File name: avast-free-antivirus-5-0-677-setup_av_free.exe

Full analysis: https://app.any.run/tasks/cc8fd748-6e3b-480b-90bc-540962bdad16
Verdict: Malicious activity
Analysis date: June 22, 2025, 11:15:56
OS: Windows 10 Professional (build: 19044, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: 1A05397E76846AEC154BA45936FA4455
SHA1: 132C517E506C3F190525C7045AF254D72D248433
SHA256: 9CFCF86B83376FEB8B1E9165FA244CB83D5D28ACEC1B00B6EBD8CAAB6B69E014
SSDEEP: 393216:mWuyhXQqfDZMwU5UEC6JbRxyP+hIb8c0Pag3PWHkQ2jqMKcuoYGhXlcap:EyhXQqZMwUjk+pc0PnWEQtMKpgp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • avast-free-antivirus-5-0-677-setup_av_free.exe (PID: 5480)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • avast-free-antivirus-5-0-677-setup_av_free.exe (PID: 3564)
    • Starts application with an unusual extension

      • avast-free-antivirus-5-0-677-setup_av_free.exe (PID: 3564)
  • INFO

    • Reads the computer name

      • avast-free-antivirus-5-0-677-setup_av_free.exe (PID: 3564)
    • Checks supported languages

      • avast-free-antivirus-5-0-677-setup_av_free.exe (PID: 3564)
    • Checks proxy server information

      • slui.exe (PID: 5456)
    • Reads the software policy settings

      • slui.exe (PID: 5456)
    • Create files in a temporary directory

      • avast-free-antivirus-5-0-677-setup_av_free.exe (PID: 3564)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:09:07 17:43:12+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 1056768
InitializedDataSize: 77824
UninitializedDataSize: 741376
EntryPoint: 0x1b7390
OSVersion: 5
ImageVersion: 5
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 5.0.677.0
ProductVersionNumber: 5.0.677.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription: AVAST Software Setup Engine
FileVersion: 5.0.677.0
InternalName: avast.setup
LegalCopyright: Copyright (c) 2010 AVAST Software
OriginalFileName: setup.exe
ProductName: AVAST Software Security
ProductVersion: 5.0.677.0
No data.
Total processes: 123
Monitored processes: 5
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Processes in the graph, from the start node: avast-free-antivirus-5-0-677-setup_av_free.exe; avast.setup (no specs); pcaui.exe (no specs); slui.exe; avast-free-antivirus-5-0-677-setup_av_free.exe (no specs)

Process information

PID: 3564
CMD: "C:\Users\admin\Desktop\avast-free-antivirus-5-0-677-setup_av_free.exe"
Path: C:\Users\admin\Desktop\avast-free-antivirus-5-0-677-setup_av_free.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: AVAST Software Setup Engine
Exit code: 0
Version: 5.0.677.0
Modules
Images
c:\users\admin\desktop\avast-free-antivirus-5-0-677-setup_av_free.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 3588
CMD: "C:\WINDOWS\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {712fa9dc-8b80-49ae-b426-1314c000c26e} -a "avast! Antivirus" -v "AVAST Software" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 2 -f 0 -k 0 -e "C:\Users\admin\AppData\Local\Temp\_av_sfx.tm~a05060\avast.setup"
Path: C:\Windows\System32\pcaui.exe
Parent process: avast.setup
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Program Compatibility Assistant User Interface
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\pcaui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll

PID: 5456
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 5480
CMD: "C:\Users\admin\Desktop\avast-free-antivirus-5-0-677-setup_av_free.exe"
Path: C:\Users\admin\Desktop\avast-free-antivirus-5-0-677-setup_av_free.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: AVAST Software Setup Engine
Exit code: 3221226540
Version: 5.0.677.0
Modules
Images
c:\users\admin\desktop\avast-free-antivirus-5-0-677-setup_av_free.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 6256
CMD: "C:\Users\admin\AppData\Local\Temp\_av_sfx.tm~a05060\avast.setup" /sfx /sfxstorage "C:\Users\admin\AppData\Local\Temp\_av_sfx.tm~a05060" /srcpath "C:\Users\admin\Desktop" /sfxname "setup_av_free"
Path: C:\Users\admin\AppData\Local\Temp\_av_sfx.tm~a05060\avast.setup
Parent process: avast-free-antivirus-5-0-677-setup_av_free.exe
User: admin
Company: AVAST Software
Integrity Level: HIGH
Description: avast! antivirus Update
Exit code: 0
Version: 5, 0, 0, 0
Modules
Images
c:\users\admin\appdata\local\temp\_av_sfx.tm~a05060\avast.setup
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\sechost.dll

Total events: 3 539
Read events: 3 539
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 4
Suspicious files: 53
Text files: 0
Unknown types: 0

Dropped files

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3564 | avast-free-antivirus-5-0-677-setup_av_free.exe | C:\Users\admin\AppData\Local\Temp\_av_sfx.tm~a05060\ais_dll_cze-1f3.vpx | binary | 176BDB106359E3220E1F3AB5B3288C3D | 6C6E0E611B500E14B6E2BCCD9F9F68056F86B65EC1634A1F5AB20F6E0D875982 |
| 3564 | avast-free-antivirus-5-0-677-setup_av_free.exe | C:\Users\admin\AppData\Local\Temp\_av_sfx.tm~a05060\avast.setup | executable | AEB21490315B3F93EAF87449CE4D61A2 | A09E91D08B27DA793E5ED72BFFF19AF55F1F862264044AF8C801E2A5BD9B4358 |
| 3564 | avast-free-antivirus-5-0-677-setup_av_free.exe | C:\Users\admin\AppData\Local\Temp\_av_sfx.tm~a05060\ais_dll_blg-fd.vpx | binary | 7ED6C273EF1AA3376E070813243D130B | 713B57AB8A6A8AB994C1D58C41C0D2A824E6CED51759D8584A90BEDBD0FF6D46 |
| 3564 | avast-free-antivirus-5-0-677-setup_av_free.exe | C:\Users\admin\AppData\Local\Temp\_av_sfx.tm~a05060\ais_core-21d.vpx | binary | 8DBA81A0007F43362836FBA040BA8AE3 | 6A119257586DF1906B41652A529335B18B1953548B7AFE4EA200397E9738D876 |
| 3564 | avast-free-antivirus-5-0-677-setup_av_free.exe | C:\Users\admin\AppData\Local\Temp\_av_sfx.tm~a05060\ais_dll_bel-62.vpx | binary | 8FA11347ECE807CAFE6A9AFFEAAA5BD6 | 85510F472432DBD8EEBA41DBB474E63ABA7F56BD23F27536CCE8FC256765E3AC |
| 3564 | avast-free-antivirus-5-0-677-setup_av_free.exe | C:\Users\admin\AppData\Local\Temp\_av_sfx.tm~a05060\ais_dll_cht-f6.vpx | binary | 236CF825F30C4E58A2ACDF129B8BBE0D | 897ACB2546F4611905B0272CCF7BE540062D8DD46DCBB41E61F1A1597196F3EF |
| 3564 | avast-free-antivirus-5-0-677-setup_av_free.exe | C:\Users\admin\AppData\Local\Temp\_av_sfx.tm~a05060\ais_dll_chs-1f4.vpx | binary | 567E638259D9864FF8FACD32871E5371 | 9B58F80CB8FDB8723E0E4DC95AB54DFFAF2FD6A577C9E97FF6E87473943FDD38 |
| 3564 | avast-free-antivirus-5-0-677-setup_av_free.exe | C:\Users\admin\AppData\Local\Temp\_av_sfx.tm~a05060\ais_dll_esp-1f1.vpx | binary | AEC803C32DBE8BF1E54124B7ACE197BA | E3B3F8CA41952A26E591A5945E014CC4AF8D349332E3F04DDE21503DB6EA91F1 |
| 3564 | avast-free-antivirus-5-0-677-setup_av_free.exe | C:\Users\admin\AppData\Local\Temp\_av_sfx.tm~a05060\ais_dll_eng-21f.vpx | binary | 769E8B894105ED0C98B4CB761619D87B | E5363A6737650FFECA513322AA52325AD47308BBF723B115CF3D6FA7916C638E |
| 3564 | avast-free-antivirus-5-0-677-setup_av_free.exe | C:\Users\admin\AppData\Local\Temp\_av_sfx.tm~a05060\ais_dll_dan-36.vpx | binary | 63C54687AF7F9B661D4856066B7FEBE6 | 27039702A3D1671C6951DE549711B314AC41A0BF7BC29E4D6578EF5345C082E9 |

HTTP(S) requests: 8
TCP/UDP connections: 22
DNS requests: 9
Threats: 0

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 5944 | MoUsoCoreWorker.exe | GET | 200 | 2.18.121.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted |
| 1268 | svchost.exe | GET | 200 | 2.18.121.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted |
| | | GET | 200 | 2.18.121.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted |
| 1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted |
| 5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted |
| | | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted |
| | | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
| | | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| | | 51.124.78.146:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 4 | System | 192.168.100.255:137 | | | | whitelisted |
| 4 | System | 192.168.100.255:138 | | | | whitelisted |
| 1268 | svchost.exe | 2.18.121.147:80 | crl.microsoft.com | AKAMAI-AS | FR | whitelisted |
| 5944 | MoUsoCoreWorker.exe | 2.18.121.147:80 | crl.microsoft.com | AKAMAI-AS | FR | whitelisted |
| | | 2.18.121.147:80 | crl.microsoft.com | AKAMAI-AS | FR | whitelisted |
| 1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
| 5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
| | | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
| | | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |

DNS requests

| Domain | IP | Reputation |
|---|---|---|
| google.com | 216.58.206.78 | whitelisted |
| crl.microsoft.com | 2.18.121.147, 2.18.121.139 | whitelisted |
| www.microsoft.com | 95.101.149.131 | whitelisted |
| settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59 | whitelisted |
| activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted |
| self.events.data.microsoft.com | 52.182.141.63 | whitelisted |

Threats

No threats detected
No debug info