Edit tour

Windows Analysis Report
setup-avast-premium-x64.exe

Overview

General Information

Sample name:	setup-avast-premium-x64.exe
Analysis ID:	1585136
MD5:	e099255ea4aa8eb41e26e5d94737fc26
SHA1:	2c13d842e788e6c981b2fae65834b1220d55f5a8
SHA256:	89b9f7499d59d0d308f5ad02cd6fddd55b368190c37f6c5413c4cfcd343eeff3
Tags:	exefunklockerfunksecransomwareuser-TheRavenFile
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Bypasses PowerShell execution policy

Creates files in the recycle bin to hide itself

Disables Windows Defender (via service or powershell)

Loading BitLocker PowerShell Module

Modifies Windows Defender protection settings

Sigma detected: Disable of ETW Trace

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Suspicious Eventlog Clear or Configuration Change

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Drops PE files

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

setup-avast-premium-x64.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\setup-avast-premium-x64.exe" MD5: E099255EA4AA8EB41E26E5D94737FC26)

conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 7488 cmdline: "net" session MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 7504 cmdline: C:\Windows\system32\net1 session MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

tasklist.exe (PID: 7520 cmdline: "tasklist" /fi "IMAGENAME eq vmware" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

powershell.exe (PID: 7552 cmdline: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true" MD5: 04029E121A0CFA5991749937DD22A1D9)

WmiPrvSE.exe (PID: 7988 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 7568 cmdline: "powershell" -Command "wevtutil sl Security /e:false" MD5: 04029E121A0CFA5991749937DD22A1D9)

wevtutil.exe (PID: 7936 cmdline: "C:\Windows\system32\wevtutil.exe" sl Security /e:false MD5: 1AAE26BD68B911D0420626A27070EB8D)

powershell.exe (PID: 7588 cmdline: "powershell" -Command "wevtutil sl Application /e:false" MD5: 04029E121A0CFA5991749937DD22A1D9)

wevtutil.exe (PID: 7944 cmdline: "C:\Windows\system32\wevtutil.exe" sl Application /e:false MD5: 1AAE26BD68B911D0420626A27070EB8D)

powershell.exe (PID: 7612 cmdline: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force" MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Sigma Signatures

System Summary

Sigma detected: Disable of ETW Trace

Source: Process started

Author: @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community: Data: Command: "powershell" -Command "wevtutil sl Security /e:false", CommandLine: "powershell" -Command "wevtutil sl Security /e:false", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\setup-avast-premium-x64.exe", ParentImage: C:\Users\user\Desktop\setup-avast-premium-x64.exe, ParentProcessId: 7420, ParentProcessName: setup-avast-premium-x64.exe, ProcessCommandLine: "powershell" -Command "wevtutil sl Security /e:false", ProcessId: 7568, ProcessName: powershell.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\setup-avast-premium-x64.exe", ParentImage: C:\Users\user\Desktop\setup-avast-premium-x64.exe, ParentProcessId: 7420, ParentProcessName: setup-avast-premium-x64.exe, ProcessCommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", ProcessId: 7552, ProcessName: powershell.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Sigma detected: Suspicious Eventlog Clear or Configuration Change

Source: Process started

Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105: Data: Command: "C:\Windows\system32\wevtutil.exe" sl Security /e:false, CommandLine: "C:\Windows\system32\wevtutil.exe" sl Security /e:false, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wevtutil.exe, NewProcessName: C:\Windows\System32\wevtutil.exe, OriginalFileName: C:\Windows\System32\wevtutil.exe, ParentCommandLine: "powershell" -Command "wevtutil sl Security /e:false", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7568, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\wevtutil.exe" sl Security /e:false, ProcessId: 7936, ProcessName: wevtutil.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", CommandLine: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\setup-avast-premium-x64.exe", ParentImage: C:\Users\user\Desktop\setup-avast-premium-x64.exe, ParentProcessId: 7420, ParentProcessName: setup-avast-premium-x64.exe, ProcessCommandLine: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", ProcessId: 7612, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\setup-avast-premium-x64.exe", ParentImage: C:\Users\user\Desktop\setup-avast-premium-x64.exe, ParentProcessId: 7420, ParentProcessName: setup-avast-premium-x64.exe, ProcessCommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", ProcessId: 7552, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown

HTTPS traffic detected: 199.232.192.193:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: setup-avast-premium-x64.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: dev.pdbw source: setup-avast-premium-x64.exe, Dmj5T5AvOD.exe.0.dr
Source:	Binary string: dev.pdb source: setup-avast-premium-x64.exe, Dmj5T5AvOD.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: setup-avast-premium-x64.exe, 00000000.00000003.1920242400.0000020B12CD9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: setup-avast-premium-x64.exe, 00000000.00000003.1920242400.0000020B12CD9000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.4:52532 -> 162.159.36.2:53

Source: global traffic

HTTP traffic detected: GET /HCYQoVR.jpeg HTTP/1.1accept: */*host: i.imgur.com

Source: Joe Sandbox View

IP Address: 199.232.192.193 199.232.192.193

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /HCYQoVR.jpeg HTTP/1.1accept: */*host: i.imgur.com

Source: global traffic

DNS traffic detected: DNS query: i.imgur.com

Source: setup-avast-premium-x64.exe, 00000000.00000003.1920242400.0000020B12CD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: setup-avast-premium-x64.exe, 00000000.00000003.1948652886.0000020B129EE000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B1295B000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1948652886.0000020B12A22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B1295B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: setup-avast-premium-x64.exe, 00000000.00000003.1948652886.0000020B12A22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: setup-avast-premium-x64.exe, 00000000.00000003.1948652886.0000020B12A22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: setup-avast-premium-x64.exe, 00000000.00000003.1948652886.0000020B129EE000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B1295B000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1948652886.0000020B12A22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: setup-avast-premium-x64.exe, 00000000.00000003.1948652886.0000020B129EE000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B1295B000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1948652886.0000020B12A22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: setup-avast-premium-x64.exe, 00000000.00000003.1948652886.0000020B12A22000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B12990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B12A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: setup-avast-premium-x64.exe, 00000000.00000003.1892390944.0000020B12CE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://g.live.com/0CR%1/30
Source: Dmj5T5AvOD.exe.0.dr	String found in binary or memory: http://ns.adobe.
Source: powershell.exe, 00000008.00000002.1809700620.000001BCD7905000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1791484832.000001BCC9205000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: setup-avast-premium-x64.exe, 00000000.00000003.1892390944.0000020B12CE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://oe.msn.msnmail.hotmail.com/cgi-bin/hmdata
Source: powershell.exe, 00000008.00000002.1791484832.000001BCC7AB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1818135399.000001BCDFB5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1791484832.000001BCC7AB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1791484832.000001BCC863D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000008.00000002.1791484832.000001BCC7891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.1791484832.000001BCC7AB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1791484832.000001BCC863D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.1791484832.000001BCC7AB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1818135399.000001BCDFB5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: powershell.exe, 00000008.00000002.1791484832.000001BCC7891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.1791484832.000001BCC89C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000008.00000002.1791484832.000001BCC8EBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com/v4
Source: setup-avast-premium-x64.exe, 00000000.00000003.1943876392.0000020B12558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.147.37?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B
Source: setup-avast-premium-x64.exe, 00000000.00000003.1943876392.0000020B12558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B
Source: powershell.exe, 00000008.00000002.1791484832.000001BCC9205000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.1791484832.000001BCC9205000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.1791484832.000001BCC9205000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: setup-avast-premium-x64.exe, Dmj5T5AvOD.exe.0.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: setup-avast-premium-x64.exe, 00000000.00000003.1948652886.0000020B129CE000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B12A05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B129B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B12A05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B129E6000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B12A2B000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1948652886.0000020B129CE000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B12A4A000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B12A37000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B12A05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B12A05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: setup-avast-premium-x64.exe, Dmj5T5AvOD.exe.0.dr	String found in binary or memory: https://getsession.org/
Source: powershell.exe, 00000008.00000002.1791484832.000001BCC7AB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1818135399.000001BCDFB5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.1791484832.000001BCC8EBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: Dmj5T5AvOD.exe.0.dr	String found in binary or memory: https://i.imgur.com/HCYQoVR.jpeg
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/common
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1892390944.0000020B12CE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://m-vnext.sqlazurelabs.com/
Source: setup-avast-premium-x64.exe, 00000000.00000003.1920242400.0000020B12CD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: powershell.exe, 00000008.00000002.1809700620.000001BCD7905000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1791484832.000001BCC9205000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: setup-avast-premium-x64.exe, 00000000.00000003.1948652886.0000020B129CE000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B12A05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B129B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: setup-avast-premium-x64.exe, 00000000.00000003.1920242400.0000020B12CD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
Source: setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx
Source: setup-avast-premium-x64.exe, Dmj5T5AvOD.exe.0.dr	String found in binary or memory: https://www.blockchain.com/)
Source: setup-avast-premium-x64.exe, Dmj5T5AvOD.exe.0.dr	String found in binary or memory: https://www.coinbase.com/)
Source: setup-avast-premium-x64.exe, Dmj5T5AvOD.exe.0.dr	String found in binary or memory: https://www.torproject.org/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 199.232.192.193:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: setup-avast-premium-x64.exe, 00000000.00000003.1920242400.0000020B12CD9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_5641f97b-1

