 273A824B5734EE7C2E8611D9D5A29C1EC6466AAFFF9D66C551727E8815C70C1C

2420 | avast_vpn_online_setup.exe | C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\54798b64-f4ae-4afe-87d6-c1ce0dc387b8 | binary
MD5: 993E986CBAE19CD462A64689184626E9
SHA256: 508ABE57745D9F4CD46F2630ED921B34F36DE6FCCCD4305FDEA1DD52D33CDC9F

2420 | avast_vpn_online_setup.exe | C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\product-def.xml | xml
MD5: 2FDB6C2285F7E9B674A23E540332E16D
SHA256: 017FB96C1109E87DB4B25C24F443D727035B2D2C1E11489D16F2693BFB6B19B6

2420 | avast_vpn_online_setup.exe | C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus_ui.exe | executable
MD5: BF4545F6EC415EFCC13E1F76E6ACA6EF
SHA256: 03B86B1D8FDB076521C2222EC5D9043C2F43F22ADCA4AD9DA5B457AAAF23B16F

2420 | avast_vpn_online_setup.exe | C:\ProgramData\Avast Software\Icarus\Logs\sfx.log | text
MD5: ECAA88F7FA0BF610A5A26CF545DCD3AA
SHA256: F1945CD6C19E56B3C1C78943EF5EC18116907A4CA1EFC40A57D48AB1DB7ADFC5

2420 | avast_vpn_online_setup.exe | C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\ecoo.edat | text
MD5: C92B1DCEE4FD4AB19A1FDC6369E79E29
SHA256: 1BCC46B9FD6E52CD32E3DAF3805B357D0418B0598AB45B43918B0CA71437FB99

2420 | avast_vpn_online_setup.exe | C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\icarus-info.xml | xml
MD5: A45090FB7E4C76ED901AE59BEDCD5D1E
SHA256: 139E3589383300D2F2F8BB41B11EB847FAEE62D442B99E85DB0B5D3357EAEBE1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 30
DNS requests: 30
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2420 | avast_vpn_online_setup.exe | GET | 404 | 184.30.25.22:80 | http://honzik.avcdn.net/dll/avast-vpn/x86/icarus_mod.dll.lzma | unknown | html | 235 b | unknown
2340 | icarus.exe | GET | - | 2.18.161.23:80 | http://honzik.avcdn.net//universe/b0e8/c2d7/2395/b0e8c2d7239544001e8bd8d1e79914b122c67b7e1aed3959584ecf15dc5b812f.lzma | unknown | - | - | unknown
2340 | icarus.exe | GET | - | 2.18.161.23:80 | http://honzik.avcdn.net//universe/b0e8/c2d7/2395/b0e8c2d7239544001e8bd8d1e79914b122c67b7e1aed3959584ecf15dc5b812f.lzma | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2420 | avast_vpn_online_setup.exe | 34.117.223.223:443 | analytics.ff.avast.com | GOOGLE-CLOUD-PLATFORM | US | unknown
2420 | avast_vpn_online_setup.exe | 184.30.25.22:443 | honzik.avcdn.net | AKAMAI-AS | DE | unknown
2420 | avast_vpn_online_setup.exe | 184.30.25.22:80 | honzik.avcdn.net | AKAMAI-AS | DE | unknown
1864 | icarus.exe | 34.117.223.223:443 | analytics.ff.avast.com | GOOGLE-CLOUD-PLATFORM | US | unknown
1864 | icarus.exe | 34.160.176.28:443 | shepherd.ff.avast.com | GOOGLE | US | unknown
1864 | icarus.exe | 184.30.25.22:443 | honzik.avcdn.net | AKAMAI-AS | DE | unknown
2340 | icarus.exe | 184.30.25.22:443 | honzik.avcdn.net | AKAMAI-AS | DE | unknown

DNS requests

Domain | IP | Reputation
analytics.ff.avast.com | 34.117.223.223 | whitelisted
honzik.avcdn.net | 184.30.25.22, 2a02:26f0:3500:59a::240d, 2a02:26f0:3500:595::240d, 2.18.161.23 | unknown
shepherd.ff.avast.com | 34.160.176.28 | whitelisted

Threats

No threats detected
No debug info