Edit tour

Windows Analysis Report
setup-avast-premium-x64.exe

Overview

General Information

Sample name:	setup-avast-premium-x64.exe
Analysis ID:	1585136
MD5:	e099255ea4aa8eb41e26e5d94737fc26
SHA1:	2c13d842e788e6c981b2fae65834b1220d55f5a8
SHA256:	89b9f7499d59d0d308f5ad02cd6fddd55b368190c37f6c5413c4cfcd343eeff3
Tags:	exefunklockerfunksecransomwareuser-TheRavenFile
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Bypasses PowerShell execution policy

Creates files in the recycle bin to hide itself

Disables Windows Defender (via service or powershell)

Loading BitLocker PowerShell Module

Modifies Windows Defender protection settings

Sigma detected: Disable of ETW Trace

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Suspicious Eventlog Clear or Configuration Change

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Drops PE files

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Classification

Process Tree

System is w10x64

setup-avast-premium-x64.exe (PID: 5732 cmdline: "C:\Users\user\Desktop\setup-avast-premium-x64.exe" MD5: E099255EA4AA8EB41E26E5D94737FC26)

conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 2656 cmdline: "net" session MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 3160 cmdline: C:\Windows\system32\net1 session MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

tasklist.exe (PID: 3724 cmdline: "tasklist" /fi "IMAGENAME eq vmware" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

powershell.exe (PID: 3220 cmdline: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true" MD5: 04029E121A0CFA5991749937DD22A1D9)

WmiPrvSE.exe (PID: 2952 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 3200 cmdline: "powershell" -Command "wevtutil sl Security /e:false" MD5: 04029E121A0CFA5991749937DD22A1D9)

wevtutil.exe (PID: 3876 cmdline: "C:\Windows\system32\wevtutil.exe" sl Security /e:false MD5: 1AAE26BD68B911D0420626A27070EB8D)

powershell.exe (PID: 1996 cmdline: "powershell" -Command "wevtutil sl Application /e:false" MD5: 04029E121A0CFA5991749937DD22A1D9)

wevtutil.exe (PID: 5840 cmdline: "C:\Windows\system32\wevtutil.exe" sl Application /e:false MD5: 1AAE26BD68B911D0420626A27070EB8D)

powershell.exe (PID: 5700 cmdline: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force" MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Sigma Signatures

System Summary

Sigma detected: Disable of ETW Trace

Source: Process started

Author: @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community: Data: Command: "powershell" -Command "wevtutil sl Security /e:false", CommandLine: "powershell" -Command "wevtutil sl Security /e:false", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\setup-avast-premium-x64.exe", ParentImage: C:\Users\user\Desktop\setup-avast-premium-x64.exe, ParentProcessId: 5732, ParentProcessName: setup-avast-premium-x64.exe, ProcessCommandLine: "powershell" -Command "wevtutil sl Security /e:false", ProcessId: 3200, ProcessName: powershell.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\setup-avast-premium-x64.exe", ParentImage: C:\Users\user\Desktop\setup-avast-premium-x64.exe, ParentProcessId: 5732, ParentProcessName: setup-avast-premium-x64.exe, ProcessCommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", ProcessId: 3220, ProcessName: powershell.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Sigma detected: Suspicious Eventlog Clear or Configuration Change

Source: Process started

Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105: Data: Command: "C:\Windows\system32\wevtutil.exe" sl Application /e:false, CommandLine: "C:\Windows\system32\wevtutil.exe" sl Application /e:false, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wevtutil.exe, NewProcessName: C:\Windows\System32\wevtutil.exe, OriginalFileName: C:\Windows\System32\wevtutil.exe, ParentCommandLine: "powershell" -Command "wevtutil sl Application /e:false", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1996, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\wevtutil.exe" sl Application /e:false, ProcessId: 5840, ProcessName: wevtutil.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", CommandLine: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\setup-avast-premium-x64.exe", ParentImage: C:\Users\user\Desktop\setup-avast-premium-x64.exe, ParentProcessId: 5732, ParentProcessName: setup-avast-premium-x64.exe, ProcessCommandLine: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", ProcessId: 5700, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\setup-avast-premium-x64.exe", ParentImage: C:\Users\user\Desktop\setup-avast-premium-x64.exe, ParentProcessId: 5732, ParentProcessName: setup-avast-premium-x64.exe, ProcessCommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", ProcessId: 3220, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: setup-avast-premium-x64.exe

Virustotal: Detection: 9%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.9% probability

Source: unknown

HTTPS traffic detected: 199.232.192.193:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: setup-avast-premium-x64.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: dev.pdbw source: setup-avast-premium-x64.exe, I5iANwxNsA.exe.0.dr
Source:	Binary string: dev.pdb source: setup-avast-premium-x64.exe, I5iANwxNsA.exe.0.dr

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\336a045b-df12-4067-9f71-93ee2edb038d\	Jump to behavior

Source: global traffic

HTTP traffic detected: GET /HCYQoVR.jpeg HTTP/1.1accept: */*host: i.imgur.com

Source: Joe Sandbox View

IP Address: 199.232.192.193 199.232.192.193

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /HCYQoVR.jpeg HTTP/1.1accept: */*host: i.imgur.com

Source: global traffic

DNS traffic detected: DNS query: i.imgur.com

Source: I5iANwxNsA.exe.0.dr	String found in binary or memory: http://ns.adobe.
Source: powershell.exe, 00000009.00000002.2158229069.000001E981973000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2176656219.000001E990070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.2158229069.000001E980228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.2158229069.000001E980DC3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2158229069.000001E980228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000009.00000002.2158229069.000001E980001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.2158229069.000001E980DC3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2158229069.000001E980228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000009.00000002.2158229069.000001E980228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000009.00000002.2158229069.000001E980001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000009.00000002.2158229069.000001E980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2158229069.000001E98162B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2158229069.000001E981312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000009.00000002.2158229069.000001E98162B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000009.00000002.2176656219.000001E990070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.2176656219.000001E990070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.2176656219.000001E990070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: setup-avast-premium-x64.exe, I5iANwxNsA.exe.0.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: setup-avast-premium-x64.exe, README-I7PHWsRfJK.md.0.dr, I5iANwxNsA.exe.0.dr	String found in binary or memory: https://getsession.org/
Source: powershell.exe, 00000009.00000002.2158229069.000001E980228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.2158229069.000001E98162B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: I5iANwxNsA.exe.0.dr	String found in binary or memory: https://i.imgur.com/HCYQoVR.jpeg
Source: powershell.exe, 00000009.00000002.2158229069.000001E981973000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2176656219.000001E990070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: setup-avast-premium-x64.exe, README-I7PHWsRfJK.md.0.dr, I5iANwxNsA.exe.0.dr	String found in binary or memory: https://www.blockchain.com/)
Source: setup-avast-premium-x64.exe, README-I7PHWsRfJK.md.0.dr, I5iANwxNsA.exe.0.dr	String found in binary or memory: https://www.coinbase.com/)
Source: setup-avast-premium-x64.exe, README-I7PHWsRfJK.md.0.dr, I5iANwxNsA.exe.0.dr	String found in binary or memory: https://www.torproject.org/

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 199.232.192.193:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Windows\System32\wevtutil.exe

Process token adjusted: Security

Jump to behavior

Source: I5iANwxNsA.exe.0.dr	Binary string: Failed to open \Device\Afd\Mio: X
Source: I5iANwxNsA.exe.0.dr	Binary string: 0\Device\Afd\Mio

Source: classification engine

Classification label: mal88.evad.winEXE@21/34@1/1

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

File created: C:\Users\user\Desktop\README-I7PHWsRfJK.md

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tjcvkg2z.cox.ps1

Jump to behavior

Source: setup-avast-premium-x64.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: setup-avast-premium-x64.exe, 00000000.00000003.2187160569.0000022C3A3A6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE [Activity_PackageId]([ActivityId] GUID NOT NULL, [Platform] TEXT NOT NULL COLLATE NOCASE, [PackageName] TEXT NOT NULL COLLATE NOCASE, [ExpirationTime] DATETIME NOT NULL);

Source: setup-avast-premium-x64.exe

Virustotal: Detection: 9%

Source: setup-avast-premium-x64.exe

String found in binary or memory: /load_hpack; header malformed -- pseudo not at head of block

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

File read: C:\Users\user\Desktop\setup-avast-premium-x64.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\setup-avast-premium-x64.exe "C:\Users\user\Desktop\setup-avast-premium-x64.exe"
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\net.exe "net" session
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\net.exe "net" session	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false	Jump to behavior

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Windows\System32\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: setup-avast-premium-x64.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: setup-avast-premium-x64.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: setup-avast-premium-x64.exe

Static file information: File size 5485056 > 1048576

Source: setup-avast-premium-x64.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x37c600
Source: setup-avast-premium-x64.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x18bc00

Source: setup-avast-premium-x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: setup-avast-premium-x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: setup-avast-premium-x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: setup-avast-premium-x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: setup-avast-premium-x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: setup-avast-premium-x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: setup-avast-premium-x64.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: setup-avast-premium-x64.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: dev.pdbw source: setup-avast-premium-x64.exe, I5iANwxNsA.exe.0.dr
Source:	Binary string: dev.pdb source: setup-avast-premium-x64.exe, I5iANwxNsA.exe.0.dr

Source: setup-avast-premium-x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: setup-avast-premium-x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: setup-avast-premium-x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: setup-avast-premium-x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: setup-avast-premium-x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

File created: C:\Users\user\Desktop\I5iANwxNsA.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Creates files in the recycle bin to hide itself

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

File created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.funksec

Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7074	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1549	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1501	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1598	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6616	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 504	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1988	Thread sleep count: 7074 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3228	Thread sleep count: 1549 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1520	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5548	Thread sleep count: 1501 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1788	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6544	Thread sleep count: 1598 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5020	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6160	Thread sleep count: 6616 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6160	Thread sleep count: 504 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3408	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\336a045b-df12-4067-9f71-93ee2edb038d\	Jump to behavior

Source: tasklist.exe, 00000004.00000003.2031882860.000002451BD9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasklist/fiIMAGENAME eq vmware
Source: tasklist.exe, 00000004.00000003.2031882860.000002451BD9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'
Source: tasklist.exe, 00000004.00000003.2031882860.000002451BD9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE');
Source: tasklist.exe, 00000004.00000003.2031882860.000002451BD9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IMAGENAME eq vmware
Source: tasklist.exe, 00000004.00000003.2031992408.000002451BDAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'ER=Intel64 Family 6 Mo
Source: setup-avast-premium-x64.exe, 00000000.00000002.2192752865.00007FF6A6F9E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: *Set-MpPreference -DisableRealtimeMonitoring $truewevtutil sl Security /e:falsewevtutil sl Application /e:falsevboxserviceqemuhypervvmwaretasklist/fiIMAGENAME eq LB
Source: tasklist.exe, 00000004.00000002.2032847726.000002451BFC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasklist/fiIMAGENAME eq vmware\Users
Source: I5iANwxNsA.exe.0.dr	Binary or memory string: *Set-MpPreference -DisableRealtimeMonitoring $truewevtutil sl Security /e:falsewevtutil sl Application /e:falsevboxserviceqemuhypervvmwaretasklist/fiIMAGENAME eq LB8@
Source: tasklist.exe, 00000004.00000002.2032847726.000002451BFC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'E
Source: I5iANwxNsA.exe.0.dr	Binary or memory string: Set-MpPreference -DisableRealtimeMonitoring $truewevtutil sl Security /e:falsewevtutil sl Application /e:falsevboxserviceqemuhypervvmwaretasklist/fiIMAGENAME eq
Source: tasklist.exe, 00000004.00000002.2032267369.000002451BD60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq vmware"C:\Windows\system32\tasklist.exeWinsta0\Default
Source: tasklist.exe, 00000004.00000002.2032740341.000002451BD9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'
Source: tasklist.exe, 00000004.00000002.2032847726.000002451BFC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: > WHERE Caption = 'VMWARE'2\Wbem;C:\Windows\System32\WindowsPoerShell
Source: tasklist.exe, 00000004.00000002.2032740341.000002451BD9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE');
Source: tasklist.exe, 00000004.00000003.2031992408.000002451BD97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'0
Source: tasklist.exe, 00000004.00000002.2032740341.000002451BDAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'ER=Intel64 Family 6 Mo((
Source: tasklist.exe, 00000004.00000002.2032267369.000002451BD60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "tasklist" /fi "IMAGENAME eq vmware"
Source: setup-avast-premium-x64.exe, 00000000.00000002.2191932585.0000022C38707000.00000004.00000020.00020000.00000000.sdmp, setup-avast-premium-x64.exe, 00000000.00000003.2191129962.0000022C38707000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"

Disables Windows Defender (via service or powershell)

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"			Jump to behavior

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"			Jump to behavior

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\net.exe "net" session	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false	Jump to behavior

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$WinREAgent VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\$WinREAgent\Scratch VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\3D Objects\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\3D Objects\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\3D Objects\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\336a045b-df12-4067-9f71-93ee2edb038d VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\72d9f526d2e2e7c8_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\CURRENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOCK VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOCK VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\CURRENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\CURRENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOCK VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOCK VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\MANIFEST-000001 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\MANIFEST-000001 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cookie VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\ARM\S VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\336a045b-df12-4067-9f71-93ee2edb038d VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4ca3cb58378aaa3f_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4ca3cb58378aaa3f_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\56c4cd218555ae2b_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\56c4cd218555ae2b_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\71febec55d5c75cd_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\72d9f526d2e2e7c8_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\78bff3512887b83d_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c159cc5880890bc_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c159cc5880890bc_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8e417e79df3bf0e9_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8e417e79df3bf0e9_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\91cec06bb2836fa5_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\927a1596c37ebe5e_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\927a1596c37ebe5e_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\92c56fa2a6c4d5ba_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\92c56fa2a6c4d5ba_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\946896ee27df7947_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\b6d5deb4812ac6e9_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\cf3e34002cde7e9c_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\cf3e34002cde7e9c_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f941376b2efdd6e6_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\fd17b2d8331c91e8_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\CURRENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\CURRENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\000003.log.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\CURRENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOCK VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\MANIFEST-000001 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies-journal VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies-journal VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\NetworkDataMigrated VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\NetworkDataMigrated VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Reporting and NEL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Reporting and NEL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\CURRENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\CURRENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\MANIFEST-000001 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cookie VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4ca3cb58378aaa3f_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4ca3cb58378aaa3f_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\56c4cd218555ae2b_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\6fb6d030c4ebbc21_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\72d9f526d2e2e7c8_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\78bff3512887b83d_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\86b8040b7132b608_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c84d92a9dbce3e0_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\927a1596c37ebe5e_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\92c56fa2a6c4d5ba_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\983b7a3da8f39a46_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\febb41df4ea2b63a_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\CURRENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\000003.log.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\000003.log.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\CURRENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\CURRENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\MANIFEST-000001 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\MANIFEST-000001 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\MANIFEST-000001 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies-journal VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\NetworkDataMigrated VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Reporting and NEL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Reporting and NEL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\CURRENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\CURRENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Color VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4ca3cb58378aaa3f_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4ca3cb58378aaa3f_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\56c4cd218555ae2b_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\6fb6d030c4ebbc21_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\7120c35b509b0fae_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\72d9f526d2e2e7c8_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\86b8040b7132b608_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c84d92a9dbce3e0_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\91cec06bb2836fa5_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\927a1596c37ebe5e_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\cf3e34002cde7e9c_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\d5dedf551f4d1592_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f0cf6dfa8a1afa3d_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\fd17b2d8331c91e8_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\CURRENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\CURRENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\CURRENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOCK VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\MANIFEST-000001 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Reporting and NEL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\CURRENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\CURRENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOCK VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\ARM\S VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4ca3cb58378aaa3f_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\56c4cd218555ae2b_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\7120c35b509b0fae_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\71febec55d5c75cd_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\72d9f526d2e2e7c8_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\86b8040b7132b608_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c84d92a9dbce3e0_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8e417e79df3bf0e9_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\91cec06bb2836fa5_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\91cec06bb2836fa5_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\92c56fa2a6c4d5ba_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\946896ee27df7947_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\cf3e34002cde7e9c_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f0cf6dfa8a1afa3d_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f941376b2efdd6e6_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\fd17b2d8331c91e8_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOCK VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOCK VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\NetworkDataMigrated VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Reporting and NEL-journal VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\Profiles VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log.funksec VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\336a045b-df12-4067-9f71-93ee2edb038d VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4ca3cb58378aaa3f_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\6fb6d030c4ebbc21_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\6fb6d030c4ebbc21_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\72d9f526d2e2e7c8_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\72d9f526d2e2e7c8_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\78bff3512887b83d_0 VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

Code function: 0_2_00007FF6A6F8B7B8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6A6F8B7B8

Source: C:\Users\user\Desktop\setup-avast-premium-x64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
setup-avast-premium-x64.exe	10%	Virustotal		Browse
setup-avast-premium-x64.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\I5iANwxNsA.exe	3%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://getsession.org/	0%	Avira URL Cloud	safe
http://ns.adobe.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipv4.imgur.map.fastly.net	199.232.192.193	true	false		high
i.imgur.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000009.00000002.2158229069.000001E981973000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2176656219.000001E990070000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000009.00000002.2158229069.000001E980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2158229069.000001E98162B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2158229069.000001E981312000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.coinbase.com/)	setup-avast-premium-x64.exe, README-I7PHWsRfJK.md.0.dr, I5iANwxNsA.exe.0.dr	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000009.00000002.2158229069.000001E980228000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000009.00000002.2158229069.000001E980DC3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2158229069.000001E980228000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000009.00000002.2158229069.000001E980228000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000009.00000002.2158229069.000001E98162B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000009.00000002.2158229069.000001E980DC3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2158229069.000001E980228000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000009.00000002.2176656219.000001E990070000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000009.00000002.2158229069.000001E981973000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2176656219.000001E990070000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000009.00000002.2176656219.000001E990070000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000009.00000002.2176656219.000001E990070000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.rs/getrandom#nodejs-es-module-support	setup-avast-premium-x64.exe, I5iANwxNsA.exe.0.dr	false		high
https://aka.ms/winsvr-2022-pshelpX	powershell.exe, 00000009.00000002.2158229069.000001E98162B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://i.imgur.com/HCYQoVR.jpeg	I5iANwxNsA.exe.0.dr	false		high
https://aka.ms/pscore68	powershell.exe, 00000009.00000002.2158229069.000001E980001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.torproject.org/	setup-avast-premium-x64.exe, README-I7PHWsRfJK.md.0.dr, I5iANwxNsA.exe.0.dr	false		high
http://ns.adobe.	I5iANwxNsA.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000009.00000002.2158229069.000001E980001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000009.00000002.2158229069.000001E980228000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.blockchain.com/)	setup-avast-premium-x64.exe, README-I7PHWsRfJK.md.0.dr, I5iANwxNsA.exe.0.dr	false		high
https://getsession.org/	setup-avast-premium-x64.exe, README-I7PHWsRfJK.md.0.dr, I5iANwxNsA.exe.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.232.192.193	ipv4.imgur.map.fastly.net	United States		54113	FASTLYUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585136
Start date and time:	2025-01-07 06:14:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setup-avast-premium-x64.exe
Detection:	MAL
Classification:	mal88.evad.winEXE@21/34@1/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 5700 because it is empty
Execution Graph export aborted for target setup-avast-premium-x64.exe, PID 5732 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
199.232.192.193	https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253	Get hash	malicious	KnowBe4	Browse
	https://pwv95gp5r-xn--r3h9jdud-xn----c1a2cj-xn----p1ai.translate.goog/sIQKSvTC/b8KvU/uoTt6?ZFhObGNpNXBiblp2YkhabGJXVnVkRUJ6YjNWMGFHVnliblJ5ZFhOMExtaHpZMjVwTG01bGRBPT06c1JsOUE+&_x_tr_sch=http&_x_tr_sl=hrLWHGLm&_x_tr_tl=bTtllyql	Get hash	malicious	HTMLPhisher	Browse
	https://covid19.protected-forms.com/XQTNkY0hwMkttOEdiZmZ0V2RRTHpDdDNqUTROanhES0NBYmdFOG1KTGRSTUtrK3VMMzlEN1JKVVFXNUxaNGJOQmd1YzQ3ajJMeVdZUDU3TytRbGtIaFhWRkxnT0lkeTZhdy9xWEhjeFBoRXRTb2hxdjlVbi9iSk1qZytLQ0JxRjd4UmpOS3VUQ2lpOEZneTRoVmpzY2dyekR1WlhYOWVteVcrUXg0a2Y2aEU2ZEZwMVNId3R0U01RK3N3PT0tLVR0bDl1WEFUelg3K2VzTystLUxaMkFrZnU0UmJXRkR3aE5NRE9BOEE9PQ==?cid=2351432832	Get hash	malicious	KnowBe4	Browse
	https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188	Get hash	malicious	KnowBe4	Browse
	https://en.newsnowbangla.com/archives/69912	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse
	https://gmail.net-login.com/Xb1Rnb3pKRC9CUEdpbldIVTREbHhIK1Vza1NvaWlrblBIbkN4aUdCZUt0Y2NlSGJiWmZ2d0M1dTB5dEpRbnRoVDdBVkFTcEJqWGowNVZycWJNWHlIUHlLOG1qS0FvemVPSXpFRFhGcUhmaVU1ekQwMklrVmM0QjVpNmhLaDdoY1I4UlhMcFo1TTJaSFhtaWpiWWFqWGZ5WEg4TnBiOUl4MDI1RFMyWStQRFoyNFo5UFZNUUpmWXBtaUg0Y0FjUG1jejdSVnFVOXJQL2VzdmNLM1lEaWtmRkZnZEk2Vi0tVHFIeU0vOWxTN01YVEtXbS0tTTh5Skh1eEtsc0xTT0J5Rzg2Q2ZJQT09?cid=2330416057%3EOpen	Get hash	malicious	KnowBe4	Browse
	https://www.asda.com@hnvs.xyz/asda-christmas-prizes	Get hash	malicious	Unknown	Browse
	Ball - Temp.data for GCMs.doc	Get hash	malicious	HTMLPhisher	Browse
	https://mail.donotreply.biz/XWW04VVZpU2JyWTFmVy96T2RUOUEvcEhyMWhFSm5uZElnVUlmb2dTZEdMRFdGSU1UV2V3S3RUNGdrNmNQRFJ4WTFPRHdYYlkraDV3S1YyVVpuU3E3K2p1bWowcEt3M24ySVBLanRDUkwyYitYWExuYTB5YlhVTUhySWZKbGJCTE9oRHl2RCtjR29BbEk3ZEwxZFJaNmNoK29ESk0vTGcxSmtyK0FWTExLWTdxYlQ1Yys1bjNiTUczY0RnPT0tLTU2R0pFM1VwZFRnVndZSWktLXptU2lWOHlQdjR0eGI1K09OQVZtRnc9PQ==?cid=2315575162	Get hash	malicious	KnowBe4	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipv4.imgur.map.fastly.net	https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253	Get hash	malicious	KnowBe4	Browse	199.232.192.193
	https://pwv95gp5r-xn--r3h9jdud-xn----c1a2cj-xn----p1ai.translate.goog/sIQKSvTC/b8KvU/uoTt6?ZFhObGNpNXBiblp2YkhabGJXVnVkRUJ6YjNWMGFHVnliblJ5ZFhOMExtaHpZMjVwTG01bGRBPT06c1JsOUE+&_x_tr_sch=http&_x_tr_sl=hrLWHGLm&_x_tr_tl=bTtllyql	Get hash	malicious	HTMLPhisher	Browse	199.232.192.193
	https://covid19.protected-forms.com/XQTNkY0hwMkttOEdiZmZ0V2RRTHpDdDNqUTROanhES0NBYmdFOG1KTGRSTUtrK3VMMzlEN1JKVVFXNUxaNGJOQmd1YzQ3ajJMeVdZUDU3TytRbGtIaFhWRkxnT0lkeTZhdy9xWEhjeFBoRXRTb2hxdjlVbi9iSk1qZytLQ0JxRjd4UmpOS3VUQ2lpOEZneTRoVmpzY2dyekR1WlhYOWVteVcrUXg0a2Y2aEU2ZEZwMVNId3R0U01RK3N3PT0tLVR0bDl1WEFUelg3K2VzTystLUxaMkFrZnU0UmJXRkR3aE5NRE9BOEE9PQ==?cid=2351432832	Get hash	malicious	KnowBe4	Browse	199.232.192.193
	https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188	Get hash	malicious	KnowBe4	Browse	199.232.192.193
	https://en.newsnowbangla.com/archives/69912	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	199.232.192.193
	https://gmail.net-login.com/Xb1Rnb3pKRC9CUEdpbldIVTREbHhIK1Vza1NvaWlrblBIbkN4aUdCZUt0Y2NlSGJiWmZ2d0M1dTB5dEpRbnRoVDdBVkFTcEJqWGowNVZycWJNWHlIUHlLOG1qS0FvemVPSXpFRFhGcUhmaVU1ekQwMklrVmM0QjVpNmhLaDdoY1I4UlhMcFo1TTJaSFhtaWpiWWFqWGZ5WEg4TnBiOUl4MDI1RFMyWStQRFoyNFo5UFZNUUpmWXBtaUg0Y0FjUG1jejdSVnFVOXJQL2VzdmNLM1lEaWtmRkZnZEk2Vi0tVHFIeU0vOWxTN01YVEtXbS0tTTh5Skh1eEtsc0xTT0J5Rzg2Q2ZJQT09?cid=2330416057%3EOpen	Get hash	malicious	KnowBe4	Browse	199.232.196.193
	https://www.asda.com@hnvs.xyz/asda-christmas-prizes	Get hash	malicious	Unknown	Browse	199.232.196.193
	Ball - Temp.data for GCMs.doc	Get hash	malicious	HTMLPhisher	Browse	199.232.196.193
	Ball - Temp.data for GCMs.doc	Get hash	malicious	HTMLPhisher	Browse	199.232.192.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	https://u896278.ct.sendgrid.net/ls/click?upn=u001.qpi-2F0q-2FpcJZ7AGoG9N-2BrxLxoGn8scq-2BedBfmGHFAiwRCk-2Fciku7nsS3YfQMNNJI09mLo_nYx4-2F6dkZkjW10KMIp5mXhxys1ng1sBiI-2Bi9ROMYt6d5xhIh5rIqEUIaIxVHh8-2Ftz-2FouCgfXZk6mMUe2uKm92SOgBLlBdhjnRJuhENZnIuGoEoPqnROi7OCzdabJBBnGjEwd2iK-2BngR2RyIIgM3XrJQ7wQhHrfqScifSW3iAsv3H5nGFK9ntcSdChvkxj0yXdE-2FQ0ICDszl57i6aZSB-2Fow-3D-3D	Get hash	malicious	Unknown	Browse	151.101.192.176
	https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253	Get hash	malicious	KnowBe4	Browse	199.232.196.193
	https://bs32c.golfercaps.com/vfd23ced/#sean@virtualintelligencebriefing.com	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	https://app.saner.ai/shared/notes/7353e5ae-dd5f-410b-92c3-210c9e88052a	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	https://u43161309.ct.sendgrid.net/ls/click?upn=u001.L9-2FCbhkaoUACh7As3yZ8i4iABGphfl-2FJgS6Xiu1aw6I-3DgXpA_qO4VbBWAKg4gLfGs-2BfuSyZki3gKzG4I1DrYN15Q8fD7JV1twLeLo1AFs1GBSG3ZgA22dFJdXJloKc56aXDeV3olJKTBJd8NprednZ2LeXdX-2BkcSQE-2F2FRwgBng5RbUCLfjS8-2FI3mrpwyYu9lRatIB62qUwPSax-2Fhh2c7R-2B7pT3Kos0wK0SEJGj4ZMkgOGYhEniKYT7Kn7jN25xFz2sFdtPlVQkIdCFKwDNWmq-2BrAxerZE2GuKgfkuf3l1UY4J42sOOltybAAVyLhV-2BXfmbuQpN4NpshXRIuhta8ho3ChcTA5NtgjludQThyLtwhGns-2ByLqSbpO1Bhhc-2FCgdgP-2BAOxYrGHvKHjVYRr6-2BiryADxfM-3D	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	Vernales Restaurant-encrypted.pdf	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	ZipThis.exe	Get hash	malicious	Unknown	Browse	151.101.65.229
	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956235d3ed2bb80da1204238e412cdfe561cf1e7cff409a79a97da8a2d431ccef9065ebae57f03416d61f0971abb897fde199a21f0da5d9085251df31eb6747d99920190103a51a045e3e309308fa5f3a1ca3&action_type=SIGN	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	http://click.pstmrk.it	Get hash	malicious	Unknown	Browse	151.101.1.140

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	ZipThis.exe	Get hash	malicious	Unknown	Browse	199.232.192.193
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	199.232.192.193
	https://sendbot.me/mousse-w0fysl7	Get hash	malicious	Unknown	Browse	199.232.192.193
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	199.232.192.193
	anrek.mp4.hta	Get hash	malicious	LummaC Stealer	Browse	199.232.192.193
	title.mp4.hta	Get hash	malicious	LummaC, PureLog Stealer, zgRAT	Browse	199.232.192.193
	Agent381.msi	Get hash	malicious	Unknown	Browse	199.232.192.193
	Setup.exe	Get hash	malicious	Unknown	Browse	199.232.192.193
	Setup.exe	Get hash	malicious	Unknown	Browse	199.232.192.193

Process:	C:\Users\user\Desktop\setup-avast-premium-x64.exe
File Type:	data
Category:	dropped
Size (bytes):	249
Entropy (8bit):	7.139347865637937
Encrypted:	false
SSDEEP:	6:6zVqaFDy5VInzvcwLaM12dptmwaK0PsSONkYHQKgjCiW8cEx5Qc:KEas5VIzvcwh8dptm17sSiRSCUc0H
MD5:	ED4ACD9F2962A7FB28E73467336946B0
SHA1:	5790836E46AFB7CC2BDC285B257078794E2A42BB
SHA-256:	FF3372303B5B117568114FE91D2958565BACB615C2A629FFB4B2196687F826B7
SHA-512:	132BF0B20B743CA90A85A78D08FA909AF2639E3E32CACEF88FA8A3E441CB9AD5CC196CF750CEA309BDC9E12C998123C9B4A4DAFE5D9107B36DB6BD48CB7384EB
Malicious:	true
Preview:	.C.....3D.Zx...Q.8. .8......'..D.F.f...s.H&..(......a{.B...zM..wnI.Y..u..H.....I._}.g...V..<....j...f.#.y.......].9\|.".N..S......$..\|c...1.TtP.......U..g..O........lkv..e..$........X...c....fw.4_G=8.....',Ie...\|...@..... ...e.u...$

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1628158735648508
Encrypted:	false
SSDEEP:	3:Nlllulzh8//h:NllUu
MD5:	2D936C9957097D6631C64386010C648E
SHA1:	AD0125A442F7BD53E9959CB996B58A685B09B85E
SHA-256:	C93CB35DFCB4C1F5BD3B665C67D749E585887E56B9081D0E9FC47F54909E7119
SHA-512:	27B07DBB385D27EF522ED09079877C6EBE9444FBE1E4401AF8BABB4B2EE4FC1CF7BC1A09B31A3A52ACA217B40E2B8207A5441D04F1C6D9A44C05E51C4D49E4AB
Malicious:	false
Preview:	@...e................................................@..........

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.239621597157414
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	setup-avast-premium-x64.exe
File size:	5'485'056 bytes
MD5:	e099255ea4aa8eb41e26e5d94737fc26
SHA1:	2c13d842e788e6c981b2fae65834b1220d55f5a8
SHA256:	89b9f7499d59d0d308f5ad02cd6fddd55b368190c37f6c5413c4cfcd343eeff3
SHA512:	45963f430cdde2c63cb4ed8660fd76ed193ae0bd4ea4012654e459f0c2e761d4eb724dcba810d4d1144e78a03e752ea53880884dee956ebf1a81f2b6eab35766
SSDEEP:	49152:gNrjLXqz4aEXEMvTR4CY6C74bC6xxXjWe/l+XYq7p4BFt277t19sJpoc74P8TKWQ:dMvTRdxAG5/TuIx5f3
TLSH:	3E462922BB5A99ADC49AC0B083564B72697134CB0B35B9FF44C446783E6DAF42F3C758
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........<...o...o...o...o...o.G.n...o.G.n...o.G.n...o.G.n...ok..n...o...o...o...o...o/G.n...oRich...o........PE..d.....{g.........."

Entrypoint:	0x14036b55c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x677B011F [Sun Jan 5 22:01:03 2025 UTC]
TLS Callbacks:	0x40352510, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	de46efa2ebc1886f978c8fb5ad471f48

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x508374	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x53e000	0x968	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x50e000	0x28d28	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x537000	0x614c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x477a90	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x477b00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x477950	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x37e000	0x660	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x37c44f	0x37c600	3cdde8ad736cadc7039e4157f0c0fe4c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x37e000	0x18bb00	0x18bc00	335d454e8d9a0d332e3231970c7ea839	False	0.26264781072331017	DIY-Thermocam raw data (Lepton 2.x), scale 10757-14400, spot sensor temperature 0.000000, unit celsius, color scheme 7, calibration: offset 512.000000, slope 3250994570218613914771524346183680.000000	5.394928298151681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x50a000	0x3310	0x3200	e60990d6d7b6eb8bba2215cafa78a1ff	False	0.1609375	data	2.37717939628913	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x50e000	0x28d28	0x28e00	4f7f16fc2ad7661ce5aa9b4bbc34086d	False	0.49999402714067276	data	6.413335908883142	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x537000	0x614c	0x6200	e39eed23d057020af7ca276a61a11d9d	False	0.4321986607142857	data	5.452874903711012	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x53e000	0x968	0xa00	2c3807f0c8a9080031e0919bb5c31f1a	False	0.316015625	data	2.9436328937029965	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x53e0ac	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors			0.33212996389891697
RT_GROUP_ICON	0x53e954	0x14	data			1.15

DLL	Import
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
bcryptprimitives.dll	ProcessPrng
kernel32.dll	GetOverlappedResult, ReadFile, SetFileCompletionNotificationModes, Sleep, GetModuleHandleA, GetCurrentThreadId, FreeEnvironmentStringsW, DeleteProcThreadAttributeList, CompareStringOrdinal, GetLastError, AddVectoredExceptionHandler, SetThreadStackGuarantee, GetCurrentThread, SwitchToThread, PostQueuedCompletionStatus, SetWaitableTimer, WaitForSingleObject, QueryPerformanceCounter, GetSystemInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetLastError, GetCurrentDirectoryW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetQueuedCompletionStatusEx, GetCommandLineW, SetFileInformationByHandle, SetFilePointerEx, CreateIoCompletionPort, IsProcessorFeaturePresent, GetStdHandle, GetCurrentProcessId, WriteFileEx, SleepEx, GetExitCodeProcess, GetModuleHandleW, QueryPerformanceFrequency, GetProcAddress, HeapFree, HeapReAlloc, ReleaseMutex, FindNextFileW, FindClose, CreateFileW, GetFileInformationByHandle, GetFileInformationByHandleEx, FindFirstFileW, DeleteFileW, GetFinalPathNameByHandleW, CopyFileExW, CreateEventW, CancelIo, GetConsoleMode, FormatMessageW, GetModuleFileNameW, ExitProcess, CreateNamedPipeW, ReadFileEx, WaitForMultipleObjects, GetFullPathNameW, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, CreateThread, GetProcessHeap, HeapAlloc, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, SetHandleInformation, GetSystemTimeAsFileTime, InitializeSListHead, lstrlenW, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, DuplicateHandle, CreateWaitableTimerExW
ws2_32.dll	send, recv, shutdown, ioctlsocket, connect, bind, WSASocketW, getsockname, getpeername, getsockopt, setsockopt, WSAIoctl, WSAGetLastError, WSAStartup, WSACleanup, getaddrinfo, closesocket, WSASend, freeaddrinfo
user32.dll	SystemParametersInfoW
shell32.dll	SHGetKnownFolderPath
ole32.dll	CoTaskMemFree
advapi32.dll	RegOpenKeyExW, RegCloseKey, RegQueryValueExW, SystemFunction036
secur32.dll	AcquireCredentialsHandleA, DeleteSecurityContext, DecryptMessage, QueryContextAttributesW, FreeContextBuffer, AcceptSecurityContext, InitializeSecurityContextW, ApplyControlToken, EncryptMessage, FreeCredentialsHandle
crypt32.dll	CertDuplicateCertificateContext, CertVerifyCertificateChainPolicy, CertFreeCertificateContext, CertFreeCertificateChain, CertDuplicateCertificateChain, CertEnumCertificatesInStore, CertAddCertificateContextToStore, CertDuplicateStore, CertGetCertificateChain, CertCloseStore, CertOpenStore
ntdll.dll	NtCancelIoFileEx, NtCreateFile, NtReadFile, NtDeviceIoControlFile, RtlNtStatusToDosError, NtWriteFile
bcrypt.dll	BCryptGenRandom
VCRUNTIME140.dll	memcmp, __current_exception_context, memmove, __current_exception, memset, __CxxFrameHandler3, memcpy, _CxxThrowException, __C_specific_handler
api-ms-win-crt-math-l1-1-0.dll	roundf, pow, round, exp2f, truncf, ceil, powf, __setusermatherr
api-ms-win-crt-runtime-l1-1-0.dll	_crt_atexit, _initialize_narrow_environment, _get_initial_narrow_environment, _configure_narrow_argv, _set_app_type, _initterm, _initterm_e, _register_onexit_function, terminate, _initialize_onexit_table, exit, _exit, _seh_filter_exe, __p___argc, __p___argv, _cexit, _c_exit, _register_thread_local_exe_atexit_callback
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll	free, _set_new_mode

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 06:15:46.111948013 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.111977100 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.112055063 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.121006966 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.121021986 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.672075987 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.672185898 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.685480118 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.685503006 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.685856104 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.735074997 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.735913038 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.779335022 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.829464912 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.829551935 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.829596043 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.829608917 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.829900980 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.829936981 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.829942942 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.829948902 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.829988956 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.830467939 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.830522060 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.830560923 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.830564022 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.830576897 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.830615044 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.831366062 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.843317986 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.843370914 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.843378067 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.891423941 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.916076899 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.916136980 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.916178942 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.916188002 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.916588068 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.916618109 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.916640997 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.916646957 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.916690111 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.916695118 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.917211056 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.917253017 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.917262077 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.917267084 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.917303085 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.917309999 CET	443	49704	199.232.192.193	192.168.2.5
Jan 7, 2025 06:15:46.917350054 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.917664051 CET	49704	443	192.168.2.5	199.232.192.193
Jan 7, 2025 06:15:46.917676926 CET	443	49704	199.232.192.193	192.168.2.5

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 06:15:46.096992016 CET	53651	53	192.168.2.5	1.1.1.1
Jan 7, 2025 06:15:46.104598999 CET	53	53651	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
2025-01-07 05:15:46 UTC	62	OUT	GET /HCYQoVR.jpeg HTTP/1.1 accept: / host: i.imgur.com
2025-01-07 05:15:46 UTC	761	IN	HTTP/1.1 200 OK Connection: close Content-Length: 28864 Content-Type: image/jpeg Last-Modified: Mon, 30 Dec 2024 19:23:51 GMT ETag: "70f83e99427ac54b92283eaecb69c5df" x-amz-server-side-encryption: AES256 X-Amz-Cf-Pop: IAD89-P1 X-Amz-Cf-Id: w1veLHWiaEcBL8caleHyCc4jlmIU2__N_q7NNoWzZBqTAalmsqn0vA== cache-control: public, max-age=31536000 Accept-Ranges: bytes Date: Tue, 07 Jan 2025 05:15:46 GMT Age: 591509 X-Served-By: cache-iad-kjyo7100042-IAD, cache-ewr-kewr1740052-EWR X-Cache: Miss from cloudfront, HIT, HIT X-Cache-Hits: 41, 2 X-Timer: S1736226947.785473,VS0,VE0 Strict-Transport-Security: max-age=300 Access-Control-Allow-Methods: GET, OPTIONS Access-Control-Allow-Origin: * Server: cat factory 1.0 X-Content-Type-Options: nosniff
2025-01-07 05:15:46 UTC	1371	IN	Data Raw: ff d8 ff db 00 43 00 02 01 01 01 01 01 02 01 01 01 02 02 02 02 02 04 03 02 02 02 02 05 04 04 03 04 06 05 06 06 06 05 06 06 06 07 09 08 06 07 09 07 06 06 08 0b 08 09 0a 0a 0a 0a 0a 06 08 0b 0c 0b 0a 0c 09 0a 0a 0a ff db 00 43 01 02 02 02 02 02 02 05 03 03 05 0a 07 06 07 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a ff c0 00 11 08 02 04 02 b8 03 01 22 00 02 11 01 03 11 01 ff c4 00 1d 00 01 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 08 09 06 07 0a 05 04 02 03 ff c4 00 49 10 00 01 03 02 05 03 03 02 03 06 03 06 03 05 09 00 00 02 03 04 05 06 01 07 08 09 12 0a 13 22 11 14 32 23 42 15 21 52 16 31 33 41 62 72 24 43 82 17 34 51 53 61 63 19 25 73 18 44 92 93 Data Ascii: CC"I"2#B!R13Abr$C4QSac%sD
2025-01-07 05:15:46 UTC	1371	IN	Data Raw: a2 55 8f 88 1a d4 13 43 74 ed 90 35 3f b4 3d bb 67 dc 3a 97 cd ac b0 ac 2a f7 9d 32 35 12 97 65 56 a7 c9 95 8a 62 b6 da 9e 79 69 97 06 3a 70 6d 3d e6 53 c9 2a 56 3c 9c 4f 89 0b c0 00 00 02 43 ed b5 b6 f6 7c ee 99 a8 c7 34 c7 a7 6a ed b1 4e ae 31 6f ca ad 3f 50 bb a6 c8 8f 09 a8 b1 d4 d3 6a e4 a8 f1 de 73 96 2a 79 b4 a7 c3 ee fb 4f bb 73 ad b0 f3 c3 6a 3c f6 a4 e9 e3 50 57 f5 95 5e af 56 2d 76 6b ed 2e c7 9f 32 4b 11 e2 bb 22 44 74 25 c5 4a 8b 1d 5d cc 55 19 cc 78 a5 2a f1 e3 e5 e4 04 6a 05 89 eb 17 a6 9b 5d 5a 19 d1 8d 63 5c 59 df 9b 19 4c 9b 62 87 06 9e fc da 3d 2a bd 54 76 a9 ca 64 88 f1 da 65 2d aa 9c 96 54 e2 5c 90 8e 5f 57 8a 78 ab c9 5c 7f 3a ec 00 00 00 00 00 01 23 76 d4 db 1b 53 5b a8 e7 a4 ac 86 d3 23 34 36 27 52 e8 8e 55 ab 35 ab a2 6b d1 a9 d4 Data Ascii: UCt5?=g:25eVbyi:pm=SV<OC\|4jN1o?PjsyOsj<PW^V-vk.2K"Dt%J]Uxj]Zc\YLb=*Tvde-T\_Wx\:#vS[#46'RU5k
2025-01-07 05:15:46 UTC	1371	IN	Data Raw: 1c 85 c7 5c 97 54 a7 1f e2 b7 b9 27 b9 8a 94 9e e7 1e 5c 78 a5 3c e6 6e 63 4c b6 e8 7b 8e 67 fd 0a cd 8c cc 7a 3c 3c ec ba d8 a4 b1 1b 0f 46 9b 8a 8a c4 a4 b4 94 7f 4e 09 c1 3e 80 62 1a 61 d3 bd fd ab 4d 43 d9 3a 67 ca e5 42 45 c1 7d dc 90 e8 b4 a7 aa 4e ad 11 a3 b9 21 c4 b7 de 7d 4d a5 6a 4b 2d f2 c5 6b 52 52 a5 71 4a b8 a5 58 f8 93 e3 39 3a 4e f7 44 ca 5c c6 b1 72 ae 9b 54 cb 4b c2 ab 7d 4c 94 dc 7f d9 4b 82 76 2d 52 22 c6 4b 4a 7e 74 e7 25 c1 8e 96 63 a3 bc d2 7d 53 dc 71 4a 71 29 4b 6a 52 92 93 cc e9 42 c8 c7 b3 8b 79 5b 32 e5 71 cf 48 f9 79 6d 56 6e 69 6d e2 9f 5e e6 18 46 f6 0d e1 ff 00 4e 2f 4f 65 5f e9 2c 53 aa ff 00 79 8d 45 e9 32 ef b4 f4 29 a4 6c c6 a9 d9 75 9a d5 b5 fb 41 7b dd b4 45 a9 8a 82 22 bc f3 8c c4 87 16 4a 55 ce 32 95 8c 77 dc 71 4d Data Ascii: \T'\x<ncL{gz<<FN>baMC:gBE}N!}MjK-kRRqJX9:ND\rTK}LKv-R"KJ~t%c}SqJq)KjRBy[2qHymVnim^FN/Oe_,SyE2)luA{E"JU2wqM
2025-01-07 05:15:46 UTC	1371	IN	Data Raw: 6a 90 69 c8 b3 99 b8 5f 7e b6 d4 a9 29 52 d2 ca 90 98 be db 15 25 2d b8 a5 60 99 0a e2 96 d5 f2 f4 3a 3f cc 9c ef a1 ec 9f b2 4d 12 f7 bb 29 0d d5 a6 65 26 52 d1 28 b1 29 98 f2 69 35 4a d7 b6 8f 0d a6 d5 c5 3c 92 87 25 2f 93 8a f9 25 3d c5 7f 23 99 0d 7f ef 65 b8 0e e6 76 13 79 55 aa dc c9 a4 54 ed a8 77 62 6e 1a 3d 16 95 6d 45 82 dd 3a 4a 63 bd 1d 2d b6 b6 93 dc 71 b4 b6 fb bf c6 5b 8a f2 f9 01 11 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 9c 76 09 d6 ae df 1a 01 d9 46 83 1f 30 f5 8d 93 b4 cb e9 e8 55 db b6 e0 b4 55 98 b4 b4 d5 1c 94 b7 9e c6 34 75 c5 ef 25 e5 4a 54 56 22 37 db e3 dc e5 c5 1f a4 e6 38 01 64 fd Data Ascii: ji_~)R%-`:?M)e&R()i5J<%/%=#evyUTwbn=mE:Jc-q[vF0UU4u%JTV"78d
2025-01-07 05:15:46 UTC	1371	IN	Data Raw: 4e b0 ab 7b 2f 5e af 52 e8 a8 a6 23 17 1c 5d 0e d3 6a 67 27 11 8a 98 4a 9c 71 ce db d2 5f 57 6d 2a 57 71 e5 76 f0 f8 a4 b7 bc dc db 47 a4 cb 55 d9 87 1f 51 94 7d 74 d8 56 0c 79 cf fb fa 8d a5 69 e7 55 22 8d 06 72 95 c5 6a 4b 90 66 a5 52 22 27 d3 fc b8 fe df 8f 25 78 a5 5f 10 9b fb 19 e4 9e dd b9 23 a6 ab 92 df db 42 35 52 af 64 33 79 3b 06 7e 63 d6 a4 f7 df bc 2a 11 d9 6d 2f 4a 6d de db 69 76 3b 6a 57 65 2b 69 b6 d9 52 9b 77 b6 9f de a5 51 66 50 6f 41 6f e9 c3 a8 df 32 37 02 bc 5d c2 ab 60 dc d7 95 6a da ad c9 a2 a3 17 dc 5d b7 dc 4c 58 52 98 f2 fa 8a 42 61 c0 79 5f bf 9a 5b 5a 52 9f 24 f1 9d 1b 99 75 04 6d fb a0 cd 11 bd b7 f6 cf 95 5a 55 56 b6 dd 09 da 0d 22 ad 69 a1 c5 d1 ad 58 af 60 ae f4 a6 e5 ab fd f6 62 bb 8b 52 54 da 9c 4f 79 6a 71 c7 31 52 78 39 Data Ascii: N{/^R#]jg'Jq_WmWqvGUQ}tVyiU"rjKfR"'%x_#B5Rd3y;~cm/Jmiv;jWe+iRwQfPoAo27]`j]LXRBay_[ZR$umZUV"iX`bRTOyjq1Rx9
2025-01-07 05:15:46 UTC	1371	IN	Data Raw: ae 5d bf 2f 15 25 5a 1f 79 7d 20 e9 df 41 1b 86 5e ba 43 d3 45 c1 75 d5 a8 36 5b 34 f6 24 54 af 2a 84 59 32 9e 9a f4 36 65 3b e8 a8 cc 32 df 6d 3d f4 b7 c7 b7 cb 93 6a 02 2a 03 d6 b3 2d 4b 8a fd bb 29 76 3d a1 4a 5c ea ad 6a a2 cc 0a 5c 26 d4 9c 15 22 43 ce 25 b6 db 4f 2f cb 92 94 a4 a7 ff 00 d4 ba 2d ed fa 73 f6 f1 da df 6f 4a 96 a5 ec 8c ee cd 29 f7 c2 ab 74 aa 35 bb 02 e6 b8 29 6b a7 4d 99 21 dc 14 fa 7b 4c d3 59 79 7e 91 5a 96 e2 52 97 30 c5 3d be 58 f2 c1 2a 4a 82 91 c0 00 00 00 01 b7 b4 1b a6 99 3a c9 d6 8e 57 69 71 9c 26 60 cd ef 7b d3 e9 55 47 e9 ee b6 db f1 e0 b9 21 3e ee 43 6a 71 2a 4f 26 e3 f7 9c f2 4a bf 87 f1 57 c4 b1 0e a2 2d 8f 34 17 b4 56 46 65 fd d1 90 19 b5 99 55 7b c6 f6 bb 1f 88 9a 5d ef 5d a6 c8 63 1a 64 58 aa 54 97 9b 6e 3c 18 ee 77 Data Ascii: ]/%Zy} A^CEu6[4$TY26e;2m=j-K)v=J\j\&"C%O/-soJ)t5)kM!{LYy~ZR0=XJ:Wiq&`{UG!>CjqO&JW-4VFeU{]]cdXTn<w
2025-01-07 05:15:46 UTC	1371	IN	Data Raw: 2e 1b b2 24 c9 75 2d 47 8e c3 78 ad c7 16 ac 70 4a 52 94 e1 f2 56 38 ff 00 20 3b 49 db 53 49 ba 1d db 0f 42 df b3 da 66 ce 56 2a 59 59 8b b3 2f 09 f9 91 71 dc d0 1f 62 63 2e b6 95 39 50 7a 7c 66 d9 8a a6 51 1d 86 d3 dd e2 94 a5 a6 53 c9 5e 3c 8a 67 b8 36 49 da ff 00 56 db ba 58 1a 7a d2 9e bc ee ec d4 a4 5d 96 dd cb 7d 67 75 e7 44 cc 4a 15 5e 64 37 12 e2 53 17 db 49 83 07 db b3 21 c9 8f 72 71 0e 25 c5 76 d4 95 27 06 fd 53 8a ac 3b 7c 39 8c ed f9 d3 a7 5e c8 eb 19 d6 a2 2e 15 81 6e 65 dd 31 0f 2b 97 26 56 a8 b0 e4 a7 d7 d7 c9 4a 86 89 3e 5f ab cb 1e 5f 99 05 ba 22 72 2a 2c fc cb cf 6d 4b d4 68 e9 c5 da 55 0e 93 6c 52 2a 38 e3 f9 f1 94 f3 d2 a5 b6 9c 3f fd a4 25 2b fb 93 fd 40 46 4e a8 2d 32 5b 3a 32 d4 3e 59 e9 d6 91 ac 5c f9 cd 99 c8 b2 5d ad cd 56 76 66 Data Ascii: .$u-GxpJRV8 ;ISIBfVYY/qbc.9Pz\|fQS^<g6IVXz]}guDJ^d7SI!rq%v'S;\|9^.ne1+&VJ>__"r,mKhUlR*8?%+@FN-2[:2>Y\]Vvf
2025-01-07 05:15:46 UTC	1371	IN	Data Raw: 61 ac 70 6d aa b5 d7 5b a7 fd fe 4a 6a 1c 27 3f a5 3e 35 04 ff 00 d7 fd 25 03 16 49 d5 6b 9e 92 73 9b 79 7b de db 4b 7f e1 32 f2 dd a3 db 10 1c e5 8e 3c d2 98 b8 4e 7b 1f 4c 70 f1 f4 91 3d f4 ff 00 a7 97 dc 56 d8 16 91 b2 c7 4d 4e 68 ee 5b 97 ec ea 87 3f b3 12 46 5c e5 1b b2 1d 45 2e 44 38 69 76 ab 70 25 95 29 2e b9 1b b9 f4 e3 47 4a 92 a4 fb 87 12 e7 aa 9b 52 52 da b0 f2 27 2c 6e 91 cd a7 75 0b 97 d7 0a 34 59 b8 6d e1 5c b8 68 92 9c a6 cc aa 35 74 d0 ae 1a 7d 36 a6 94 f9 47 96 c4 08 ac b8 da d3 f7 36 a7 92 a4 e0 a2 7f ee 31 52 d1 46 85 f6 95 7e c5 d4 5e 4c de 97 4e 46 db f6 ed 22 d7 ac db 99 65 50 5c 69 4a a6 f2 66 3b 3c 9e 6a 6c 37 3d ba 94 96 d0 e7 17 b0 ee 25 dc 52 a4 a9 2a 52 4a b2 b3 3a 92 b4 8d a5 ac 8d b9 72 bb 64 3d a6 eb b4 67 9b a5 c8 ab dc 15 Data Ascii: apm[Jj'?>5%Iksy{K2<N{Lp=VMNh[?F\E.D8ivp%).GJRR',nu4Ym\h5t}6G61RF~^LNF"eP\iJf;<jl7=%R*RJ:rd=g
2025-01-07 05:15:46 UTC	1371	IN	Data Raw: bf 61 1d 31 d6 f7 53 cd cd 00 ee 27 a9 e8 b4 69 59 65 2a 9a c5 9d 4b a1 dc b4 fa 54 eb e2 44 ce 33 22 e2 c3 13 52 f3 8f 36 a8 3e 8e 3d 1d 94 a9 c6 d5 21 b4 f7 3c 7c a4 bf 44 fe 99 73 56 8a f6 70 6a d6 bd 42 99 06 d0 ad 40 81 6e db f2 de 47 16 aa d2 9a 79 c7 a4 a9 bf 5f 92 59 fa 48 e5 87 8f 27 54 9f 92 55 c7 dc d3 f5 46 d3 d7 77 59 05 eb 99 36 cd 4a 3d 42 89 92 d6 dc bf 6c f4 54 7a a1 e7 a0 53 a3 d1 df c1 cc 71 f9 76 ea 13 de e2 a4 f1 fe 0b 7f 2f b8 2c 93 78 8c 9f d0 1e a4 b4 cd 0f 4b ba fe d6 2d 3f 27 2d 8b 92 b2 cc d8 72 5c bf a8 f4 09 15 65 41 52 55 8b 2d ae a8 db 8d ba db 6a 75 97 16 96 d3 c9 2a ed f9 27 d7 cb 9f 5d bb 3a 79 6e 2d cf 75 37 99 93 32 1b 34 5f b7 b4 ed 64 66 1d 46 8d 46 cc 7a c6 0d d4 66 d7 22 b3 25 58 30 98 b8 32 96 59 90 f2 a3 f6 5c 71 Data Ascii: a1S'iYeKTD3"R6>=!<\|DsVpjB@nGy_YH'TUFwY6J=BlTzSqv/,xK-?'-r\eARU-ju']:yn-u724_dfFFzf"%X02Y\q
2025-01-07 05:15:46 UTC	1371	IN	Data Raw: c9 c8 df 97 15 7d 4a 11 3a 0d e8 86 c8 d9 b1 ed 8c f8 d4 b5 42 0b 58 b1 36 7d 1a d9 a4 c8 f4 f3 4a 99 44 89 52 d3 fd b8 f7 e1 7f f0 ff 00 d0 09 31 d4 a1 92 1b 60 ea 3f 29 26 d6 f5 7f ad e5 5b 17 f6 4f 58 75 ca d5 8d 95 54 5c cc a2 d3 a6 d6 a6 48 8e 97 18 4a e0 cb 65 e9 0f 29 e7 22 32 d3 6a 6f 8f 8a 95 c4 83 f9 f9 d3 4d a1 8d 32 ec bf 27 70 2c e5 cd 7c d5 a5 e6 35 3f 27 29 f5 e9 b4 47 2b f4 b4 d2 d9 b8 a6 47 65 2c c1 52 30 a7 a9 cc 59 f7 92 5b 67 8e 0f 72 57 af f1 3e e2 21 ee 9d 54 8d b8 7f 51 6d d9 96 88 ac 49 f6 37 46 79 52 72 f1 87 b9 62 af 6e 88 f2 22 d1 56 a6 bf e0 9e e3 4e 38 9e 3f 2e 5c be e2 e2 fa c2 f3 8f fd 95 6d 39 4c ca 4a 2c 54 60 9b f3 32 69 54 97 9a 4e 3c 70 66 1c 56 64 4e f5 4f e5 fc 9d 89 19 3c 7f e0 a5 7e 90 2a 97 a7 4f 64 ac 8a dd ee b3 Data Ascii: }J:BX6}JDR1`?)&[OXuT\HJe)"2joM2'p,\|5?')G+Ge,R0Y[grW>!TQmI7FyRrbn"VN8?.\m9LJ,T`2iTN<pfVdNO<~*Od

Target ID:	0
Start time:	00:15:34
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\setup-avast-premium-x64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\setup-avast-premium-x64.exe"
Imagebase:	0x7ff6a6c20000
File size:	5'485'056 bytes
MD5 hash:	E099255EA4AA8EB41E26E5D94737FC26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	00:15:35
Start date:	07/01/2025
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	"net" session
Imagebase:	0x7ff7dacb0000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	00:15:37
Start date:	07/01/2025
Path:	C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\wevtutil.exe" sl Application /e:false
Imagebase:	0x7ff6498b0000
File size:	278'016 bytes
MD5 hash:	1AAE26BD68B911D0420626A27070EB8D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	12
Start time:	00:15:39
Start date:	07/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup-avast-premium-x64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.funksec

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini.funksec

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini.funksec

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini.funksec

C:\Users\user\3D Objects\desktop.ini.funksec

C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log.funksec

C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\000003.log.funksec

C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json.funksec

C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log.funksec

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.funksec

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst.funksec

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat.funksec

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json.funksec

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin.funksec

C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst.funksec

C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db.funksec

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3n4lgsnc.ct4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5fqcxjge.haz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5pxmktjd.00s.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_avd0jzrl.oxj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fttbb3jy.jn2.ps1

Windows Analysis Report
setup-avast-premium-x64.exe

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre