File name: privax_vpn_online_setup.exe
Full analysis: https://app.any.run/tasks/ffbff559-1d2c-45ac-86fb-05fa2f8744c2
Verdict: Malicious activity
Analysis date: January 11, 2024, 06:10:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 41921ED6B77699A399E3C7EFC0991285
SHA1: 2520DF09BC1311319619C96B90CB37A8E3F19665
SHA256: F2A0BE515F4167ADF1FB890E8DFDE5FDB91207A230C7A7E7897922B74F827EAE
SSDEEP: 49152:wUc/lrf6Dr6085H1HpGeKQjz3JKqOscVATUmRMB+1BqQynJWEi8DOWtfF:wFf6DrgH1p8wz3EqE3Qyno

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates a writable file in the system directory

      • icarus.exe (PID: 2300)
  • SUSPICIOUS

    • Reads settings of System Certificates

      • privax_vpn_online_setup.exe (PID: 2024)
  • INFO

    • Reads the computer name

      • privax_vpn_online_setup.exe (PID: 2024)
      • icarus_ui.exe (PID: 1936)
      • icarus.exe (PID: 1216)
      • icarus.exe (PID: 2300)
    • Reads the machine GUID from the registry

      • privax_vpn_online_setup.exe (PID: 2024)
      • icarus.exe (PID: 1216)
      • icarus_ui.exe (PID: 1936)
      • icarus.exe (PID: 2300)
    • Drops the executable file immediately after the start

      • privax_vpn_online_setup.exe (PID: 2024)
      • icarus.exe (PID: 1216)
      • icarus.exe (PID: 2300)
    • Creates files in the program directory

      • privax_vpn_online_setup.exe (PID: 2024)
      • icarus.exe (PID: 1216)
      • icarus_ui.exe (PID: 1936)
      • icarus.exe (PID: 2300)
    • Reads CPU info

      • icarus.exe (PID: 1216)
      • icarus_ui.exe (PID: 1936)
      • icarus.exe (PID: 2300)
    • Checks supported languages

      • icarus_ui.exe (PID: 1936)
      • icarus.exe (PID: 1216)
      • privax_vpn_online_setup.exe (PID: 2024)
      • icarus.exe (PID: 2300)
    • Starts itself from another location

      • icarus.exe (PID: 1216)
    • Dropped object may contain TOR URL's

      • icarus.exe (PID: 2300)
    • The process drops C-runtime libraries

      • icarus.exe (PID: 2300)
    • Process drops legitimate windows executable

      • icarus.exe (PID: 2300)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration was extracted.

Reading the verdict: the only MALICIOUS-rated signature is the generic "Creates a writable file in the system directory", raised once for icarus.exe (PID 2300). The SUSPICIOUS entry is a read of the system certificate store by the installer, and everything else is INFO-level installer behaviour (dropping C-runtime libraries and legitimate Windows executables, reading the machine GUID, computer name and CPU info, starting a second copy of itself from the extraction directory). No network threat signatures fired, and every resolved destination is under avast.com or avcdn.net. Before acting on this verdict, verify the Authenticode signature on the sample and on the dropped icarus.exe and icarus_ui.exe, and compare the hashes above with the vendor's published installer; the report itself, as its disclaimer says, does not establish maliciousness.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

TRiD scores are generic-signature heuristics. The top "Win64" match contradicts the PE header (PE32, Intel 386, 32-bit characteristics); the header, not TRiD, is authoritative for bitness.

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:04:04 08:32:44+02:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.34
CodeSize: 931328
InitializedDataSize: 363008
UninitializedDataSize: -
EntryPoint: 0x4b650
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 23.2.5620.0
ProductVersionNumber: 5.28.9117.9570
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Privax Limited
FileDescription: Privax Self-Extract Package
FileVersion: 23.2.5620.0
InternalName: icarus_sfx
LegalCopyright: Copyright © 2023 Privax Limited
MainProductId: privax-vpn
OriginalFileName: icarus_sfx.exe
ProductId: privax-icarus
ProductName: Privax Installer
ProductVersion: 5.28.9117.9570
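The EXIF block above is what exiftool reads out of the COFF file header and the optional header. The following added example (not code from ANY.RUN, Privax or the original page) reads the same fields with the standard library only, so the values can be cross-checked against a report without trusting the sandbox's extraction. The header bytes it parses by default are constructed to carry the values listed above and are not bytes from privax_vpn_online_setup.exe; the `build_sample_header` helper, the field labels and the PE32+ handling (one case beyond this PE32 file) are assumptions of the example.

```python
"""Reads the COFF/optional-header fields behind the EXIF block (added example;
not code from ANY.RUN, Privax or the original page).  Standard library only.
The header it parses by default is CONSTRUCTED to carry the values the report
lists; it is not bytes from privax_vpn_online_setup.exe."""
import struct
from datetime import datetime, timezone

MACHINES = {0x014C: "Intel 386 or later, and compatibles",
            0x8664: "AMD AMD64", 0xAA64: "ARM64"}
PE_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
# IMAGE_FILE_* characteristic bits, ascending; labels follow the report's wording.
CHARACTERISTICS = [(0x0002, "Executable"), (0x0100, "32-bit"),
                   (0x0400, "Removable run from swap"),
                   (0x0800, "Net run from swap"), (0x2000, "DLL")]


def parse_pe_headers(data: bytes) -> dict:
    """Return report-style fields from the DOS, COFF and optional headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    (machine, _nsect, ts, _symtab, _nsyms,
     opt_size, chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                          # optional header follows COFF
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header truncated")
    (magic, lnk_major, lnk_minor, size_code, size_init,
     size_uninit, entry) = struct.unpack_from("<HBBIIII", data, opt)
    if magic not in PE_MAGIC:
        raise ValueError(f"unknown optional-header magic 0x{magic:x}")
    # From offset 40 onward PE32 and PE32+ share a layout: PE32+ drops the
    # 4-byte BaseOfData but widens ImageBase to 8 bytes, so offsets line up.
    (os_major, os_minor, img_major, img_minor,
     sub_major, sub_minor) = struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    known = {bit for bit, _ in CHARACTERISTICS}
    flags = [name for bit, name in CHARACTERISTICS if chars & bit]
    flags += [f"0x{1 << b:04x}" for b in range(16)
              if chars >> b & 1 and (1 << b) not in known]
    return {
        "MachineType": MACHINES.get(machine, f"0x{machine:04x}"),
        # exiftool prints local time (+02:00 in the report); this is UTC.
        "TimeStamp": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(sep=" "),
        "ImageFileCharacteristics": ", ".join(flags),
        "PEType": PE_MAGIC[magic],
        "LinkerVersion": f"{lnk_major}.{lnk_minor}",
        "CodeSize": size_code,
        "InitializedDataSize": size_init,
        "UninitializedDataSize": size_uninit,
        "EntryPoint": f"0x{entry:x}",
        "OSVersion": f"{os_major}.{os_minor}",
        "ImageVersion": f"{img_major}.{img_minor}",
        "SubsystemVersion": f"{sub_major}.{sub_minor}",
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def build_sample_header() -> bytes:
    """CONSTRUCTED PE32 header carrying the report's values (hypothetical helper)."""
    ts = int(datetime(2023, 4, 4, 6, 32, 44, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 5, ts, 0, 0, 0xE0, 0x0D02)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 34, 931328, 363008, 0,
                      0x4B650, 0x1000, 0x100000)  # ..., EntryPoint, BaseOfCode, BaseOfData
    opt += struct.pack("<III", 0x400000, 0x1000, 0x200)          # ImageBase, alignments
    opt += struct.pack("<HHHHHH", 6, 0, 0, 0, 6, 0)              # OS, image, subsystem versions
    opt += struct.pack("<IIII", 0, 0x200000, 0x400, 0)           # Win32Ver, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, 0x8140)                         # Subsystem = GUI, DllCharacteristics
    opt += b"\0" * (0xE0 - len(opt))
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header()
    for key, val in parse_pe_headers(blob).items():
        print(f"{key}: {val}")
```

Run it with a file path to dump a real binary's headers, or with no arguments to parse the constructed header. A compile timestamp that disagrees with the version-resource dates, or characteristics bits a normal linker never sets, is the kind of discrepancy this comparison is meant to surface.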
All screenshots are available in the full report
Total processes: 40
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 1

Behavior graph (process tree; "no indicators" marks processes with no signature hits)

explorer.exe
  - privax_vpn_online_setup.exe (PID 2036, MEDIUM integrity, exit code 3221226540 = 0xC000042C STATUS_ELEVATION_REQUIRED; no indicators)
  - privax_vpn_online_setup.exe (PID 2024, HIGH integrity; the UAC-elevated relaunch)
      - icarus.exe (PID 1216, /install)
          - icarus_ui.exe (PID 1936; no indicators)
          - icarus.exe (PID 2300, /slave:privax-vpn)

Process information

PID 1216  icarus.exe  (parent: privax_vpn_online_setup.exe)
  CMD:  C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\icarus-info.xml /install /sssid:2024
  Path: C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\icarus.exe
  User: admin | Company: Privax Limited | Integrity level: HIGH
  Description: Privax Installer | Version: 23.2.5620.0 | Exit code: 0
  Modules (images):
    c:\windows\temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\icarus.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\winhttp.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\webio.dll
    c:\windows\system32\rstrtmgr.dll
    c:\windows\system32\user32.dll

PID 1936  icarus_ui.exe  (parent: icarus.exe)
  CMD:  C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\icarus_ui.exe /sssid:2024 /er_master:master_ep_ca7a18be-603c-4c72-b29d-08df47073c18 /er_ui:ui_ep_7631e202-6a15-4dc5-a4b0-7b3aee34d621
  Path: C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\icarus_ui.exe
  User: admin | Company: Privax Limited | Integrity level: HIGH
  Description: Privax UI | Version: 23.2.5620.0 | Exit code: 0
  Modules (images):
    c:\windows\temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\icarus_ui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\userenv.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\profapi.dll
    c:\windows\system32\wtsapi32.dll
    c:\windows\system32\shell32.dll

PID 2024  privax_vpn_online_setup.exe  (parent: explorer.exe)
  CMD:  "C:\Users\admin\AppData\Local\Temp\privax_vpn_online_setup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\privax_vpn_online_setup.exe
  User: admin | Company: Privax Limited | Integrity level: HIGH
  Description: Privax Self-Extract Package | Version: 23.2.5620.0 | Exit code: 0
  Modules (images):
    c:\users\admin\appdata\local\temp\privax_vpn_online_setup.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\shell32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\shlwapi.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\lpk.dll

PID 2036  privax_vpn_online_setup.exe  (parent: explorer.exe)
  CMD:  "C:\Users\admin\AppData\Local\Temp\privax_vpn_online_setup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\privax_vpn_online_setup.exe
  User: admin | Company: Privax Limited | Integrity level: MEDIUM
  Description: Privax Self-Extract Package | Version: 23.2.5620.0 | Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Modules (images):
    c:\users\admin\appdata\local\temp\privax_vpn_online_setup.exe
    c:\windows\system32\ntdll.dll
  This is the first, unelevated launch: it loaded nothing beyond ntdll.dll before exiting with STATUS_ELEVATION_REQUIRED, and the HIGH-integrity copy (PID 2024) is the relaunch after the UAC prompt was accepted in the sandbox.

PID 2300  icarus.exe  (parent: icarus.exe)
  CMD:  C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\privax-vpn\icarus.exe /sssid:2024 /er_master:master_ep_ca7a18be-603c-4c72-b29d-08df47073c18 /er_ui:ui_ep_7631e202-6a15-4dc5-a4b0-7b3aee34d621 /er_slave:privax-vpn_slave_ep_7e874b83-46dd-4773-a2e4-e2d210531161 /slave:privax-vpn
  Path: C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\privax-vpn\icarus.exe
  User: admin | Company: Privax Limited | Integrity level: HIGH
  Description: Privax Installer | Version: 23.2.5620.0 | Exit code: 0
  Modules (images):
    c:\windows\temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\privax-vpn\icarus.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\winhttp.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\webio.dll
    c:\windows\system32\rstrtmgr.dll
    c:\windows\system32\user32.dll

The two icarus.exe instances load winhttp.dll and webio.dll (WinHTTP and its transport) and rstrtmgr.dll (Restart Manager), which matches the HTTPS connections attributed to PIDs 1216 and 2300 under Connections below and the file-in-use handling an installer needs. All four child processes run from C:\Windows\Temp at HIGH integrity, which is what the "Starts itself from another location" and "Drops the executable file immediately after the start" signatures key on.
Total events: 3 885 (read: 3 870, write: 15, delete: 0)

Modification events

PID 2024  privax_vpn_online_setup.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
  Operation: write | Name: LanguageList | Value: en-US

PID 2300  icarus.exe
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
  Operation: write | Name: BootExecute | Value: autocheck autochk *

The MuiCache write is the shell caching the binary's resource language and is routine. The BootExecute write deserves a second look because that value is a classic boot-time persistence location, but the value written here is the Windows default (autocheck autochk *), so the installer re-asserted the stock autochk entry rather than adding a program of its own. A BootExecute detection rule should alert when the REG_MULTI_SZ contains anything beyond that default, not on every write to the value.
Executable files: 110
Suspicious files: 108
Text files: 56
Unknown types: 0

Dropped files

The counts above cover every dropped file; the list below is the ten entries shown in the report summary, in the report's order.

PID 2024  privax_vpn_online_setup.exe  C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\615f8bd0-5a42-41ec-b27d-d21238b4db12  [binary]
  MD5: 0B765CE1FA27B0C8DCE395E930528728
  SHA256: ED15073CA2DF9AE4459CADBDE4EBED2C174D511C488E6BEA4AFBD24FC265C942
PID 1216  icarus.exe  C:\ProgramData\Privax\Icarus\Logs\report.log  [type and hashes not recorded]
PID 2024  privax_vpn_online_setup.exe  C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\icarus_ui.exe  [executable]
  MD5: A395459323B849D254CA40F6066B3C79
  SHA256: 3ECBD3A0A24F070DBA91585B9B1393B260595B92B4234AE2D737BF09FA2A7E46
PID 2024  privax_vpn_online_setup.exe  C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\icarus.exe  [executable]
  MD5: 110C28E8AA3461F02B1F64B901C59C14
  SHA256: C2086E30C5ED9B870081BF7A45F011F9B10F1680F291F7C4F531B77029BC4EED
PID 2024  privax_vpn_online_setup.exe  C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\581c1dff-2e62-4ed9-bf56-a4423c734940  [binary]
  MD5: FF0957E9F030B581AFF68B6B8E521F5D
  SHA256: A585DAEF706AF131571E2B92BA3720FE6EE49459914F66FE9C63F0BA5C64D6DA
PID 2024  privax_vpn_online_setup.exe  C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\dump_process.exe  [executable]
  MD5: 82FFD1B2C312764D6AD2E25197FA1819
  SHA256: 8441BF488836A3C77C28C02592B48507CFA4D7D784A7E602DD9CFED0BEE6F706
PID 2024  privax_vpn_online_setup.exe  C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\bug_report.exe  [executable]
  MD5: E2EF9FE6A7345AB364B59171562288EB
  SHA256: 406313D79120C0C76B427EEC6CD7FCD14DD19382C83745972FD71D4AFE0379E2
PID 2024  privax_vpn_online_setup.exe  C:\ProgramData\Privax\Icarus\Logs\sfx.log  [text]
  MD5: ECAA88F7FA0BF610A5A26CF545DCD3AA
  SHA256: F1945CD6C19E56B3C1C78943EF5EC18116907A4CA1EFC40A57D48AB1DB7ADFC5
PID 2024  privax_vpn_online_setup.exe  C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\e8d0a377-fabc-496b-9659-599823c5c3b2  [binary]
  MD5: CF1BF2B301CDDFF0A04F43735097BCC8
  SHA256: 058C7B67A375B6D4F769C5B1563D2145DA25F2E0D4FCB407A838C6448E79A24B
PID 2024  privax_vpn_online_setup.exe  C:\Windows\Temp\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809\common\product-info.xml  [xml]
  MD5: DAAE9A6F3DFA78A7E24FDFE26E4486CA
  SHA256: 86FFE202C65872512823386041F71843410559529917C94AE48DDBBDC138687F

The dropped common\icarus.exe (MD5 110C28E8AA3461F02B1F64B901C59C14) is the image later executed as PID 1216, and common\icarus_ui.exe (MD5 A395459323B849D254CA40F6066B3C79) is PID 1936. Those two hashes, not the outer self-extractor's hash, are the ones to pivot on for the observed behaviour; the privax-vpn\icarus.exe image run as PID 2300 is not among the ten entries shown here.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 0
TCP/UDP connections: 18
DNS requests: 24
Threats: 0

HTTP requests

No HTTP requests

Connections

PID  | Process                     | IP:port             | Domain                 | ASN                   | CN | Reputation
-    | -                           | 192.168.100.255:137 | -                      | -                     | -  | unknown
2024 | privax_vpn_online_setup.exe | 34.117.223.223:443  | analytics.ff.avast.com | GOOGLE-CLOUD-PLATFORM | US | unknown
2024 | privax_vpn_online_setup.exe | 2.18.161.23:443     | honzik.avcdn.net       | AKAMAI-AS             | DE | unknown
1216 | icarus.exe                  | 34.117.223.223:443  | analytics.ff.avast.com | GOOGLE-CLOUD-PLATFORM | US | unknown
1216 | icarus.exe                  | 34.160.176.28:443   | shepherd.ff.avast.com  | GOOGLE                | US | unknown
1216 | icarus.exe                  | 2.18.161.23:443     | honzik.avcdn.net       | AKAMAI-AS             | DE | unknown
2300 | icarus.exe                  | 23.53.233.33:443    | honzik.avcdn.net       | AKAMAI-AS             | DE | unknown
2300 | icarus.exe                  | 2.18.161.23:443     | honzik.avcdn.net       | AKAMAI-AS             | DE | unknown

The first row is a NetBIOS name-service broadcast (port 137) to the sandbox subnet with no process attributed. The remaining rows are all port 443 to hosts under avast.com and the Akamai-hosted avcdn.net, with no HTTP(S) content captured, which is consistent with TLS to those hosts. The summary counts 18 TCP/UDP connections, so this table is the report's de-duplicated excerpt rather than the full connection log.

DNS requests

Domain                 | Resolved IPs                                                                   | Reputation
analytics.ff.avast.com | 34.117.223.223                                                                 | whitelisted
honzik.avcdn.net       | 2.18.161.23, 2a02:26f0:3500:595::240d, 2a02:26f0:3500:59a::240d, 23.53.233.33 | unknown
shepherd.ff.avast.com  | 34.160.176.28                                                                  | whitelisted

Threats

No threats detected
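The process, registry and network tables above translate directly into triage rules. The following added example (not code from ANY.RUN, Privax or the original page) encodes four of them over events constructed from those tables: execution from a temp directory, the MEDIUM-to-HIGH integrity relaunch (exit code 3221226540 is NTSTATUS 0xC000042C, STATUS_ELEVATION_REQUIRED), a BootExecute write whose value differs from the Windows default, and connections outside a vendor allowlist. The Sysmon-like field names, the avast.com/avcdn.net allowlist and the extra BootExecute entry marked HYPOTHETICAL (PID 9999, updater.exe) are assumptions of the example; the report's own BootExecute write equals the default and correctly produces no finding.

```python
"""Triage rules over the behaviours in the report above (added example, not
ANY.RUN's or Privax's code).  All events below are CONSTRUCTED from the
report's process, registry and network tables; the Sysmon-like field names
are an assumption, and the REG_WRITES entry marked HYPOTHETICAL is invented
to show the BootExecute rule firing."""

NTSTATUS_NAMES = {0xC000042C: "STATUS_ELEVATION_REQUIRED"}
BOOTEXECUTE_DEFAULT = ["autocheck autochk *"]       # stock Windows value
VENDOR_SUFFIXES = (".avast.com", ".avcdn.net")       # assumed allowlist

ASW = "C:\\Windows\\Temp\\asw-d73a74b3-ad25-4776-a1d3-e48b6dcc2809"
USER_TMP = "C:\\Users\\admin\\AppData\\Local\\Temp"
PROCS = [  # ppid None = spawned by explorer.exe
    {"pid": 2036, "image": USER_TMP + "\\privax_vpn_online_setup.exe", "ppid": None,
     "integrity": "Medium", "exit": 3221226540},
    {"pid": 2024, "image": USER_TMP + "\\privax_vpn_online_setup.exe", "ppid": None,
     "integrity": "High", "exit": 0},
    {"pid": 1216, "image": ASW + "\\common\\icarus.exe", "ppid": 2024, "integrity": "High", "exit": 0},
    {"pid": 1936, "image": ASW + "\\common\\icarus_ui.exe", "ppid": 1216, "integrity": "High", "exit": 0},
    {"pid": 2300, "image": ASW + "\\privax-vpn\\icarus.exe", "ppid": 1216, "integrity": "High", "exit": 0},
]
SESSION_MANAGER = "HKLM\\SYSTEM\\ControlSet001\\Control\\Session Manager"
REG_WRITES = [
    {"pid": 2300, "key": SESSION_MANAGER, "name": "BootExecute",
     "value": ["autocheck autochk *"]},                          # from the report
    {"pid": 9999, "key": SESSION_MANAGER, "name": "BootExecute",
     "value": ["autocheck autochk *", "updater.exe"]},           # HYPOTHETICAL
]
NET = [  # domain None = no DNS answer (here the NetBIOS broadcast with no PID)
    {"pid": 2024, "dst": "34.117.223.223:443", "domain": "analytics.ff.avast.com"},
    {"pid": 1216, "dst": "34.160.176.28:443", "domain": "shepherd.ff.avast.com"},
    {"pid": 2300, "dst": "2.18.161.23:443", "domain": "honzik.avcdn.net"},
    {"pid": None, "dst": "192.168.100.255:137", "domain": None},
]


def ntstatus_name(exit_code):
    """Map a process exit code back to an NTSTATUS name (0xC... = error)."""
    return NTSTATUS_NAMES.get(exit_code & 0xFFFFFFFF)


def exec_from_temp(procs):
    """(pid, location) for images running out of a system or user temp dir."""
    out = []
    for p in procs:
        img = p["image"].lower()
        if "\\windows\\temp\\" in img:
            out.append((p["pid"], "system temp"))
        elif "\\appdata\\local\\temp\\" in img:
            out.append((p["pid"], "user temp"))
    return out


def elevation_retries(procs):
    """(medium_pid, high_pid): same image, same parent, relaunched at High
    integrity after a Medium launch died with STATUS_ELEVATION_REQUIRED."""
    failed = [p for p in procs if p["integrity"] == "Medium"
              and ntstatus_name(p["exit"]) == "STATUS_ELEVATION_REQUIRED"]
    return [(f["pid"], p["pid"]) for f in failed for p in procs
            if p["image"] == f["image"] and p["integrity"] == "High"
            and p["ppid"] == f["ppid"]]


def bootexecute_tampered(reg_writes):
    """BootExecute writes whose REG_MULTI_SZ differs from the Windows default."""
    return [(w["pid"], w["value"]) for w in reg_writes
            if w["name"].lower() == "bootexecute" and w["value"] != BOOTEXECUTE_DEFAULT]


def unexpected_destinations(net, suffixes=VENDOR_SUFFIXES):
    """Connections not covered by the vendor allowlist, plus unresolved ones."""
    out = []
    for c in net:
        if c["domain"] is None:
            out.append((c["pid"], c["dst"], "no domain (broadcast/unresolved)"))
        elif not c["domain"].endswith(suffixes):
            out.append((c["pid"], c["dst"], f"{c['domain']} not allowlisted"))
    return out


def triage(procs=PROCS, reg_writes=REG_WRITES, net=NET):
    """Severity-tagged findings; only the hypothetical BootExecute entry is high."""
    findings = [("info", "exec-from-temp", x) for x in exec_from_temp(procs)]
    findings += [("info", "uac-elevation", x) for x in elevation_retries(procs)]
    findings += [("high", "bootexecute-tampered", x) for x in bootexecute_tampered(reg_writes)]
    findings += [("low", "unexpected-destination", x) for x in unexpected_destinations(net)]
    return findings


if __name__ == "__main__":
    for severity, rule, detail in triage():
        print(f"{severity:5} {rule:24} {detail}")
```

On the report's own events the rules yield only informational findings plus the unattributed port-137 broadcast; the single high-severity hit comes from the invented BootExecute entry, which is the shape a real boot-time persistence write would take. Swap the constructed lists for parsed Sysmon or EDR telemetry to apply the same logic to a live host.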
No debug info