Source: C:\Windows\System32\wevtutil.exe

Process token adjusted: Security

Jump to behavior

Source: setup-avast-premium-x64.exe, 00000000.00000003.1920242400.0000020B130CD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameIntegrator.exeB vs setup-avast-premium-x64.exe

Source: Dmj5T5AvOD.exe.0.dr	Binary string: Failed to open \Device\Afd\Mio: X
Source: Dmj5T5AvOD.exe.0.dr	Binary string: 0\Device\Afd\Mio

Source: setup-avast-premium-x64.exe, 00000000.00000003.1892390944.0000020B12CE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft.Vbe.Interop.VBProjectClass
Source: setup-avast-premium-x64.exe, 00000000.00000003.1892390944.0000020B12CE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft.Vbe.Interop.VBProjectsClass

Source: classification engine

Classification label: mal76.evad.winEXE@21/157@1/1

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

File created: C:\Users\user\Desktop\README-UjVyOM6MOO.md

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nxjnhxgd.zrj.ps1

Jump to behavior

Source: setup-avast-premium-x64.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: setup-avast-premium-x64.exe, 00000000.00000003.1920242400.0000020B12CD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: setup-avast-premium-x64.exe, 00000000.00000003.1881240156.0000020B12D08000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1881240156.0000020B12CD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE SchemaVersions(schema_id INTEGER PRIMARY KEY NOT NULL, SchemaVersion INTEGER NOT NULL, GitSHA1 TEXT NOT NULL , UNIQUE (SchemaVersion, GitSHA1));
Source: setup-avast-premium-x64.exe, 00000000.00000003.1920242400.0000020B12CD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: setup-avast-premium-x64.exe, 00000000.00000003.1920242400.0000020B12CD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: setup-avast-premium-x64.exe, 00000000.00000003.1920242400.0000020B12CD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: setup-avast-premium-x64.exe

String found in binary or memory: /load_hpack; header malformed -- pseudo not at head of block

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

File read: C:\Users\user\Desktop\setup-avast-premium-x64.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\setup-avast-premium-x64.exe "C:\Users\user\Desktop\setup-avast-premium-x64.exe"
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\net.exe "net" session
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\net.exe "net" session	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false	Jump to behavior

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Windows\System32\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: setup-avast-premium-x64.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: setup-avast-premium-x64.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: setup-avast-premium-x64.exe

Static file information: File size 5485056 > 1048576

Source: setup-avast-premium-x64.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x37c600
Source: setup-avast-premium-x64.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x18bc00

Source: setup-avast-premium-x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: setup-avast-premium-x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: setup-avast-premium-x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: setup-avast-premium-x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: setup-avast-premium-x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: setup-avast-premium-x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: setup-avast-premium-x64.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: setup-avast-premium-x64.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: dev.pdbw source: setup-avast-premium-x64.exe, Dmj5T5AvOD.exe.0.dr
Source:	Binary string: dev.pdb source: setup-avast-premium-x64.exe, Dmj5T5AvOD.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: setup-avast-premium-x64.exe, 00000000.00000003.1920242400.0000020B12CD9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: setup-avast-premium-x64.exe, 00000000.00000003.1920242400.0000020B12CD9000.00000004.00000020.00020000.00000000.sdmp

Source: setup-avast-premium-x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: setup-avast-premium-x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: setup-avast-premium-x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: setup-avast-premium-x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: setup-avast-premium-x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B770C06 pushad ; retf	8_2_00007FFD9B770C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B770B8D pushad ; retf	8_2_00007FFD9B770C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B7700BD pushad ; iretd	8_2_00007FFD9B7700C1

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

File created: C:\Users\user\Desktop\Dmj5T5AvOD.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Creates files in the recycle bin to hide itself

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

File created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.funksec

Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8981	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 404	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1448	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1431	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6448	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 495	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7796	Thread sleep count: 8981 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7960	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7748	Thread sleep count: 404 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7792	Thread sleep count: 1448 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800	Thread sleep count: 1431 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7804	Thread sleep count: 6448 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820	Thread sleep count: 495 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7964	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7896	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior

Source: setup-avast-premium-x64.exe, 00000000.00000003.1881240156.0000020B12D08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: elwKk1x5+9NJD0oC1Sm0PchOiV+3spsDahFOwVMcIA7E=/
Source: tasklist.exe, 00000004.00000002.1717843770.0000024EF8165000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'A
Source: tasklist.exe, 00000004.00000003.1717379731.0000024EF8018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE');
Source: tasklist.exe, 00000004.00000002.1717813453.0000024EF801A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IMAGENAME eq vmware
Source: setup-avast-premium-x64.exe, 00000000.00000003.1943876392.0000020B12558000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 08:56:22.600][MicrosoftEdgeUpdate:msedgeupdate][3356:4472][Send][url=https://msedge.api.cdp.microsoft.com/api/v1.1/contents/Browser/namespaces/Default/names/msedgeupdate-stable-win-x86/versions/latest?action=select][request={"targetingAttributes":{"AppAp":"","AppBrandCode":"INBX","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"1","AppRollout":0.96,"AppTargetVersionPrefix":"","AppVersion":"1.3.147.37","ExpETag":"\"VPQoP1F+fq15wRzh1kPL4PMpWh8ORMB5izvrOC/chjQ=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"core","IsInternalUser":false,"IsMachine":true,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.147.37"}}][filename=]
Source: setup-avast-premium-x64.exe, 00000000.00000000.1706742637.00007FF62C0AE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: *Set-MpPreference -DisableRealtimeMonitoring $truewevtutil sl Security /e:falsewevtutil sl Application /e:falsevboxserviceqemuhypervvmwaretasklist/fiIMAGENAME eq LB
Source: tasklist.exe, 00000004.00000002.1717787103.0000024EF800B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: , ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'0P
Source: Dmj5T5AvOD.exe.0.dr	Binary or memory string: *Set-MpPreference -DisableRealtimeMonitoring $truewevtutil sl Security /e:falsewevtutil sl Application /e:falsevboxserviceqemuhypervvmwaretasklist/fiIMAGENAME eq LB8@
Source: setup-avast-premium-x64.exe, 00000000.00000003.1881240156.0000020B12D08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eeKcxqaYUpQemuF/g4XeY+/GN/5r9nu6fcwnr/bvuY4c=/
Source: Dmj5T5AvOD.exe.0.dr	Binary or memory string: Set-MpPreference -DisableRealtimeMonitoring $truewevtutil sl Security /e:falsewevtutil sl Application /e:falsevboxserviceqemuhypervvmwaretasklist/fiIMAGENAME eq
Source: setup-avast-premium-x64.exe, 00000000.00000003.1943876392.0000020B12558000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 08:56:35.318][MicrosoftEdgeUpdate:msedgeupdate][4092:4100][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.147.37?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appBrandCode_stable=INBX&appChannel_stable=4&appConsentState_stable=0&appDayOfInstall_stable=0&appInstallTimeDiffSec_stable=0&appLastLaunchTime_stable=0&appUpdateCheckIsUpdateDisabled_stable=false&appVersion_stable=92.0.902.67&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osPlatform=win&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=core&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.147.37][request=][filename=]
Source: setup-avast-premium-x64.exe, 00000000.00000003.1881240156.0000020B12D08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: enHfHDfN6bsbeT8o/5kyYSl66SsuWvyQeMuXDlHbQfqo=/
Source: setup-avast-premium-x64.exe, 00000000.00000003.1943876392.0000020B12558000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:05:10.568][MicrosoftEdgeUpdate:msedgeupdate][4796:8636][Send][url=https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates][request=[{"Product":"msedgewebview-stable-win-x64","targetingAttributes":{"AppAp":"","AppBrandCode":"","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"","AppRollout":0.63,"AppTargetVersionPrefix":"","AppVersion":"","ExpETag":"\"VPQoP1F+fq15wRzh1kPL4PMpWh8ORMB5izvrOC/chjQ=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"otherinstallcmd","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":10,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}}]][filename=]
Source: setup-avast-premium-x64.exe, 00000000.00000003.1881240156.0000020B12D08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ePXA5AScIvMCImrQWnUlK4F/6o1LRBi5HHuZNpAnWxvI=/
Source: tasklist.exe, 00000004.00000002.1717813453.0000024EF801A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE');
Source: tasklist.exe, 00000004.00000002.1717754296.0000024EF7FE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "tasklist" /fi "IMAGENAME eq vmware"
Source: setup-avast-premium-x64.exe, 00000000.00000003.1965568622.0000020B10C77000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000002.1967760210.0000020B10C77000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1964677788.0000020B10C77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tasklist.exe, 00000004.00000002.1717813453.0000024EF801A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasklist/fiIMAGENAME eq vmware
Source: tasklist.exe, 00000004.00000002.1717754296.0000024EF7FE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq vmware"C:\Windows\system32\tasklist.exeWinsta0\Default2f
Source: setup-avast-premium-x64.exe, 00000000.00000003.1881240156.0000020B12D08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lwKk1x5+9NJD0oC1Sm0PchOiV+3spsDahFOwVMcIA7E=!
Source: setup-avast-premium-x64.exe, 00000000.00000003.1943876392.0000020B12558000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:11:26.031][MicrosoftEdgeUpdate:msedgeupdate][6164:6168][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appBrandCode_edgeupdate=INBX&appBrandCode_webview=GGLS&appChannel_edgeupdate=6&appChannel_webview=5&appCohort_edgeupdate=rrf@0.24&appCohort_webview=rrf@0.75&appConsentState_edgeupdate=0&appConsentState_webview=0&appDayOfInstall_edgeupdate=0&appDayOfInstall_webview=6118&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeApplied_webview=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeCleared_webview=0&appInactivityBadgeDuration_edgeupdate=0&appInactivityBadgeDuration_webview=0&appInstallTimeDiffSec_edgeupdate=0&appInstallTimeDiffSec_webview=0&appIsPinnedSystem_edgeupdate=false&appIsPinnedSystem_webview=false&appLastLaunchCount_edgeupdate=0&appLastLaunchCount_webview=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appLastLaunchTime_webview=0&appLastLaunchTimeJson_webview=0&appLastLaunchTimeDaysAgo_webview=0&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdateCheckIsUpdateDisabled_webview=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_webview=false&appVersion_edgeupdate=1.3.177.11&appVersion_webview=117.0.2045.47&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=scheduler&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.177.11][request=][filename=]
Source: setup-avast-premium-x64.exe, 00000000.00000003.1881240156.0000020B12D08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PXA5AScIvMCImrQWnUlK4F/6o1LRBi5HHuZNpAnWxvI=+
Source: tasklist.exe, 00000004.00000002.1717813453.0000024EF802B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE' Files (x86
Source: setup-avast-premium-x64.exe, 00000000.00000003.1943876392.0000020B12558000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:06:04.175][MicrosoftEdgeUpdate:msedgeupdate][8536:732][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appChannel_webview=5&appConsentState_webview=0&appDayOfInstall_webview=-1&appInactivityBadgeApplied_webview=0&appInactivityBadgeCleared_webview=0&appInactivityBadgeDuration_webview=0&appInstallTimeDiffSec_webview=-86400&appIsPinnedSystem_webview=false&appLastLaunchCount_webview=0&appLastLaunchTime_webview=0&appLastLaunchTimeJson_webview=0&appLastLaunchTimeDaysAgo_webview=0&appVersion_webview=117.0.2045.47&appUpdateCheckIsUpdateDisabled_webview=false&appUpdatesAllowedForMeteredNetworks_webview=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.177.11][request=][filename=]
Source: setup-avast-premium-x64.exe, 00000000.00000003.1881240156.0000020B12D08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nHfHDfN6bsbeT8o/5kyYSl66SsuWvyQeMuXDlHbQfqo=9
Source: setup-avast-premium-x64.exe, 00000000.00000003.1943876392.0000020B12558000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:05:09.866][MicrosoftEdgeUpdate:msedgeupdate][1336:8952][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appChannel_edgeupdate=6&appConsentState_edgeupdate=0&appDayOfInstall_edgeupdate=0&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeDuration_edgeupdate=0&appInstallTimeDiffSec_edgeupdate=0&appIsPinnedSystem_edgeupdate=false&appLastLaunchCount_edgeupdate=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appVersion_edgeupdate=1.3.177.11&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.177.11][request=][filename=]
Source: tasklist.exe, 00000004.00000002.1717813453.0000024EF801A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'J!
Source: tasklist.exe, 00000004.00000002.1717843770.0000024EF8160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasklist/fiIMAGENAME eq vmwareuser\
Source: setup-avast-premium-x64.exe, 00000000.00000003.1881240156.0000020B12D08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A8eXZTvg7YGvCcJUzyxbHGFSKXp/UmDdgVxDyBqqswI=e*1
Source: tasklist.exe, 00000004.00000002.1717754296.0000024EF7FE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "tasklist" /fi "IMAGENAME eq vmware"vf
Source: setup-avast-premium-x64.exe, 00000000.00000003.1943876392.0000020B12558000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:10:48.035][MicrosoftEdgeUpdate:msedgeupdate][4220:5516][Send][url=https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates][request=[{"Product":"msedgeupdate-stable-win-x86","targetingAttributes":{"AppAp":"","AppBrandCode":"INBX","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"1","AppRollout":0.72,"AppTargetVersionPrefix":"","AppVersion":"1.3.177.11","ExpETag":"\"qWJSzWwPfdcLR+XGIv6xrZfiYOxhPU2s1NWmjWcaFPg=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}},{"Product":"msedge-stable-win-x64","targetingAttributes":{"AppAp":"","AppBrandCode":"INBX","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"92","AppRollout":0.65,"AppTargetVersionPrefix":"","AppVersion":"92.0.902.67","ExpETag":"\"qWJSzWwPfdcLR+XGIv6xrZfiYOxhPU2s1NWmjWcaFPg=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}},{"Product":"msedgewebview-stable-win-x64","targetingAttributes":{"AppAp":"","AppBrandCode":"GGLS","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"117","AppRollout":0.6,"AppTargetVersionPrefix":"","AppVersion":"117.0.2045.47","ExpETag":"\"qWJSzWwPfdcLR+XGIv6xrZfiYOxhPU2s1NWmjWcaFPg=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}}]][filename=]
Source: setup-avast-premium-x64.exe, 00000000.00000003.1881240156.0000020B12D08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eKcxqaYUpQemuF/g4XeY+/GN/5r9nu6fcwnr/bvuY4c=A
Source: tasklist.exe, 00000004.00000003.1717379731.0000024EF802B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE' Files (x86ff
Source: setup-avast-premium-x64.exe, 00000000.00000003.1881240156.0000020B12D08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eA8eXZTvg7YGvCcJUzyxbHGFSKXp/UmDdgVxDyBqqswI=/

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"

Disables Windows Defender (via service or powershell)

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"			Jump to behavior

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"			Jump to behavior

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\net.exe "net" session	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false	Jump to behavior

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$WinREAgent VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$WinREAgent\Scratch VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\AppV VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\AppV\Setup VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.1.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.1.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.1.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\ShortcutBackups VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\MasterDescriptor.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\MasterDescriptor.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\MasterDescriptor.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\s321033.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\s321033.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.dat.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.dat.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.man.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.man.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.man.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\operations.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\operations.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\operations.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\VirtualRegistry.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\VirtualRegistry.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\VirtualRegistry.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\i320.c2rx.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\i320.c2rx.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\MasterDescriptor.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\MasterDescriptor.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\MasterDescriptor.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\s320.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\s320.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.dat.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.dat.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.man.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\UserData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Access.Access.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.accessmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.accessmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.accessmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.lyncmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.lyncmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.lyncmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64mui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64mui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64mui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64ww.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64ww.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64ww.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.outlookmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.outlookmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.outlookmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.publishermui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.publishermui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\DSS VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\Keys VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\PCPKSP VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\PCPKSP\WindowsAIK VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\RSA VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\SystemKeys VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\SystemKeys\4fbf593b24f129e7d8c9fc84ba6a1ac3_9e146be9-c76a-4720-bcdb-53011b87bd06 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\settings.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\settings.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\sync.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\sync.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\wmp.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\wmp.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_pref.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_queue.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_settings.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\DeviceSync VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\CustomTraceProfiles VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\TELEMETRY.ASM-WINDOWSSQ.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\TELEMETRY.ASM-WINDOWSSQ.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\TELEMETRY.ASM-WINDOWSSQ.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-7005b72804a64fa4b2138faab88f877b-14cf798a-05a4-4b7b-9d02-4d99259ebd4a-7553.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-7005b72804a64fa4b2138faab88f877b-14cf798a-05a4-4b7b-9d02-4d99259ebd4a-7553.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-7005b72804a64fa4b2138faab88f877b-14cf798a-05a4-4b7b-9d02-4d99259ebd4a-7553.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-d5a8f02229be41efb047bd8f883ba799-59258264-451c-4459-8c09-75d7d721219a-7112.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-d5a8f02229be41efb047bd8f883ba799-59258264-451c-4459-8c09-75d7d721219a-7112.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-d5a8f02229be41efb047bd8f883ba799-59258264-451c-4459-8c09-75d7d721219a-7112.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.allow.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.allow.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\Autologger VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ScenarioShutdownLogger VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\EventTranscript VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\FeedbackHub VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\LocalTraceStore VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\osver.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\osver.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\osver.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\parse.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\parse.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\parse.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\Siufloc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\SoftLanding VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_alternativeTrace VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_aot VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_diag VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_miniTrace VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\TimeTravelDebuggingStorage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_57_25.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_59_39.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_59_39.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_4_9_46_43.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_4_9_46_43.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\DRM\Server VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\EdgeUpdate VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\INT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\MF\Active.GRL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\MF\Active.GRL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\MF\Pending.GRL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Connections VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Office VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Office\ClickToRunPackageLocker VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Provisioning VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Provisioning\AssetCache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Search\Data VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

Code function: 0_2_00007FF62C09B7B8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF62C09B7B8

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Disable or Modify Tools	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	1 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	21 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	14 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
setup-avast-premium-x64.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\Dmj5T5AvOD.exe	3%	ReversingLabs

