File name: avast_vpn_online_setup.exe

Full analysis: https://app.any.run/tasks/8ee17571-fc1f-4183-af48-c032a20aac05
Verdict: Malicious activity
Analysis date: January 08, 2024, 17:09:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: F0015BD4724E734ADD0161F2D4731CB1
SHA1: EAE7C6B84E069CEA66E584BDFE7F1B63E6902CC3
SHA256: BB3EF47058EF096F522BCD4E7B1F26CF4BE6DAC5C5B83D7EB2784C6AD8643665
SSDEEP: 49152:2GExgdT9v5E9I1jiqvFupkcf0RMEybHZYyMik:5Exgrv5yI1jiqvFursRMEybu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates a writable file in the system directory

      • icarus.exe (PID: 2340)
  • SUSPICIOUS

    • Reads settings of System Certificates

      • avast_vpn_online_setup.exe (PID: 2420)
    • The process verifies whether the antivirus software is installed

      • icarus.exe (PID: 2340)
  • INFO

    • Drops the executable file immediately after the start

      • avast_vpn_online_setup.exe (PID: 2420)
      • icarus.exe (PID: 1864)
      • icarus.exe (PID: 2340)
    • Checks supported languages

      • avast_vpn_online_setup.exe (PID: 2420)
      • icarus.exe (PID: 1864)
      • icarus_ui.exe (PID: 1236)
      • icarus.exe (PID: 2340)
    • Creates files in the program directory

      • icarus.exe (PID: 1864)
      • avast_vpn_online_setup.exe (PID: 2420)
      • icarus_ui.exe (PID: 1236)
      • icarus.exe (PID: 2340)
    • Reads the machine GUID from the registry

      • avast_vpn_online_setup.exe (PID: 2420)
      • icarus.exe (PID: 1864)
      • icarus_ui.exe (PID: 1236)
      • icarus.exe (PID: 2340)
    • Reads the computer name

      • avast_vpn_online_setup.exe (PID: 2420)
      • icarus_ui.exe (PID: 1236)
      • icarus.exe (PID: 1864)
      • icarus.exe (PID: 2340)
    • Reads CPU info

      • icarus.exe (PID: 1864)
      • icarus_ui.exe (PID: 1236)
      • icarus.exe (PID: 2340)
    • Starts itself from another location

      • icarus.exe (PID: 1864)
    • Process drops legitimate windows executable

      • icarus.exe (PID: 2340)
    • The process drops C-runtime libraries

      • icarus.exe (PID: 2340)
    • Dropped object may contain TOR URL's

      • icarus.exe (PID: 2340)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:12:02 11:00:51+01:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.29
CodeSize: 809472
InitializedDataSize: 344576
UninitializedDataSize: -
EntryPoint: 0x286d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 21.8.3960.0
ProductVersionNumber: 5.15.5913.3604
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Avast Software
FileDescription: Avast Self-Extract Package
FileVersion: 21.8.3960.0
InternalName: icarus_sfx
LegalCopyright: © 2021 Avast Software
OriginalFileName: icarus_sfx.exe
ProductId: avast-icarus
ProductName: Avast Installer
ProductVersion: 5.15.5913.3604
Vpnincluded: 5.15.5913.3604
No data.
Total processes: 40
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0


Process information

PID: 128
CMD: "C:\Users\admin\AppData\Local\Temp\avast_vpn_online_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\avast_vpn_online_setup.exe
Parent process: explorer.exe
User: admin
Company: Avast Software
Integrity Level: MEDIUM
Description: Avast Self-Extract Package
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 21.8.3960.0
Modules
Images
c:\users\admin\appdata\local\temp\avast_vpn_online_setup.exe
c:\windows\system32\ntdll.dll
PID: 1236
CMD: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus_ui.exe /sssid:2420 /er_master:master_ep_673bc5d8-f6af-43e0-92bd-c8d46aba0f4f /er_ui:ui_ep_6c3d3c15-ade7-44a3-b08f-4a5914565895
Path: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus_ui.exe
Parent process: icarus.exe
User: admin
Company: Avast Software
Integrity Level: HIGH
Description: Avast UI
Exit code: 0
Version: 23.2.5620.0
Modules
Images
c:\windows\temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus_ui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\userenv.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shell32.dll
PID: 1864
CMD: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\icarus-info.xml /install /sssid:2420
Path: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus.exe
Parent process: avast_vpn_online_setup.exe
User: admin
Company: Avast Software
Integrity Level: HIGH
Description: Avast Installer
Exit code: 0
Version: 23.2.5620.0
Modules
Images
c:\windows\temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\user32.dll
PID: 2340
CMD: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\avast-vpn\icarus.exe /sssid:2420 /er_master:master_ep_673bc5d8-f6af-43e0-92bd-c8d46aba0f4f /er_ui:ui_ep_6c3d3c15-ade7-44a3-b08f-4a5914565895 /er_slave:avast-vpn_slave_ep_a7402707-9a62-47fd-8f4c-df58fc2afd63 /slave:avast-vpn
Path: C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\avast-vpn\icarus.exe
Parent process: icarus.exe
User: admin
Company: Avast Software
Integrity Level: HIGH
Description: Avast Installer
Exit code: 0
Version: 23.2.5620.0
Modules
Images
c:\windows\temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\avast-vpn\icarus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\user32.dll
PID: 2420
CMD: "C:\Users\admin\AppData\Local\Temp\avast_vpn_online_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\avast_vpn_online_setup.exe
Parent process: explorer.exe
User: admin
Company: Avast Software
Integrity Level: HIGH
Description: Avast Self-Extract Package
Exit code: 0
Version: 21.8.3960.0
Modules
Images
c:\users\admin\appdata\local\temp\avast_vpn_online_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 4 055
Read events: 4 040
Write events: 15
Delete events: 0

Modification events

(PID) Process: (2420) avast_vpn_online_setup.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2340) icarus.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation: write
Name: BootExecute
Value: autocheck autochk *
Executable files: 110
Suspicious files: 123
Text files: 48
Unknown types: 0

Dropped files

PID | Process | Filename | Type

2420 | avast_vpn_online_setup.exe | C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus_ui.exe | executable
MD5: BF4545F6EC415EFCC13E1F76E6ACA6EF
SHA256: 03B86B1D8FDB076521C2222EC5D9043C2F43F22ADCA4AD9DA5B457AAAF23B16F

1864 | icarus.exe | C:\ProgramData\Avast Software\Icarus\Logs\report.log |
MD5:
SHA256:

2420 | avast_vpn_online_setup.exe | C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\99e5244f-8896-403b-ba90-64554b21db36 | binary
MD5: 08270C2DD07E6E4C19174A5906E007D3
SHA256: 702EA81279E162CD01B59002FA3E1270F40A75AEA15AAC8A31D3DFC2128D1347

2420 | avast_vpn_online_setup.exe | C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\setupui.cont | binary
MD5: EB6452DA8A5DA56869CC5354F62A1BC5
SHA256: B0DCE494EAE002553BCE20BCFF5DD513109C14BF0C0524008CD414CC7CF970B7

2420 | avast_vpn_online_setup.exe | C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\59e1dfc4-f49d-4683-b3a1-c2a748f94004 | binary
MD5: 634090477C1C04F06E2DD15993237FD2
SHA256: 273A824B5734EE7C2E8611D9D5A29C1EC6466AAFFF9D66C551727E8815C70C1C

2420 | avast_vpn_online_setup.exe | C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\55c396ef-2586-442b-8e6f-f61d879311b1 | binary
MD5: 73577181670C7B91432AE7DE4CD7C55B
SHA256: 938210BFB9B9EF28984385D92F9D9DC5682465ED1FA8E241B6675E4A4B1A8942

2420 | avast_vpn_online_setup.exe | C:\ProgramData\Avast Software\Icarus\Logs\sfx.log | text
MD5: ECAA88F7FA0BF610A5A26CF545DCD3AA
SHA256: F1945CD6C19E56B3C1C78943EF5EC18116907A4CA1EFC40A57D48AB1DB7ADFC5

2420 | avast_vpn_online_setup.exe | C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\product-info.xml | xml
MD5: 47C1885F5F64BD30DB6DAD056D6E1A5C
SHA256: 2A44462AB672662599A9973B936E7B9FB96331672F560334ED41F333A4714FA6

2420 | avast_vpn_online_setup.exe | C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\icarus.exe | executable
MD5: 40241D144A6D5A818E243BC137675159
SHA256: EEFCBD068E6B59B9A7E3EBCC8D88DE70BF0B834F93FB3C558FB87599FC2722F6

2420 | avast_vpn_online_setup.exe | C:\Windows\Temp\asw-18435c92-fd9f-42c7-b615-8c74d695f021\common\product-def.xml | xml
MD5: 2FDB6C2285F7E9B674A23E540332E16D
SHA256: 017FB96C1109E87DB4B25C24F443D727035B2D2C1E11489D16F2693BFB6B19B6
HTTP(S) requests: 3
TCP/UDP connections: 30
DNS requests: 30
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2340 | icarus.exe | GET | | 2.18.161.23:80 | http://honzik.avcdn.net//universe/b0e8/c2d7/2395/b0e8c2d7239544001e8bd8d1e79914b122c67b7e1aed3959584ecf15dc5b812f.lzma | unknown | | | unknown
2420 | avast_vpn_online_setup.exe | GET | 404 | 184.30.25.22:80 | http://honzik.avcdn.net/dll/avast-vpn/x86/icarus_mod.dll.lzma | unknown | html | 235 b | unknown
2340 | icarus.exe | GET | | 2.18.161.23:80 | http://honzik.avcdn.net//universe/b0e8/c2d7/2395/b0e8c2d7239544001e8bd8d1e79914b122c67b7e1aed3959584ecf15dc5b812f.lzma | unknown | | | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
2420 | avast_vpn_online_setup.exe | 34.117.223.223:443 | analytics.ff.avast.com | GOOGLE-CLOUD-PLATFORM | US | unknown
2420 | avast_vpn_online_setup.exe | 184.30.25.22:443 | honzik.avcdn.net | AKAMAI-AS | DE | unknown
2420 | avast_vpn_online_setup.exe | 184.30.25.22:80 | honzik.avcdn.net | AKAMAI-AS | DE | unknown
1864 | icarus.exe | 34.117.223.223:443 | analytics.ff.avast.com | GOOGLE-CLOUD-PLATFORM | US | unknown
1864 | icarus.exe | 34.160.176.28:443 | shepherd.ff.avast.com | GOOGLE | US | unknown
1864 | icarus.exe | 184.30.25.22:443 | honzik.avcdn.net | AKAMAI-AS | DE | unknown
2340 | icarus.exe | 184.30.25.22:443 | honzik.avcdn.net | AKAMAI-AS | DE | unknown

DNS requests

Domain | IP | Reputation
analytics.ff.avast.com | 34.117.223.223 | whitelisted
honzik.avcdn.net | 184.30.25.22, 2a02:26f0:3500:59a::240d, 2a02:26f0:3500:595::240d, 2.18.161.23 | unknown
shepherd.ff.avast.com | 34.160.176.28 | whitelisted

Threats

No threats detected
No debug info