File name: privax_vpn_online_setup.exe
Full analysis: https://app.any.run/tasks/ffbff559-1d2c-45ac-86fb-05fa2f8744c2
Verdict: Malicious activity
Analysis date: January 11, 2024, 06:10:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 41921ED6B77699A399E3C7EFC0991285
SHA1: 2520DF09BC1311319619C96B90CB37A8E3F19665
SHA256: F2A0BE515F4167ADF1FB890E8DFDE5FDB91207A230C7A7E7897922B74F827EAE
SSDEEP: 49152:wUc/lrf6Dr6085H1HpGeKQjz3JKqOscVATUmRMB+1BqQynJWEi8DOWtfF:wFf6DrgH1p8wz3EqE3Qyno

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Creates a writable file in the system directory
      • icarus.exe (PID: 2300)
  • SUSPICIOUS
    • Reads settings of System Certificates
      • privax_vpn_online_setup.exe (PID: 2024)
  • INFO
    • Checks supported languages
      • privax_vpn_online_setup.exe (PID: 2024)
      • icarus.exe (PID: 1216)
      • icarus_ui.exe (PID: 1936)
      • icarus.exe (PID: 2300)
    • Creates files in the program directory
      • privax_vpn_online_setup.exe (PID: 2024)
      • icarus.exe (PID: 1216)
      • icarus_ui.exe (PID: 1936)
      • icarus.exe (PID: 2300)
    • Drops the executable file immediately after the start
      • privax_vpn_online_setup.exe (PID: 2024)
      • icarus.exe (PID: 1216)
      • icarus.exe (PID: 2300)
    • Reads the computer name
      • privax_vpn_online_setup.exe (PID: 2024)
      • icarus.exe (PID: 1216)
      • icarus_ui.exe (PID: 1936)
      • icarus.exe (PID: 2300)
    • Reads the machine GUID from the registry
      • privax_vpn_online_setup.exe (PID: 2024)
      • icarus.exe (PID: 1216)
      • icarus_ui.exe (PID: 1936)
      • icarus.exe (PID: 2300)
    • Reads CPU info
      • icarus.exe (PID: 1216)
      • icarus_ui.exe (PID: 1936)
      • icarus.exe (PID: 2300)
    • Starts itself from another location
      • icarus.exe (PID: 1216)
    • Process drops legitimate windows executable
      • icarus.exe (PID: 2300)
    • Dropped object may contain TOR URL's
      • icarus.exe (PID: 2300)
    • The process drops C-runtime libraries
      • icarus.exe (PID: 2300)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

TRiD's leading "Win64" guess is a byte-pattern heuristic and conflicts with the PE header fields below (MachineType: Intel 386, PEType: PE32, ImageFileCharacteristics: 32-bit), which are authoritative: this is a 32-bit image, as the "File info" line at the top also states.

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:04:04 08:32:44+02:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.34
CodeSize: 931328
InitializedDataSize: 363008
UninitializedDataSize: -
EntryPoint: 0x4b650
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 23.2.5620.0
ProductVersionNumber: 5.28.9117.9570
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Privax Limited
FileDescription: Privax Self-Extract Package
FileVersion: 23.2.5620.0
InternalName: icarus_sfx
LegalCopyright: Copyright © 2023 Privax Limited
MainProductId: privax-vpn
OriginalFileName: icarus_sfx.exe
ProductId: privax-icarus
ProductName: Privax Installer
ProductVersion: 5.28.9117.9570
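The EXE fields above are read straight out of the PE headers (COFF file header and optional header), and reading them yourself is the quick way to settle a TRiD-versus-header disagreement like the one above. The following parser is an added example, not ANY.RUN's, ExifTool's or Privax's code; build_sample_header() is a constructed PE32 header carrying the values from this report so the script runs offline, and is a stand-in rather than the real privax_vpn_online_setup.exe. Pass a file path to inspect a real image.

```python
"""Read the PE header fields that the EXIF section above reports.

Added example; not ANY.RUN's or Privax's code. build_sample_header() is a
constructed PE32 header with the report's values (a stand-in, not the real
privax_vpn_online_setup.exe). Usage: python pe_header.py [image.exe]
"""
import struct
import sys
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
MACHINE_NAMES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64",
                 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}
MAGIC_NAMES = {0x10B: "PE32", 0x20B: "PE32+"}
SUBSYSTEM_NAMES = {1: "Native", 2: "Windows GUI", 3: "Windows command line"}
# IMAGE_FILE_* characteristics in bit order (ExifTool lists them the same way)
CHARACTERISTIC_FLAGS = [
    (0x0002, "Executable"), (0x0004, "No line numbers"), (0x0008, "No symbols"),
    (0x0020, "Large address aware"), (0x0100, "32-bit"),
    (0x0400, "Removable run from swap"), (0x0800, "Net run from swap"), (0x2000, "DLL"),
]


def parse_pe_header(data: bytes) -> dict:
    """Parse DOS header -> COFF file header -> optional header (PE32 or PE32+)."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature: not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature
    machine, _nsections, timestamp, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 70 or opt + opt_size > len(data):
        raise ValueError("optional header missing or truncated")
    magic, linker_major, linker_minor, code, idata, udata, entry = \
        struct.unpack_from("<HBBIIII", data, opt)
    if magic not in MAGIC_NAMES:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # Offsets 40..71 are laid out identically in PE32 (BaseOfData + 4-byte ImageBase)
    # and PE32+ (8-byte ImageBase), so one unpack serves both formats.
    os_major, os_minor, img_major, img_minor, ss_major, ss_minor = \
        struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "MachineType": MACHINE_NAMES.get(machine, f"0x{machine:04x}"),
        "TimeStamp": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "ImageFileCharacteristics": [name for bit, name in CHARACTERISTIC_FLAGS if characteristics & bit],
        "PEType": MAGIC_NAMES[magic],
        "Is64Bit": magic == 0x20B,          # the field that settles the TRiD question
        "LinkerVersion": f"{linker_major}.{linker_minor}",
        "CodeSize": code,
        "InitializedDataSize": idata,
        "UninitializedDataSize": udata,
        "EntryPoint": f"0x{entry:x}",
        "OSVersion": f"{os_major}.{os_minor}",
        "ImageVersion": f"{img_major}.{img_minor}",
        "SubsystemVersion": f"{ss_major}.{ss_minor}",
        "Subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
    }


def build_sample_header() -> bytes:
    """Constructed PE32 header with the report's values (stand-in, not the real file)."""
    ts = int(datetime(2023, 4, 4, 6, 32, 44, tzinfo=timezone.utc).timestamp())  # 08:32:44+02:00
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, 0x014C, 3, ts, 0, 0, 96,
                           0x0002 | 0x0100 | 0x0400 | 0x0800)
    # Magic, linker 14.34, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
    # AddressOfEntryPoint, BaseOfCode, BaseOfData
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 34, 931328, 363008, 0, 0x4B650, 0x1000, 0xE5000)
    # ImageBase, SectionAlignment, FileAlignment, OS 6.0, Image 0.0, Subsystem 6.0,
    # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum, Subsystem=GUI, DllCharacteristics
    opt += struct.pack("<IIIHHHHHHIIIIHH", 0x400000, 0x1000, 0x200,
                       6, 0, 0, 0, 6, 0, 0, 0x140000, 0x400, 0, 2, 0x8140)
    # Stack/heap reserve and commit, LoaderFlags, NumberOfRvaAndSizes (no data directories)
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 0)
    assert len(opt) == 96
    return dos + file_hdr + opt


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header()
    for key, value in parse_pe_header(blob).items():
        print(f"{key}: {value}")
```

The version fields are printed as major.minor; ExifTool formats them differently, but the numbers are the same header bytes. The parser stops at the subsystem field on purpose: everything the EXIF block lists lives before the data directories, so sections and imports are out of scope here.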
All screenshots are available in the full report
Total processes: 40
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 1

Behavior graph

(interactive in the full report; the graph chains start → privax_vpn_online_setup.exe → icarus.exe → icarus_ui.exe (no specs) and icarus.exe, with a second privax_vpn_online_setup.exe (no specs))

Process information

PID: 1216
CMD: C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\icarus-info.xml /install /sssid:2024
Path: C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\icarus.exe
Parent process: privax_vpn_online_setup.exe
User: admin
Company: Privax Limited
Integrity Level: HIGH
Description: Privax Installer
Exit code: 0
Version: 23.2.5620.0
Modules (images):
  c:\windows\temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\icarus.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\winhttp.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\webio.dll
  c:\windows\system32\rstrtmgr.dll
  c:\windows\system32\user32.dll

PID: 1936
CMD: C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\icarus_ui.exe /sssid:2024 /er_master:master_ep_ca7a18be-603c-4c72-b29d-08df47073c18 /er_ui:ui_ep_7631e202-6a15-4dc5-a4b0-7b3aee34d621
Path: C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\icarus_ui.exe
Parent process: icarus.exe
User: admin
Company: Privax Limited
Integrity Level: HIGH
Description: Privax UI
Exit code: 0
Version: 23.2.5620.0
Modules (images):
  c:\windows\temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\icarus_ui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\userenv.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\profapi.dll
  c:\windows\system32\wtsapi32.dll
  c:\windows\system32\shell32.dll

PID: 2024
CMD: "C:\Users\admin\AppData\Local\Temp\privax_vpn_online_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\privax_vpn_online_setup.exe
Parent process: explorer.exe
User: admin
Company: Privax Limited
Integrity Level: HIGH
Description: Privax Self-Extract Package
Exit code: 0
Version: 23.2.5620.0
Modules (images):
  c:\users\admin\appdata\local\temp\privax_vpn_online_setup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll

PID: 2036
CMD: "C:\Users\admin\AppData\Local\Temp\privax_vpn_online_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\privax_vpn_online_setup.exe
Parent process: explorer.exe
User: admin
Company: Privax Limited
Integrity Level: MEDIUM
Description: Privax Self-Extract Package
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity launch exited at the UAC elevation request, having loaded only ntdll.dll; the same image then ran at HIGH integrity as PID 2024)
Version: 23.2.5620.0
Modules (images):
  c:\users\admin\appdata\local\temp\privax_vpn_online_setup.exe
  c:\windows\system32\ntdll.dll

PID: 2300
CMD: C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\privax-vpn\icarus.exe /sssid:2024 /er_master:master_ep_ca7a18be-603c-4c72-b29d-08df47073c18 /er_ui:ui_ep_7631e202-6a15-4dc5-a4b0-7b3aee34d621 /er_slave:privax-vpn_slave_ep_7e874b83-46dd-4773-a2e4-e2d210531161 /slave:privax-vpn
Path: C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\privax-vpn\icarus.exe
Parent process: icarus.exe
User: admin
Company: Privax Limited
Integrity Level: HIGH
Description: Privax Installer
Exit code: 0
Version: 23.2.5620.0
Modules (images):
  c:\windows\temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\privax-vpn\icarus.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\winhttp.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\webio.dll
  c:\windows\system32\rstrtmgr.dll
  c:\windows\system32\user32.dll
Total events: 3 885
Read events: 3 870
Write events: 15
Delete events: 0

Modification events

(PID) Process: (2024) privax_vpn_online_setup.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2300) icarus.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation: write
Name: BootExecute
Value: autocheck autochk *

The BootExecute value written here, "autocheck autochk *", is the Windows default for that key (it runs the boot-time chkdsk stage), so this write does not add a program to the pre-logon boot sequence. A BootExecute entry that names anything else is worth a close look, because it runs as part of Session Manager start-up before any logon.
Executable files: 110
Suspicious files: 108
Text files: 56
Unknown types: 0

Dropped files (excerpt; the full list is in the full report)

PID 2024 (privax_vpn_online_setup.exe) | binary
  C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\581c1dff-2e62-4ed9-bf56-a4423c734940
  MD5: FF0957E9F030B581AFF68B6B8E521F5D
  SHA256: A585DAEF706AF131571E2B92BA3720FE6EE49459914F66FE9C63F0BA5C64D6DA
PID 1216 (icarus.exe) | type not listed
  C:\ProgramData\Privax\Icarus\Logs\report.log
  MD5: not listed
  SHA256: not listed
PID 2024 (privax_vpn_online_setup.exe) | executable
  C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\dump_process.exe
  MD5: 82FFD1B2C312764D6AD2E25197FA1819
  SHA256: 8441BF488836A3C77C28C02592B48507CFA4D7D784A7E602DD9CFED0BEE6F706
PID 2024 (privax_vpn_online_setup.exe) | text
  C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\ecoo.edat
  MD5: 67DE908DA29F0FEDEF4A61000B83FBEE
  SHA256: 1F9C02201E717EAE7CB2F02240D6AAB6159324BEBC3C69BD6AF4CFF365D755DD
PID 1216 (icarus.exe) | text
  C:\ProgramData\Privax\Icarus\settings\proxy.ini
  MD5: D6DE6577F75A4499FE64BE2006979AE5
  SHA256: 87D882D37F63429088955A59B126F0D44FA728CE60142478004381A3604C9EA9
PID 2024 (privax_vpn_online_setup.exe) | binary
  C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\102d7bc1-c35c-4e30-ab57-b308917504c2
  MD5: A04E7EE4253F1E228D2F626B10C15E75
  SHA256: DD410BDB752A210FECB09502AFE822205E82A2C72B5EF8B05A741A1670ED7298
PID 2024 (privax_vpn_online_setup.exe) | binary
  C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\615f8bd0-5a42-41ec-b27d-d21238b4db12
  MD5: 0B765CE1FA27B0C8DCE395E930528728
  SHA256: ED15073CA2DF9AE4459CADBDE4EBED2C174D511C488E6BEA4AFBD24FC265C942
PID 2024 (privax_vpn_online_setup.exe) | binary
  C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\setupui.cont
  MD5: BB2C0E81675D8E9F805BEE21EE21E89A
  SHA256: C23AB46F7C5F7B1941362478A916CFE67E94BB1FFF49760990518C3C5D68EB8F
PID 2024 (privax_vpn_online_setup.exe) | binary
  C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\8b530eff-c4d8-4650-98e5-5651844a6c07
  MD5: A0E824741587DE5096948013F0A4B2E4
  SHA256: 52882EDEA937C75370C624F555B51CB3112A56178F137C51D81AF17FA04B5649
PID 2024 (privax_vpn_online_setup.exe) | binary
  C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\3d9bfff2-1155-4104-b7bb-345b73072ddd
  MD5: 4AE5F15C283A7397C4ADF00CD5994947
  SHA256: 7E3BF9519709ED95E41809F5CA7075A6993876D66D33128D17C95C61DA01D538
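The process table and the dropped-file list are the raw material behind the signature hits at the top of the report. The triage script below is an added example, not ANY.RUN's rule engine (its rule logic is not on this page): it shows how a few of those hits, plus the UAC elevation visible in PID 2036's exit code, can be derived from such records. PROCESSES and DROPPED are transcribed from this report (DROPPED is a subset), parents are matched by image name because that is all the report records, and the rule definitions are simplified approximations of the signature names rather than the vendor's logic.

```python
"""Triage rules over the process and dropped-file records of this report.

Added example; not ANY.RUN's signature engine. The rules approximate the
signature names in the report; PROCESSES and DROPPED are transcribed from
it (DROPPED is a subset of the dropped-files table).
"""
from dataclasses import dataclass
import ntpath  # Windows path semantics even when this runs on Linux

STATUS_ELEVATION_REQUIRED = 0xC000042C  # the report's exit code 3221226540


@dataclass(frozen=True)
class Process:
    pid: int
    path: str
    parent_image: str   # the report names the parent by image only
    integrity: str      # "MEDIUM" or "HIGH" as shown in the report
    exit_code: int


@dataclass(frozen=True)
class DroppedFile:
    pid: int
    path: str
    ftype: str          # "binary", "executable", "text"; "" where the report shows none
    sha256: str         # "" where the report lists no hash


T = r"C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809"
PROCESSES = [
    Process(1216, T + r"\common\icarus.exe", "privax_vpn_online_setup.exe", "HIGH", 0),
    Process(1936, T + r"\common\icarus_ui.exe", "icarus.exe", "HIGH", 0),
    Process(2024, r"C:\Users\admin\AppData\Local\Temp\privax_vpn_online_setup.exe", "explorer.exe", "HIGH", 0),
    Process(2036, r"C:\Users\admin\AppData\Local\Temp\privax_vpn_online_setup.exe", "explorer.exe", "MEDIUM", 3221226540),
    Process(2300, T + r"\privax-vpn\icarus.exe", "icarus.exe", "HIGH", 0),
]
DROPPED = [
    DroppedFile(2024, T + r"\common\581c1dff-2e62-4ed9-bf56-a4423c734940", "binary",
                "A585DAEF706AF131571E2B92BA3720FE6EE49459914F66FE9C63F0BA5C64D6DA"),
    DroppedFile(1216, r"C:\ProgramData\Privax\Icarus\Logs\report.log", "", ""),
    DroppedFile(2024, T + r"\common\dump_process.exe", "executable",
                "8441BF488836A3C77C28C02592B48507CFA4D7D784A7E602DD9CFED0BEE6F706"),
    DroppedFile(1216, r"C:\ProgramData\Privax\Icarus\settings\proxy.ini", "text",
                "87D882D37F63429088955A59B126F0D44FA728CE60142478004381A3604C9EA9"),
]


def ntstatus(exit_code: int) -> str:
    """Render a process exit code as the NTSTATUS value it encodes."""
    return f"0x{exit_code & 0xFFFFFFFF:08X}"


def find_elevation_relaunch(procs):
    """(medium_pid, high_pid) pairs: a MEDIUM instance exited with
    STATUS_ELEVATION_REQUIRED while a HIGH instance of the same image ran,
    i.e. the installer went through a UAC prompt."""
    return sorted((p.pid, q.pid) for p in procs for q in procs
                  if p.integrity == "MEDIUM" and p.exit_code == STATUS_ELEVATION_REQUIRED
                  and q.pid != p.pid and q.integrity == "HIGH"
                  and q.path.lower() == p.path.lower())


def starts_itself_from_another_location(procs):
    """Flag the parent when a child carrying the same image name runs from a
    different directory (the report attributes this hit to the parent)."""
    hits = set()
    for child in procs:
        child_name = ntpath.basename(child.path).lower()
        for parent in procs:
            if (parent.pid != child.pid
                    and ntpath.basename(parent.path).lower() == child.parent_image.lower() == child_name
                    and ntpath.dirname(parent.path).lower() != ntpath.dirname(child.path).lower()):
                hits.add(parent.pid)
    return sorted(hits)


def elevated_from_temp(procs):
    """HIGH-integrity processes whose image lives under a temp directory."""
    markers = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")
    return sorted(p.pid for p in procs
                  if p.integrity == "HIGH" and any(m in p.path.lower() for m in markers))


def drops_executable(dropped):
    """Processes that wrote a file the sandbox typed as executable."""
    return sorted({d.pid for d in dropped if d.ftype == "executable"})


def triage(procs, dropped):
    return {
        "uac_elevation_relaunch": find_elevation_relaunch(procs),
        "starts_itself_from_another_location": starts_itself_from_another_location(procs),
        "elevated_process_running_from_temp": elevated_from_temp(procs),
        "drops_executable": drops_executable(dropped),
        "sha256_iocs": sorted(d.sha256 for d in dropped if d.sha256),
    }


if __name__ == "__main__":
    for rule, hits in triage(PROCESSES, DROPPED).items():
        print(f"{rule}: {hits}")
```

On this report's data the script attributes "starts itself from another location" to PID 1216, exactly as the signature list does, pairs PID 2036 with PID 2024 as the UAC relaunch, and collects the three SHA256 values it was given as IOCs. Because the dropped-files list on the page is an excerpt, rules that depend on it (drops_executable, the IOC set) necessarily undercount against the full report.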
HTTP(S) requests: 0
TCP/UDP connections: 18
DNS requests: 24
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process                      IP:port               Domain                  ASN                    Country  Reputation
-     -                            192.168.100.255:137   -                       -                      -        unknown
2024  privax_vpn_online_setup.exe  34.117.223.223:443    analytics.ff.avast.com  GOOGLE-CLOUD-PLATFORM  US       unknown
2024  privax_vpn_online_setup.exe  2.18.161.23:443       honzik.avcdn.net        AKAMAI-AS              DE       unknown
1216  icarus.exe                   34.117.223.223:443    analytics.ff.avast.com  GOOGLE-CLOUD-PLATFORM  US       unknown
1216  icarus.exe                   34.160.176.28:443     shepherd.ff.avast.com   GOOGLE                 US       unknown
1216  icarus.exe                   2.18.161.23:443       honzik.avcdn.net        AKAMAI-AS              DE       unknown
2300  icarus.exe                   23.53.233.33:443      honzik.avcdn.net        AKAMAI-AS              DE       unknown
2300  icarus.exe                   2.18.161.23:443       honzik.avcdn.net        AKAMAI-AS              DE       unknown

The first row (port 137 to the subnet broadcast address) is NetBIOS name-service traffic with no process attributed in the report; every attributed connection is TLS on port 443 to avast.com or avcdn.net hosts.

DNS requests

analytics.ff.avast.com (whitelisted)
  • 34.117.223.223
honzik.avcdn.net (unknown)
  • 2.18.161.23
  • 2a02:26f0:3500:595::240d
  • 2a02:26f0:3500:59a::240d
  • 23.53.233.33
shepherd.ff.avast.com (whitelisted)
  • 34.160.176.28

Threats

No threats detected
No debug info