Source	Detection	Scanner	Label
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	0%	Avira URL Cloud	safe
https://getsession.org/	0%	Avira URL Cloud	safe
http://ns.adobe.	0%	Avira URL Cloud	safe
http://oe.msn.msnmail.hotmail.com/cgi-bin/hmdata	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipv4.imgur.map.fastly.net	199.232.192.193	true	false		high
i.imgur.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://g.live.com/0CR%1/30	setup-avast-premium-x64.exe, 00000000.00000003.1892390944.0000020B12CE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000008.00000002.1791484832.000001BCC9205000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceQuery.srf	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.rs/getrandom#nodejs-es-module-support	setup-avast-premium-x64.exe, Dmj5T5AvOD.exe.0.dr	false		high
https://g.live.com/odclientsettings/ProdV2.C:	setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B129E6000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B12A2B000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1948652886.0000020B129CE000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B12A4A000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B12A37000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B12A05000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.torproject.org/	setup-avast-premium-x64.exe, Dmj5T5AvOD.exe.0.dr	false		high
http://oe.msn.msnmail.hotmail.com/cgi-bin/hmdata	setup-avast-premium-x64.exe, 00000000.00000003.1892390944.0000020B12CE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/ppsecure/ResolveUser.srf	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/MSARST2.srf	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod.C:	setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B129B5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2	setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B12A05000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000008.00000002.1791484832.000001BCC9205000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000008.00000002.1809700620.000001BCD7905000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1791484832.000001BCC9205000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/devicechangecredential.srf	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/InlineSignup.aspx?iww=1&id=80502	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000008.00000002.1791484832.000001BCC7891000.00000004.00000800.00020000.00000000.sdmp	false		high
https://signup.live.com/signup.aspx	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	setup-avast-premium-x64.exe, 00000000.00000003.1948652886.0000020B129CE000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B12A05000.00000004.00000020.00020000.00000000.sdmp	false		high
https://getsession.org/	setup-avast-premium-x64.exe, Dmj5T5AvOD.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000008.00000002.1809700620.000001BCD7905000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1791484832.000001BCC9205000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000008.00000002.1791484832.000001BCC89C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.1791484832.000001BCC7AB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1818135399.000001BCDFB5E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000008.00000002.1791484832.000001BCC7AB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1791484832.000001BCC863D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.1791484832.000001BCC7AB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1818135399.000001BCDFB5E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000008.00000002.1791484832.000001BCC8EBD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.live.com/msangcwam	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000008.00000002.1791484832.000001BCC9205000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelpX	powershell.exe, 00000008.00000002.1791484832.000001BCC8EBD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i.imgur.com/HCYQoVR.jpeg	Dmj5T5AvOD.exe.0.dr	false		high
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.1791484832.000001BCC7AB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1818135399.000001BCDFB5E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/Wizard/Password/Change?id=80601	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80601	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.coinbase.com/)	setup-avast-premium-x64.exe, Dmj5T5AvOD.exe.0.dr	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80600	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	setup-avast-premium-x64.exe, 00000000.00000003.1945477299.0000020B12A05000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000008.00000002.1791484832.000001BCC7AB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1791484832.000001BCC863D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	setup-avast-premium-x64.exe, 00000000.00000003.1920242400.0000020B12CD9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000008.00000002.1791484832.000001BCC7891000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ns.adobe.	Dmj5T5AvOD.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://account.live.com/inlinesignup.aspx?iww=1&id=80605	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80603	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80604	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.blockchain.com/)	setup-avast-premium-x64.exe, Dmj5T5AvOD.exe.0.dr	false		high
https://login.microsoftonline.com/common	setup-avast-premium-x64.exe, 00000000.00000003.1942073636.0000020B12AE0000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.232.192.193	ipv4.imgur.map.fastly.net	United States		54113	FASTLYUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585136
Start date and time:	2025-01-07 06:06:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setup-avast-premium-x64.exe
Detection:	MAL
Classification:	mal76.evad.winEXE@21/157@1/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7612 because it is empty
Execution Graph export aborted for target setup-avast-premium-x64.exe, PID 7420 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: setup-avast-premium-x64.exe

Simulations

Behavior and APIs

Time	Type	Description
00:07:22	API Interceptor	35x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
199.232.192.193	https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253	Get hash	malicious	KnowBe4	Browse
	https://pwv95gp5r-xn--r3h9jdud-xn----c1a2cj-xn----p1ai.translate.goog/sIQKSvTC/b8KvU/uoTt6?ZFhObGNpNXBiblp2YkhabGJXVnVkRUJ6YjNWMGFHVnliblJ5ZFhOMExtaHpZMjVwTG01bGRBPT06c1JsOUE+&_x_tr_sch=http&_x_tr_sl=hrLWHGLm&_x_tr_tl=bTtllyql	Get hash	malicious	HTMLPhisher	Browse
	https://covid19.protected-forms.com/XQTNkY0hwMkttOEdiZmZ0V2RRTHpDdDNqUTROanhES0NBYmdFOG1KTGRSTUtrK3VMMzlEN1JKVVFXNUxaNGJOQmd1YzQ3ajJMeVdZUDU3TytRbGtIaFhWRkxnT0lkeTZhdy9xWEhjeFBoRXRTb2hxdjlVbi9iSk1qZytLQ0JxRjd4UmpOS3VUQ2lpOEZneTRoVmpzY2dyekR1WlhYOWVteVcrUXg0a2Y2aEU2ZEZwMVNId3R0U01RK3N3PT0tLVR0bDl1WEFUelg3K2VzTystLUxaMkFrZnU0UmJXRkR3aE5NRE9BOEE9PQ==?cid=2351432832	Get hash	malicious	KnowBe4	Browse
	https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188	Get hash	malicious	KnowBe4	Browse
	https://en.newsnowbangla.com/archives/69912	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse
	https://gmail.net-login.com/Xb1Rnb3pKRC9CUEdpbldIVTREbHhIK1Vza1NvaWlrblBIbkN4aUdCZUt0Y2NlSGJiWmZ2d0M1dTB5dEpRbnRoVDdBVkFTcEJqWGowNVZycWJNWHlIUHlLOG1qS0FvemVPSXpFRFhGcUhmaVU1ekQwMklrVmM0QjVpNmhLaDdoY1I4UlhMcFo1TTJaSFhtaWpiWWFqWGZ5WEg4TnBiOUl4MDI1RFMyWStQRFoyNFo5UFZNUUpmWXBtaUg0Y0FjUG1jejdSVnFVOXJQL2VzdmNLM1lEaWtmRkZnZEk2Vi0tVHFIeU0vOWxTN01YVEtXbS0tTTh5Skh1eEtsc0xTT0J5Rzg2Q2ZJQT09?cid=2330416057%3EOpen	Get hash	malicious	KnowBe4	Browse
	https://www.asda.com@hnvs.xyz/asda-christmas-prizes	Get hash	malicious	Unknown	Browse
	Ball - Temp.data for GCMs.doc	Get hash	malicious	HTMLPhisher	Browse
	https://mail.donotreply.biz/XWW04VVZpU2JyWTFmVy96T2RUOUEvcEhyMWhFSm5uZElnVUlmb2dTZEdMRFdGSU1UV2V3S3RUNGdrNmNQRFJ4WTFPRHdYYlkraDV3S1YyVVpuU3E3K2p1bWowcEt3M24ySVBLanRDUkwyYitYWExuYTB5YlhVTUhySWZKbGJCTE9oRHl2RCtjR29BbEk3ZEwxZFJaNmNoK29ESk0vTGcxSmtyK0FWTExLWTdxYlQ1Yys1bjNiTUczY0RnPT0tLTU2R0pFM1VwZFRnVndZSWktLXptU2lWOHlQdjR0eGI1K09OQVZtRnc9PQ==?cid=2315575162	Get hash	malicious	KnowBe4	Browse
	https://mail.donotreply.biz/XWW04VVZpU2JyWTFmVy96T2RUOUEvcEhyMWhFSm5uZElnVUlmb2dTZEdMRFdGSU1UV2V3S3RUNGdrNmNQRFJ4WTFPRHdYYlkraDV3S1YyVVpuU3E3K2p1bWowcEt3M24ySVBLanRDUkwyYitYWExuYTB5YlhVTUhySWZKbGJCTE9oRHl2RCtjR29BbEk3ZEwxZFJaNmNoK29ESk0vTGcxSmtyK0FWTExLWTdxYlQ1Yys1bjNiTUczY0RnPT0tLTU2R0pFM1VwZFRnVndZSWktLXptU2lWOHlQdjR0eGI1K09OQVZtRnc9PQ==?cid=2315575162	Get hash	malicious	KnowBe4	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipv4.imgur.map.fastly.net	https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253	Get hash	malicious	KnowBe4	Browse	199.232.192.193
	https://pwv95gp5r-xn--r3h9jdud-xn----c1a2cj-xn----p1ai.translate.goog/sIQKSvTC/b8KvU/uoTt6?ZFhObGNpNXBiblp2YkhabGJXVnVkRUJ6YjNWMGFHVnliblJ5ZFhOMExtaHpZMjVwTG01bGRBPT06c1JsOUE+&_x_tr_sch=http&_x_tr_sl=hrLWHGLm&_x_tr_tl=bTtllyql	Get hash	malicious	HTMLPhisher	Browse	199.232.192.193
	https://covid19.protected-forms.com/XQTNkY0hwMkttOEdiZmZ0V2RRTHpDdDNqUTROanhES0NBYmdFOG1KTGRSTUtrK3VMMzlEN1JKVVFXNUxaNGJOQmd1YzQ3ajJMeVdZUDU3TytRbGtIaFhWRkxnT0lkeTZhdy9xWEhjeFBoRXRTb2hxdjlVbi9iSk1qZytLQ0JxRjd4UmpOS3VUQ2lpOEZneTRoVmpzY2dyekR1WlhYOWVteVcrUXg0a2Y2aEU2ZEZwMVNId3R0U01RK3N3PT0tLVR0bDl1WEFUelg3K2VzTystLUxaMkFrZnU0UmJXRkR3aE5NRE9BOEE9PQ==?cid=2351432832	Get hash	malicious	KnowBe4	Browse	199.232.192.193
	https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188	Get hash	malicious	KnowBe4	Browse	199.232.192.193
	https://en.newsnowbangla.com/archives/69912	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	199.232.192.193
	https://gmail.net-login.com/Xb1Rnb3pKRC9CUEdpbldIVTREbHhIK1Vza1NvaWlrblBIbkN4aUdCZUt0Y2NlSGJiWmZ2d0M1dTB5dEpRbnRoVDdBVkFTcEJqWGowNVZycWJNWHlIUHlLOG1qS0FvemVPSXpFRFhGcUhmaVU1ekQwMklrVmM0QjVpNmhLaDdoY1I4UlhMcFo1TTJaSFhtaWpiWWFqWGZ5WEg4TnBiOUl4MDI1RFMyWStQRFoyNFo5UFZNUUpmWXBtaUg0Y0FjUG1jejdSVnFVOXJQL2VzdmNLM1lEaWtmRkZnZEk2Vi0tVHFIeU0vOWxTN01YVEtXbS0tTTh5Skh1eEtsc0xTT0J5Rzg2Q2ZJQT09?cid=2330416057%3EOpen	Get hash	malicious	KnowBe4	Browse	199.232.196.193
	https://www.asda.com@hnvs.xyz/asda-christmas-prizes	Get hash	malicious	Unknown	Browse	199.232.196.193
	Ball - Temp.data for GCMs.doc	Get hash	malicious	HTMLPhisher	Browse	199.232.196.193
	Ball - Temp.data for GCMs.doc	Get hash	malicious	HTMLPhisher	Browse	199.232.192.193
	https://mail.donotreply.biz/XWW04VVZpU2JyWTFmVy96T2RUOUEvcEhyMWhFSm5uZElnVUlmb2dTZEdMRFdGSU1UV2V3S3RUNGdrNmNQRFJ4WTFPRHdYYlkraDV3S1YyVVpuU3E3K2p1bWowcEt3M24ySVBLanRDUkwyYitYWExuYTB5YlhVTUhySWZKbGJCTE9oRHl2RCtjR29BbEk3ZEwxZFJaNmNoK29ESk0vTGcxSmtyK0FWTExLWTdxYlQ1Yys1bjNiTUczY0RnPT0tLTU2R0pFM1VwZFRnVndZSWktLXptU2lWOHlQdjR0eGI1K09OQVZtRnc9PQ==?cid=2315575162	Get hash	malicious	KnowBe4	Browse	199.232.192.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	https://u896278.ct.sendgrid.net/ls/click?upn=u001.qpi-2F0q-2FpcJZ7AGoG9N-2BrxLxoGn8scq-2BedBfmGHFAiwRCk-2Fciku7nsS3YfQMNNJI09mLo_nYx4-2F6dkZkjW10KMIp5mXhxys1ng1sBiI-2Bi9ROMYt6d5xhIh5rIqEUIaIxVHh8-2Ftz-2FouCgfXZk6mMUe2uKm92SOgBLlBdhjnRJuhENZnIuGoEoPqnROi7OCzdabJBBnGjEwd2iK-2BngR2RyIIgM3XrJQ7wQhHrfqScifSW3iAsv3H5nGFK9ntcSdChvkxj0yXdE-2FQ0ICDszl57i6aZSB-2Fow-3D-3D	Get hash	malicious	Unknown	Browse	151.101.192.176
	https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253	Get hash	malicious	KnowBe4	Browse	199.232.196.193
	https://bs32c.golfercaps.com/vfd23ced/#sean@virtualintelligencebriefing.com	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	https://app.saner.ai/shared/notes/7353e5ae-dd5f-410b-92c3-210c9e88052a	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	https://u43161309.ct.sendgrid.net/ls/click?upn=u001.L9-2FCbhkaoUACh7As3yZ8i4iABGphfl-2FJgS6Xiu1aw6I-3DgXpA_qO4VbBWAKg4gLfGs-2BfuSyZki3gKzG4I1DrYN15Q8fD7JV1twLeLo1AFs1GBSG3ZgA22dFJdXJloKc56aXDeV3olJKTBJd8NprednZ2LeXdX-2BkcSQE-2F2FRwgBng5RbUCLfjS8-2FI3mrpwyYu9lRatIB62qUwPSax-2Fhh2c7R-2B7pT3Kos0wK0SEJGj4ZMkgOGYhEniKYT7Kn7jN25xFz2sFdtPlVQkIdCFKwDNWmq-2BrAxerZE2GuKgfkuf3l1UY4J42sOOltybAAVyLhV-2BXfmbuQpN4NpshXRIuhta8ho3ChcTA5NtgjludQThyLtwhGns-2ByLqSbpO1Bhhc-2FCgdgP-2BAOxYrGHvKHjVYRr6-2BiryADxfM-3D	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	Vernales Restaurant-encrypted.pdf	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	ZipThis.exe	Get hash	malicious	Unknown	Browse	151.101.65.229
	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956235d3ed2bb80da1204238e412cdfe561cf1e7cff409a79a97da8a2d431ccef9065ebae57f03416d61f0971abb897fde199a21f0da5d9085251df31eb6747d99920190103a51a045e3e309308fa5f3a1ca3&action_type=SIGN	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	http://click.pstmrk.it	Get hash	malicious	Unknown	Browse	151.101.1.140
	https://www.figma.com/design/Sw6t5vElBVmnrFNiteka8B/Untitled-(Copy)?node-id=0-1&p=f&t=x9aFU3FgLH1rkKBK-0	Get hash	malicious	Unknown	Browse	199.232.188.157

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	ZipThis.exe	Get hash	malicious	Unknown	Browse	199.232.192.193
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	199.232.192.193
	https://sendbot.me/mousse-w0fysl7	Get hash	malicious	Unknown	Browse	199.232.192.193
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	199.232.192.193
	anrek.mp4.hta	Get hash	malicious	LummaC Stealer	Browse	199.232.192.193
	title.mp4.hta	Get hash	malicious	LummaC, PureLog Stealer, zgRAT	Browse	199.232.192.193
	Agent381.msi	Get hash	malicious	Unknown	Browse	199.232.192.193
	Setup.exe	Get hash	malicious	Unknown	Browse	199.232.192.193
	Setup.exe	Get hash	malicious	Unknown	Browse	199.232.192.193
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	199.232.192.193

Process:	C:\Users\user\Desktop\setup-avast-premium-x64.exe
File Type:	PGP Secret Sub-key -
Category:	dropped
Size (bytes):	249
Entropy (8bit):	7.0987861569226345
Encrypted:	false
SSDEEP:	6:+KObTr6A4AEOya6PlBY5N4NMWKKrewBDOJypd7c3bt7a9dPEEOjv2:1O/mdVNlCz4GWx1hOJqO3bgH8EOz2
MD5:	AD4B7DFD8F9D8C8BE140E360F8297150
SHA1:	9EBB2F242932DD1A13038F4B6663A5019DC24596
SHA-256:	2E7DE416F3162B9E3F45C04FA98C0858E022A7A107FB04DF88B5C823A559348D
SHA-512:	136A340B3330FE1E6AB96D615A508CAF2EA247F2C993CE69607BD6E1B6E4A4537CFB66A499925E2E37831F53BAD6AE2B1831F63F2FF553CFCBE7352804BC2C0E
Malicious:	true
Preview:	.A.......>..h\.....>.f...3^.....!R..!........8.~..k..G&.@.?.o..qiq..TN'....$I.........o1.K..a.TE.J,.....a...j.TM....Q..:=...4....@...X.....!^S......5.d.N..MnX.Z3w.+...M..s...pB.b....-t.V..F.t.........Y..Z..........BF&.:..`.JT.3..ih.2.

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulbnolz:NllUc
MD5:	F23953D4A58E404FCB67ADD0C45EB27A
SHA1:	2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256:	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512:	B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious:	false
Preview:	@...e................................................@..........

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.239621597157414
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	setup-avast-premium-x64.exe
File size:	5'485'056 bytes
MD5:	e099255ea4aa8eb41e26e5d94737fc26
SHA1:	2c13d842e788e6c981b2fae65834b1220d55f5a8
SHA256:	89b9f7499d59d0d308f5ad02cd6fddd55b368190c37f6c5413c4cfcd343eeff3
SHA512:	45963f430cdde2c63cb4ed8660fd76ed193ae0bd4ea4012654e459f0c2e761d4eb724dcba810d4d1144e78a03e752ea53880884dee956ebf1a81f2b6eab35766
SSDEEP:	49152:gNrjLXqz4aEXEMvTR4CY6C74bC6xxXjWe/l+XYq7p4BFt277t19sJpoc74P8TKWQ:dMvTRdxAG5/TuIx5f3
TLSH:	3E462922BB5A99ADC49AC0B083564B72697134CB0B35B9FF44C446783E6DAF42F3C758
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........<...o...o...o...o...o.G.n...o.G.n...o.G.n...o.G.n...ok..n...o...o...o...o...o/G.n...oRich...o........PE..d.....{g.........."

Entrypoint:	0x14036b55c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x677B011F [Sun Jan 5 22:01:03 2025 UTC]
TLS Callbacks:	0x40352510, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	de46efa2ebc1886f978c8fb5ad471f48

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x508374	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x53e000	0x968	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x50e000	0x28d28	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x537000	0x614c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x477a90	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x477b00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x477950	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x37e000	0x660	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x37c44f	0x37c600	3cdde8ad736cadc7039e4157f0c0fe4c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x37e000	0x18bb00	0x18bc00	335d454e8d9a0d332e3231970c7ea839	False	0.26264781072331017	DIY-Thermocam raw data (Lepton 2.x), scale 10757-14400, spot sensor temperature 0.000000, unit celsius, color scheme 7, calibration: offset 512.000000, slope 3250994570218613914771524346183680.000000	5.394928298151681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x50a000	0x3310	0x3200	e60990d6d7b6eb8bba2215cafa78a1ff	False	0.1609375	data	2.37717939628913	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x50e000	0x28d28	0x28e00	4f7f16fc2ad7661ce5aa9b4bbc34086d	False	0.49999402714067276	data	6.413335908883142	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x537000	0x614c	0x6200	e39eed23d057020af7ca276a61a11d9d	False	0.4321986607142857	data	5.452874903711012	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x53e000	0x968	0xa00	2c3807f0c8a9080031e0919bb5c31f1a	False	0.316015625	data	2.9436328937029965	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x53e0ac	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors			0.33212996389891697
RT_GROUP_ICON	0x53e954	0x14	data			1.15

DLL	Import
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
bcryptprimitives.dll	ProcessPrng
kernel32.dll	GetOverlappedResult, ReadFile, SetFileCompletionNotificationModes, Sleep, GetModuleHandleA, GetCurrentThreadId, FreeEnvironmentStringsW, DeleteProcThreadAttributeList, CompareStringOrdinal, GetLastError, AddVectoredExceptionHandler, SetThreadStackGuarantee, GetCurrentThread, SwitchToThread, PostQueuedCompletionStatus, SetWaitableTimer, WaitForSingleObject, QueryPerformanceCounter, GetSystemInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetLastError, GetCurrentDirectoryW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetQueuedCompletionStatusEx, GetCommandLineW, SetFileInformationByHandle, SetFilePointerEx, CreateIoCompletionPort, IsProcessorFeaturePresent, GetStdHandle, GetCurrentProcessId, WriteFileEx, SleepEx, GetExitCodeProcess, GetModuleHandleW, QueryPerformanceFrequency, GetProcAddress, HeapFree, HeapReAlloc, ReleaseMutex, FindNextFileW, FindClose, CreateFileW, GetFileInformationByHandle, GetFileInformationByHandleEx, FindFirstFileW, DeleteFileW, GetFinalPathNameByHandleW, CopyFileExW, CreateEventW, CancelIo, GetConsoleMode, FormatMessageW, GetModuleFileNameW, ExitProcess, CreateNamedPipeW, ReadFileEx, WaitForMultipleObjects, GetFullPathNameW, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, CreateThread, GetProcessHeap, HeapAlloc, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, SetHandleInformation, GetSystemTimeAsFileTime, InitializeSListHead, lstrlenW, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, DuplicateHandle, CreateWaitableTimerExW
ws2_32.dll	send, recv, shutdown, ioctlsocket, connect, bind, WSASocketW, getsockname, getpeername, getsockopt, setsockopt, WSAIoctl, WSAGetLastError, WSAStartup, WSACleanup, getaddrinfo, closesocket, WSASend, freeaddrinfo
user32.dll	SystemParametersInfoW
shell32.dll	SHGetKnownFolderPath
ole32.dll	CoTaskMemFree
advapi32.dll	RegOpenKeyExW, RegCloseKey, RegQueryValueExW, SystemFunction036
secur32.dll	AcquireCredentialsHandleA, DeleteSecurityContext, DecryptMessage, QueryContextAttributesW, FreeContextBuffer, AcceptSecurityContext, InitializeSecurityContextW, ApplyControlToken, EncryptMessage, FreeCredentialsHandle
crypt32.dll	CertDuplicateCertificateContext, CertVerifyCertificateChainPolicy, CertFreeCertificateContext, CertFreeCertificateChain, CertDuplicateCertificateChain, CertEnumCertificatesInStore, CertAddCertificateContextToStore, CertDuplicateStore, CertGetCertificateChain, CertCloseStore, CertOpenStore
ntdll.dll	NtCancelIoFileEx, NtCreateFile, NtReadFile, NtDeviceIoControlFile, RtlNtStatusToDosError, NtWriteFile
bcrypt.dll	BCryptGenRandom
VCRUNTIME140.dll	memcmp, __current_exception_context, memmove, __current_exception, memset, __CxxFrameHandler3, memcpy, _CxxThrowException, __C_specific_handler
api-ms-win-crt-math-l1-1-0.dll	roundf, pow, round, exp2f, truncf, ceil, powf, __setusermatherr
api-ms-win-crt-runtime-l1-1-0.dll	_crt_atexit, _initialize_narrow_environment, _get_initial_narrow_environment, _configure_narrow_argv, _set_app_type, _initterm, _initterm_e, _register_onexit_function, terminate, _initialize_onexit_table, exit, _exit, _seh_filter_exe, __p___argc, __p___argv, _cexit, _c_exit, _register_thread_local_exe_atexit_callback
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll	free, _set_new_mode

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 06:07:28.970623970 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:28.970673084 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:28.970742941 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:28.981736898 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:28.981751919 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.533725977 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.533842087 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:29.539329052 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:29.539359093 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.539633989 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.665486097 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:29.711334944 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.766741037 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.767080069 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.767112017 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.767139912 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:29.767152071 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.767175913 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.767194033 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:29.767726898 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.767759085 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.767776012 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:29.767790079 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.767827034 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:29.768186092 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.768254042 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.768282890 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.768285036 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:29.768295050 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.768325090 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:29.780710936 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.847471952 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:29.853492022 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.853646994 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.853682995 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.853691101 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:29.853724003 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.853765965 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:29.853775024 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.854305029 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.854338884 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.854363918 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:29.854401112 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.854440928 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:29.854444981 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.854458094 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.854499102 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:29.854506969 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.854533911 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:07:29.854579926 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:29.855751038 CET	49730	443	192.168.2.4	199.232.192.193
Jan 7, 2025 06:07:29.855783939 CET	443	49730	199.232.192.193	192.168.2.4
Jan 7, 2025 06:08:00.589387894 CET	52532	53	192.168.2.4	162.159.36.2
Jan 7, 2025 06:08:00.594719887 CET	53	52532	162.159.36.2	192.168.2.4
Jan 7, 2025 06:08:00.594816923 CET	52532	53	192.168.2.4	162.159.36.2
Jan 7, 2025 06:08:00.599687099 CET	53	52532	162.159.36.2	192.168.2.4
Jan 7, 2025 06:08:01.055195093 CET	52532	53	192.168.2.4	162.159.36.2
Jan 7, 2025 06:08:01.062843084 CET	53	52532	162.159.36.2	192.168.2.4
Jan 7, 2025 06:08:01.062922955 CET	52532	53	192.168.2.4	162.159.36.2

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 06:07:28.959347010 CET	59145	53	192.168.2.4	1.1.1.1
Jan 7, 2025 06:07:28.966667891 CET	53	59145	1.1.1.1	192.168.2.4
Jan 7, 2025 06:08:00.588577032 CET	53	63167	162.159.36.2	192.168.2.4
Jan 7, 2025 06:08:01.077204943 CET	53	58748	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2025-01-07 05:07:29 UTC	62	OUT	GET /HCYQoVR.jpeg HTTP/1.1 accept: / host: i.imgur.com
2025-01-07 05:07:29 UTC	762	IN	HTTP/1.1 200 OK Connection: close Content-Length: 28864 Content-Type: image/jpeg Last-Modified: Mon, 30 Dec 2024 19:23:51 GMT ETag: "70f83e99427ac54b92283eaecb69c5df" x-amz-server-side-encryption: AES256 X-Amz-Cf-Pop: IAD89-P1 X-Amz-Cf-Id: w1veLHWiaEcBL8caleHyCc4jlmIU2__N_q7NNoWzZBqTAalmsqn0vA== cache-control: public, max-age=31536000 Accept-Ranges: bytes Age: 591012 Date: Tue, 07 Jan 2025 05:07:29 GMT X-Served-By: cache-iad-kjyo7100042-IAD, cache-ewr-kewr1740028-EWR X-Cache: Miss from cloudfront, HIT, MISS X-Cache-Hits: 41, 0 X-Timer: S1736226450.712807,VS0,VE8 Strict-Transport-Security: max-age=300 Access-Control-Allow-Methods: GET, OPTIONS Access-Control-Allow-Origin: * Server: cat factory 1.0 X-Content-Type-Options: nosniff
2025-01-07 05:07:29 UTC	1371	IN	Data Raw: ff d8 ff db 00 43 00 02 01 01 01 01 01 02 01 01 01 02 02 02 02 02 04 03 02 02 02 02 05 04 04 03 04 06 05 06 06 06 05 06 06 06 07 09 08 06 07 09 07 06 06 08 0b 08 09 0a 0a 0a 0a 0a 06 08 0b 0c 0b 0a 0c 09 0a 0a 0a ff db 00 43 01 02 02 02 02 02 02 05 03 03 05 0a 07 06 07 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a ff c0 00 11 08 02 04 02 b8 03 01 22 00 02 11 01 03 11 01 ff c4 00 1d 00 01 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 08 09 06 07 0a 05 04 02 03 ff c4 00 49 10 00 01 03 02 05 03 03 02 03 06 03 06 03 05 09 00 00 02 03 04 05 06 01 07 08 09 12 0a 13 22 11 14 32 23 42 15 21 52 16 31 33 41 62 72 24 43 82 17 34 51 53 61 63 19 25 73 18 44 92 93 Data Ascii: CC"I"2#B!R13Abr$C4QSac%sD
2025-01-07 05:07:29 UTC	1371	IN	Data Raw: a2 55 8f 88 1a d4 13 43 74 ed 90 35 3f b4 3d bb 67 dc 3a 97 cd ac b0 ac 2a f7 9d 32 35 12 97 65 56 a7 c9 95 8a 62 b6 da 9e 79 69 97 06 3a 70 6d 3d e6 53 c9 2a 56 3c 9c 4f 89 0b c0 00 00 02 43 ed b5 b6 f6 7c ee 99 a8 c7 34 c7 a7 6a ed b1 4e ae 31 6f ca ad 3f 50 bb a6 c8 8f 09 a8 b1 d4 d3 6a e4 a8 f1 de 73 96 2a 79 b4 a7 c3 ee fb 4f bb 73 ad b0 f3 c3 6a 3c f6 a4 e9 e3 50 57 f5 95 5e af 56 2d 76 6b ed 2e c7 9f 32 4b 11 e2 bb 22 44 74 25 c5 4a 8b 1d 5d cc 55 19 cc 78 a5 2a f1 e3 e5 e4 04 6a 05 89 eb 17 a6 9b 5d 5a 19 d1 8d 63 5c 59 df 9b 19 4c 9b 62 87 06 9e fc da 3d 2a bd 54 76 a9 ca 64 88 f1 da 65 2d aa 9c 96 54 e2 5c 90 8e 5f 57 8a 78 ab c9 5c 7f 3a ec 00 00 00 00 00 01 23 76 d4 db 1b 53 5b a8 e7 a4 ac 86 d3 23 34 36 27 52 e8 8e 55 ab 35 ab a2 6b d1 a9 d4 Data Ascii: UCt5?=g:25eVbyi:pm=SV<OC\|4jN1o?PjsyOsj<PW^V-vk.2K"Dt%J]Uxj]Zc\YLb=*Tvde-T\_Wx\:#vS[#46'RU5k
2025-01-07 05:07:29 UTC	1371	IN	Data Raw: 1c 85 c7 5c 97 54 a7 1f e2 b7 b9 27 b9 8a 94 9e e7 1e 5c 78 a5 3c e6 6e 63 4c b6 e8 7b 8e 67 fd 0a cd 8c cc 7a 3c 3c ec ba d8 a4 b1 1b 0f 46 9b 8a 8a c4 a4 b4 94 7f 4e 09 c1 3e 80 62 1a 61 d3 bd fd ab 4d 43 d9 3a 67 ca e5 42 45 c1 7d dc 90 e8 b4 a7 aa 4e ad 11 a3 b9 21 c4 b7 de 7d 4d a5 6a 4b 2d f2 c5 6b 52 52 a5 71 4a b8 a5 58 f8 93 e3 39 3a 4e f7 44 ca 5c c6 b1 72 ae 9b 54 cb 4b c2 ab 7d 4c 94 dc 7f d9 4b 82 76 2d 52 22 c6 4b 4a 7e 74 e7 25 c1 8e 96 63 a3 bc d2 7d 53 dc 71 4a 71 29 4b 6a 52 92 93 cc e9 42 c8 c7 b3 8b 79 5b 32 e5 71 cf 48 f9 79 6d 56 6e 69 6d e2 9f 5e e6 18 46 f6 0d e1 ff 00 4e 2f 4f 65 5f e9 2c 53 aa ff 00 79 8d 45 e9 32 ef b4 f4 29 a4 6c c6 a9 d9 75 9a d5 b5 fb 41 7b dd b4 45 a9 8a 82 22 bc f3 8c c4 87 16 4a 55 ce 32 95 8c 77 dc 71 4d Data Ascii: \T'\x<ncL{gz<<FN>baMC:gBE}N!}MjK-kRRqJX9:ND\rTK}LKv-R"KJ~t%c}SqJq)KjRBy[2qHymVnim^FN/Oe_,SyE2)luA{E"JU2wqM
2025-01-07 05:07:29 UTC	1371	IN	Data Raw: 6a 90 69 c8 b3 99 b8 5f 7e b6 d4 a9 29 52 d2 ca 90 98 be db 15 25 2d b8 a5 60 99 0a e2 96 d5 f2 f4 3a 3f cc 9c ef a1 ec 9f b2 4d 12 f7 bb 29 0d d5 a6 65 26 52 d1 28 b1 29 98 f2 69 35 4a d7 b6 8f 0d a6 d5 c5 3c 92 87 25 2f 93 8a f9 25 3d c5 7f 23 99 0d 7f ef 65 b8 0e e6 76 13 79 55 aa dc c9 a4 54 ed a8 77 62 6e 1a 3d 16 95 6d 45 82 dd 3a 4a 63 bd 1d 2d b6 b6 93 dc 71 b4 b6 fb bf c6 5b 8a f2 f9 01 11 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 9c 76 09 d6 ae df 1a 01 d9 46 83 1f 30 f5 8d 93 b4 cb e9 e8 55 db b6 e0 b4 55 98 b4 b4 d5 1c 94 b7 9e c6 34 75 c5 ef 25 e5 4a 54 56 22 37 db e3 dc e5 c5 1f a4 e6 38 01 64 fd Data Ascii: ji_~)R%-`:?M)e&R()i5J<%/%=#evyUTwbn=mE:Jc-q[vF0UU4u%JTV"78d
2025-01-07 05:07:29 UTC	1371	IN	Data Raw: 4e b0 ab 7b 2f 5e af 52 e8 a8 a6 23 17 1c 5d 0e d3 6a 67 27 11 8a 98 4a 9c 71 ce db d2 5f 57 6d 2a 57 71 e5 76 f0 f8 a4 b7 bc dc db 47 a4 cb 55 d9 87 1f 51 94 7d 74 d8 56 0c 79 cf fb fa 8d a5 69 e7 55 22 8d 06 72 95 c5 6a 4b 90 66 a5 52 22 27 d3 fc b8 fe df 8f 25 78 a5 5f 10 9b fb 19 e4 9e dd b9 23 a6 ab 92 df db 42 35 52 af 64 33 79 3b 06 7e 63 d6 a4 f7 df bc 2a 11 d9 6d 2f 4a 6d de db 69 76 3b 6a 57 65 2b 69 b6 d9 52 9b 77 b6 9f de a5 51 66 50 6f 41 6f e9 c3 a8 df 32 37 02 bc 5d c2 ab 60 dc d7 95 6a da ad c9 a2 a3 17 dc 5d b7 dc 4c 58 52 98 f2 fa 8a 42 61 c0 79 5f bf 9a 5b 5a 52 9f 24 f1 9d 1b 99 75 04 6d fb a0 cd 11 bd b7 f6 cf 95 5a 55 56 b6 dd 09 da 0d 22 ad 69 a1 c5 d1 ad 58 af 60 ae f4 a6 e5 ab fd f6 62 bb 8b 52 54 da 9c 4f 79 6a 71 c7 31 52 78 39 Data Ascii: N{/^R#]jg'Jq_WmWqvGUQ}tVyiU"rjKfR"'%x_#B5Rd3y;~cm/Jmiv;jWe+iRwQfPoAo27]`j]LXRBay_[ZR$umZUV"iX`bRTOyjq1Rx9
2025-01-07 05:07:29 UTC	1371	IN	Data Raw: ae 5d bf 2f 15 25 5a 1f 79 7d 20 e9 df 41 1b 86 5e ba 43 d3 45 c1 75 d5 a8 36 5b 34 f6 24 54 af 2a 84 59 32 9e 9a f4 36 65 3b e8 a8 cc 32 df 6d 3d f4 b7 c7 b7 cb 93 6a 02 2a 03 d6 b3 2d 4b 8a fd bb 29 76 3d a1 4a 5c ea ad 6a a2 cc 0a 5c 26 d4 9c 15 22 43 ce 25 b6 db 4f 2f cb 92 94 a4 a7 ff 00 d4 ba 2d ed fa 73 f6 f1 da df 6f 4a 96 a5 ec 8c ee cd 29 f7 c2 ab 74 aa 35 bb 02 e6 b8 29 6b a7 4d 99 21 dc 14 fa 7b 4c d3 59 79 7e 91 5a 96 e2 52 97 30 c5 3d be 58 f2 c1 2a 4a 82 91 c0 00 00 00 01 b7 b4 1b a6 99 3a c9 d6 8e 57 69 71 9c 26 60 cd ef 7b d3 e9 55 47 e9 ee b6 db f1 e0 b9 21 3e ee 43 6a 71 2a 4f 26 e3 f7 9c f2 4a bf 87 f1 57 c4 b1 0e a2 2d 8f 34 17 b4 56 46 65 fd d1 90 19 b5 99 55 7b c6 f6 bb 1f 88 9a 5d ef 5d a6 c8 63 1a 64 58 aa 54 97 9b 6e 3c 18 ee 77 Data Ascii: ]/%Zy} A^CEu6[4$TY26e;2m=j-K)v=J\j\&"C%O/-soJ)t5)kM!{LYy~ZR0=XJ:Wiq&`{UG!>CjqO&JW-4VFeU{]]cdXTn<w
2025-01-07 05:07:29 UTC	1371	IN	Data Raw: 2e 1b b2 24 c9 75 2d 47 8e c3 78 ad c7 16 ac 70 4a 52 94 e1 f2 56 38 ff 00 20 3b 49 db 53 49 ba 1d db 0f 42 df b3 da 66 ce 56 2a 59 59 8b b3 2f 09 f9 91 71 dc d0 1f 62 63 2e b6 95 39 50 7a 7c 66 d9 8a a6 51 1d 86 d3 dd e2 94 a5 a6 53 c9 5e 3c 8a 67 b8 36 49 da ff 00 56 db ba 58 1a 7a d2 9e bc ee ec d4 a4 5d 96 dd cb 7d 67 75 e7 44 cc 4a 15 5e 64 37 12 e2 53 17 db 49 83 07 db b3 21 c9 8f 72 71 0e 25 c5 76 d4 95 27 06 fd 53 8a ac 3b 7c 39 8c ed f9 d3 a7 5e c8 eb 19 d6 a2 2e 15 81 6e 65 dd 31 0f 2b 97 26 56 a8 b0 e4 a7 d7 d7 c9 4a 86 89 3e 5f ab cb 1e 5f 99 05 ba 22 72 2a 2c fc cb cf 6d 4b d4 68 e9 c5 da 55 0e 93 6c 52 2a 38 e3 f9 f1 94 f3 d2 a5 b6 9c 3f fd a4 25 2b fb 93 fd 40 46 4e a8 2d 32 5b 3a 32 d4 3e 59 e9 d6 91 ac 5c f9 cd 99 c8 b2 5d ad cd 56 76 66 Data Ascii: .$u-GxpJRV8 ;ISIBfVYY/qbc.9Pz\|fQS^<g6IVXz]}guDJ^d7SI!rq%v'S;\|9^.ne1+&VJ>__"r,mKhUlR*8?%+@FN-2[:2>Y\]Vvf
2025-01-07 05:07:29 UTC	1371	IN	Data Raw: 61 ac 70 6d aa b5 d7 5b a7 fd fe 4a 6a 1c 27 3f a5 3e 35 04 ff 00 d7 fd 25 03 16 49 d5 6b 9e 92 73 9b 79 7b de db 4b 7f e1 32 f2 dd a3 db 10 1c e5 8e 3c d2 98 b8 4e 7b 1f 4c 70 f1 f4 91 3d f4 ff 00 a7 97 dc 56 d8 16 91 b2 c7 4d 4e 68 ee 5b 97 ec ea 87 3f b3 12 46 5c e5 1b b2 1d 45 2e 44 38 69 76 ab 70 25 95 29 2e b9 1b b9 f4 e3 47 4a 92 a4 fb 87 12 e7 aa 9b 52 52 da b0 f2 27 2c 6e 91 cd a7 75 0b 97 d7 0a 34 59 b8 6d e1 5c b8 68 92 9c a6 cc aa 35 74 d0 ae 1a 7d 36 a6 94 f9 47 96 c4 08 ac b8 da d3 f7 36 a7 92 a4 e0 a2 7f ee 31 52 d1 46 85 f6 95 7e c5 d4 5e 4c de 97 4e 46 db f6 ed 22 d7 ac db 99 65 50 5c 69 4a a6 f2 66 3b 3c 9e 6a 6c 37 3d ba 94 96 d0 e7 17 b0 ee 25 dc 52 a4 a9 2a 52 4a b2 b3 3a 92 b4 8d a5 ac 8d b9 72 bb 64 3d a6 eb b4 67 9b a5 c8 ab dc 15 Data Ascii: apm[Jj'?>5%Iksy{K2<N{Lp=VMNh[?F\E.D8ivp%).GJRR',nu4Ym\h5t}6G61RF~^LNF"eP\iJf;<jl7=%R*RJ:rd=g
2025-01-07 05:07:29 UTC	1371	IN	Data Raw: bf 61 1d 31 d6 f7 53 cd cd 00 ee 27 a9 e8 b4 69 59 65 2a 9a c5 9d 4b a1 dc b4 fa 54 eb e2 44 ce 33 22 e2 c3 13 52 f3 8f 36 a8 3e 8e 3d 1d 94 a9 c6 d5 21 b4 f7 3c 7c a4 bf 44 fe 99 73 56 8a f6 70 6a d6 bd 42 99 06 d0 ad 40 81 6e db f2 de 47 16 aa d2 9a 79 c7 a4 a9 bf 5f 92 59 fa 48 e5 87 8f 27 54 9f 92 55 c7 dc d3 f5 46 d3 d7 77 59 05 eb 99 36 cd 4a 3d 42 89 92 d6 dc bf 6c f4 54 7a a1 e7 a0 53 a3 d1 df c1 cc 71 f9 76 ea 13 de e2 a4 f1 fe 0b 7f 2f b8 2c 93 78 8c 9f d0 1e a4 b4 cd 0f 4b ba fe d6 2d 3f 27 2d 8b 92 b2 cc d8 72 5c bf a8 f4 09 15 65 41 52 55 8b 2d ae a8 db 8d ba db 6a 75 97 16 96 d3 c9 2a ed f9 27 d7 cb 9f 5d bb 3a 79 6e 2d cf 75 37 99 93 32 1b 34 5f b7 b4 ed 64 66 1d 46 8d 46 cc 7a c6 0d d4 66 d7 22 b3 25 58 30 98 b8 32 96 59 90 f2 a3 f6 5c 71 Data Ascii: a1S'iYeKTD3"R6>=!<\|DsVpjB@nGy_YH'TUFwY6J=BlTzSqv/,xK-?'-r\eARU-ju']:yn-u724_dfFFzf"%X02Y\q
2025-01-07 05:07:29 UTC	1371	IN	Data Raw: c9 c8 df 97 15 7d 4a 11 3a 0d e8 86 c8 d9 b1 ed 8c f8 d4 b5 42 0b 58 b1 36 7d 1a d9 a4 c8 f4 f3 4a 99 44 89 52 d3 fd b8 f7 e1 7f f0 ff 00 d0 09 31 d4 a1 92 1b 60 ea 3f 29 26 d6 f5 7f ad e5 5b 17 f6 4f 58 75 ca d5 8d 95 54 5c cc a2 d3 a6 d6 a6 48 8e 97 18 4a e0 cb 65 e9 0f 29 e7 22 32 d3 6a 6f 8f 8a 95 c4 83 f9 f9 d3 4d a1 8d 32 ec bf 27 70 2c e5 cd 7c d5 a5 e6 35 3f 27 29 f5 e9 b4 47 2b f4 b4 d2 d9 b8 a6 47 65 2c c1 52 30 a7 a9 cc 59 f7 92 5b 67 8e 0f 72 57 af f1 3e e2 21 ee 9d 54 8d b8 7f 51 6d d9 96 88 ac 49 f6 37 46 79 52 72 f1 87 b9 62 af 6e 88 f2 22 d1 56 a6 bf e0 9e e3 4e 38 9e 3f 2e 5c be e2 e2 fa c2 f3 8f fd 95 6d 39 4c ca 4a 2c 54 60 9b f3 32 69 54 97 9a 4e 3c 70 66 1c 56 64 4e f5 4f e5 fc 9d 89 19 3c 7f e0 a5 7e 90 2a 97 a7 4f 64 ac 8a dd ee b3 Data Ascii: }J:BX6}JDR1`?)&[OXuT\HJe)"2joM2'p,\|5?')G+Ge,R0Y[grW>!TQmI7FyRrbn"VN8?.\m9LJ,T`2iTN<pfVdNO<~*Od

Target ID:	0
Start time:	00:07:16
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\setup-avast-premium-x64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\setup-avast-premium-x64.exe"
Imagebase:	0x7ff62bd30000
File size:	5'485'056 bytes
MD5 hash:	E099255EA4AA8EB41E26E5D94737FC26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	00:07:17
Start date:	07/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist" /fi "IMAGENAME eq vmware"
Imagebase:	0x7ff6b4970000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	8
Start time:	00:07:18
Start date:	07/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	11
Start time:	00:07:24
Start date:	07/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup-avast-premium-x64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.funksec

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini.funksec

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini.funksec

C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.1.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\VirtualRegistry.dat.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\MasterDescriptor.en-us.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.db.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.man.dat.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\operations.db.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\MasterDescriptor.x-none.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.db.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.man.dat.funksec

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Access.Access.x-none.msi.16.x-none.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.funksec

Windows Analysis Report
setup-avast-premium-x64.exe

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre