Windows Analysis Report
Canvas of Kings_N6xC-S2.exe

Overview

General Information

Sample name: Canvas of Kings_N6xC-S2.exe
Analysis ID: 1580374
MD5: af45bc08a07f1ba16abe59f29072ebcc
SHA1: 66edea40ba7b38a45bd856e6889bba12384c458f
SHA256: e555c06879ed4eda6277e1fa8a4985590e70d8fa81421103048803e386daaf28
Tags: exe, user-zach
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 48
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to infect the boot sector
Creates an undocumented autostart registry key
Found stalling execution ending in API Sleep call
Modifies the windows firewall
Possible COM Object hijacking
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Writes many files with high entropy
Yara detected QueryWinSAT ClassID
AV process strings found (often used to terminate AV products)
Changes image file execution options
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Disables exception chain validation (SEHOP)
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
PE file does not import any functions
PE file overlay found
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
query blbeacon for getting browser version

Classification

  • System is w10x64
  • Canvas of Kings_N6xC-S2.exe (PID: 6796 cmdline: "C:\Users\user\Desktop\Canvas of Kings_N6xC-S2.exe" MD5: AF45BC08A07F1BA16ABE59F29072EBCC)
    • Canvas of Kings_N6xC-S2.tmp (PID: 6836 cmdline: "C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp" /SL5="$20416,13566766,780800,C:\Users\user\Desktop\Canvas of Kings_N6xC-S2.exe" MD5: 49312C19FA9B298CA2AE71E14F07CCF3)
      • saBSI.exe (PID: 3844 cmdline: "C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US MD5: 143255618462A577DE27286A272584E1)
      • avg_antivirus_free_setup.exe (PID: 6032 cmdline: "C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTu5hwBbM7D8YdixE5HhZyLyta7SFjWzBoCRk5knOtfwaHxtSx8W5YVAbWE4FqjuMlqeXqa53IPQ MD5: 26816AF65F2A3F1C61FB44C682510C97)
        • avg_antivirus_free_online_setup.exe (PID: 2124 cmdline: "C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe" /silent /ws /psh:92pTu5hwBbM7D8YdixE5HhZyLyta7SFjWzBoCRk5knOtfwaHxtSx8W5YVAbWE4FqjuMlqeXqa53IPQ /cookie:mmm_irs_ppi_902_451_o /ga_clientid:729de4ae-763f-4df7-a043-5659222e822a /edat_dir:C:\Windows\Temp\asw.d8c2b19fc2277941 MD5: 6EBB043BC04784DBC6DF3F4C52391CD0)
          • icarus.exe (PID: 7032 cmdline: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\icarus-info.xml /install /silent /ws /psh:92pTu5hwBbM7D8YdixE5HhZyLyta7SFjWzBoCRk5knOtfwaHxtSx8W5YVAbWE4FqjuMlqeXqa53IPQ /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\Windows\Temp\asw.d8c2b19fc2277941 /track-guid:729de4ae-763f-4df7-a043-5659222e822a MD5: A1FFFE3E9589CCFE629EB653F704A659)
      • norton_secure_browser_setup.exe (PID: 2724 cmdline: "C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe" /s /make-default /run_source="norton_ppi_is" MD5: F269C5140CBC0E376CC7354A801DDD16)
        • NortonBrowserUpdateSetup.exe (PID: 1544 cmdline: NortonBrowserUpdateSetup.exe /silent /install "bundlename=Norton Private Browser&appguid={3A3642E6-DE46-4F68-9887-AA017EEFE426}&appname=Norton Private Browser&needsadmin=true&lang=en-GB&brand=29239&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dchrome --import-cookies --auto-launch-chrome" MD5: 2B07E26D3C33CD96FA825695823BBFA7)
          • NortonBrowserUpdate.exe (PID: 3060 cmdline: "C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe" /silent /install "bundlename=Norton Private Browser&appguid={3A3642E6-DE46-4F68-9887-AA017EEFE426}&appname=Norton Private Browser&needsadmin=true&lang=en-GB&brand=29239&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dchrome --import-cookies --auto-launch-chrome" MD5: BF8FE62DBCD949547AF37EEE4ECE61FC)
            • NortonBrowserUpdate.exe (PID: 5268 cmdline: "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /regsvc MD5: BF8FE62DBCD949547AF37EEE4ECE61FC)
            • NortonBrowserUpdate.exe (PID: 1184 cmdline: "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /regserver MD5: BF8FE62DBCD949547AF37EEE4ECE61FC)
            • NortonBrowserUpdate.exe (PID: 1344 cmdline: "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /ping 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 MD5: BF8FE62DBCD949547AF37EEE4ECE61FC)
            • NortonBrowserUpdate.exe (PID: 5824 cmdline: "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /handoff "bundlename=Norton Private Browser&appguid={3A3642E6-DE46-4F68-9887-AA017EEFE426}&appname=Norton Private Browser&needsadmin=true&lang=en-GB&brand=29239&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dchrome --import-cookies --auto-launch-chrome" /installsource otherinstallcmd /sessionid "{CC011AE7-AAE5-4543-84DB-E4D48135833D}" /silent MD5: BF8FE62DBCD949547AF37EEE4ECE61FC)
      • netsh.exe (PID: 3164 cmdline: "netsh" firewall add allowedprogramC:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exe "qBittorrent" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • qbittorrent.exe (PID: 4900 cmdline: "C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exe" magnet:?xt=urn:btih:BFF18AF5608F9196CF05BF0C1F0B54A18C3F0A77 MD5: 22A34900ADA67EAD7E634EB693BD3095)
      • WerFault.exe (PID: 4444 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 2516 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 6752 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 2516 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 4336 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6196 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 3344 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6836 -ip 6836 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6744 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6836 -ip 6836 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • NortonBrowserUpdate.exe (PID: 7084 cmdline: "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /c MD5: BF8FE62DBCD949547AF37EEE4ECE61FC)
    • NortonBrowserUpdate.exe (PID: 2448 cmdline: "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /cr MD5: BF8FE62DBCD949547AF37EEE4ECE61FC)
    • NortonBrowserCrashHandler.exe (PID: 5576 cmdline: "C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserCrashHandler.exe" MD5: 1694092D5DE0E0DAEF4C5EA13EA84CAB)
    • NortonBrowserCrashHandler64.exe (PID: 5544 cmdline: "C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserCrashHandler64.exe" MD5: 09621280025727AB4CB39BD6F6B2C69E)
  • NortonBrowserUpdate.exe (PID: 4856 cmdline: "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /ua /installsource scheduler MD5: BF8FE62DBCD949547AF37EEE4ECE61FC)
    • NortonBrowserUpdate.exe (PID: 1856 cmdline: "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /registermsihelper MD5: BF8FE62DBCD949547AF37EEE4ECE61FC)
    • NortonBrowserUpdate.exe (PID: 6188 cmdline: "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /uninstall MD5: BF8FE62DBCD949547AF37EEE4ECE61FC)
  • msiexec.exe (PID: 2312 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  • NortonBrowserUpdate.exe (PID: 2908 cmdline: "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /svc MD5: BF8FE62DBCD949547AF37EEE4ECE61FC)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\GUTC558.tmp | PlugXStrings | PlugX Identifying Strings | Seth Hardy |
Source | Rule | Description | Author | Strings
00000001.00000003.2233964889.0000000000734000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_QueryWinSATClassID | Yara detected QueryWinSAT ClassID | Joe Security |
00000001.00000003.2233909651.0000000000734000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_QueryWinSATClassID | Yara detected QueryWinSAT ClassID | Joe Security |
Process Memory Space: Canvas of Kings_N6xC-S2.tmp PID: 6836 | JoeSecurity_QueryWinSATClassID | Yara detected QueryWinSAT ClassID | Joe Security |
Process Memory Space: NortonBrowserUpdateSetup.exe PID: 1544 | PlugXStrings | PlugX Identifying Strings | Seth Hardy |

        System Summary

        Source: Process started Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 4336, ProcessName: svchost.exe
        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2024-12-24T12:05:07.412675+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 65.9.108.223 | 443 | TCP
        2024-12-24T12:05:10.931298+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 65.9.108.223 | 443 | TCP
        2024-12-24T12:05:13.316916+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 65.9.108.223 | 443 | TCP
        2024-12-24T12:05:15.044082+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 65.9.108.223 | 443 | TCP
        2024-12-24T12:05:17.934719+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 65.9.108.223 | 443 | TCP
        2024-12-24T12:05:20.603691+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 65.9.108.223 | 443 | TCP
        2024-12-24T12:05:37.502033+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49745 | 65.9.108.223 | 443 | TCP
        2024-12-24T12:05:41.070960+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49746 | 65.9.108.223 | 443 | TCP
        2024-12-24T12:05:43.974596+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49747 | 65.9.108.223 | 443 | TCP
        2024-12-24T12:06:02.333608+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49755 | 65.9.108.223 | 443 | TCP
        2024-12-24T12:06:03.135653+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49756 | 44.228.210.164 | 443 | TCP
        2024-12-24T12:06:05.321072+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49762 | 65.9.108.223 | 443 | TCP
        2024-12-24T12:06:05.668153+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49763 | 44.228.210.164 | 443 | TCP
        2024-12-24T12:06:08.293482+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49772 | 65.9.108.105 | 443 | TCP
        2024-12-24T12:06:10.938967+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49783 | 34.117.223.223 | 443 | TCP
        2024-12-24T12:06:12.737133+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49786 | 44.228.210.164 | 443 | TCP
        2024-12-24T12:06:12.767531+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49792 | 34.117.223.223 | 443 | TCP
        2024-12-24T12:06:13.851146+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49794 | 65.9.108.105 | 443 | TCP
        2024-12-24T12:06:28.531857+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49846 | 104.20.86.8 | 443 | TCP
        2024-12-24T12:06:28.967250+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49845 | 44.228.210.164 | 443 | TCP
        2024-12-24T12:06:48.949653+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49907 | 34.117.223.223 | 443 | TCP

        AV Detection

        Source: Canvas of Kings_N6xC-S2.exe Avira: detected
        Source: Canvas of Kings_N6xC-S2.exe ReversingLabs: Detection: 18%
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exe Code function: 5_2_00085870 GetCurrentProcessId,GetCurrentThreadId,CreateFileW,CreateFileW,CreateFileW,CreateFileW,CreateFileW,CreateFileW,UuidCreate,UuidCreate,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,5_2_00085870
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exe Code function: 5_2_00086220 GetCurrentProcessId,GetCurrentThreadId,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,DeviceIoControl,DeviceIoControl,5_2_00086220
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exe Code function: 5_2_000867B0 GetCurrentProcessId,GetCurrentThreadId,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,DeviceIoControl,DeviceIoControl,5_2_000867B0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe Code function: 6_2_0047B0E0 CryptDestroyHash,CryptDestroyHash,6_2_0047B0E0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe Code function: 6_2_00479250 CryptGenRandom,GetLastError,__CxxThrowException@8,6_2_00479250
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe Code function: 6_2_004782F0 CryptDestroyHash,6_2_004782F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe Code function: 6_2_00479450 CryptCreateHash,CryptDestroyHash,GetLastError,__CxxThrowException@8,6_2_00479450
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe Code function: 6_2_00478DC0 lstrcatA,CryptAcquireContextA,CryptReleaseContext,GetLastError,__CxxThrowException@8,CryptReleaseContext,6_2_00478DC0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe Code function: 6_2_00479020 CryptCreateHash,CryptDestroyHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,GetLastError,__CxxThrowException@8,GetLastError,__CxxThrowException@8,GetLastError,__CxxThrowException@8,GetLastError,__CxxThrowException@8,6_2_00479020
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe Code function: 6_2_00478260 CryptDestroyHash,6_2_00478260
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe Code function: 6_2_00479340 CryptGetHashParam,CryptGetHashParam,GetLastError,__CxxThrowException@8,GetLastError,__CxxThrowException@8,6_2_00479340
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe Code function: 6_2_004794D0 CryptHashData,GetLastError,__CxxThrowException@8,6_2_004794D0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe Code function: 6_2_00492660 CryptReleaseContext,6_2_00492660
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe Code function: 6_2_00478EF0 CryptReleaseContext,6_2_00478EF0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe Code function: 7_2_6AF1617F LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,7_2_6AF1617F
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe Code function: 8_2_008309E0 CryptProtectData,GetLastError,Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error,CryptUnprotectData,GetLastError,Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error,GetLastError,Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error,8_2_008309E0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe Code function: 8_2_007FDF30 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GlobalMemoryStatusEx,GetDiskFreeSpaceExW,GetSystemTimes,QueryPerformanceCounter,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,8_2_007FDF30
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2477324143.000000000562F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_0e0360d0-9

        Compliance

        Source: Canvas of Kings_N6xC-S2.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
        Source: Canvas of Kings_N6xC-S2.exe Static PE information: certificate valid
        Source: unknown HTTPS traffic detected: 65.9.108.223:443 -> 192.168.2.4:49733 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 65.9.108.223:443 -> 192.168.2.4:49734 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 65.9.108.223:443 -> 192.168.2.4:49736 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 65.9.108.223:443 -> 192.168.2.4:49737 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 65.9.108.223:443 -> 192.168.2.4:49740 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 65.9.108.223:443 -> 192.168.2.4:49745 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 65.9.108.223:443 -> 192.168.2.4:49746 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 65.9.108.223:443 -> 192.168.2.4:49747 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 65.9.108.223:443 -> 192.168.2.4:49755 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 44.228.210.164:443 -> 192.168.2.4:49756 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 65.9.108.223:443 -> 192.168.2.4:49762 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 65.9.108.105:443 -> 192.168.2.4:49772 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49783 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49792 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 104.20.86.8:443 -> 192.168.2.4:49791 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 65.9.108.105:443 -> 192.168.2.4:49794 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 104.20.86.8:443 -> 192.168.2.4:49846 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 104.20.86.8:443 -> 192.168.2.4:49849 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 104.20.86.8:443 -> 192.168.2.4:49848 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 104.20.86.8:443 -> 192.168.2.4:49863 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49907 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49910 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 34.160.176.28:443 -> 192.168.2.4:49912 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 34.160.176.28:443 -> 192.168.2.4:49923 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49989 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49995 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 34.160.176.28:443 -> 192.168.2.4:49996 version: TLS 1.2
        Source: Canvas of Kings_N6xC-S2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x86\icarus_mod.pdb source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2413219491.00000000053B2000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_ms.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000042E1000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\work\3db0bf373ac3fc9b\Release Midex\Midex.pdb source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_fa.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003676000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: NortonBrowserUpdateBroker_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.000000000307F000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_ru.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.000000000379E000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_lt.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003720000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_el.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003630000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_tr.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004399000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000027F5000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_de.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002614000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: NortonBrowserCrashHandler_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\work\c6a7e165ce7a986c\Unicode\Plugins\inetc.pdb source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: NortonBrowserUpdateCore_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000040AF000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003525000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: NortonBrowserCrashHandler64_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_mr.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000042D5000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003742000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_bg.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000025DB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_gu.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002692000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_sr.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004353000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_th.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.000000000438D000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\BUILD\work\8b0ebd312dc47f30\projects\avast\microstub\x86\Release\microstub.pdb source: avg_antivirus_free_setup.exe, 00000006.00000000.2308794053.0000000000493000.00000002.00000001.01000000.0000000E.sdmp, avg_antivirus_free_setup.exe, 00000006.00000002.2921459091.0000000000493000.00000002.00000001.01000000.0000000E.sdmp
        Source: Binary string: psmachine_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus_ui.pdb source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2573330023.000000000579F000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\work\7c64e6304ba228bc\Plugins\nsJSON.pdb source: norton_secure_browser_setup.exe, 00000007.00000002.2978405681.000000006F6F6000.00000002.00000001.01000000.00000011.sdmp
        Source: Binary string: psmachine_unsigned_64.pdbT source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\Win32\Release\SaBsi.pdb source: saBSI.exe, 00000005.00000002.2921628143.000000000012E000.00000002.00000001.01000000.0000000D.sdmp, saBSI.exe, 00000005.00000000.2279002766.000000000012E000.00000002.00000001.01000000.0000000D.sdmp
        Source: Binary string: psuser_unsigned.pdbX source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: psuser_unsigned_64.pdbT source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_am.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004164000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000025C0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_lv.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.000000000271A000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000042BE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_cs.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000025FD000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000041A1000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdate_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000039A1000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000002E82000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_hi.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036AF000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004242000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_es-419.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.000000000365E000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: G:\QBITTORRENT\build-qbittorrent442-Qt5_msvc2017_x32-Release\src\release\qbittorrent.pdb source: qbittorrent.exe, 0000000B.00000000.2393333564.0000000001546000.00000002.00000001.01000000.00000018.sdmp
        Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\AvBugReport.pdb source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2678619778.0000000005579000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mi_exe_stub.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000000.2413429268.0000000000098000.00000002.00000001.01000000.0000001C.sdmp
        Source: Binary string: goopdateres_unsigned_pt-BR.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.000000000276B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus.pdb source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2477324143.000000000562F000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_hr.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000026AA000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_id.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036D2000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004265000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: psuser_unsigned_64.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\sciter\sciter\sdk\bin.win\x32\sciter.pdb source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000030BB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_zh-TW.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000002.2924855060.00000000006FF000.00000004.00000010.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.000000000282D000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus.pdb} source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2477324143.000000000562F000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: psmachine_unsigned.pdbX source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\work\ed1c64258fb55966\build\Release\thirdparty.pdb source: norton_secure_browser_setup.exe, 00000007.00000002.2976316348.000000006AE2E000.00000002.00000001.01000000.00000014.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_sw.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.000000000436A000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000027C6000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_pt-PT.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.000000000431A000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002776000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: NortonBrowserUpdateOnDemand_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000028CB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\sciter\sciter\sdk\bin.win\x32\sciter.pdb[ source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000030BB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: npNortonBrowserUpdate3_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003B2B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_vi.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000043BB000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002817000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_bn.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000025E6000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\work\9bf849bab5260311\Plugins\Release_Mini\StdUtils.pdb source: norton_secure_browser_setup.exe, 00000007.00000002.2976705531.000000006AE63000.00000002.00000001.01000000.00000013.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\work\f369f300b8043bce\plugins\src\jsis\build\Release Unicode\jsis.pdb source: norton_secure_browser_setup.exe, 00000007.00000002.2977983655.000000006B0C2000.00000002.00000001.01000000.00000010.sdmp
        Source: Binary string: acuapi_64_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_ja.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036FF000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_sv.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000027BB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_es.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000041E6000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003653000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_is.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004270000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_ro.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003793000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_fr.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002687000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_uk.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002800000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000043A4000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\work\893f00f663353e48\bin\x86\MinSizeRel\JsisPlugins.pdb source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2977306249.000000006B00E000.00000002.00000001.01000000.00000012.sdmp
        Source: Binary string: goopdateres_unsigned_ca.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004196000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003602000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_nl.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000042ED000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_ko.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002704000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_et.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002659000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_iw.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036F4000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004287000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_no.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002754000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000042F8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x86\icarus_sfx.pdb source: avg_antivirus_free_online_setup.exe, 00000008.00000000.2362106863.00000000008B4000.00000002.00000001.01000000.00000016.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000002.2935892477.0000000004CD0000.00000002.00000001.00040000.00000016.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000002.2929833021.00000000008B4000.00000002.00000001.01000000.00000016.sdmp
        Source: Binary string: goopdateres_unsigned_fil.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.000000000368C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_pl.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004303000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_en-GB.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000041DB000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003648000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: psuser_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_ml.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003736000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_fi.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004214000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_hu.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036C6000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004259000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\avDump.pdbM source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2624207025.00000000054BE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_en.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.000000000363C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\avDump.pdb source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2624207025.00000000054BE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: psmachine_unsigned_64.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_ar.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000025D0000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004174000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_sl.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000027A4000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_zh-CN.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002822000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_kn.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000026F9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: acuapi_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\work\21e9bc5e69dd57f1\build\Release Unicode\jsisdl.pdb source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp
        Source: C:\Windows\System32\msiexec.exeFile opened: z:
        Source: C:\Windows\System32\msiexec.exeFile opened: x:
        Source: C:\Windows\System32\msiexec.exeFile opened: v:
        Source: C:\Windows\System32\msiexec.exeFile opened: t:
        Source: C:\Windows\System32\msiexec.exeFile opened: r:
        Source: C:\Windows\System32\msiexec.exeFile opened: p:
        Source: C:\Windows\System32\msiexec.exeFile opened: n:
        Source: C:\Windows\System32\msiexec.exeFile opened: l:
        Source: C:\Windows\System32\msiexec.exeFile opened: j:
        Source: C:\Windows\System32\msiexec.exeFile opened: h:
        Source: C:\Windows\System32\msiexec.exeFile opened: f:
        Source: C:\Windows\System32\msiexec.exeFile opened: b:
        Source: C:\Windows\System32\msiexec.exeFile opened: y:
        Source: C:\Windows\System32\msiexec.exeFile opened: w:
        Source: C:\Windows\System32\msiexec.exeFile opened: u:
        Source: C:\Windows\System32\msiexec.exeFile opened: s:
        Source: C:\Windows\System32\msiexec.exeFile opened: q:
        Source: C:\Windows\System32\msiexec.exeFile opened: o:
        Source: C:\Windows\System32\msiexec.exeFile opened: m:
        Source: C:\Windows\System32\msiexec.exeFile opened: k:
        Source: C:\Windows\System32\msiexec.exeFile opened: i:
        Source: C:\Windows\System32\msiexec.exeFile opened: g:
        Source: C:\Windows\System32\msiexec.exeFile opened: e:
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exeFile opened: c:
        Source: C:\Windows\System32\msiexec.exeFile opened: a:
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_00405B6C CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,7_2_00405B6C
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_004028D5 FindFirstFileW,7_2_004028D5
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_0040679D FindFirstFileW,FindClose,7_2_0040679D
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6B0B7010 lstrlenW,lstrcpyW,lstrcpyW,lstrcpyW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrlenW,lstrcpyW,FindNextFileW,FindClose,7_2_6B0B7010
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007F6F60 FindFirstFileExW,GetLastError,PathMatchSpecW,FindNextFileW,GetLastError,FindClose,UnlockFileEx,8_2_007F6F60
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007EE180 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,SetLastError,8_2_007EE180
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007F4590 FindFirstFileW,FindNextFileW,FindClose,GetFileAttributesW,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,8_2_007F4590
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_00820AC0 FindFirstFileW,MoveFileExW,GetLastError,FindNextFileW,GetFileAttributesW,GetLastError,MoveFileExW,GetLastError,FindClose,8_2_00820AC0
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpFile opened: C:\Users\user
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpFile opened: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpFile opened: C:\Users\user\AppData
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpFile opened: C:\Users\user\AppData\Local\Temp
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpFile opened: C:\Users\user\AppData\Local
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpFile opened: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp
        Source: Joe Sandbox ViewIP Address: 34.160.176.28 34.160.176.28
        Source: Joe Sandbox ViewIP Address: 34.117.223.223 34.117.223.223
        Source: Joe Sandbox ViewJA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
        Source: Joe Sandbox ViewJA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
        Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
        Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 65.9.108.223:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 65.9.108.223:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 65.9.108.223:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 65.9.108.223:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 65.9.108.223:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 65.9.108.223:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 65.9.108.223:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 65.9.108.223:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49747 -> 65.9.108.223:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49756 -> 44.228.210.164:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49763 -> 44.228.210.164:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49755 -> 65.9.108.223:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49762 -> 65.9.108.223:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49772 -> 65.9.108.105:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49794 -> 65.9.108.105:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49792 -> 34.117.223.223:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49786 -> 44.228.210.164:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49783 -> 34.117.223.223:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49846 -> 104.20.86.8:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49845 -> 44.228.210.164:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49907 -> 34.117.223.223:443
        Source: global trafficHTTP traffic detected: POST /o HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 128Host: d3ben4sjdmrs9v.cloudfront.net
        Source: global trafficHTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*Authorization: Signature=66c807ad3803012585cdea4992ef6b005dda8cf3863b9f1c5ce9cd6f798ad443User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 289Host: d3ben4sjdmrs9v.cloudfront.net
        Source: global trafficHTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*Authorization: Signature=66c807ad3803012585cdea4992ef6b005dda8cf3863b9f1c5ce9cd6f798ad443User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 379Host: d3ben4sjdmrs9v.cloudfront.net
        Source: global trafficHTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*Authorization: Signature=66c807ad3803012585cdea4992ef6b005dda8cf3863b9f1c5ce9cd6f798ad443User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 369Host: d3ben4sjdmrs9v.cloudfront.net
        Source: global trafficHTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*Authorization: Signature=66c807ad3803012585cdea4992ef6b005dda8cf3863b9f1c5ce9cd6f798ad443User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 377Host: d3ben4sjdmrs9v.cloudfront.net
        Source: global trafficHTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*Authorization: Signature=66c807ad3803012585cdea4992ef6b005dda8cf3863b9f1c5ce9cd6f798ad443User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 367Host: d3ben4sjdmrs9v.cloudfront.net
        Source: global trafficHTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*Authorization: Signature=66c807ad3803012585cdea4992ef6b005dda8cf3863b9f1c5ce9cd6f798ad443User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 319Host: d3ben4sjdmrs9v.cloudfront.net
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6B0B91E0 lstrlenW,HttpQueryInfoW,GlobalAlloc,GlobalAlloc,GlobalAlloc,lstrlenW,CreateFileW,GetLastError,InternetReadFile,lstrcpynA,WriteFile,InternetReadFile,GetLastError,InternetQueryOptionW,InternetQueryOptionW,InternetQueryOptionW,wsprintfW,GetLastError,MultiByteToWideChar,GetLastError,wsprintfW,GlobalFree,CloseHandle,DeleteFileW,7_2_6B0B91E0
        Source: global trafficHTTP traffic detected: GET /f/AVG_AV/images/1509/EN.png HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.1.2Host: d3ben4sjdmrs9v.cloudfront.net
        Source: global trafficHTTP traffic detected: GET /f/NORTON_BRW/images/1494/547x280/EN.png HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.1.2Host: d3ben4sjdmrs9v.cloudfront.net
        Source: global trafficHTTP traffic detected: GET /f/WebAdvisor/files/1489/saBSI.zip HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.1.2Host: d3ben4sjdmrs9v.cloudfront.net
        Source: global trafficHTTP traffic detected: GET /f/AVG_AV/files/1319/avg.zip HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.1.2Host: d3ben4sjdmrs9v.cloudfront.net
        Source: global trafficHTTP traffic detected: GET /f/NORTON_BRW/files/1506/norton_secure_browser_setup.zip HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.1.2Host: d3ben4sjdmrs9v.cloudfront.net
        Source: global trafficHTTP traffic detected: GET /service/check2&appid=%7B5837B1A5-B72A-456A-B09F-F680E9AB5E02%7D&appversion=1.8.1649.5&applang=&machine=1&version=1.8.1649.5&userid=%7B080202C6-0391-4360-89E1-C3B86776D125%7D&osversion=10.0&servicepack= HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Google Update/1.8.1649.5;winhttpX-Last-HR: 0x0X-Last-HTTP-Status-Code: 0X-Retry-Count: 0X-HTTP-Attempts: 1Host: update.norton.securebrowser.com
        Source: global trafficHTTP traffic detected: GET /service/check2&appid=%7B5837B1A5-B72A-456A-B09F-F680E9AB5E02%7D&appversion=1.8.1649.5&applang=&machine=1&version=1.8.1649.5&userid=%7B080202C6-0391-4360-89E1-C3B86776D125%7D&osversion=10.0&servicepack= HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Google Update/1.8.1649.5;winhttpX-Old-UID: age=-1; cnt=0X-Last-HR: 0x0X-Last-HTTP-Status-Code: 0X-Retry-Count: 0X-HTTP-Attempts: 1Host: update.norton.securebrowser.com
        Source: global trafficHTTP traffic detected: GET /?p_age=0&p_bld=mmm_irs_ppi_902_451_o&p_cpua=x64&p_edi=15&p_icar=1&p_lng=en&p_midex=3F5C7CD44D1F6AC769934CADA267B4DFCEA62DE7E764D162133E6CAEDE356FD0&p_ost=0&p_osv=10.0&p_pro=111&p_prod=avg-av&p_ram=8191&p_vbd=9725&p_vep=24&p_ves=12&p_vre=2390&repoid=release& HTTP/1.1Host: shepherd.avcdn.netUser-Agent: libcurl/8.7.0-DEV Schannel zlib/1.3.1 c-ares/1.28.1 nghttp2/1.48.0Accept: */*Accept-Encoding: deflate, gzip
        Source: global trafficHTTP traffic detected: GET /?p_age=0&p_bld=mmm_irs_ppi_902_451_o&p_cpua=x64&p_icar=1&p_lng=en&p_midex=3F5C7CD44D1F6AC769934CADA267B4DFCEA62DE7E764D162133E6CAEDE356FD0&p_ost=0&p_osv=10.0&p_pro=111&p_prod=avg-av-vps&p_ram=8191&p_vbd=2402&p_vep=24&p_ves=12&p_vre=8785&repoid=release& HTTP/1.1Host: shepherd.avcdn.netUser-Agent: libcurl/8.7.0-DEV Schannel zlib/1.3.1 c-ares/1.28.1 nghttp2/1.48.0Accept: */*Accept-Encoding: deflate, gzip
        Source: global trafficDNS traffic detected: DNS query: d3ben4sjdmrs9v.cloudfront.net
        Source: global trafficDNS traffic detected: DNS query: analytics.apis.mcafee.com
        Source: global trafficDNS traffic detected: DNS query: v7event.stats.avast.com
        Source: global trafficDNS traffic detected: DNS query: honzik.avcdn.net
        Source: global trafficDNS traffic detected: DNS query: sadownload.mcafee.com
        Source: global trafficDNS traffic detected: DNS query: analytics.avcdn.net
        Source: global trafficDNS traffic detected: DNS query: stats.securebrowser.com
        Source: global trafficDNS traffic detected: DNS query: update.norton.securebrowser.com
        Source: global trafficDNS traffic detected: DNS query: cdn-update.norton.securebrowser.com
        Source: global trafficDNS traffic detected: DNS query: shepherd.avcdn.net
        Source: unknownHTTP traffic detected: POST /o HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 128Host: d3ben4sjdmrs9v.cloudfront.net
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 24 Dec 2024 11:06:32 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closex-powered-by: Expresscontent-security-policy: default-src 'none'x-content-type-options: nosniffcf-cache-status: DYNAMICServer: cloudflareCF-RAY: 8f701f5e08dc4258-EWR
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 24 Dec 2024 11:06:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closex-powered-by: Expresscontent-security-policy: default-src 'none'x-content-type-options: nosniffcf-cache-status: DYNAMICServer: cloudflareCF-RAY: 8f701f6b1d60c329-EWR
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000030BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%s:%d;https=https://%s:%dContent-EncodingHTTP/1.0deflate:
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2573330023.000000000579F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%s:%d;https=https://%s:%dHTTP/1.0
        Source: qbittorrent.exe, 0000000B.00000002.2937120417.0000000001314000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: http://bugreports.qt.io/
        Source: qbittorrent.exe, 0000000B.00000002.2937120417.0000000001314000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: http://bugreports.qt.io/1_q_preSharedKeyAuthenticationRequired(QSslPreSharedKeyAuthenticator
        Source: saBSI.exe, saBSI.exe, 00000005.00000002.2928526983.000000000284E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2921628143.000000000012E000.00000002.00000001.01000000.0000000D.sdmp, saBSI.exe, 00000005.00000000.2279002766.000000000012E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://clients2.google.com/service/update2/crx
        Source: saBSI.exe, 00000005.00000002.2928526983.000000000284E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://clients2.google.com/service/update2/crx:
        Source: saBSI.exe, 00000005.00000002.2928526983.000000000284E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://clients2.google.com/service/update2/crxb
        Source: saBSI.exe, 00000005.00000002.2928526983.000000000284E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://clients2.google.com/service/update2/crxv
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cnx.conceptsheartranch.com/
        Source: Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1679328506.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1677182877.0000000002640000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2276250845.0000000004EA4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2276250845.0000000004EA4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
        Source: Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1679328506.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1677182877.0000000002640000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
        Source: Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1679328506.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1677182877.0000000002640000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
        Source: svchost.exe, 0000000C.00000002.2976152871.0000022F67C00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2337317835.0000000004E9E000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2931737359.0000000000819000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2973825907.00000000046E0000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2972949516.0000000003E35000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000003.2412179424.0000000004A21000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2921730208.000000000040A000.00000004.00000001.01000000.0000000F.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000030BB000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003676000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000026AA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002704000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036AF000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.000000000276B000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.000000000431A000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004242000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003793000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 
0000000D.00000003.2424217205.000000000379E000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002687000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036FF000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003630000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crl0S
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2306117384.0000000004ED9000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000002.2928141299.0000000004BEE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000003.2359729651.0000000004BEC000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000003.2369853017.0000000004BEC000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000003.2359696407.0000000004C7D000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2573330023.000000000579F000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2624207025.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2477324143.000000000562F000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2413219491.00000000053B2000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000002.2935892477.0000000004CD0000.00000002.00000001.00040000.00000016.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2678619778.0000000005579000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
        Source: Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1679328506.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1677182877.0000000002640000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2276250845.0000000004EA4000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2306117384.0000000004ED9000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2337317835.0000000004E9E000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2972949516.0000000003E35000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2973825907.0000000004706000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000003.2412179424.0000000004A21000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2921730208.000000000040A000.00000004.00000001.01000000.0000000F.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000030BB000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000003.2412311308.0000000004A2B000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003676000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000026AA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002704000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036AF000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 
0000000D.00000003.2416089670.000000000276B000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.000000000431A000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004242000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003793000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.000000000379E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
        Source: NortonBrowserUpdate.exe, 00000012.00000002.2492111577.0000000001495000.00000002.00000001.00040000.00000023.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2337317835.0000000004E9E000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2931737359.0000000000819000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2973825907.00000000046E0000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2972949516.0000000003E35000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000003.2412179424.0000000004A21000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2921730208.000000000040A000.00000004.00000001.01000000.0000000F.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000030BB000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003676000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000026AA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002704000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036AF000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.000000000276B000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.000000000431A000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004242000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003793000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 
0000000D.00000003.2424217205.000000000379E000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002687000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036FF000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003630000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crl0
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2306117384.0000000004ED9000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000003.2359696407.0000000004C7D000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2573330023.000000000579F000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2624207025.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2477324143.000000000562F000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2413219491.00000000053B2000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000002.2935892477.0000000004CD0000.00000002.00000001.00040000.00000016.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2678619778.0000000005579000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
        Source: Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1679328506.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1677182877.0000000002640000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
        Source: Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1679328506.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1677182877.0000000002640000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
        Source: avg_antivirus_free_setup.exe, 00000006.00000002.2928141299.0000000004BEE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000003.2359729651.0000000004BEC000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000003.2369853017.0000000004BEC000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000003.2359696407.0000000004C7D000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2573330023.000000000579F000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2624207025.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2477324143.000000000562F000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2413219491.00000000053B2000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000002.2935892477.0000000004CD0000.00000002.00000001.00040000.00000016.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2678619778.0000000005579000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
        Source: avg_antivirus_free_setup.exe, 00000006.00000002.2928141299.0000000004BEE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000003.2359729651.0000000004BEC000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000003.2369853017.0000000004BEC000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000003.2359696407.0000000004C7D000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2573330023.000000000579F000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2624207025.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2477324143.000000000562F000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2413219491.00000000053B2000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000002.2935892477.0000000004CD0000.00000002.00000001.00040000.00000016.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2678619778.0000000005579000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://doubleclick-proxy.ff.avast.com/v1/gclid
        Source: svchost.exe, 0000000C.00000003.2398013421.0000022F67E18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
        Source: svchost.exe, 0000000C.00000003.2398013421.0000022F67E18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
        Source: svchost.exe, 0000000C.00000003.2398013421.0000022F67E18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
        Source: svchost.exe, 0000000C.00000003.2398013421.0000022F67E18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
        Source: svchost.exe, 0000000C.00000003.2398013421.0000022F67E18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
        Source: svchost.exe, 0000000C.00000003.2398013421.0000022F67E18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
        Source: svchost.exe, 0000000C.00000003.2398013421.0000022F67E4D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
        Source: svchost.exe, 0000000C.00000003.2398013421.0000022F67F07000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://gf.tools.avast.com/tools/gf/
        Source: avg_antivirus_free_setup.exe, 00000006.00000000.2308794053.0000000000493000.00000002.00000001.01000000.0000000E.sdmp, avg_antivirus_free_setup.exe, 00000006.00000002.2921459091.0000000000493000.00000002.00000001.01000000.0000000E.sdmpString found in binary or memory: http://https://:allow_fallback/installer.exe
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://median-a1.iavs9x.u.avast.com/iavs9x/avast_one_essential_setup_online.exe
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://median-free.iavs9x.u.avast.com/iavs9x/avast_free_antivirus_setup_online.exe
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2921730208.000000000040A000.00000004.00000001.01000000.0000000F.sdmp, norton_secure_browser_setup.exe, 00000007.00000000.2338313762.000000000040A000.00000008.00000001.01000000.0000000F.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
        Source: Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1679328506.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1677182877.0000000002640000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2306117384.0000000004ED9000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2337317835.0000000004E9E000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000003.2359729651.0000000004BEC000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000003.2359696407.0000000004C7D000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2931737359.0000000000819000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2973825907.00000000046E0000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2972949516.0000000003E35000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000003.2412179424.0000000004A21000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2921730208.000000000040A000.00000004.00000001.01000000.0000000F.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000030BB000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2573330023.000000000579F000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2624207025.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2477324143.000000000562F000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2413219491.00000000053B2000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000002.2935892477.0000000004CD0000.00000002.00000001.00040000.00000016.sdmp, avg_antivirus_free_online_setup.exe, 
00000008.00000003.2678619778.0000000005579000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003676000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000026AA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002704000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
        Source: Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1679328506.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1677182877.0000000002640000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2276250845.0000000004EA4000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2306117384.0000000004ED9000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2337317835.0000000004E9E000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000003.2359696407.0000000004C7D000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2973825907.00000000046E0000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2972949516.0000000003E35000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2973825907.0000000004706000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000003.2412179424.0000000004A21000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2921730208.000000000040A000.00000004.00000001.01000000.0000000F.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000030BB000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000003.2412311308.0000000004A2B000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2972949516.0000000003E7C000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2573330023.000000000579F000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 
00000008.00000003.2624207025.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2477324143.000000000562F000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2413219491.00000000053B2000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000002.2935892477.0000000004CD0000.00000002.00000001.00040000.00000016.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2678619778.0000000005579000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
        Source: Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1679328506.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1677182877.0000000002640000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2276250845.0000000004EA4000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2306117384.0000000004ED9000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2337317835.0000000004E9E000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2972949516.0000000003E35000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000003.2412179424.0000000004A21000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2921730208.000000000040A000.00000004.00000001.01000000.0000000F.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000030BB000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000003.2412311308.0000000004A2B000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2975944804.0000000004A2C000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003676000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000026AA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002704000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036AF000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 
0000000D.00000003.2416089670.000000000276B000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.000000000431A000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004242000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003793000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.000000000379E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
        Source: Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1679328506.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1677182877.0000000002640000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2276250845.0000000004EA4000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2306117384.0000000004ED9000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2337317835.0000000004E9E000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2972949516.0000000003E35000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2973825907.0000000004706000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000003.2412179424.0000000004A21000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2921730208.000000000040A000.00000004.00000001.01000000.0000000F.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000030BB000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000003.2412311308.0000000004A2B000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003676000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000026AA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002704000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036AF000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 
0000000D.00000003.2416089670.000000000276B000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.000000000431A000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004242000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003793000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.000000000379E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2276250845.0000000004EA4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2276250845.0000000004EA4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2307998102.0000000004ECB000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2306117384.0000000004EBE000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2306878132.0000000004ED3000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2337088518.0000000004EC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zipSORE
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2276250845.0000000004E77000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2277783422.0000000004E8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zipure_browser_setup.zip
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2277783422.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2747353590.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2337317835.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2276250845.0000000004E77000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2308120511.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2433556335.0000000004E8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/f/WebAdvisor/images/NEW/EN.png
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2434384539.00000000008A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/f/WebAdvisor/images/NEW/EN.png.
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2277783422.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2276250845.0000000004E43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/f/WebAdvisor/images/NEW/EN.png0/EN.png4FqjuMlqeXqa53IPQ
        Source: Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1674680368.0000000002500000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.exe, 00000000.00000003.2755978022.00000000022CD000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2751722372.0000000007466000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2742327506.0000000002420000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1681931594.0000000003460000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2744532528.00000000034AC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/o
        Source: Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1674680368.0000000002500000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.exe, 00000000.00000003.2755978022.00000000022CD000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2747353590.0000000004E9E000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2306878132.0000000004EC0000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2306117384.0000000004EBE000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2742327506.0000000002420000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2742327506.000000000254A000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1681931594.0000000003460000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2433556335.0000000004E9A000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2745827697.00000000035CE000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2744532528.00000000034AC000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2431828115.0000000004EDA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/zbd
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2434384539.00000000008A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/zbd.tmp
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2431828115.0000000004EDA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/zbdR
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2306878132.0000000004EC0000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2306117384.0000000004EBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/zbddl-
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2434384539.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2736036551.00000000008D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net:443/zbd
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2434384539.00000000008CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net:443/zbd9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2931737359.0000000000875000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/
        Source: qbittorrent.exe, 0000000B.00000002.2994444060.0000000001647000.00000004.00000001.01000000.00000018.sdmpString found in binary or memory: https://download.db-ip.com/free/dbip-country-lite-%1.mmdb.gz
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2931737359.0000000000875000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-autopush.corp.google.com/
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2931737359.0000000000875000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-0.corp.google.com/
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2931737359.0000000000875000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-1.corp.google.com/
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2931737359.0000000000875000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-2.corp.google.com/
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2931737359.0000000000875000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-3.corp.google.com/
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2931737359.0000000000875000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-4.corp.google.com/
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2931737359.0000000000875000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-5.corp.google.com/
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2931737359.0000000000875000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-6.corp.google.com/
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2931737359.0000000000875000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-preprod.corp.google.com/
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2931737359.0000000000875000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-staging.corp.google.com/
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2931737359.0000000000875000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2715273606.00000000053EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://firefoxextension.avast.com/aos/update.json
        Source: svchost.exe, 0000000C.00000003.2398013421.0000022F67EC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
        Source: svchost.exe, 0000000C.00000003.2398013421.0000022F67E72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
        Source: svchost.exe, 0000000C.00000003.2398013421.0000022F67EC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
        Source: svchost.exe, 0000000C.00000003.2398013421.0000022F67EA3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
        Source: svchost.exe, 0000000C.00000003.2398013421.0000022F67EC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2678619778.0000000005579000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hns.sb.avast.com
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2434384539.0000000000920000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1763417695.0000000000925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://home.mcafee.com/Root/AboutUs.aspx?id=eula
        Source: avg_antivirus_free_setup.exe, 00000006.00000003.2360032414.0000000004BE2000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2676967364.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2486968413.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000002.2921422224.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2749131788.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2569408847.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2622976283.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2714616486.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2580970462.00000000006BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2569408847.00000000006BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/6m
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2676967364.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000002.2921422224.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2749131788.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2714616486.00000000006BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/Y
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2390745818.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2390745818.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2412880620.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2412180856.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2406771349.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2406445183.00000000006BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/defs/avg-av/release.xml.lzma
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2676967364.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000002.2921422224.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2749131788.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2714616486.00000000006BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/fmO
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2676967364.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000002.2921422224.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2749131788.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2714616486.00000000006BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/nmW
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/setup/avg-atrk/release/avg_antitrack_online_setup.exe
        Source: avg_antivirus_free_setup.exe, 00000006.00000003.2360180609.0000000004BF9000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000003.2360180609.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000003.2359729651.0000000004BEC000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000002.2928141299.0000000004BF9000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000003.2369853017.0000000004BF9000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/setup/avg-av/release/avg_antivirus_free_online_setup.exe
        Source: avg_antivirus_free_setup.exe, 00000006.00000003.2359729651.0000000004BEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/setup/avg-av/release/avg_antivirus_free_online_setup.exeO
        Source: avg_antivirus_free_setup.exe, 00000006.00000003.2360180609.0000000004BF9000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000002.2928141299.0000000004BF9000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000003.2369853017.0000000004BF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/setup/avg-av/release/avg_antivirus_free_online_setup.exed-?t$
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/setup/avg-bg/release/avg_breach_guard_online_setup.exe
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/setup/avg-bs/release/avg_battery_saver_online_setup.exe
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/setup/avg-du/release/avg_driver_updater_online_setup.exe
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/setup/avg-tu/release/avg_tuneup_online_setup.exe
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/setup/avg-vpn/release/avg_vpn_online_setup.exe
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2622976283.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2714616486.00000000006BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/universe/2f8a/779d/1460/2f8a779d146017868e5dd4e67083675da9aa5b94a174d8b56c3
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000002.2921422224.000000000066D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/universe/3ba8/fbac/3885/3ba8fbac3885aa994b335c77d2f1544c6a87420edc8b0f047b3
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2406445183.00000000006BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/universe/48c1/d01f/6234/48c1d01f6234e7c129b31a0c2388de0f102f718721fedf18edb
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2714616486.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000002.2921422224.000000000066D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/universe/6b80/fa1f/8221/6b80fa1f82216a58bdc872de1a8e2cf9d2c485d135cf3414b79
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2676967364.00000000006BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/universe/aa90/1643/995c/aa901643995c786c0598ce59c6edc19d0202ef4a3a8a0cb0c1a
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000002.2921422224.000000000066D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/universe/e9e9/a93a/90fd/e9e9a93a90fdacb5677472fbfeb58dfcea5047e1d044cae69fe
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000002.2921422224.000000000066D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/universe/f6c2/9c47/0a75/f6c29c470a756f71f14ad40453e27aa8e141bd3443b84483c73
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2412880620.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2412180856.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2406771349.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2406445183.00000000006BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/vm?
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000002.2921422224.0000000000647000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net:443/defs/avg-av/release.xml.lzma
        Source: avg_antivirus_free_setup.exe, 00000006.00000003.2360180609.0000000004BFF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net:443/setup/avg-av/release/avg_antivirus_free_online_setup.exe
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000002.2921422224.0000000000647000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net:443/universe/e9e9/a93a/90fd/e9e9a93a90fdacb5677472fbfeb58dfcea5047e1d044cae
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000002.2921422224.0000000000647000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net:443/universe/f6c2/9c47/0a75/f6c29c470a756f71f14ad40453e27aa8e141bd3443b8448
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.avast.com/inAvastium
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.avg.com
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://identityprotection.avg.com
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipm-provider.ff.avast.com/
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipm.avcdn.net/
        Source: Canvas of Kings_N6xC-S2.exe, 00000000.00000000.1674279002.0000000000401000.00000020.00000001.01000000.00000003.sdmpString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
        Source: norton_secure_browser_setup.exe, 00000007.00000003.2374354528.0000000003E66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://my.avast.com
        Source: svchost.exe, 0000000C.00000003.2398013421.0000022F67EC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
        Source: svchost.exe, 0000000C.00000003.2398013421.0000022F67E72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2678619778.0000000005579000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://packet-responder.ff.avast.com:8443Vaar-VersionVaar-Header-Content-Type0Failed
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pair.ff.avast.com
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://prod1-fe-basic-auth-breach.prod.aws.lifelock.com
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1763329826.000000000092E000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1764181804.0000000000934000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reasonlabs.c
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2745537272.0000000003572000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1763438947.00000000008EB000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2434384539.00000000008F7000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2736036551.0000000000919000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reasonlabs.com/policies
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2747472940.00000000053B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s-nuistatic.avcdn.net/nui/avg/1.0.761/updatefile.json
        Source: saBSI.exe, 00000005.00000003.2538412417.0000000002901000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2493478584.0000000002900000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2928526983.00000000028B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/
        Source: saBSI.exe, 00000005.00000002.2928526983.00000000028B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/J
        Source: saBSI.exe, saBSI.exe, 00000005.00000002.2928526983.00000000028B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/
        Source: saBSI.exe, 00000005.00000003.2380332434.0000000002906000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2380009561.0000000002906000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2538412417.0000000002901000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2493478584.0000000002900000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2379943913.0000000002902000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2928526983.00000000028B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/Win/binary/3.7.2/update_bsi_product.xml
        Source: saBSI.exe, 00000005.00000003.2493478584.0000000002922000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2928526983.0000000002922000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2379943913.0000000002922000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2380332434.0000000002922000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2538412417.0000000002922000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/Win/binary/3.7.2/update_bsi_product.xml/
        Source: saBSI.exe, 00000005.00000003.2380332434.0000000002906000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2380009561.0000000002906000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2538412417.0000000002901000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2493478584.0000000002900000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2379943913.0000000002902000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2928526983.00000000028B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/Win/binary/4.1.0/update_bsi_self.xml
0000000D.00000003.2424217205.0000000003630000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036C6000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004164000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003B2B000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000042D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.nortonlifelock.com/
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2751722372.0000000007471000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.nortonlifelock.com/us/en/leg
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2751722372.00000000074D8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.nortonlifelock.com/us/en/legal/license-services-agreement/
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2434384539.0000000000920000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2431828115.0000000004EBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.nortonlifelock.com/us/en/legal/license-services-agreement/2.tmp
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2431828115.0000000004EBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.nortonlifelock.com/us/en/legal/license-services-agreement/A
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2751722372.0000000007561000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.nortonlifelock.com/us/en/p
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2751722372.0000000007561000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.nortonlifelock.com/us/en/pr
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2751722372.00000000074D8000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1764863031.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2736036551.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2308120511.0000000004E2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.nortonlifelock.com/us/en/privacy/
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2434384539.00000000008A7000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1763572224.00000000008B4000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1764863031.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2736036551.00000000008B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.opera.com/he/eula/computers
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2434384539.00000000008A7000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1763572224.00000000008B4000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1764863031.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2736036551.00000000008B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.opera.com/he/eula/computers=)X
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1764336975.0000000000919000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1763438947.00000000008EB000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2434384539.00000000008F7000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2736036551.0000000000919000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.opera.com/he/privacy
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1764336975.00000000008F4000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1763438947.00000000008EB000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2434384539.00000000008EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.premieropinion.com/common/termsofservice-v1
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2434384539.00000000008A7000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1763572224.00000000008B4000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1764863031.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2736036551.00000000008B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.premieropinion.com/privacy-policy
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2434384539.0000000000920000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1763417695.0000000000925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.razer.com/legal/customer-privacy-policy
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2434384539.0000000000920000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1763417695.0000000000925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.razer.com/legal/customer-privacy-policy9
        Source: Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1679328506.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1677182877.0000000002640000.00000004.00001000.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000000.1680500669.0000000000401000.00000020.00000001.01000000.00000004.sdmpString found in binary or memory: https://www.remobjects.com/ps
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.thawte.com/cps0/
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.thawte.com/repository0W
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe Code function: 7_2_00405601 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 7_2_00405601

        E-Banking Fraud

        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe Code function: lstrcpyW,lstrcpyW,lstrcmpW,lstrcpyW,lstrlenW,lstrcpyW,GetFileAttributesW,CreateFileW,GetFileSize,GlobalAlloc,ReadFile,MultiByteToWideChar,GlobalAlloc,MultiByteToWideChar,GlobalFree,CloseHandle,StrStrW,StrStrW,StrStrW,StrStrW,GlobalAlloc,lstrcpynW,GlobalFree,CloseHandle,GlobalFree, \SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppxManifest.xml 7_2_6AE22050

        Spam, unwanted Advertisements and Ransom Demands

        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp File created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0 (copy) entropy: 7.99597518735
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp File created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1 (copy) entropy: 7.99668482326
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp File created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2 (copy) entropy: 7.99994992874
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp File created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0.zip (copy) entropy: 7.99597518735
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp File created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1.zip (copy) entropy: 7.99668482326
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp File created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2.zip (copy) entropy: 7.99994992874
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exe File created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\installer.exe entropy: 7.99774389448
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\38c5c893-8e0d-4032-96a7-5f0fdffaba37 entropy: 7.99982131586
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\484d38e6-6bc7-41bd-bb9d-2e557c63a54e entropy: 7.99990414125
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\e5752873-542b-4414-940a-117ab556e630 entropy: 7.99866005103
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\setupui.cont entropy: 7.99945456192
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\10460286-666d-43b7-924e-404997778a2c entropy: 7.99949886139
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\7cc1ae5c-206b-4137-94e9-860f31962ff3 entropy: 7.9999260316
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\9c8a6547-ee3b-45b9-a388-ae4a211904c1 entropy: 7.99995124837
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe File created: C:\Users\user\AppData\Local\Temp\{01288569-79D1-4166-8789-EAD05C40E973}-NortonBrowserInstaller.exe entropy: 7.99993981636
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av\setupui.cont entropy: 7.99945456192
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av-vps\icarus_product.dll.lzma entropy: 7.99946367131
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av-vps\icarus_rvrt.exe.lzma entropy: 7.99325569022
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av\icarus_rvrt.exe.lzma entropy: 7.99325569022
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av\icarus_product.dll.lzma entropy: 7.99990334673

        System Summary

        Source: Process Memory Space: NortonBrowserUpdateSetup.exe PID: 1544, type: MEMORYSTR Matched rule: PlugX Identifying Strings Author: Seth Hardy
        Source: C:\Program Files (x86)\GUTC558.tmp, type: DROPPED Matched rule: PlugX Identifying Strings Author: Seth Hardy
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe Code function: 8_2_007CC610 NtQueryInformationProcess,GetModuleHandleW,GetProcAddress,GetLastError,GetLastError,NtQueryInformationProcess,Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error, 8_2_007CC610
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe Code function: 8_2_007CFDD0 GetModuleHandleW,GetProcAddress,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess, 8_2_007CFDD0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe Code function: 8_2_007CC6D0 NtQueryInformationProcess, 8_2_007CC6D0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exe Code function: 5_2_00086220: GetCurrentProcessId,GetCurrentThreadId,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,DeviceIoControl,DeviceIoControl, 5_2_00086220
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe Code function: 7_2_6B0B9B40 GetFileAttributesW,CloseHandle,lstrlenW,lstrlenW,lstrlenW,GetFileAttributesW,CloseHandle,GlobalAlloc,CloseHandle,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,GlobalAlloc,CloseHandle,lstrcpyW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,WTSGetActiveConsoleSessionId,CloseHandle,LoadLibraryW,LoadLibraryW,CloseHandle,LoadLibraryW,CloseHandle,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DuplicateTokenEx,GetTokenInformation,GetTokenInformation,GetTokenInformation,CloseHandle,CreateProcessAsUserW,CloseHandle,CloseHandle,ShellExecuteExW,CloseHandle,CloseHandle,CreateProcessW,CloseHandle,AllowSetForegroundWindow,GlobalFree,CloseHandle,CloseHandle, 7_2_6B0B9B40
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe Code function: 7_2_0040350D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 7_2_0040350D
        Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches
        Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6ff020.msi
        Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
        Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{469D3039-E8BB-40CB-9989-158443EEA4EB}
        Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF178.tmp
        Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6ff023.msi
        Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6ff023.msi
        Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\6ff023.msi
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCode function: 6_2_0047EDE06_2_0047EDE0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCode function: 6_2_0048CE7E6_2_0048CE7E
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCode function: 6_2_004866E46_2_004866E4
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_00406B647_2_00406B64
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE2C7717_2_6AE2C771
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE5DAF17_2_6AE5DAF1
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE5D20E7_2_6AE5D20E
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE492197_2_6AE49219
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE5C3CA7_2_6AE5C3CA
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE420FA7_2_6AE420FA
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE5D82A7_2_6AE5D82A
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE446E27_2_6AE446E2
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE4C78B7_2_6AE4C78B
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE4E7907_2_6AE4E790
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE41C867_2_6AE41C86
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE5A47D7_2_6AE5A47D
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE4944B7_2_6AE4944B
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE5DDAC7_2_6AE5DDAC
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE5D5807_2_6AE5D580
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE5A59D7_2_6AE5A59D
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE58D2E7_2_6AE58D2E
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AEC6AF07_2_6AEC6AF0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE9E75B7_2_6AE9E75B
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AEBA44A7_2_6AEBA44A
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AF7B3B07_2_6AF7B3B0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE9336A7_2_6AE9336A
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AFB80C97_2_6AFB80C9
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE95A597_2_6AE95A59
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE95B9D7_2_6AE95B9D
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE958F97_2_6AE958F9
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE9DEEF7_2_6AE9DEEF
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AEC1EF47_2_6AEC1EF4
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE99C747_2_6AE99C74
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE95DC17_2_6AE95DC1
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AF1D38B7_2_6AF1D38B
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE993277_2_6AE99327
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AFE91407_2_6AFE9140
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AFA552D7_2_6AFA552D
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6B0B97307_2_6B0B9730
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6F6F2F077_2_6F6F2F07
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008302B08_2_008302B0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008223208_2_00822320
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008085208_2_00808520
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008269508_2_00826950
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_00828DF08_2_00828DF0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_0080B4508_2_0080B450
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008197B08_2_008197B0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008218608_2_00821860
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008479B08_2_008479B0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007DF9108_2_007DF910
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_0088A0908_2_0088A090
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008180B08_2_008180B0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_0088C0408_2_0088C040
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007BE1708_2_007BE170
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007F81208_2_007F8120
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007C21008_2_007C2100
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_0080A1308_2_0080A130
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007DA1B08_2_007DA1B0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007AC2608_2_007AC260
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_0086A2008_2_0086A200
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_0088221D8_2_0088221D
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008462408_2_00846240
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007FE2A08_2_007FE2A0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008964838_2_00896483
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007C04608_2_007C0460
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008A04A98_2_008A04A9
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008784568_2_00878456
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_0086C4708_2_0086C470
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008825AB8_2_008825AB
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007C25808_2_007C2580
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_0080A7E08_2_0080A7E0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008468108_2_00846810
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007AC8808_2_007AC880
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008249C08_2_008249C0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007E29108_2_007E2910
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008769408_2_00876940
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007E8B408_2_007E8B40
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007BEB308_2_007BEB30
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007CAB108_2_007CAB10
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007C2BC08_2_007C2BC0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007AAC008_2_007AAC00
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007C4CB08_2_007C4CB0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_00812DF08_2_00812DF0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008510908_2_00851090
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007A10008_2_007A1000
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007BD0008_2_007BD000
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007E10B08_2_007E10B0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007C35108_2_007C3510
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008716308_2_00871630
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008496508_2_00849650
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008957E48_2_008957E4
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_0086F8008_2_0086F800
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_0086D8408_2_0086D840
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_0082D9008_2_0082D900
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007FB9B08_2_007FB9B0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007BDB408_2_007BDB40
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_00869B408_2_00869B40
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007EBCD08_2_007EBCD0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007C5CA08_2_007C5CA0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_00869EB08_2_00869EB0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007EFED08_2_007EFED0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_0081BF108_2_0081BF10
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: String function: 007B8930 appears 52 times
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: String function: 007C81F0 appears 36 times
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: String function: 007C7650 appears 62 times
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: String function: 00855E80 appears 38 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AF7C191 appears 75 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AE9C7B4 appears 518 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AF06AC0 appears 114 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AEAF8D7 appears 91 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AE9B025 appears 99 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AE9C4DD appears 303 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AE9C5E1 appears 80 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AE9C6E4 appears 77 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AF06772 appears 33 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AE925C6 appears 241 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AE5F420 appears 34 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AE9AD14 appears 276 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AF06A1B appears 216 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AEAF913 appears 77 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AE9AE1C appears 116 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AE9B0CE appears 34 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AF069E8 appears 310 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AF06A51 appears 114 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AF06A87 appears 176 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6B0B5170 appears 83 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6AEEC485 appears 34 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: String function: 6B0B2930 appears 34 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: String function: 000EA3A0 appears 32 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: String function: 000E9600 appears 61 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: String function: 00104231 appears 31 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: String function: 000E85BF appears 71 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: String function: 000E8E31 appears 79 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: String function: 000A8650 appears 192 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: String function: 000E8DFE appears 111 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: String function: 00071BE0 appears 67 times
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: String function: 000E8713 appears 374 times
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6836 -ip 6836
        Source: Canvas of Kings_N6xC-S2.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: norton_secure_browser_setup.exe.1.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: norton_secure_browser_setup.exe.1.drStatic PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 4K dictionary
        Source: norton_secure_browser_setup.exe.1.drStatic PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 4K dictionary
        Source: norton_secure_browser_setup.exe.1.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: norton_secure_browser_setup.exe.1.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: norton_secure_browser_setup.exe.1.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: norton_secure_browser_setup.exe.1.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: norton_secure_browser_setup.exe.1.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: installer.exe.5.drStatic PE information: Resource name: PAYLOAD type: Microsoft Cabinet archive data, many, 23003272 bytes, 135 files, at 0x2c +A "analyticsmanager.cab" +A "analyticstelemetry.cab", number 1, 845 datablocks, 0x1 compression
        Source: sciterui.dll.7.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
        Source: goopdateres_th.dll.13.drStatic PE information: Resource name: RT_STRING type: PDP-11 overlaid pure executable not stripped
        Source: goopdateres_tr.dll.13.drStatic PE information: Resource name: RT_STRING type: 370 XA sysV pure executable not stripped
        Source: goopdateres_vi.dll.13.drStatic PE information: Resource name: RT_STRING type: iAPX 286 executable small model (COFF) not stripped
        Source: goopdateres_ca.dll.13.drStatic PE information: Resource name: RT_STRING type: MIPSEB-LE MIPS-II ECOFF executable not stripped - version 0.114
        Source: goopdateres_fil.dll.13.drStatic PE information: Resource name: RT_STRING type: VAX COFF executable, sections 80, created Wed Mar 25 10:31:05 1970, not stripped, version 108
        Source: goopdateres_hu.dll.13.drStatic PE information: Resource name: RT_STRING type: MIPSEL MIPS-II ECOFF executable not stripped - version 0.101
        Source: goopdateres_ms.dll.13.drStatic PE information: Resource name: RT_STRING type: 370 sysV executable not stripped
        Source: goopdateres_ca.dll.14.drStatic PE information: Resource name: RT_STRING type: MIPSEB-LE MIPS-II ECOFF executable not stripped - version 0.114
        Source: goopdateres_fil.dll.14.drStatic PE information: Resource name: RT_STRING type: VAX COFF executable, sections 80, created Wed Mar 25 10:31:05 1970, not stripped, version 108
        Source: goopdateres_hu.dll.14.drStatic PE information: Resource name: RT_STRING type: MIPSEL MIPS-II ECOFF executable not stripped - version 0.101
        Source: norton_secure_browser_setup.exe.1.drStatic PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 4K dictionary
        Source: norton_secure_browser_setup.exe.1.drStatic PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 4K dictionary
        Source: sciterui.dll.7.drStatic PE information: No import functions for PE file found
        Source: installer.exe.5.drStatic PE information: Data appended to the last section found
        Source: Canvas of Kings_N6xC-S2.exe, 00000000.00000000.1674377089.00000000004C6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName vs Canvas of Kings_N6xC-S2.exe
        Source: Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1679328506.000000007FB60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs Canvas of Kings_N6xC-S2.exe
        Source: Canvas of Kings_N6xC-S2.exe, 00000000.00000003.1677182877.0000000002640000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs Canvas of Kings_N6xC-S2.exe
        Source: Canvas of Kings_N6xC-S2.exe, 00000000.00000003.2755978022.0000000002328000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs Canvas of Kings_N6xC-S2.exe
        Source: Canvas of Kings_N6xC-S2.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
        Source: Process Memory Space: NortonBrowserUpdateSetup.exe PID: 1544, type: MEMORYSTR Matched rule: PlugXStrings author = Seth Hardy, description = PlugX Identifying Strings, last_modified = 2014-06-12
        Source: C:\Program Files (x86)\GUTC558.tmp, type: DROPPED Matched rule: PlugXStrings author = Seth Hardy, description = PlugX Identifying Strings, last_modified = 2014-06-12
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Key value queried: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon version
        Source: qbittorrent.exe.1.drStatic PE information: Section: .qtmimed ZLIB complexity 0.997458770800317
        Source: classification engineClassification label: mal64.rans.bank.troj.spyw.evad.winEXE@62/279@26/7
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_0040350D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,7_2_0040350D
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AF1A11E __EH_prolog3_catch_GS,__EH_prolog3_catch_GS,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,GetShellWindow,GetWindowThreadProcessId,OpenProcess,GetLastError,GetShellWindow,GetProcessId,OpenProcessToken,GetLastError,DuplicateTokenEx,GetLastError,CreateProcessWithTokenW,GetLastError,GetLastError,7_2_6AF1A11E
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007CFF60 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,8_2_007CFF60
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCode function: 6_2_004752F0 InterlockedExchange,GetCurrentProcess,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,CreateMutexW,GetLastError,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,CoInitializeEx,CoCreateInstance,CoUninitialize,InterlockedExchange,GetLastError,InterlockedExchange,MessageBoxExW,wsprintfW,wsprintfW,MessageBoxExW,InterlockedExchange,InterlockedExchange,CreateThread,CloseHandle,InterlockedExchange,GetLastError,InterlockedExchange,MoveFileExW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileIntW,wsprintfW,CreateFileW,InterlockedExchange,GetLastError,InterlockedExchange,MoveFileExW,MoveFileExW,GetDiskFreeSpaceExW,InterlockedExchange,InterlockedExchange,MessageBoxExW,InterlockedExchange,GetLastError,InterlockedExchange,wsprintfW,wsprintfW,MessageBoxExW,CloseHandle,CreateFileW,InterlockedExchange,GetLastError,InterlockedExchange,InterlockedExchange,GetLastError,InterlockedExchange,InterlockedExchange,CreateProcessW,InterlockedExchange,GetLastError,InterlockedExchange,AllowSetForegroundWindow,ResumeThread,InterlockedExchange,GetLastError,InterlockedExchange,PostMessageW,WaitForSingleObject,GetExitCodeProcess,InterlockedExchange,InterlockedExchange,InterlockedExchange,CloseHandle,CloseHandle,CloseHandle,_wcsrchr,_wcsrchr,CreateHardLinkW,CopyFileW,ReleaseMutex,CloseHandle,___delayLoadHelper2@8,6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_00074C8E GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,5_2_00074C8E
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_00075C1E CoCreateInstance,OleRun,5_2_00075C1E
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_00095318 GetModuleHandleW,FindResourceW,LoadResource,LockResource,std::ios_base::_Ios_base_dtor,GetModuleHandleW,GetProcAddress,GetCurrentProcess,Concurrency::cancel_current_task,Concurrency::cancel_current_task,SysFreeString,SysFreeString,5_2_00095318
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeFile created: C:\Program Files (x86)\GUMC557.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp File created: C:\Users\user\AppData\Local\Programs
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeMutant created: \Sessions\1\BaseNamedObjects\QtLockedFile mutex c:/users/user/appdata/roaming/qbittorrent/lockfile
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeMutant created: NULL
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeMutant created: \BaseNamedObjects\Global\NortonBrowserUpdate{C68009EA-1163-4498-8E93-D5C4E317D8CE}
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeMutant created: \Sessions\1\BaseNamedObjects\Global\NortonBrowserUpdate{D19BAF17-7C87-467E-8D63-6C4B1C836373}
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpMutant created: \Sessions\1\BaseNamedObjects\{2c958236-012f-4348-b699-6519aeb48f99}Installer
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeMutant created: \Sessions\1\BaseNamedObjects\norton-securebrowser_installer_mutex2
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeMutant created: \Sessions\1\BaseNamedObjects\Global\NortonBrowserUpdate{C68009EA-1163-4498-8E93-D5C4E317D8CE}
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{48ca68e-e4ff-43ac-a993-6d162f33de7c}
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeMutant created: \BaseNamedObjects\Global\NortonBrowserUpdate{A9A86B93-B54E-4570-BE89-42418507707B}
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeMutant created: \BaseNamedObjects\Global\NortonBrowserUpdate{D19BAF17-7C87-467E-8D63-6C4B1C836373}
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeMutant created: \Sessions\1\BaseNamedObjects\Global\NortonBrowserUpdate{A9A86B93-B54E-4570-BE89-42418507707B}
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeMutant created: \BaseNamedObjects\Global\NortonBrowserUpdate{66CC0160-ABB3-4066-AE47-1CA6AD5065C8}
        Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6836
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{32B25EF2-80FD-4C66-97E1-0890D9E9F87B}
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeMutant created: \BaseNamedObjects\Global\NortonBrowserUpdate{6885AE8E-C070-458d-9711-37B9BEAB65F6}
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeMutant created: \BaseNamedObjects\Global\NortonBrowserUpdate{D0BB2EF1-C183-4cdb-B218-040922092869}
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeMutant created: \BaseNamedObjects\Global\NortonBrowserUpdate{0A175FBE-AEEC-4fea-855A-2AA549A88846}
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpMutant created: \Sessions\1\BaseNamedObjects\Global\{2c958236-012f-4348-b699-6519aeb48f99}Installer
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeMutant created: \BaseNamedObjects\Global\NortonBrowserUpdate{B5665124-2B19-40e2-A7BC-B44321E72C4B}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:120:WilError_03
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exeMutant created: \Sessions\1\BaseNamedObjects\Global\2c95dc9cb28705905cc7377bb410fd9f
        Source: C:\Users\user\Desktop\Canvas of Kings_N6xC-S2.exeFile created: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: /silent6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: /cookie6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: /ppi_icd6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: /cust_ini6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: Enabled6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: ProxySettings6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: ProxyType6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: ProxySettings6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: ProxySettings6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: Port6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: ProxySettings6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: User6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: ProxySettings6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: Password6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: ProxySettings6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: ProxySettings6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: Properties6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: /smbupd6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: enable6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: mirror6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: count6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: servers6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: urlpgm6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: server06_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: http://6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: https://6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: allow_fallback6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: mirror6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: installer.exe6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: {versionSwitch}6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: stable6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: %s\%s6_2_004752F0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCommand line argument: X>I6_2_004752F0
        Source: C:\Users\user\Desktop\Canvas of Kings_N6xC-S2.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpFile read: C:\Users\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\Canvas of Kings_N6xC-S2.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2977306249.000000006B00E000.00000002.00000001.01000000.00000012.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
        Source: qbittorrent.exe, 0000000B.00000002.2937120417.0000000001314000.00000002.00000001.01000000.00000018.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
        Source: norton_secure_browser_setup.exe, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2977306249.000000006B00E000.00000002.00000001.01000000.00000012.sdmpBinary or memory string: SELECT ((visits.visit_time/1000000)-11644473600) AS vtime FROM 'visits' ORDER BY vtime DESC LIMIT 1;
        Source: norton_secure_browser_setup.exe, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2977306249.000000006B00E000.00000002.00000001.01000000.00000012.sdmpBinary or memory string: SELECT last_visit_date / 1000000 AS vtime FROM 'moz_places' ORDER BY vtime DESC LIMIT 1;
        Source: qbittorrent.exe, 0000000B.00000002.2937120417.0000000001314000.00000002.00000001.01000000.00000018.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
        Source: qbittorrent.exe, 0000000B.00000002.2937120417.0000000001314000.00000002.00000001.01000000.00000018.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
        Source: qbittorrent.exe, 0000000B.00000002.2937120417.0000000001314000.00000002.00000001.01000000.00000018.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2977306249.000000006B00E000.00000002.00000001.01000000.00000012.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2977306249.000000006B00E000.00000002.00000001.01000000.00000012.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
        Source: qbittorrent.exe, 0000000B.00000002.2937120417.0000000001314000.00000002.00000001.01000000.00000018.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
        Source: qbittorrent.exe, 0000000B.00000002.2937120417.0000000001314000.00000002.00000001.01000000.00000018.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2977306249.000000006B00E000.00000002.00000001.01000000.00000012.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
        Source: qbittorrent.exe, 0000000B.00000002.2937120417.0000000001314000.00000002.00000001.01000000.00000018.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
        Source: Canvas of Kings_N6xC-S2.exeReversingLabs: Detection: 18%
        Source: C:\Users\user\Desktop\Canvas of Kings_N6xC-S2.exeFile read: C:\Users\user\Desktop\Canvas of Kings_N6xC-S2.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\Canvas of Kings_N6xC-S2.exe "C:\Users\user\Desktop\Canvas of Kings_N6xC-S2.exe"
        Source: C:\Users\user\Desktop\Canvas of Kings_N6xC-S2.exeProcess created: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp "C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp" /SL5="$20416,13566766,780800,C:\Users\user\Desktop\Canvas of Kings_N6xC-S2.exe"
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exe "C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe "C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTu5hwBbM7D8YdixE5HhZyLyta7SFjWzBoCRk5knOtfwaHxtSx8W5YVAbWE4FqjuMlqeXqa53IPQ
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe "C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe" /s /make-default /run_source="norton_ppi_is"
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeProcess created: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe "C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe" /silent /ws /psh:92pTu5hwBbM7D8YdixE5HhZyLyta7SFjWzBoCRk5knOtfwaHxtSx8W5YVAbWE4FqjuMlqeXqa53IPQ /cookie:mmm_irs_ppi_902_451_o /ga_clientid:729de4ae-763f-4df7-a043-5659222e822a /edat_dir:C:\Windows\Temp\asw.d8c2b19fc2277941
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" firewall add allowedprogramC:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exe "qBittorrent" ENABLE
        Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exe "C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exe" magnet:?xt=urn:btih:BFF18AF5608F9196CF05BF0C1F0B54A18C3F0A77
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeProcess created: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe NortonBrowserUpdateSetup.exe /silent /install "bundlename=Norton Private Browser&appguid={3A3642E6-DE46-4F68-9887-AA017EEFE426}&appname=Norton Private Browser&needsadmin=true&lang=en-GB&brand=29239&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dchrome --import-cookies --auto-launch-chrome"
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeProcess created: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe "C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe" /silent /install "bundlename=Norton Private Browser&appguid={3A3642E6-DE46-4F68-9887-AA017EEFE426}&appname=Norton Private Browser&needsadmin=true&lang=en-GB&brand=29239&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dchrome --import-cookies --auto-launch-chrome"
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6836 -ip 6836
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 2516
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /regsvc
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /regserver
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserUpdateComRegisterShell64.exe "C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserUpdateComRegisterShell64.exe"
        Source: unknownProcess created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /c
        Source: unknownProcess created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /ua /installsource scheduler
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /cr
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserCrashHandler.exe "C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserCrashHandler.exe"
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /registermsihelper
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserCrashHandler64.exe "C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserCrashHandler64.exe"
        Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /ping
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /handoff "bundlename=Norton Private Browser&appguid={3A3642E6-DE46-4F68-9887-AA017EEFE426}&appname=Norton Private Browser&needsadmin=true&lang=en-GB&brand=29239&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dchrome --import-cookies --auto-launch-chrome" /installsource otherinstallcmd /sessionid "{CC011AE7-AAE5-4543-84DB-E4D48135833D}" /silent
        Source: unknownProcess created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /svc
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /uninstall
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6836 -ip 6836
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 2516
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeProcess created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\icarus-info.xml /install /silent /ws /psh:92pTu5hwBbM7D8YdixE5HhZyLyta7SFjWzBoCRk5knOtfwaHxtSx8W5YVAbWE4FqjuMlqeXqa53IPQ /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\Windows\Temp\asw.d8c2b19fc2277941 /track-guid:729de4ae-763f-4df7-a043-5659222e822a
        Source: C:\Users\user\Desktop\Canvas of Kings_N6xC-S2.exeProcess created: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp "C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp" /SL5="$20416,13566766,780800,C:\Users\user\Desktop\Canvas of Kings_N6xC-S2.exe" Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exe "C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=USJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe "C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTu5hwBbM7D8YdixE5HhZyLyta7SFjWzBoCRk5knOtfwaHxtSx8W5YVAbWE4FqjuMlqeXqa53IPQJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe "C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe" /s /make-default /run_source="norton_ppi_is"Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" firewall add allowedprogramC:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exe "qBittorrent" ENABLEJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exe "C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exe" magnet:?xt=urn:btih:BFF18AF5608F9196CF05BF0C1F0B54A18C3F0A77Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeProcess created: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe "C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe" /silent /ws /psh:92pTu5hwBbM7D8YdixE5HhZyLyta7SFjWzBoCRk5knOtfwaHxtSx8W5YVAbWE4FqjuMlqeXqa53IPQ /cookie:mmm_irs_ppi_902_451_o /ga_clientid:729de4ae-763f-4df7-a043-5659222e822a /edat_dir:C:\Windows\Temp\asw.d8c2b19fc2277941Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeProcess created: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe NortonBrowserUpdateSetup.exe /silent /install "bundlename=Norton Private Browser&appguid={3A3642E6-DE46-4F68-9887-AA017EEFE426}&appname=Norton Private Browser&needsadmin=true&lang=en-GB&brand=29239&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dchrome --import-cookies --auto-launch-chrome"Jump to behavior
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeProcess created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\icarus-info.xml /install /silent /ws /psh:92pTu5hwBbM7D8YdixE5HhZyLyta7SFjWzBoCRk5knOtfwaHxtSx8W5YVAbWE4FqjuMlqeXqa53IPQ /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\Windows\Temp\asw.d8c2b19fc2277941 /track-guid:729de4ae-763f-4df7-a043-5659222e822aJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeProcess created: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe "C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe" /silent /install "bundlename=Norton Private Browser&appguid={3A3642E6-DE46-4F68-9887-AA017EEFE426}&appname=Norton Private Browser&needsadmin=true&lang=en-GB&brand=29239&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dchrome --import-cookies --auto-launch-chrome"
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /regsvc
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /regserver
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezU4MzdCMUE1LUI3MkEtNDU2QS1CMDlGLUY2ODBFOUFCNUUwMn0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTY0OS41IiBzaGVsbF92ZXJzaW9uPSIxLjguMTY0OS41IiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0ie0NDMDExQUU3LUFBRTUtNDU0My04NERCLUU0RDQ4MTM1ODMzRH0iIHVzZXJpZD0iezA4MDIwMkM2LTAzOTEtNDM2MC04OUUxLUMzQjg2Nzc2RDEyNX0iIHVzZXJpZF9kYXRlPSIyMDI0MTIyNCIgbWFjaGluZWlkPSJ7MDAwMEE1QkYtREU0OC1DNDM5LTg3RjAtNkQ4MTJBQUJFMDk3fSIgbWFjaGluZWlkX2RhdGU9IjIwMjQxMjI0IiBpbnN0YWxsc291cmNlPSJvdGhlcmluc3RhbGxjbWQiIHRlc3Rzb3VyY2U9ImF1dG8iIHJlcXVlc3RpZD0ie0JBMTMwMjRFLUQ1QUYtNDgxNi05OTQ1LTA4Mzk0NzkxMEY5Rn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NS4yMDA2IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NTgzN0IxQTUtQjcyQS00NTZBLUIwOUYtRjY4MEU5QUI1RTAyfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS44LjE2NDkuNSIgbGFuZz0iZW4tR0IiIGJyYW5kPSIyOTIzOSIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNjA5NCIvPjwvYXBwPjwvcmVxdWVzdD4
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /handoff "bundlename=Norton Private Browser&appguid={3A3642E6-DE46-4F68-9887-AA017EEFE426}&appname=Norton Private Browser&needsadmin=true&lang=en-GB&brand=29239&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dchrome --import-cookies --auto-launch-chrome" /installsource otherinstallcmd /sessionid "{CC011AE7-AAE5-4543-84DB-E4D48135833D}" /silent
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6836 -ip 6836
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 2516
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6836 -ip 6836
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 2516
        Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserUpdateComRegisterShell64.exe "C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserUpdateComRegisterShell64.exe"
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe Process created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /cr
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe Process created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserCrashHandler.exe "C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserCrashHandler.exe"
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe Process created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserCrashHandler64.exe "C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserCrashHandler64.exe"
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe Process created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /registermsihelper
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe Process created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /uninstall
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: powrprof.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: dbghelp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: wtsapi32.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: dwmapi.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: mpr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: userenv.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: netapi32.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: winmm.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: mswsock.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: srvcli.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: netutils.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: umpdc.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: d3d9.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: d3d10warp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: dataexchange.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: d3d11.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: dcomp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: dxgi.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: twinapi.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: dwrite.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: textinputframework.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: coreuicomponents.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: coremessaging.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeSection loaded: wintypes.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeSection loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeSection loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeSection loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeSection loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeSection loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeSection loaded: apphelp.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: windows.storage.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: wldp.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: iphlpapi.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: msi.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: netapi32.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: version.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: userenv.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: wtsapi32.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: msimg32.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: uxtheme.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: wininet.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: wkscli.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: netutils.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: cryptbase.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: msasn1.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: profapi.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: cscapi.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: ntmarta.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: dbghelp.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: dbgcore.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: dbghelp.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: dbgcore.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: kernel.appcore.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: msxml3.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: apphelp.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: taskschd.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: sspicli.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: cryptsp.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: rsaenh.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: textinputframework.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: coreuicomponents.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: coremessaging.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: coremessaging.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: wintypes.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: wintypes.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: wintypes.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: propsys.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: edputil.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: urlmon.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: iertutil.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: srvcli.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: windows.staterepositoryps.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: appresolver.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: bcp47langs.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: slc.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: sppc.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: onecorecommonproxystub.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSection loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}\InProcServer32
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe File written: C:\ProgramData\AVG\Icarus\settings\temporary_proxy.ini
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Window found: window name: TSelectLanguageForm
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Automated click: OK
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Automated click: Next
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Automated click: Accept
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Automated click: Accept
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Automated click: Accept
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Automated click: Run
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: Canvas of Kings_N6xC-S2.exe Static PE information: certificate valid
        Source: Canvas of Kings_N6xC-S2.exe Static file information: File size 14472984 > 1048576
        Source: Canvas of Kings_N6xC-S2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x86\icarus_mod.pdb source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2413219491.00000000053B2000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_ms.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000042E1000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\work\3db0bf373ac3fc9b\Release Midex\Midex.pdb source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_fa.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003676000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: NortonBrowserUpdateBroker_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.000000000307F000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_ru.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.000000000379E000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_lt.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003720000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_el.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003630000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_tr.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004399000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000027F5000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_de.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002614000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: NortonBrowserCrashHandler_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\work\c6a7e165ce7a986c\Unicode\Plugins\inetc.pdb source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: NortonBrowserUpdateCore_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000040AF000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003525000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: NortonBrowserCrashHandler64_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_mr.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000042D5000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003742000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_bg.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000025DB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_gu.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002692000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_sr.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004353000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_th.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.000000000438D000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\BUILD\work\8b0ebd312dc47f30\projects\avast\microstub\x86\Release\microstub.pdb source: avg_antivirus_free_setup.exe, 00000006.00000000.2308794053.0000000000493000.00000002.00000001.01000000.0000000E.sdmp, avg_antivirus_free_setup.exe, 00000006.00000002.2921459091.0000000000493000.00000002.00000001.01000000.0000000E.sdmp
        Source: Binary string: psmachine_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus_ui.pdb source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2573330023.000000000579F000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\work\7c64e6304ba228bc\Plugins\nsJSON.pdb source: norton_secure_browser_setup.exe, 00000007.00000002.2978405681.000000006F6F6000.00000002.00000001.01000000.00000011.sdmp
        Source: Binary string: psmachine_unsigned_64.pdbT source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\Win32\Release\SaBsi.pdb source: saBSI.exe, 00000005.00000002.2921628143.000000000012E000.00000002.00000001.01000000.0000000D.sdmp, saBSI.exe, 00000005.00000000.2279002766.000000000012E000.00000002.00000001.01000000.0000000D.sdmp
        Source: Binary string: psuser_unsigned.pdbX source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: psuser_unsigned_64.pdbT source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_am.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004164000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000025C0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_lv.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.000000000271A000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000042BE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_cs.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000025FD000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000041A1000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdate_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000039A1000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000002E82000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_hi.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036AF000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004242000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_es-419.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.000000000365E000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: G:\QBITTORRENT\build-qbittorrent442-Qt5_msvc2017_x32-Release\src\release\qbittorrent.pdb source: qbittorrent.exe, 0000000B.00000000.2393333564.0000000001546000.00000002.00000001.01000000.00000018.sdmp
        Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\AvBugReport.pdb source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2678619778.0000000005579000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mi_exe_stub.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000000.2413429268.0000000000098000.00000002.00000001.01000000.0000001C.sdmp
        Source: Binary string: goopdateres_unsigned_pt-BR.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.000000000276B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus.pdb source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2477324143.000000000562F000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_hr.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000026AA000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_id.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036D2000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004265000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: psuser_unsigned_64.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\sciter\sciter\sdk\bin.win\x32\sciter.pdb source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000030BB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_zh-TW.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000002.2924855060.00000000006FF000.00000004.00000010.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.000000000282D000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus.pdb} source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2477324143.000000000562F000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: psmachine_unsigned.pdbX source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\work\ed1c64258fb55966\build\Release\thirdparty.pdb source: norton_secure_browser_setup.exe, 00000007.00000002.2976316348.000000006AE2E000.00000002.00000001.01000000.00000014.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_sw.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.000000000436A000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000027C6000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_pt-PT.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.000000000431A000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002776000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: NortonBrowserUpdateOnDemand_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000028CB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\sciter\sciter\sdk\bin.win\x32\sciter.pdb[ source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000030BB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: npNortonBrowserUpdate3_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003B2B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_vi.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000043BB000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002817000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_bn.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000025E6000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\work\9bf849bab5260311\Plugins\Release_Mini\StdUtils.pdb source: norton_secure_browser_setup.exe, 00000007.00000002.2976705531.000000006AE63000.00000002.00000001.01000000.00000013.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\work\f369f300b8043bce\plugins\src\jsis\build\Release Unicode\jsis.pdb source: norton_secure_browser_setup.exe, 00000007.00000002.2977983655.000000006B0C2000.00000002.00000001.01000000.00000010.sdmp
        Source: Binary string: acuapi_64_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_ja.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036FF000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_sv.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000027BB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_es.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000041E6000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003653000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_is.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004270000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_ro.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003793000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_fr.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002687000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_uk.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002800000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000043A4000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\work\893f00f663353e48\bin\x86\MinSizeRel\JsisPlugins.pdb source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2977306249.000000006B00E000.00000002.00000001.01000000.00000012.sdmp
        Source: Binary string: goopdateres_unsigned_ca.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004196000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003602000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_nl.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000042ED000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_ko.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002704000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_et.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002659000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_iw.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036F4000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004287000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_no.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002754000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000042F8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x86\icarus_sfx.pdb source: avg_antivirus_free_online_setup.exe, 00000008.00000000.2362106863.00000000008B4000.00000002.00000001.01000000.00000016.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000002.2935892477.0000000004CD0000.00000002.00000001.00040000.00000016.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000002.2929833021.00000000008B4000.00000002.00000001.01000000.00000016.sdmp
        Source: Binary string: goopdateres_unsigned_fil.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.000000000368C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_pl.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004303000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_en-GB.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.00000000041DB000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003648000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: psuser_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_ml.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.0000000003736000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_fi.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004214000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_hu.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000036C6000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004259000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\avDump.pdbM source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2624207025.00000000054BE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_en.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.000000000363C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\avDump.pdb source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2624207025.00000000054BE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: psmachine_unsigned_64.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_ar.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000025D0000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000004174000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_sl.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000027A4000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_zh-CN.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.0000000002822000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: goopdateres_unsigned_kn.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2416089670.00000000026F9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: acuapi_unsigned.pdb source: NortonBrowserUpdateSetup.exe, 0000000D.00000003.2424217205.00000000031FA000.00000004.00000020.00020000.00000000.sdmp, NortonBrowserUpdateSetup.exe, 0000000D.00000003.2419925376.0000000003D50000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\work\21e9bc5e69dd57f1\build\Release Unicode\jsisdl.pdb source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_000B2B30 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,GetLastError,5_2_000B2B30
        Source: Canvas of Kings_N6xC-S2.exeStatic PE information: section name: .didata
        Source: Canvas of Kings_N6xC-S2.tmp.0.drStatic PE information: section name: .didata
        Source: qbittorrent.exe.1.drStatic PE information: section name: .qtmetad
        Source: qbittorrent.exe.1.drStatic PE information: section name: .qtmimed
        Source: saBSI.exe.1.drStatic PE information: section name: .didat
        Source: avg_antivirus_free_setup.exe.1.drStatic PE information: section name: .didat
        Source: installer.exe.5.drStatic PE information: section name: _RDATA
        Source: avg_antivirus_free_online_setup.exe.6.drStatic PE information: section name: .didat
        Source: dump_process.exe.8.drStatic PE information: section name: .didat
        Source: dump_process.exe.8.drStatic PE information: section name: _RDATA
        Source: bug_report.exe.8.drStatic PE information: section name: _RDATA
        Source: icarus.exe.8.drStatic PE information: section name: .didat
        Source: icarus.exe.8.drStatic PE information: section name: _RDATA
        Source: icarus_ui.exe.8.drStatic PE information: section name: _RDATA
        Source: NortonBrowserUpdateComRegisterShell64.exe.13.drStatic PE information: section name: _RDATA
        Source: acuapi_64.dll.13.drStatic PE information: section name: _RDATA
        Source: psmachine.dll.13.drStatic PE information: section name: .orpc
        Source: psmachine_64.dll.13.drStatic PE information: section name: .orpc
        Source: psmachine_64.dll.13.drStatic PE information: section name: _RDATA
        Source: psuser.dll.13.drStatic PE information: section name: .orpc
        Source: psuser_64.dll.13.drStatic PE information: section name: .orpc
        Source: psuser_64.dll.13.drStatic PE information: section name: _RDATA
        Source: NortonBrowserCrashHandler64.exe.13.drStatic PE information: section name: _RDATA
        Source: NortonBrowserCrashHandler64.exe.14.drStatic PE information: section name: _RDATA
        Source: NortonBrowserUpdateComRegisterShell64.exe.14.drStatic PE information: section name: _RDATA
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_000E8DDB push ecx; ret 5_2_000E8DEE
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_00117CFD push ecx; ret 5_2_00117D12
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCode function: 6_2_00481396 push ecx; ret 6_2_004813A9
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE267F6 push ecx; ret 7_2_6AE26809
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE5F466 push ecx; ret 7_2_6AE5F479
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AF06B10 push ecx; ret 7_2_6AF06B23
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AF069B6 push ecx; ret 7_2_6AF069C9
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AEB66B5 push ss; retf 7_2_6AEB66B6
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AEBF5F6 push esi; ret 7_2_6AEBF605
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_00855A4C push ecx; ret 8_2_00855A5F

        Persistence and Installation Behavior

        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCode function: GetVersion,CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%u6_2_0047A100
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,_strncpy,CloseHandle, \\.\PhysicalDrive%u8_2_0084C0E0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: GetVersion,CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%u8_2_0084BAA0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,_strncpy,CloseHandle, \\.\PhysicalDrive%u8_2_0084BD80
        Source: c:\program files (x86)\norton\browser\update\1.8.1649.5\psmachine_64.dllCOM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{eeb05560-ec9e-4ec0-b1ee-14b05ff48650}\inprocserver32
        Source: c:\program files (x86)\norton\browser\update\1.8.1649.5\psmachine_64.dllCOM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{93d643dc-f504-42e2-ae1c-14b2e116db0c}\inprocserver32
        Source: c:\program files (x86)\norton\browser\update\1.8.1649.5\psmachine_64.dllCOM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{688a291b-6132-43d5-b94b-a62949e22961}\inprochandler32
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeFile created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\installer.exeJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeFile created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_bn.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeFile created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_en.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeFile created: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeFile created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_es.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeFile created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_da.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeFile created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_lv.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeFile created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_uk.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeFile created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_gu.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeFile created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_th.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeFile created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_zh-TW.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeFile created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ru.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeFile created: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeFile created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserCrashHandler.exeJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeFile created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_en-GB.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeFile created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_fa.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeFile created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_fil.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeFile created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_lt.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeFile created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_de.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeFile created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_it.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeFile created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_el.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeFile created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_is.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeFile created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_bg.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeFile created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_mr.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeFile created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserUpdateOnDemand.exeJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeFile created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ar.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeFile created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_hu.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeFile created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserUpdateComRegisterShell64.exeJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeFile created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_mr.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeFile created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_id.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeFile created: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\AccessControl.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\_isetup\_setup64.tmpJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeFile created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ro.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeFile created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_nl.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeFile created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_pt-BR.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeFile created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\npNortonBrowserUpdate3.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\psuser_64.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ko.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp File created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exe
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_sl.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_vi.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_pl.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\psuser.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_tr.dll
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av\icarus_product.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ru.dll
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_hr.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_kn.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_uk.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_hi.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_es.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\acuapi.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdate.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_fr.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ro.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_te.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_sk.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\psmachine_64.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_nl.dll
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus_ui.exe
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_cs.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_el.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_sw.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_am.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserUpdateCore.exe
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ar.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_hu.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ta.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File created: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\jsisdl.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\acuapi_64.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_sv.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp File created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\zbShieldUtils.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\psmachine.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_es-419.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp File created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_zh-CN.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_bg.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_es-419.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_is.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_zh-TW.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp File created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exe
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_sr.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_it.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\psuser.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ca.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdateWebPlugin.exe
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_fa.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_vi.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp File created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_id.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_pt-PT.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_en.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_tr.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_hi.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File created: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\Midex.dll
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus_mod.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ms.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_fr.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\acuapi.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_iw.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_sk.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_pt-PT.dll
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\dump_process.exe
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_et.dll
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av-vps\icarus.exe
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserUpdate.exe
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ja.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_sw.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_te.dll
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av\icarus.exe
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File created: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\sciterui.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File created: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\thirdparty.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ta.dll
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av-vps\bug_report.exe
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_sv.dll
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av-vps\dump_process.exe
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdateComRegisterShell64.exe
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe File created: C:\Users\user\AppData\Local\Temp\{01288569-79D1-4166-8789-EAD05C40E973}-NortonBrowserInstaller.exe
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File created: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\jsis.dll
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av-vps\icarus_rvrt.exe
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdate.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\npNortonBrowserUpdate3.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_fi.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\psmachine.dll
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av\dump_process.exe
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdateSetup.exe
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserCrashHandler64.exe
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_sr.dll
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\bug_report.exe
        Source: C:\Users\user\Desktop\Canvas of Kings_N6xC-S2.exe File created: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\acuapi_64.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_no.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ml.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_kn.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_lv.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ur.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File created: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\JsisPlugins.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_da.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserUpdateSetup.exe
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdateCore.exe
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_bn.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_pt-BR.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File created: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\inetc.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_th.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File created: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\nsJSON.dll
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av\icarus_rvrt.exe
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File created: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\reboot.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_gu.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_iw.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserUpdateBroker.exe
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ca.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ms.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\psmachine_64.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_de.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ja.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_lt.dll
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av\icarus_ui.exe
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File created: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\StdUtils.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_et.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_am.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_fil.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\psuser_64.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserCrashHandler64.exe
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av\bug_report.exe
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_cs.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_sl.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserUpdateWebPlugin.exe
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdateOnDemand.exe
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserCrashHandler.exe
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdateBroker.exe
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ko.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_zh-CN.dll
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe File created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av-vps\icarus_product.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ur.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_en-GB.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_fi.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ml.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_pl.dll
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe File created: C:\Program Files (x86)\GUMC557.tmp\goopdateres_hr.dll
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe File created: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_no.dll
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe File created: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCode function: 6_2_004752F0 InterlockedExchange,GetCurrentProcess,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,CreateMutexW,GetLastError,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,CoInitializeEx,CoCreateInstance,CoUninitialize,InterlockedExchange,GetLastError,InterlockedExchange,MessageBoxExW,wsprintfW,wsprintfW,MessageBoxExW,InterlockedExchange,InterlockedExchange,CreateThread,CloseHandle,InterlockedExchange,GetLastError,InterlockedExchange,MoveFileExW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileIntW,wsprintfW,CreateFileW,InterlockedExchange,GetLastError,InterlockedExchange,MoveFileExW,MoveFileExW,GetDiskFreeSpaceExW,InterlockedExchange,InterlockedExchange,MessageBoxExW,InterlockedExchange,GetLastError,InterlockedExchange,wsprintfW,wsprintfW,MessageBoxExW,CloseHandle,CreateFileW,InterlockedExchange,GetLastError,InterlockedExchange,InterlockedExchange,GetLastError,InterlockedExchange,InterlockedExchange,CreateProcessW,InterlockedExchange,GetLastError,InterlockedExchange,AllowSetForegroundWindow,ResumeThread,InterlockedExchange,GetLastError,InterlockedExchange,PostMessageW,WaitForSingleObject,GetExitCodeProcess,InterlockedExchange,InterlockedExchange,InterlockedExchange,CloseHandle,CloseHandle,CloseHandle,_wcsrchr,_wcsrchr,CreateHardLinkW,CopyFileW,ReleaseMutex,CloseHandle,___delayLoadHelper2@8,6_2_004752F0

        Boot Survival

        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe Code function: GetVersion,CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%u 6_2_0047A100
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,_strncpy,CloseHandle, \\.\PhysicalDrive%u 8_2_0084C0E0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe Code function: GetVersion,CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%u 8_2_0084BAA0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,_strncpy,CloseHandle, \\.\PhysicalDrive%u 8_2_0084BD80
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NortonBrowserUpdate.exe DisableExceptionChainValidation
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_000A0540 EnterCriticalSection,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LeaveCriticalSection,5_2_000A0540
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
        Source: C:\Users\user\Desktop\Canvas of Kings_N6xC-S2.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: VBoxService.exe VBoxService.exe \VMware\VMware Tools \VMware\VMware Tools QEMU_ QEMU_ VMware Ven_Red_Hat&Prod_VirtIO DiskVBOX DiskVirtual QEMU_ QEMU_ VMware Ven_Red_Hat&Prod_VirtIO DiskVBOX DiskVirtual BOCHS VBOX PRLS 7_2_6B0C0B40
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: VBoxService.exe VBoxService.exe 7_2_6B0C1840
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: CreateToolhelp32Snapshot,lstrcmpiW,Process32FirstW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,Process32NextW,CloseHandle,lstrlenW,lstrcpyW,lstrcpyW,lstrcpyW,GetFileAttributesW,GetFileAttributesW,lstrcpyW,GetFileAttributesW,lstrlenW,lstrcpyW,lstrcpyW,GetFileAttributesW,GetFileAttributesW,lstrcpyW,GetFileAttributesW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,GetFileAttributesW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,IsDebuggerPresent,GetCurrentProcess,CheckRemoteDebuggerPresent,GetUserNameW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,7_2_6B0C0B40
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeStalling execution: Execution stalls by calling Sleep
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeSystem information queried: FirmwareTableInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeSystem information queried: FirmwareTableInformationJump to behavior
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeSystem information queried: FirmwareTableInformationJump to behavior
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeSystem information queried: FirmwareTableInformation
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeSystem information queried: FirmwareTableInformation
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exeSystem information queried: FirmwareTableInformation
        Source: norton_secure_browser_setup.exeBinary or memory string: DIR_WATCH.DLL
        Source: norton_secure_browser_setup.exeBinary or memory string: JOEBOXSERVER.EXE
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2715273606.00000000053EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <DEST>%PRODUCT_INST%/ASWHOOK.DLL</DEST>
        Source: norton_secure_browser_setup.exe, norton_secure_browser_setup.exe, 00000007.00000002.2978218899.000000006B0CC000.00000004.00000001.01000000.00000010.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: norton_secure_browser_setup.exeBinary or memory string: SBIEDLL.DLL
        Source: norton_secure_browser_setup.exeBinary or memory string: API_LOG.DLL
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2715273606.00000000053EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <PATH>%PRODUCT_INST_32%\ASWHOOKX.DLL</PATH>
        Source: norton_secure_browser_setup.exeBinary or memory string: SNIFF_HIT.EXE
        Source: norton_secure_browser_setup.exeBinary or memory string: JOEBOXCONTROL.EXE
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2715273606.00000000053EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <DEST>%PRODUCT_INST_32%/ASWHOOK.DLL</DEST>
        Source: norton_secure_browser_setup.exeBinary or memory string: C:\MDS\WINDUMP.EXE
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2715273606.00000000053EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <DEST>%PRODUCT_INST_64%/ASWHOOK.DLL</DEST>
        Source: norton_secure_browser_setup.exeBinary or memory string: SYSANALYZER.EXE
        Source: norton_secure_browser_setup.exeBinary or memory string: WIRESHARK.EXE
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeFile opened / queried: C:\Program Files (x86)\VMware\VMware ToolsJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007FE150 rdtsc 8_2_007FE150
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_00074C8E GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,5_2_00074C8E
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\installer.exeJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_bn.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_en.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_da.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_lv.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_uk.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_gu.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_th.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_zh-TW.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ru.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_en-GB.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_fa.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_fil.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_lt.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_de.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_it.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_el.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_is.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_bg.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_mr.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserUpdateOnDemand.exeJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_hu.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ar.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_mr.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_id.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\AccessControl.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ro.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\_isetup\_setup64.tmpJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_nl.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_pt-BR.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\npNortonBrowserUpdate3.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\psuser_64.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ko.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_vi.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_sl.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_pl.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\psuser.dllJump to dropped file
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exeDropped PE file which has not been started: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av\icarus_product.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_tr.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ru.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_hr.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_kn.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_uk.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_hi.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\acuapi.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdate.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_fr.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ro.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_sk.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\psmachine_64.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_te.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_nl.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_el.dllJump to dropped file
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeDropped PE file which has not been started: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus_ui.exeJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_cs.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_sw.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_am.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserUpdateCore.exeJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ar.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_hu.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ta.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\acuapi_64.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\jsisdl.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_sv.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\zbShieldUtils.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\psmachine.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_es-419.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_zh-CN.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_es-419.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_bg.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_is.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_zh-TW.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_it.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_sr.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\psuser.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ca.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdateWebPlugin.exeJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_fa.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_vi.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_id.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_en.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_pt-PT.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_tr.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_hi.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\Midex.dllJump to dropped file
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeDropped PE file which has not been started: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus_mod.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_fr.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ms.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\acuapi.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_iw.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_sk.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_pt-PT.dllJump to dropped file
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeDropped PE file which has not been started: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\dump_process.exeJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_et.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ja.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_sw.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_te.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\thirdparty.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ta.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\sciterui.dllJump to dropped file
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exeDropped PE file which has not been started: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av-vps\bug_report.exeJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_sv.dllJump to dropped file
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exeDropped PE file which has not been started: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av-vps\dump_process.exeJump to dropped file
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{01288569-79D1-4166-8789-EAD05C40E973}-NortonBrowserInstaller.exeJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\jsis.dllJump to dropped file
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exeDropped PE file which has not been started: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av-vps\icarus_rvrt.exeJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_fi.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\npNortonBrowserUpdate3.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdate.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\psmachine.dllJump to dropped file
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exeDropped PE file which has not been started: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av\dump_process.exeJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_sr.dllJump to dropped file
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeDropped PE file which has not been started: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\bug_report.exeJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\acuapi_64.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_no.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ml.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_kn.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_lv.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ur.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\JsisPlugins.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_da.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdateCore.exeJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_bn.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_pt-BR.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\inetc.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_th.dllJump to dropped file
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exeDropped PE file which has not been started: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av\icarus_rvrt.exeJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\nsJSON.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\reboot.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_gu.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_iw.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserUpdateBroker.exeJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ms.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ca.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_de.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\psmachine_64.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_lt.dllJump to dropped file
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exeDropped PE file which has not been started: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av\icarus_ui.exeJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_ja.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\StdUtils.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_et.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_am.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_fil.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\psuser_64.dllJump to dropped file
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exeDropped PE file which has not been started: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av\bug_report.exeJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_cs.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_sl.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\NortonBrowserUpdateWebPlugin.exeJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdateOnDemand.exeJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdateBroker.exeJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ko.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_zh-CN.dllJump to dropped file
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exeDropped PE file which has not been started: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\avg-av-vps\icarus_product.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ur.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_en-GB.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_fi.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_ml.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_pl.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\GUMC557.tmp\goopdateres_hr.dllJump to dropped file
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Norton\Browser\Update\1.8.1649.5\goopdateres_no.dllJump to dropped file
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeEvaded block: after key decision
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_5-85059
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp TID: 7160Thread sleep time: -180000s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp TID: 7088Thread sleep time: -30000s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe TID: 5480Thread sleep time: -30000s >= -30000sJump to behavior
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe TID: 2144Thread sleep time: -30000s >= -30000sJump to behavior
        Source: C:\Windows\System32\svchost.exe TID: 6928Thread sleep time: -30000s >= -30000s
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe TID: 6440Thread sleep time: -30000s >= -30000s
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe TID: 2108Thread sleep time: -30000s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeFile opened: PhysicalDrive0Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpFile Volume queried: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp FullSizeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exeFile Volume queried: C:\ FullSizeInformation
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_00405B6C CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,7_2_00405B6C
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_004028D5 FindFirstFileW,7_2_004028D5
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_0040679D FindFirstFileW,FindClose,7_2_0040679D
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6B0B7010 lstrlenW,lstrcpyW,lstrcpyW,lstrcpyW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrlenW,lstrcpyW,FindNextFileW,FindClose,7_2_6B0B7010
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007F6F60 FindFirstFileExW,GetLastError,PathMatchSpecW,FindNextFileW,GetLastError,FindClose,UnlockFileEx,8_2_007F6F60
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007EE180 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,SetLastError,8_2_007EE180
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007F4590 FindFirstFileW,FindNextFileW,FindClose,GetFileAttributesW,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,8_2_007F4590
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_00820AC0 FindFirstFileW,MoveFileExW,GetLastError,FindNextFileW,GetFileAttributesW,GetLastError,MoveFileExW,GetLastError,FindClose,8_2_00820AC0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_000D2782 VirtualQuery,GetSystemInfo,5_2_000D2782
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpFile opened: C:\Users\userJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpFile opened: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extractJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpFile opened: C:\Users\user\AppDataJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpFile opened: C:\Users\user\AppData\Local\TempJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpFile opened: C:\Users\user\AppData\LocalJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpFile opened: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmpJump to behavior
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000002.2745537272.0000000003572000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: {"table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"9e146be9-c76a-4720-bcdb-53011b87bd06\",\"2\":\"20241224060608\",\"3\":\"Zayats\",\"4\":\"Games4Win\",\"5\":\"AVG_BRW\",\"18\":\"ZB_Norton_BRW\",\"19\":\"noChGroupx3\",\"21\":\"gamefabrique\",\"6\":\"3\",\"7\":\"2.40.1.8919\",\"15\":0,\"22\":\"Canvas of Kings\",\"10\":2,\"17\":\"3\",\"16\":\"norton\",\"20}\brand\\PRFG","Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\brand\\PRFI","Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\brand\\PRFK","Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\brand\\PRUC","Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\brand\\PRUG","Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\brand\\PRUI"],"cp":"https://www.avast.com/privacy","ctu":"https://www.avast.com/eula","ov":61,"cbfo":true,"pv":"1.32","v":3}},{"ad":{"n":"","f":"ZB_RAV_Cross_Tri_NCB","o":"RAV_Cross"},"ps":{"i":"RAV_Triple_NCB/images/DOTPS-855/EN.png","dn":"RAV, VPN by RAV, Online Security, Safer Web","u":"https://shield.reasonsecurity.com/rsStubActivator.exe","p":"-ip:\"dui={userid}&dit={sessionid}&is_silent=true&oc={of}&p={pubid}&a=100&b={ispb}&se=true\" -vp:\"dui={userid}&dit={sessionid}&oc={of}&p={pubid}&a=100&oip=26&ptl=7&dta=true\" -dp:\"dui={userid}&dit={sessionid}&oc={of}&p={pubid}&a=100\" -i -v -d 
-se=true","r":["ReasonVPN","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonVPN","RAVVPN","Microsoft\\Windows\\CurrentVersion\\Uninstall\\RAVVPN","ReasonLabs\\VPN","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonLabs-VPN","ReasonSaferWeb","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonSaferWeb","SaferWeb","Microsoft\\Windows\\CurrentVersion\\Uninstall\\SaferWeb","ReasonLabs\\DNS","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonLabs-DNS","ReasonUP","RAVAntivirus","Reason\\Reason Antivirus","ReasonLabs\\EPP","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonLabs-EPP","VMware, Inc."],"rvd":["HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\PROCESSOR_ARCHITECTURE\\ARM64"],"cmdu":[{"utr":"HKEY_CLASSES_ROOT","utk":"ReasonPersistentStorage","utvn":"AvUninstallTime","utvt":"SZ","umd":30,"utms":true}],"cp":"https://reasonlabs.com/policies","ctu":"https://reasonlabs.com/policies","win64":true,"pv":"1.26","disk":450,"fe":["{commonpf64}\\ReasonLabs\\EPP\\InstallerLib.dll","{commonpf64}\\RAVAntivirus\\AntivirusInstallerLib.dll","{commonpf64}\\RAVAntivirus\\AntivirusInstaller.exe"],"ov":100,"cbfo":true,"x":10,"v":1}}],"c":""}3~
        Source: avg_antivirus_free_setup.exe, 00000006.00000002.2926152112.0000000004BA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`
        Source: norton_secure_browser_setup.exeBinary or memory string: VMware
        Source: norton_secure_browser_setup.exeBinary or memory string: VBoxService.exe
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1764181804.0000000000931000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
        Source: qbittorrent.exe, 0000000B.00000002.2990621506.0000000001623000.00000008.00000001.01000000.00000018.sdmp, qbittorrent.exe, 0000000B.00000000.2394184798.0000000001611000.00000008.00000001.01000000.00000018.sdmpBinary or memory string: .?AVQEmulationPaintEngine@@8"
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2434384539.000000000094D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AFF1-A69D9E530F96}\\brand\\PRUG","Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\brand\\PRUI"],"cp":"https://www.avast.com/privacy","ctu":"https://www.avast.com/eula","ov":61,"cbfo":true,"pv":"1.32","v":3}},{"ad":{"n":"","f":"ZB_RAV_Cross_Tri_NCB","o":"RAV_Cross"},"ps":{"i":"RAV_Triple_NCB/images/DOTPS-855/EN.png","dn":"RAV, VPN by RAV, Online Security, Safer Web","u":"https://shield.reasonsecurity.com/rsStubActivator.exe","p":"-ip:\"dui={userid}&dit={sessionid}&is_silent=true&oc={of}&p={pubid}&a=100&b={ispb}&se=true\" -vp:\"dui={userid}&dit={sessionid}&oc={of}&p={pubid}&a=100&oip=26&ptl=7&dta=true\" -dp:\"dui={userid}&dit={sessionid}&oc={of}&p={pubid}&a=100\" -i -v -d -se=true","r":["ReasonVPN","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonVPN","RAVVPN","Microsoft\\Windows\\CurrentVersion\\Uninstall\\RAVVPN","ReasonLabs\\VPN","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonLabs-VPN","ReasonSaferWeb","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonSaferWeb","SaferWeb","Microsoft\\Windows\\CurrentVersion\\Uninstall\\SaferWeb","ReasonLabs\\DNS","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonLabs-DNS","ReasonUP","RAVAntivirus","Reason\\Reason Antivirus","ReasonLabs\\EPP","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonLabs-EPP","VMware, Inc."],"rvd":["HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session 
Manager\\Environment\\PROCESSOR_ARCHITECTURE\\ARM64"],"cmdu":[{"utr":"HKEY_CLASSES_ROOT","utk":"ReasonPersistentStorage","utvn":"AvUninstallTime","utvt":"SZ","umd":30,"utms":true}],"cp":"https://reasonlabs.com/policies","ctu":"https://reasonlabs.com/policies","win64":true,"pv":"1.26","disk":450,"fe":["{commonpf64}\\ReasonLabs\\EPP\\InstallerLib.dll","{commonpf64}\\RAVAntivirus\\AntivirusInstallerLib.dll","{commonpf64}\\RAVAntivirus\\AntivirusInstaller.exe"],"ov":100,"cbfo":true,"x":10,"v":1}}],"c":""}6
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2276250845.0000000004EB5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: saBSI.exe-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efD
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2362652845.000000000064E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: b\Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:44
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1763438947.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2928526983.000000000284E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2309485072.00000000028B7000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2928526983.00000000028B8000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000002.2929702891.0000000004C3A000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000003.2369853017.0000000004C3A000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000006.00000003.2360180609.0000000004C3A000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2972949516.0000000003E35000.00000004.00000020.00020000.00000000.sdmp, norton_secure_browser_setup.exe, 00000007.00000002.2972949516.0000000003E23000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2676967364.00000000006BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
        Source: saBSI.exe, 00000005.00000003.2309485072.00000000028B7000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2928526983.00000000028B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWg
        Source: norton_secure_browser_setup.exeBinary or memory string: QEMU_
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2363484184.0000000000665000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d\Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2276250845.0000000004E77000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:f
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2366201683.000000000066A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:.
        Source: norton_secure_browser_setup.exeBinary or memory string: \VMware\VMware Tools
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2434384539.00000000008A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
        Source: Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1763438947.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.2434384539.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, Canvas of Kings_N6xC-S2.tmp, 00000001.00000003.1764336975.00000000008DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWA
        Source: avg_antivirus_free_online_setup.exe, 00000008.00000003.2622976283.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2580970462.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2390745818.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2748417927.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2486318495.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2676967364.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2412180856.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2569408847.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_online_setup.exe, 00000008.00000003.2406445183.00000000006AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW!
        Source: qbittorrent.exe, 0000000B.00000002.3032016622.0000000004409000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: qbittorrent.exe, 0000000B.00000002.2990621506.0000000001623000.00000008.00000001.01000000.00000018.sdmp, qbittorrent.exe, 0000000B.00000000.2394184798.0000000001611000.00000008.00000001.01000000.00000018.sdmpBinary or memory string: .?AVQEmulationPaintEngine@@
        Source: norton_secure_browser_setup.exe, 00000007.00000003.2369325419.0000000003E4A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeAPI call chain: ExitProcess graph end node
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpProcess information queried: ProcessInformationJump to behavior

        Anti Debugging

        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6B0C0B40 CreateToolhelp32Snapshot,lstrcmpiW,Process32FirstW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,Process32NextW,CloseHandle,lstrlenW,lstrcpyW,lstrcpyW,lstrcpyW,GetFileAttributesW,GetFileAttributesW,lstrcpyW,GetFileAttributesW,lstrlenW,lstrcpyW,lstrcpyW,GetFileAttributesW,GetFileAttributesW,lstrcpyW,GetFileAttributesW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,GetFileAttributesW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,IsDebuggerPresent,GetCurrentProcess,CheckRemoteDebuggerPresent,GetUserNameW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,7_2_6B0C0B40
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmpProcess queried: DebugPortJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeProcess queried: DebugPortJump to behavior
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_007FE150 rdtsc 8_2_007FE150
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_001070B4 IsDebuggerPresent,OutputDebugStringW,5_2_001070B4
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_00085204 RegOpenKeyExW,RegQueryValueExW,SetLastError,RegCloseKey,RegCloseKey,GetLastError,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,LoadLibraryExW,GetLastError,5_2_00085204
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_00074C8E GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,5_2_00074C8E
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_00117BC0 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C5_2_00117BC0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_000B2B30 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,GetLastError,5_2_000B2B30
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_000FE8FE mov eax, dword ptr fs:[00000030h]5_2_000FE8FE
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_00107C6A mov eax, dword ptr fs:[00000030h]5_2_00107C6A
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_00107CAE mov eax, dword ptr fs:[00000030h]5_2_00107CAE
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_00107CF2 mov eax, dword ptr fs:[00000030h]5_2_00107CF2
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_00107D23 mov eax, dword ptr fs:[00000030h]5_2_00107D23
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCode function: 6_2_00487C5A mov eax, dword ptr fs:[00000030h]6_2_00487C5A
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE25683 mov eax, dword ptr fs:[00000030h]7_2_6AE25683
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE4FBBF mov eax, dword ptr fs:[00000030h]7_2_6AE4FBBF
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE514BE mov eax, dword ptr fs:[00000030h]7_2_6AE514BE
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE5147A mov eax, dword ptr fs:[00000030h]7_2_6AE5147A
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AFB75B4 mov eax, dword ptr fs:[00000030h]7_2_6AFB75B4
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AFB7528 mov eax, dword ptr fs:[00000030h]7_2_6AFB7528
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AFA0835 mov eax, dword ptr fs:[00000030h]7_2_6AFA0835
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_00898F06 mov eax, dword ptr fs:[00000030h]8_2_00898F06
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_00898F4A mov eax, dword ptr fs:[00000030h]8_2_00898F4A
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_008935B7 mov ecx, dword ptr fs:[00000030h]8_2_008935B7
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_0007463F GetProcessHeap,5_2_0007463F
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe Process token adjusted: Debug
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe Process token adjusted: Debug
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exeProcess token adjusted: Debug
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_000E9018 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_000E9018
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_000E93F2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_000E93F2
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_000ED453 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_000ED453
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_000E9586 SetUnhandledExceptionFilter,5_2_000E9586
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCode function: 6_2_004810FF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_004810FF
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCode function: 6_2_00481292 SetUnhandledExceptionFilter,6_2_00481292
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCode function: 6_2_004813AB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_004813AB
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeCode function: 6_2_00484476 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00484476
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE26349 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_6AE26349
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE2504A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_6AE2504A
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE269A2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_6AE269A2
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE5F76F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_6AE5F76F
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE4FCD2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_6AE4FCD2
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AE5F47B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_6AE5F47B
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AF07AD6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_6AF07AD6
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AF07CDA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_6AF07CDA
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6AF87181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_6AF87181
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6B0B58D0 lstrcmpW,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,7_2_6B0B58D0
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_0087EE56 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_0087EE56
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: 8_2_00855168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00855168
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6B0BB610 nsExecLogonUser,7_2_6B0BB610
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Process created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exe "C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Process created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe "C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTu5hwBbM7D8YdixE5HhZyLyta7SFjWzBoCRk5knOtfwaHxtSx8W5YVAbWE4FqjuMlqeXqa53IPQ
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Process created: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe "C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe" /s /make-default /run_source="norton_ppi_is"
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe Process created: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe "C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe" /silent /ws /psh:92pTu5hwBbM7D8YdixE5HhZyLyta7SFjWzBoCRk5knOtfwaHxtSx8W5YVAbWE4FqjuMlqeXqa53IPQ /cookie:mmm_irs_ppi_902_451_o /ga_clientid:729de4ae-763f-4df7-a043-5659222e822a /edat_dir:C:\Windows\Temp\asw.d8c2b19fc2277941
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe Process created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\icarus-info.xml /install /silent /ws /psh:92pTu5hwBbM7D8YdixE5HhZyLyta7SFjWzBoCRk5knOtfwaHxtSx8W5YVAbWE4FqjuMlqeXqa53IPQ /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\Windows\Temp\asw.d8c2b19fc2277941 /track-guid:729de4ae-763f-4df7-a043-5659222e822a
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezU4MzdCMUE1LUI3MkEtNDU2QS1CMDlGLUY2ODBFOUFCNUUwMn0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTY0OS41IiBzaGVsbF92ZXJzaW9uPSIxLjguMTY0OS41IiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0ie0NDMDExQUU3LUFBRTUtNDU0My04NERCLUU0RDQ4MTM1ODMzRH0iIHVzZXJpZD0iezA4MDIwMkM2LTAzOTEtNDM2MC04OUUxLUMzQjg2Nzc2RDEyNX0iIHVzZXJpZF9kYXRlPSIyMDI0MTIyNCIgbWFjaGluZWlkPSJ7MDAwMEE1QkYtREU0OC1DNDM5LTg3RjAtNkQ4MTJBQUJFMDk3fSIgbWFjaGluZWlkX2RhdGU9IjIwMjQxMjI0IiBpbnN0YWxsc291cmNlPSJvdGhlcmluc3RhbGxjbWQiIHRlc3Rzb3VyY2U9ImF1dG8iIHJlcXVlc3RpZD0ie0JBMTMwMjRFLUQ1QUYtNDgxNi05OTQ1LTA4Mzk0NzkxMEY5Rn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NS4yMDA2IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NTgzN0IxQTUtQjcyQS00NTZBLUIwOUYtRjY4MEU5QUI1RTAyfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS44LjE2NDkuNSIgbGFuZz0iZW4tR0IiIGJyYW5kPSIyOTIzOSIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNjA5NCIvPjwvYXBwPjwvcmVxdWVzdD4
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /handoff "bundlename=Norton Private Browser&appguid={3A3642E6-DE46-4F68-9887-AA017EEFE426}&appname=Norton Private Browser&needsadmin=true&lang=en-GB&brand=29239&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dchrome --import-cookies --auto-launch-chrome" /installsource otherinstallcmd /sessionid "{CC011AE7-AAE5-4543-84DB-E4D48135833D}" /silent
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6836 -ip 6836
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 2516
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6836 -ip 6836
        Source: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe" /registermsihelper
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exeProcess created: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe "c:\windows\temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exe" /silent /ws /psh:92ptu5hwbbm7d8ydixe5hhzylyta7sfjwzbocrk5knotfwahxtsx8w5yvabwe4fqjumlqexqa53ipq /cookie:mmm_irs_ppi_902_451_o /ga_clientid:729de4ae-763f-4df7-a043-5659222e822a /edat_dir:c:\windows\temp\asw.d8c2b19fc2277941
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeProcess created: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exe nortonbrowserupdatesetup.exe /silent /install "bundlename=norton private browser&appguid={3a3642e6-de46-4f68-9887-aa017eefe426}&appname=norton private browser&needsadmin=true&lang=en-gb&brand=29239&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3dchrome --import-cookies --auto-launch-chrome"
        Source: C:\Users\user\AppData\Local\Temp\nsdA8C9.tmp\NortonBrowserUpdateSetup.exeProcess created: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe "c:\program files (x86)\gumc557.tmp\nortonbrowserupdate.exe" /silent /install "bundlename=norton private browser&appguid={3a3642e6-de46-4f68-9887-aa017eefe426}&appname=norton private browser&needsadmin=true&lang=en-gb&brand=29239&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3dchrome --import-cookies --auto-launch-chrome"
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "c:\program files (x86)\norton\browser\update\nortonbrowserupdate.exe" /ping pd94bwwgdmvyc2lvbj0ims4wiiblbmnvzgluzz0ivvrgltgipz48cmvxdwvzdcbwcm90b2nvbd0imy4wiib1cgrhdgvypsjpbwfoysigb21hagfpzd0iezu4mzdcmue1lui3mketndu2qs1cmdlgluy2odbfoufcnuuwmn0iihvwzgf0zxj2zxjzaw9upsixljgumty0os41iibzagvsbf92zxjzaw9upsixljgumty0os41iibpc21hy2hpbmu9ijeiiglzx29tywhhnjriaxq9ijaiiglzx29znjriaxq9ijeiihnlc3npb25pzd0ie0ndmdexquu3lufbrtutndu0my04nercluu0rdq4mtm1odmzrh0iihvzzxjpzd0ieza4mdiwmkm2ltazotetndm2mc04ouuxlumzqjg2nzc2rdeynx0iihvzzxjpzf9kyxrlpsiymdi0mtiyncigbwfjagluzwlkpsj7mdawmee1qkytreu0oc1dndm5ltg3rjatnkq4mtjbqujfmdk3fsigbwfjagluzwlkx2rhdgu9ijiwmjqxmji0iibpbnn0ywxsc291cmnlpsjvdghlcmluc3rhbgxjbwqiihrlc3rzb3vyy2u9imf1dg8iihjlcxvlc3rpzd0ie0jbmtmwmjrfluq1quytndgxni05otq1lta4mzk0nzkxmey5rn0iigrlzhvwpsjjciigzg9tywluam9pbmvkpsiwij48ahcgcgh5c21lbw9yet0iocigc3nlpsixiibzc2uypsixiibzc2uzpsixiibzc3nlmz0imsigc3nlnde9ijeiihnzztqypsixiibhdng9ijeilz48b3mgcgxhdgzvcm09indpbiigdmvyc2lvbj0imtaumc4xota0ns4ymda2iibzcd0iiibhcmnopsj4njqilz48yxbwigfwcglkpsj7ntgzn0ixqtutqjcyqs00ntzbluiwouytrjy4meu5qui1rtayfsigdmvyc2lvbj0iiibuzxh0dmvyc2lvbj0ims44lje2ndkunsigbgfuzz0izw4tr0iiigjyyw5kpsiyotizosigy2xpzw50psiipjxldmvudcbldmvudhr5cgu9ijiiigv2zw50cmvzdwx0psixiiblcnjvcmnvzgu9ijaiigv4dhjhy29kzte9ijaiigluc3rhbgxfdgltzv9tcz0inja5ncivpjwvyxbwpjwvcmvxdwvzdd4
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exeProcess created: C:\Program Files (x86)\Norton\Browser\Update\NortonBrowserUpdate.exe "c:\program files (x86)\norton\browser\update\nortonbrowserupdate.exe" /handoff "bundlename=norton private browser&appguid={3a3642e6-de46-4f68-9887-aa017eefe426}&appname=norton private browser&needsadmin=true&lang=en-gb&brand=29239&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3dchrome --import-cookies --auto-launch-chrome" /installsource otherinstallcmd /sessionid "{cc011ae7-aae5-4543-84db-e4d48135833d}" /silent
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeProcess created: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe c:\windows\temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe /icarus-info-path:c:\windows\temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\icarus-info.xml /install /silent /ws /psh:92ptu5hwbbm7d8ydixe5hhzylyta7sfjwzbocrk5knotfwahxtsx8w5yvabwe4fqjumlqexqa53ipq /cookie:mmm_irs_ppi_902_451_o /edat_dir:c:\windows\temp\asw.d8c2b19fc2277941 /track-guid:729de4ae-763f-4df7-a043-5659222e822a
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: 7_2_6B0BA3A0 GetVersion,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,7_2_6B0BA3A0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: 5_2_000E9215 cpuid 5_2_000E9215
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: GetLocaleInfoW,5_2_001045DA
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: EnumSystemLocalesW,5_2_0010C907
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: EnumSystemLocalesW,5_2_0010C952
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: EnumSystemLocalesW,5_2_0010C9ED
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,5_2_0010CA80
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: GetLocaleInfoW,5_2_0010CCE0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_0010CE06
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: GetLocaleInfoW,5_2_0010CF0C
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_0010CFDB
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: GetLocaleInfoEx,5_2_000E7E28
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exeCode function: EnumSystemLocalesW,5_2_00103F6D
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: GetLocaleInfoW,7_2_6AE54278
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,7_2_6AE5439E
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,7_2_6AE54025
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: GetLocaleInfoW,7_2_6AE51164
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: EnumSystemLocalesW,7_2_6AE53EFF
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: EnumSystemLocalesW,7_2_6AE53EB4
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: GetLocaleInfoW,7_2_6AE53E0D
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: EnumSystemLocalesW,7_2_6AE53F9A
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: GetLocaleInfoW,7_2_6AE544A4
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: EnumSystemLocalesW,7_2_6AE50C40
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,7_2_6AE53C12
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,7_2_6AE54573
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: GetLocaleInfoW,7_2_6AFBEA4D
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,7_2_6AFBEB75
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: EnumSystemLocalesW,7_2_6AFB2F18
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: GetLocaleInfoW,7_2_6AFBEC7D
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,7_2_6AFBED50
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,7_2_6AFBE3C3
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: GetLocaleInfoEx,7_2_6AF0637C
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: EnumSystemLocalesW,7_2_6AFBE6D2
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: EnumSystemLocalesW,7_2_6AFBE669
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,7_2_6AFBE7F8
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: EnumSystemLocalesW,7_2_6AFBE76D
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: GetLocaleInfoW,7_2_6AFBE5C0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: GetLocaleInfoW,7_2_6AFB39CC
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,GetUserDefaultUILanguage,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,wsprintfW,7_2_6B0B78C0
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: GetLocaleInfoW,GlobalAlloc,GlobalAlloc,GlobalAlloc,lstrcpyW,lstrcpyW,wsprintfW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,7_2_6B0B7510
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exeCode function: nsGetLocaleInfo,GetLocaleInfoW,7_2_6B0BE580
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_0089C039
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_0089C20E
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: GetLocaleInfoW,8_2_00898C33
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: EnumSystemLocalesW,8_2_0089BB82
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: EnumSystemLocalesW,8_2_0089BB37
        Source: C:\Windows\Temp\asw.d8c2b19fc2277941\avg_antivirus_free_online_setup.exeCode function: EnumSystemLocalesW,8_2_0089BC1D
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Queries volume information: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\AVG_AV.png VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Queries volume information: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\AVG_BRW.png VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Queries volume information: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0.zip VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Queries volume information: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1.zip VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Queries volume information: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2.zip VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Queries volume information: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\finish.png VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exe Queries volume information: C:\Users\user\AppData\Local\qBittorrent\logs\qbittorrent.log VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
        Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
        Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\Temp\asw-d762e71a-c8aa-44ab-966e-2c9540294724\common\icarus.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod0_extract\saBSI.exe Code function: 5_2_00104619 GetSystemTimeAsFileTime,5_2_00104619
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe Code function: 7_2_6AFF79B6 __EH_prolog3_GS,LookupAccountNameW,GetLastError,7_2_6AFF79B6
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe Code function: 7_2_6AFB26E8 _free,GetTimeZoneInformation,_free,7_2_6AFB26E8
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod1_extract\avg_antivirus_free_setup.exe Code function: 6_2_0047A100 GetVersion,CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle,6_2_0047A100
        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\AppData\Local\Temp\is-8UDBG.tmp\Canvas of Kings_N6xC-S2.tmp Process created: C:\Windows\SysWOW64\netsh.exe "netsh" firewall add allowedprogram C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\qbittorrent.exe "qBittorrent" ENABLE
        Source: norton_secure_browser_setup.exe Binary or memory string: C:\virus\virus.exe
        Source: norton_secure_browser_setup.exe Binary or memory string: wireshark.exe
        Source: norton_secure_browser_setup.exe Binary or memory string: C:\Kit\procexp.exe
        Source: norton_secure_browser_setup.exe Binary or memory string: C:\virus.exe
        Source: C:\Program Files (x86)\GUMC557.tmp\NortonBrowserUpdate.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NortonBrowserUpdate.exe DisableExceptionChainValidation

        Stealing of Sensitive Information

        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\search.json.mozlz4
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
        Source: C:\Users\user\AppData\Local\Temp\is-JAV1C.tmp\prod2_extract\norton_secure_browser_setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
        Source: Yara match File source: 00000001.00000003.2233964889.0000000000734000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000003.2233909651.0000000000734000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: Canvas of Kings_N6xC-S2.tmp PID: 6836, type: MEMORYSTR
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2977306249.000000006B00E000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: WIN_XP
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2977306249.000000006B00E000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: j...RtlGetVersionD:\work\6641f181bd7f7928\src\acu\windows\utility\OSUtils.cppD:\work\6641f181bd7f7928\src\acu\windows\utility\OSUtils.cppSeIncreaseQuotaPrivilege{} {}WIN_XPVISTAWIN7WIN8WIN8_1WIN10WIN11UNKNOWNMicrosoft\Internet Explorer\Quick Launch\User Pinned\TaskBar.lnkrunasCreating unelevated process {} {}Attempting to execute {} as a trusted executableTrust not established so execution has been abortedunelevatedcurrentTrust has been established so executing in {} contextChecking candidate thumbprint {}no-matchmatchedVerify certificate thumbprint for {} ({}) [{}]Validate certificate thumbprint for {} failed [{:#018x}]VInv{}alid signature for {} [result({:#010x}), possiblySelfSigned({}), allowSelfSigned({})]Validate signature for {} failed [{:#018x}]Verifying trust for {}not Trust {}established BuildCmdArgsToDeleteSelf::pathToDel [{}])BuildCmdArgsToDeleteSelf::rmParentDirDepth [{}])BuildCmdArgsToDeleteSelf::timeoutSecs [{}])/c timeout /nobreak /t {} && del /F /Q {}..BuildCmdArgsToDeleteSelf::subpath [{}]) && rmdir /Q {}BuildCmdArgsToDeleteSelf::cmdargs {}cmd.exeProcessDeleteSelf::cmdexe [{}]OSUtils::ProcessDeleteSelf: {} {}D:(A;OICI;GA;;;BA)(A;OICI;GRDT;;;WD)1\/J
        Source: norton_secure_browser_setup.exe, 00000007.00000002.2942013799.00000000033A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ...RtlGetVersionD:\work\6641f181bd7f7928\src\acu\windows\utility\OSUtils.cppD:\work\6641f181bd7f7928\src\acu\windows\utility\OSUtils.cppSeIncreaseQuotaPrivilege{} {}WIN_XPVISTAWIN7WIN8WIN8_1WIN10WIN11UNKNOWNMicrosoft\Internet Explorer\Quick Launch\User Pinned\TaskBar.lnkrunasCreating unelevated process {} {}Attempting to execute {} as a trusted executableTrust not established so execution has been abortedunelevatedcurrentTrust has been established so executing in {} contextChecking candidate thumbprint {}no-matchmatchedVerify certificate thumbprint for {} ({}) [{}]Validate certificate thumbprint for {} failed [{:#018x}]VInv{}alid signature for {} [result({:#010x}), possiblySelfSigned({}), allowSelfSigned({})]Validate signature for {} failed [{:#018x}]Verifying trust for {}not Trust {}established BuildCmdArgsToDeleteSelf::pathToDel [{}])BuildCmdArgsToDeleteSelf::rmParentDirDepth [{}])BuildCmdArgsToDeleteSelf::timeoutSecs [{}])/c timeout /nobreak /t {} && del /F /Q {}..BuildCmdArgsToDeleteSelf::subpath [{}]) && rmdir /Q {}BuildCmdArgsToDeleteSelf::cmdargs {}cmd.exeProcessDeleteSelf::cmdexe [{}]OSUtils::ProcessDeleteSelf: {} {}D:(A;OICI;GA;;;BA)(A;OICI;GRDT;;;WD)1\/J

        Remote Access Functionality

        Source: Yara match File source: 00000001.00000003.2233964889.0000000000734000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000003.2233909651.0000000000734000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: Canvas of Kings_N6xC-S2.tmp PID: 6836, type: MEMORYSTR

        Reconnaissance: 1 Software; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
        Initial Access: 2 Valid Accounts; 1 Replication Through Removable Media; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
        Execution: 4 Native API; 12 Command and Scripting Interpreter; 1 Scheduled Task/Job; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
        Persistence: 1 DLL Side-Loading; 1 Image File Execution Options Injection; 1 Component Object Model Hijacking; 2 Valid Accounts; 1 Windows Service; 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; 1 Bootkit; At; Cron; Launchd; Scheduled Task
        Privilege Escalation: 1 DLL Side-Loading; 1 Image File Execution Options Injection; 1 Component Object Model Hijacking; 2 Valid Accounts; 21 Access Token Manipulation; 1 Windows Service; 12 Process Injection; 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; Cron; Launchd; Scheduled Task
        Defense Evasion: 22 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 22 Masquerading; 2 Valid Accounts; 24 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 12 Process Injection; 1 Bootkit
        Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
        Discovery: 2 System Time Discovery; 11 Peripheral Device Discovery; 1 Account Discovery; 4 File and Directory Discovery; 57 System Information Discovery; 1 Query Registry; 691 Security Software Discovery; 24 Virtualization/Sandbox Evasion; 12 Process Discovery; 3 System Owner/User Discovery; 1 Remote System Discovery; Process Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
        Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
        Command and Control: 4 Ingress Tool Transfer; 21 Encrypted Channel; 4 Non-Application Layer Protocol; 15 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
        Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking

        [Behavior graph, image not reproduced] Behavior Graph ID: 1580374, Sample: Canvas of Kings_N6xC-S2.exe, Startdate: 24/12/2024, Architecture: WINDOWS, Score: 64

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.