4b6cc676769de04acf4936a5a395349cb779616c0621c5921bf07c3e405b51ee

max time kernel
211s
max time network
210s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
28/12/2023, 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

avast_secure_browser_setup.exe
Size

5.8MB
MD5

3ad1c03d333da86a47884f01b8ae7664
SHA1

9feb944a823a0374f6db7bfd5abf78b494e49782
SHA256

4b6cc676769de04acf4936a5a395349cb779616c0621c5921bf07c3e405b51ee
SHA512

121c6bd0150ecde57e379a62a19583c1412cd6f411ef46533a3d3241c59613905e56ae58943bc685ba7f892bbf37018ec34d3e6f6fdb36efd39220b2db60cb1f
SSDEEP

98304:R8PxEloFJNcSmf0UH/Z10hTSYPHnyJLhNr1/K9O6oTCA+iGGps74a4:RSvFJyBsucZ74hNxKDiG/4a

Score

8^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A8504530-742B-42BC-895D-2BAD6406F698}\ = "Avast Secure Browser"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A8504530-742B-42BC-895D-2BAD6406F698}\StubPath = "\"C:\\Program Files\\AVAST Software\\Browser\\Application\\120.0.23480.129\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A8504530-742B-42BC-895D-2BAD6406F698}\Localized Name = "Avast Secure Browser"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A8504530-742B-42BC-895D-2BAD6406F698}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A8504530-742B-42BC-895D-2BAD6406F698}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{A8504530-742B-42BC-895D-2BAD6406F698}	setup.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastBrowserUpdate.exe	AvastBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastBrowserUpdate.exe\DisableExceptionChainValidation = "0"	AvastBrowserUpdate.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ajB029.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ajB029.exe

Executes dropped EXE 25 IoCs

pid	Process
2632	ajB029.exe
1584	AvastBrowserUpdateSetup.exe
4412	AvastBrowserUpdate.exe
4564	AvastBrowserUpdate.exe
2688	AvastBrowserUpdate.exe
3092	AvastBrowserUpdateComRegisterShell64.exe
1592	AvastBrowserUpdateComRegisterShell64.exe
2460	AvastBrowserUpdateComRegisterShell64.exe
1500	AvastBrowserUpdate.exe
5076	AvastBrowserUpdate.exe
1344	AvastBrowserUpdate.exe
1560	AvastBrowserInstaller.exe
4608	setup.exe
4144	setup.exe
3808	AvastBrowserCrashHandler.exe
2420	AvastBrowserCrashHandler64.exe
1964	AvastBrowserUpdateSetup.exe
2444	AvastBrowserUpdate.exe
3528	AvastBrowserUpdate.exe
1856	AvastBrowserUpdate.exe
3568	AvastBrowserUpdate.exe
3060	AvastBrowserUpdate.exe
3108	AvastBrowserInstaller.exe
4232	setup.exe
1140	setup.exe

Loads dropped DLL 40 IoCs

pid	Process
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
2632	ajB029.exe
2632	ajB029.exe
2632	ajB029.exe
2632	ajB029.exe
2632	ajB029.exe
2632	ajB029.exe
2632	ajB029.exe
2632	ajB029.exe
4412	AvastBrowserUpdate.exe
4564	AvastBrowserUpdate.exe
2688	AvastBrowserUpdate.exe
3092	AvastBrowserUpdateComRegisterShell64.exe
2688	AvastBrowserUpdate.exe
1592	AvastBrowserUpdateComRegisterShell64.exe
2688	AvastBrowserUpdate.exe
2460	AvastBrowserUpdateComRegisterShell64.exe
2688	AvastBrowserUpdate.exe
4412	AvastBrowserUpdate.exe
4412	AvastBrowserUpdate.exe
1500	AvastBrowserUpdate.exe
5076	AvastBrowserUpdate.exe
1344	AvastBrowserUpdate.exe
1344	AvastBrowserUpdate.exe
5076	AvastBrowserUpdate.exe
1344	AvastBrowserUpdate.exe
2444	AvastBrowserUpdate.exe
3528	AvastBrowserUpdate.exe
2444	AvastBrowserUpdate.exe
1856	AvastBrowserUpdate.exe
3568	AvastBrowserUpdate.exe
3060	AvastBrowserUpdate.exe
3060	AvastBrowserUpdate.exe
3568	AvastBrowserUpdate.exe
3060	AvastBrowserUpdate.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CEA41856-DAAB-4EE7-9731-0DB1BCD5E0F4}\LocalServer32\ServerExecutable = "C:\\Program Files\\AVAST Software\\Browser\\Application\\120.0.23480.129\\notification_helper.exe"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32	AvastBrowserUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A6CE939-10CE-42FC-BDEF-A77E6DEB610F}\InProcServer32\ = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Update\\1.8.1631.4\\psmachine_64.dll"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32\ThreadingModel = "Both"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A6CE939-10CE-42FC-BDEF-A77E6DEB610F}\InProcServer32\ = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Update\\1.8.1631.4\\psmachine_64.dll"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CEA41856-DAAB-4EE7-9731-0DB1BCD5E0F4}\LocalServer32\ = "\"C:\\Program Files\\AVAST Software\\Browser\\Application\\120.0.23480.129\\notification_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A6CE939-10CE-42FC-BDEF-A77E6DEB610F}\InProcServer32\ = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Update\\1.8.1631.4\\psmachine_64.dll"	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A6CE939-10CE-42FC-BDEF-A77E6DEB610F}\InProcServer32\ThreadingModel = "Both"	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A6CE939-10CE-42FC-BDEF-A77E6DEB610F}\InProcServer32	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A6CE939-10CE-42FC-BDEF-A77E6DEB610F}\InProcServer32\ThreadingModel = "Both"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32\ThreadingModel = "Both"	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A6CE939-10CE-42FC-BDEF-A77E6DEB610F}\InProcServer32	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A6CE939-10CE-42FC-BDEF-A77E6DEB610F}\InProcServer32\ThreadingModel = "Both"	AvastBrowserUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{CEA41856-DAAB-4EE7-9731-0DB1BCD5E0F4}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32\ = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Update\\1.8.1631.4\\psmachine_64.dll"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32\ = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Update\\1.8.1631.4\\psmachine_64.dll"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32\ThreadingModel = "Both"	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A6CE939-10CE-42FC-BDEF-A77E6DEB610F}\InProcServer32	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32\ = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Update\\1.8.1631.4\\psmachine_64.dll"	AvastBrowserUpdateComRegisterShell64.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	avast_secure_browser_setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000\SOFTWARE\AVAST Software\Avast	avast_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	ajB029.exe
Key opened	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000\SOFTWARE\AVAST Software\Avast	ajB029.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	AvastBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AvastBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	ajB029.exe
File opened for modification	\??\PhysicalDrive0	AvastBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AvastBrowserUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\AVAST Software\Browser\Temp\source4608_1876240636\Safer-bin\120.0.23480.129\chrome.dll.sig	setup.exe
File created	C:\Program Files\AVAST Software\Browser\Temp\source4608_1876240636\Safer-bin\120.0.23480.129\Locales\it.pak	setup.exe
File created	C:\Program Files (x86)\GUM3B00.tmp\goopdateres_iw.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM3B00.tmp\goopdateres_pt-BR.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM3B00.tmp\goopdateres_ta.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\goopdateres_es.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\psmachine_64.dll	AvastBrowserUpdate.exe
File created	C:\Program Files\AVAST Software\Browser\Temp\source4608_1876240636\secure.7z	setup.exe
File created	C:\Program Files (x86)\GUM3B00.tmp\goopdateres_gu.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM3B00.tmp\goopdateres_it.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\goopdateres_th.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\Download\{A8504530-742B-42BC-895D-2BAD6406F698}\120.0.23480.129\AvastBrowserInstaller.exe	AvastBrowserUpdate.exe
File opened for modification	C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{2450BA65-CAF8-4A4F-A1C6-7264D860879D}\AvastBrowserInstaller.exe	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{2450BA65-CAF8-4A4F-A1C6-7264D860879D}\CR_DFE6F.tmp\SETUP.EX_	AvastBrowserInstaller.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\goopdateres_gu.dll	AvastBrowserUpdate.exe
File created	C:\Program Files\AVAST Software\Browser\Temp\source4608_1876240636\Safer-bin\120.0.23480.129\aswEngineConnector.dll	setup.exe
File created	C:\Program Files\AVAST Software\Browser\Temp\source4608_1876240636\Safer-bin\120.0.23480.129\Locales\hu.pak	setup.exe
File created	C:\Program Files\AVAST Software\Browser\Temp\source4608_1876240636\Safer-bin\120.0.23480.129\Locales\pt-PT.pak	setup.exe
File created	C:\Program Files (x86)\GUM40E3.tmp\goopdateres_fi.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM40E3.tmp\goopdateres_ja.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM3B00.tmp\goopdateres_da.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\goopdateres_pt-BR.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{D1FAD2A7-ED82-4A67-915E-6DD1AFE5DD2F}\AvastBrowserInstaller.exe	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM40E3.tmp\goopdateres_fr.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM40E3.tmp\goopdateres_pl.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files\AVAST Software\Browser\Temp\source4232_1464487241\Safer-bin\120.0.23480.129\120.0.23480.129.manifest	setup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\goopdateres_de.dll	AvastBrowserUpdate.exe
File created	C:\Program Files\AVAST Software\Browser\Temp\source4608_1876240636\Safer-bin\120.0.23480.129\Locales\es-419.pak	setup.exe
File created	C:\Program Files\AVAST Software\Browser\Temp\source4608_1876240636\Safer-bin\120.0.23480.129\Locales\hr.pak	setup.exe
File created	C:\Program Files\AVAST Software\Browser\Temp\source4608_1876240636\Safer-bin\120.0.23480.129\notification_helper.exe	setup.exe
File created	C:\Program Files (x86)\GUM40E3.tmp\AvastBrowserCrashHandler.exe	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM40E3.tmp\goopdateres_es-419.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files\AVAST Software\Browser\Temp\source4608_1876240636\Safer-bin\120.0.23480.129\resources.pak	setup.exe
File created	C:\Program Files\AVAST Software\Browser\Temp\source4608_1876240636\Safer-bin\AvastBrowserProtect.exe	setup.exe
File created	C:\Program Files (x86)\GUM3B00.tmp\goopdateres_lv.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM3B00.tmp\goopdateres_pl.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\goopdateres_hr.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\goopdateres_uk.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{D1FAD2A7-ED82-4A67-915E-6DD1AFE5DD2F}\CR_6CFB9.tmp\setup.exe	AvastBrowserInstaller.exe
File created	C:\Program Files\AVAST Software\Browser\Temp\source4608_1876240636\Safer-bin\120.0.23480.129\Locales\sr.pak	setup.exe
File created	C:\Program Files\AVAST Software\Browser\Temp\source4608_1876240636\Safer-bin\AvastBrowserQHelper.exe	setup.exe
File created	C:\Program Files\AVAST Software\Browser\Temp\source4232_1464487241\Safer-bin\120.0.23480.129\AvastBrowser.exe.sig	setup.exe
File created	C:\Program Files (x86)\GUM3B00.tmp\goopdateres_en.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM3B00.tmp\goopdateres_sl.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\goopdateres_sv.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\goopdateres_te.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\AvastBrowserUpdateBroker.exe	AvastBrowserUpdate.exe
File created	C:\Program Files\AVAST Software\Browser\Temp\source4608_1876240636\Safer-bin\AvastBrowserUninstall.exe	setup.exe
File created	C:\Program Files (x86)\GUM40E3.tmp\npAvastBrowserUpdate3.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM40E3.tmp\goopdateres_zh-CN.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM3B00.tmp\goopdateres_fil.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\goopdate.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\goopdateres_hi.dll	AvastBrowserUpdate.exe
File created	C:\Program Files\AVAST Software\Browser\Temp\source4608_1876240636\Safer-bin\120.0.23480.129\Locales\fr.pak	setup.exe
File created	C:\Program Files\AVAST Software\Browser\Temp\source4608_1876240636\Safer-bin\120.0.23480.129\Locales\ml.pak	setup.exe
File created	C:\Program Files\AVAST Software\Browser\Temp\source4608_1876240636\Safer-bin\120.0.23480.129\Locales\vi.pak	setup.exe
File created	C:\Program Files (x86)\GUM40E3.tmp\AvastBrowserUpdateOnDemand.exe	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM40E3.tmp\goopdateres_ca.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM3B00.tmp\psuser_64.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM3B00.tmp\goopdateres_de.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\acuapi.dll	AvastBrowserUpdate.exe
File created	C:\Program Files\AVAST Software\Browser\Temp\source4608_1876240636\Safer-bin\120.0.23480.129\chrome_elf.dll	setup.exe
File created	C:\Program Files\AVAST Software\Browser\Application\initial_preferences	setup.exe
File created	C:\Program Files (x86)\GUM40E3.tmp\AvastBrowserUpdateHelper.msi	AvastBrowserUpdateSetup.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ajB029.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ajB029.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{62593C70-ACF0-44CC-8716-990919D46A85}	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{62593C70-ACF0-44CC-8716-990919D46A85}\AppName = "AvastBrowserUpdateBroker.exe"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{62593C70-ACF0-44CC-8716-990919D46A85}\AppPath = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Update\\1.8.1631.4"	AvastBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{62593C70-ACF0-44CC-8716-990919D46A85}\Policy = "3"	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4424021B-831C-4F50-A74F-1AF30ADA650C}	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4424021B-831C-4F50-A74F-1AF30ADA650C}\AppName = "AvastBrowserUpdateWebPlugin.exe"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4424021B-831C-4F50-A74F-1AF30ADA650C}\AppPath = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Update\\1.8.1631.4"	AvastBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4424021B-831C-4F50-A74F-1AF30ADA650C}\Policy = "3"	AvastBrowserUpdate.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\AVAST Software\Browser\Update\	AvastBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVAST Software\Browser\Update	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVAST Software\Browser\Update\hostprefix = "beta-"	AvastBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	AvastBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVAST Software	AvastBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVAST Software\Browser	AvastBrowserUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\AVAST Software\Browser\Update\devmode = "0"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVAST Software\Browser\Update\endpoint = "update.avastbrowser.com"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVAST Software\Browser\Update\MachineId = "000058d4b27a012b9e3e4541471e6c69"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVAST Software\Browser\Update\MachineIdDate = "20231228"	AvastBrowserUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DD8E03F-6BE1-41E2-B931-A37C7D1C0317}\ProxyStubClsid32\ = "{3A6CE939-10CE-42FC-BDEF-A77E6DEB610F}"	AvastBrowserUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AvastBrowserUpdate.exe	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastUpdate.CoreClass\ = "Google Update Core Class"	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DAE1732-F855-42A3-9D28-B7F6E291ECCD}\NumMethods	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C0BAA6C-52FD-4A3F-8731-F588C5E8F191}	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32\ThreadingModel = "Both"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\ProxyStubClsid32\ = "{3A6CE939-10CE-42FC-BDEF-A77E6DEB610F}"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BD612F-9EB6-4392-80D8-D54DE870EF42}\VersionIndependentProgID\ = "AvastUpdate.MiscUtils"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{620A093F-79D3-4CAB-8CAD-EB1A39A8C0A2}\LocalService = "AvastSecureBrowserElevationService"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastUpdate.Update3WebSvc.1.0	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59577BB5-F97B-4880-B785-510238C5C5CE}\ProxyStubClsid32	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastUpdate.CoreMachineClass\CLSID\ = "{493E9335-D965-3F74-9338-05A59D304768}"	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59577BB5-F97B-4880-B785-510238C5C5CE}\ProxyStubClsid32\ = "{3A6CE939-10CE-42FC-BDEF-A77E6DEB610F}"	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}\NumMethods	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastUpdate.OnDemandCOMClassMachineFallback\CurVer	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DD8E03F-6BE1-41E2-B931-A37C7D1C0317}\ProxyStubClsid32\ = "{3A6CE939-10CE-42FC-BDEF-A77E6DEB610F}"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A708F91-06A3-409E-83BC-4A5CF10C8025}\ = "IAppVersionWeb"	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DD8E03F-6BE1-41E2-B931-A37C7D1C0317}	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{493E9335-D965-3F74-9338-05A59D304768}\ProgID	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}\NumMethods\ = "13"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C2033652-2F07-34CC-9416-76BC5C9AD5F7}\ProgID\ = "AvastUpdate.ProcessLauncher.1.0"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastUpdate.CoreMachineClass.1\ = "Google Update Core Class"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DE1DAAE-30B4-3140-9BE6-40A47E9D3588}\ProgID\ = "AvastUpdate.CredentialDialogMachine.1.0"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{5AB71627-A1C4-35E8-975E-327931339608}\LocalService = "avastm"	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7B73E65-20BA-407F-8A89-DF649EF82559}\ProxyStubClsid32	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastUpdate.OnDemandCOMClassMachine.1.0	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}\ = "IMiscUtils"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DD8E03F-6BE1-41E2-B931-A37C7D1C0317}\ = "ICredentialDialog"	AvastBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5781D843-96CD-3DC4-8935-4CDE51C315E1}\Elevation\Enabled = "1"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DAE1732-F855-42A3-9D28-B7F6E291ECCD}\ProxyStubClsid32\ = "{3A6CE939-10CE-42FC-BDEF-A77E6DEB610F}"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-vnd.beta-update.avastbrowser.com.oneclickctrl.9\CLSID = "{4424021B-831C-4F50-A74F-1AF30ADA650C}"	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{CD12DA4E-0EDF-4193-9764-C4704AB9DEEE}\1.0\0\win64	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{079CAB07-5001-4E71-9D5A-B412842E5178}\ProxyStubClsid32	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45F7CBA5-258D-4852-AD0A-B18F3FB214F4}\ProxyStubClsid32	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastUpdate.CoreMachineClass.1\CLSID\ = "{493E9335-D965-3F74-9338-05A59D304768}"	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}\NumMethods\ = "13"	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2DAE1732-F855-42A3-9D28-B7F6E291ECCD}\ProxyStubClsid32	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\ProxyStubClsid32\ = "{3A6CE939-10CE-42FC-BDEF-A77E6DEB610F}"	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\NumMethods	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastUpdate.CredentialDialogMachine.1.0\CLSID\ = "{7DE1DAAE-30B4-3140-9BE6-40A47E9D3588}"	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastUpdate.CredentialDialogMachine\CLSID	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62593C70-ACF0-44CC-8716-990919D46A85}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastHTML\Application\ApplicationIcon = "C:\\Program Files\\AVAST Software\\Browser\\Application\\AvastBrowser.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}\NumMethods	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastUpdate.CoreMachineClass\CurVer	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}\NumMethods\ = "4"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A012A499-D8A6-4F6C-9E05-B02D58E3781A}\ProxyStubClsid32\ = "{3A6CE939-10CE-42FC-BDEF-A77E6DEB610F}"	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\NumMethods	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6CEBE594-0680-4815-86E1-615A6BE65E0E}	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\ProxyStubClsid32\ = "{3A6CE939-10CE-42FC-BDEF-A77E6DEB610F}"	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\NumMethods\ = "24"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastUpdate.Update3WebMachineFallback.1.0\ = "GoogleUpdate Update3Web"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastUpdate.CredentialDialogMachine\ = "goopdate CredentialDialog"	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}\ProxyStubClsid32	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D1FB6CD-9205-365A-907A-8AB76BC52400}\VersionIndependentProgID	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A708F91-06A3-409E-83BC-4A5CF10C8025}\ProxyStubClsid32	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCD3788-C8CC-4EE9-8DF7-944B7D9674F2}	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A012A499-D8A6-4F6C-9E05-B02D58E3781A}	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\NumMethods\ = "4"	AvastBrowserUpdateComRegisterShell64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
2632	ajB029.exe
2632	ajB029.exe
4476	avast_secure_browser_setup.exe
4476	avast_secure_browser_setup.exe
2632	ajB029.exe
2632	ajB029.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	AvastBrowserUpdate.exe
Token: SeDebugPrivilege	4412	AvastBrowserUpdate.exe
Token: SeDebugPrivilege	4412	AvastBrowserUpdate.exe
Token: 33	1560	AvastBrowserInstaller.exe
Token: SeIncBasePriorityPrivilege	1560	AvastBrowserInstaller.exe
Token: SeDebugPrivilege	4412	AvastBrowserUpdate.exe
Token: 33	3108	AvastBrowserInstaller.exe
Token: SeIncBasePriorityPrivilege	3108	AvastBrowserInstaller.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4476	avast_secure_browser_setup.exe
2632	ajB029.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 2632	4476	avast_secure_browser_setup.exe	76
PID 4476 wrote to memory of 2632	4476	avast_secure_browser_setup.exe	76
PID 4476 wrote to memory of 2632	4476	avast_secure_browser_setup.exe	76
PID 2632 wrote to memory of 1584	2632	ajB029.exe	77
PID 2632 wrote to memory of 1584	2632	ajB029.exe	77
PID 2632 wrote to memory of 1584	2632	ajB029.exe	77
PID 1584 wrote to memory of 4412	1584	AvastBrowserUpdateSetup.exe	78
PID 1584 wrote to memory of 4412	1584	AvastBrowserUpdateSetup.exe	78
PID 1584 wrote to memory of 4412	1584	AvastBrowserUpdateSetup.exe	78
PID 4412 wrote to memory of 4564	4412	AvastBrowserUpdate.exe	79
PID 4412 wrote to memory of 4564	4412	AvastBrowserUpdate.exe	79
PID 4412 wrote to memory of 4564	4412	AvastBrowserUpdate.exe	79
PID 4412 wrote to memory of 2688	4412	AvastBrowserUpdate.exe	80
PID 4412 wrote to memory of 2688	4412	AvastBrowserUpdate.exe	80
PID 4412 wrote to memory of 2688	4412	AvastBrowserUpdate.exe	80
PID 2688 wrote to memory of 3092	2688	AvastBrowserUpdate.exe	81
PID 2688 wrote to memory of 3092	2688	AvastBrowserUpdate.exe	81
PID 2688 wrote to memory of 1592	2688	AvastBrowserUpdate.exe	82
PID 2688 wrote to memory of 1592	2688	AvastBrowserUpdate.exe	82
PID 2688 wrote to memory of 2460	2688	AvastBrowserUpdate.exe	83
PID 2688 wrote to memory of 2460	2688	AvastBrowserUpdate.exe	83
PID 4412 wrote to memory of 1500	4412	AvastBrowserUpdate.exe	84
PID 4412 wrote to memory of 1500	4412	AvastBrowserUpdate.exe	84
PID 4412 wrote to memory of 1500	4412	AvastBrowserUpdate.exe	84
PID 4412 wrote to memory of 5076	4412	AvastBrowserUpdate.exe	85
PID 4412 wrote to memory of 5076	4412	AvastBrowserUpdate.exe	85
PID 4412 wrote to memory of 5076	4412	AvastBrowserUpdate.exe	85
PID 1344 wrote to memory of 1560	1344	AvastBrowserUpdate.exe	87
PID 1344 wrote to memory of 1560	1344	AvastBrowserUpdate.exe	87
PID 1560 wrote to memory of 4608	1560	AvastBrowserInstaller.exe	88
PID 1560 wrote to memory of 4608	1560	AvastBrowserInstaller.exe	88
PID 4608 wrote to memory of 4144	4608	setup.exe	89
PID 4608 wrote to memory of 4144	4608	setup.exe	89
PID 1344 wrote to memory of 3808	1344	AvastBrowserUpdate.exe	91
PID 1344 wrote to memory of 3808	1344	AvastBrowserUpdate.exe	91
PID 1344 wrote to memory of 3808	1344	AvastBrowserUpdate.exe	91
PID 1344 wrote to memory of 2420	1344	AvastBrowserUpdate.exe	92
PID 1344 wrote to memory of 2420	1344	AvastBrowserUpdate.exe	92
PID 2632 wrote to memory of 1964	2632	ajB029.exe	93
PID 2632 wrote to memory of 1964	2632	ajB029.exe	93
PID 2632 wrote to memory of 1964	2632	ajB029.exe	93
PID 1964 wrote to memory of 2444	1964	AvastBrowserUpdateSetup.exe	94
PID 1964 wrote to memory of 2444	1964	AvastBrowserUpdateSetup.exe	94
PID 1964 wrote to memory of 2444	1964	AvastBrowserUpdateSetup.exe	94
PID 2444 wrote to memory of 3528	2444	AvastBrowserUpdate.exe	95
PID 2444 wrote to memory of 3528	2444	AvastBrowserUpdate.exe	95
PID 2444 wrote to memory of 3528	2444	AvastBrowserUpdate.exe	95
PID 2444 wrote to memory of 1856	2444	AvastBrowserUpdate.exe	96
PID 2444 wrote to memory of 1856	2444	AvastBrowserUpdate.exe	96
PID 2444 wrote to memory of 1856	2444	AvastBrowserUpdate.exe	96
PID 2444 wrote to memory of 3568	2444	AvastBrowserUpdate.exe	97
PID 2444 wrote to memory of 3568	2444	AvastBrowserUpdate.exe	97
PID 2444 wrote to memory of 3568	2444	AvastBrowserUpdate.exe	97
PID 3060 wrote to memory of 3108	3060	AvastBrowserUpdate.exe	99
PID 3060 wrote to memory of 3108	3060	AvastBrowserUpdate.exe	99
PID 3108 wrote to memory of 4232	3108	AvastBrowserInstaller.exe	100
PID 3108 wrote to memory of 4232	3108	AvastBrowserInstaller.exe	100
PID 4232 wrote to memory of 1140	4232	setup.exe	101
PID 4232 wrote to memory of 1140	4232	setup.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\avast_secure_browser_setup.exe
"C:\Users\Admin\AppData\Local\Temp\avast_secure_browser_setup.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Users\Admin\AppData\Local\Temp\ajB029.exe
  "C:\Users\Admin\AppData\Local\Temp\ajB029.exe" /relaunch=8 /was_elevated=1 /tagdata
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\nshB22B.tmp\AvastBrowserUpdateSetup.exe
    AvastBrowserUpdateSetup.exe /silent /install "bundlename=Avast Secure Browser&appguid={A8504530-742B-42BC-895D-2BAD6406F698}&appname=Avast Secure Browser&needsadmin=true&lang=en-US&brand=9998&installargs=--no-create-user-shortcuts --host-prefix%3Dbeta- --reset-default-win10 --auto-import-data%3Dsafezone&hostprefix=beta-"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Program Files (x86)\GUM3B00.tmp\AvastBrowserUpdate.exe
      "C:\Program Files (x86)\GUM3B00.tmp\AvastBrowserUpdate.exe" /silent /install "bundlename=Avast Secure Browser&appguid={A8504530-742B-42BC-895D-2BAD6406F698}&appname=Avast Secure Browser&needsadmin=true&lang=en-US&brand=9998&installargs=--no-create-user-shortcuts --host-prefix%3Dbeta- --reset-default-win10 --auto-import-data%3Dsafezone&hostprefix=beta-"
      4⤵
      Sets file execution options in registry
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Drops file in Program Files directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4412
    - - C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4564
    - - C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\AvastBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\AvastBrowserUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3092
      - C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\AvastBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\AvastBrowserUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:1592
      - C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\AvastBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\AvastBrowserUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2460
    - - C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezZEMzdDNzYwLThGRUQtNDhBNS1BNEE0LUNFQzA5NUIyRDhERH0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTYzMS40IiBzaGVsbF92ZXJzaW9uPSIxLjguMTYzMS40IiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0ie0Q3NjI1RUM0LTk1ODEtNEMwOC1CRUIwLUU0MTNEN0FBRjI5QX0iIGNlcnRfZXhwX2RhdGU9IjIwMjUwOTE3IiB1c2VyaWQ9IntGMEZENjk0OS01MDQ4LTQyMzktOTg0Ni0xOTgxNDA5RTY4ODV9IiB1c2VyaWRfZGF0ZT0iMjAyMzEyMjgiIG1hY2hpbmVpZD0iezAwMDA1OEQ0LUIyN0EtMDEyQi05RTNFLTQ1NDE0NzFFNkM2OX0iIG1hY2hpbmVpZF9kYXRlPSIyMDIzMTIyOCIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9Ins0ODgxNDE5OC0xNjhCLTRBOEMtQUY2OS0wQUM5QkU5OTZFMkF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuNDkzIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NkQzN0M3NjAtOEZFRC00OEE1LUE0QTQtQ0VDMDk1QjJEOEREfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS44LjE2MzEuNCIgbGFuZz0iZW4tVVMiIGJyYW5kPSI5OTk4IiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSI4MjA1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1500
    - - C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe" /handoff "bundlename=Avast Secure Browser&appguid={A8504530-742B-42BC-895D-2BAD6406F698}&appname=Avast Secure Browser&needsadmin=true&lang=en-US&brand=9998&installargs=--no-create-user-shortcuts --host-prefix%3Dbeta- --reset-default-win10 --auto-import-data%3Dsafezone&hostprefix=beta-" /installsource otherinstallcmd /sessionid "{D7625EC4-9581-4C08-BEB0-E413D7AAF29A}" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5076
- - C:\Users\Admin\AppData\Local\Temp\nshB22B.tmp\AvastBrowserUpdateSetup.exe
    AvastBrowserUpdateSetup.exe /silent /install "bundlename=Avast Secure Browser&appguid={A8504530-742B-42BC-895D-2BAD6406F698}&appname=Avast Secure Browser&needsadmin=true&lang=en-US&brand=9998&installargs=--no-create-user-shortcuts --host-prefix%3Dbeta- --reset-default-win10 --auto-import-data%3Dsafezone&hostprefix=beta2-"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Program Files (x86)\GUM40E3.tmp\AvastBrowserUpdate.exe
      "C:\Program Files (x86)\GUM40E3.tmp\AvastBrowserUpdate.exe" /silent /install "bundlename=Avast Secure Browser&appguid={A8504530-742B-42BC-895D-2BAD6406F698}&appname=Avast Secure Browser&needsadmin=true&lang=en-US&brand=9998&installargs=--no-create-user-shortcuts --host-prefix%3Dbeta- --reset-default-win10 --auto-import-data%3Dsafezone&hostprefix=beta2-"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe" /healthcheck
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3528
    - - C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezZEMzdDNzYwLThGRUQtNDhBNS1BNEE0LUNFQzA5NUIyRDhERH0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTYzMS40IiBzaGVsbF92ZXJzaW9uPSIxLjguMTYzMS40IiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0iezZCMDIxRDNBLUI2MTEtNEMzOC1CNTM3LTlCRjAzNDBDODhEQ30iIGNlcnRfZXhwX2RhdGU9IjIwMjUwOTE3IiB1c2VyaWQ9Int7RjBGRDY5NC05LTUwLTQ4LTQtMjM5LS05ODQ2LTE5ODE0MDl9IiB1c2VyaWRfZGF0ZT0iMjAyMzEyMjgiIG1hY2hpbmVpZD0ie3swMDAwNThELTQtQjItN0EtMC0xMkItLTlFM0UtNDU0MTQ3MX0iIG1hY2hpbmVpZF9kYXRlPSIyMDIzMTIyOCIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9InswM0E3QzA5MC0yQzcxLTREMDItQTEwNi1FQURDQUIxMkNEQzB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuNDkzIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NkQzN0M3NjAtOEZFRC00OEE1LUE0QTQtQ0VDMDk1QjJEOEREfSIgdmVyc2lvbj0iMS44LjE2MzEuNCIgbmV4dHZlcnNpb249IjEuOC4xNjMxLjQiIGxhbmc9ImVuLVVTIiBicmFuZD0iOTk5OCIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMTI1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1856
    - - C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe" /handoff "bundlename=Avast Secure Browser&appguid={A8504530-742B-42BC-895D-2BAD6406F698}&appname=Avast Secure Browser&needsadmin=true&lang=en-US&brand=9998&installargs=--no-create-user-shortcuts --host-prefix%3Dbeta- --reset-default-win10 --auto-import-data%3Dsafezone&hostprefix=beta2-" /installsource otherinstallcmd /sessionid "{6B021D3A-B611-4C38-B537-9BF0340C88DC}" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3568

C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe
"C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{D1FAD2A7-ED82-4A67-915E-6DD1AFE5DD2F}\AvastBrowserInstaller.exe
  "C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{D1FAD2A7-ED82-4A67-915E-6DD1AFE5DD2F}\AvastBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --host-prefix=beta- --show-developer-mode --suppress-first-run-bubbles --adblock-mode-default=2 --default-search-id=3 --default-search=bing.com --no-create-user-shortcuts --host-prefix=beta- --reset-default-win10 --auto-import-data=safezone --system-level
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{D1FAD2A7-ED82-4A67-915E-6DD1AFE5DD2F}\CR_6CFB9.tmp\setup.exe
    "C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{D1FAD2A7-ED82-4A67-915E-6DD1AFE5DD2F}\CR_6CFB9.tmp\setup.exe" --install-archive="C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{D1FAD2A7-ED82-4A67-915E-6DD1AFE5DD2F}\CR_6CFB9.tmp\SECURE.PACKED.7Z" --chrome --do-not-launch-chrome --hide-browser-override --host-prefix=beta- --show-developer-mode --suppress-first-run-bubbles --adblock-mode-default=2 --default-search-id=3 --default-search=bing.com --no-create-user-shortcuts --host-prefix=beta- --reset-default-win10 --auto-import-data=safezone --system-level
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{D1FAD2A7-ED82-4A67-915E-6DD1AFE5DD2F}\CR_6CFB9.tmp\setup.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{D1FAD2A7-ED82-4A67-915E-6DD1AFE5DD2F}\CR_6CFB9.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=Avast --annotation=ver=120.0.23480.129 --initial-client-data=0x280,0x284,0x288,0x264,0x28c,0x7ff79f647f00,0x7ff79f647f0c,0x7ff79f647f18
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4144
- C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\AvastBrowserCrashHandler.exe
  "C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\AvastBrowserCrashHandler.exe"
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\AvastBrowserCrashHandler64.exe
  "C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1631.4\AvastBrowserCrashHandler64.exe"
  2⤵
  - Executes dropped EXE
  PID:2420

C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe
"C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{2450BA65-CAF8-4A4F-A1C6-7264D860879D}\AvastBrowserInstaller.exe
  "C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{2450BA65-CAF8-4A4F-A1C6-7264D860879D}\AvastBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --host-prefix=beta- --show-developer-mode --suppress-first-run-bubbles --adblock-mode-default=2 --default-search-id=3 --default-search=bing.com --no-create-user-shortcuts --host-prefix=beta- --reset-default-win10 --auto-import-data=safezone --system-level
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{2450BA65-CAF8-4A4F-A1C6-7264D860879D}\CR_DFE6F.tmp\setup.exe
    "C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{2450BA65-CAF8-4A4F-A1C6-7264D860879D}\CR_DFE6F.tmp\setup.exe" --install-archive="C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{2450BA65-CAF8-4A4F-A1C6-7264D860879D}\CR_DFE6F.tmp\SECURE.PACKED.7Z" --chrome --do-not-launch-chrome --hide-browser-override --host-prefix=beta- --show-developer-mode --suppress-first-run-bubbles --adblock-mode-default=2 --default-search-id=3 --default-search=bing.com --no-create-user-shortcuts --host-prefix=beta- --reset-default-win10 --auto-import-data=safezone --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{2450BA65-CAF8-4A4F-A1C6-7264D860879D}\CR_DFE6F.tmp\setup.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{2450BA65-CAF8-4A4F-A1C6-7264D860879D}\CR_DFE6F.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=Avast --annotation=ver=120.0.23480.129 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff66fca7f00,0x7ff66fca7f0c,0x7ff66fca7f18
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe

Filesize
128KB

MD5
2c1a9afb07c65f3a2fe4ada68207953e

SHA1
31a67b9f76cdbbcbbbb6e65e502a60d16dba2ea9

SHA256
49304f851d3990cf2f364f54cb3b34d5cc4aca5147764205542f183997adbc34

SHA512
8681137d31a59c1f84118698a9a8a42c968ab873c2cce9a50c818fb2f763781ad4f8bb8eeaaa4f49017f4867cd11f1e24d4e1ee9a93f3a2835f28c61f324a9f7

Download Submit
C:\Program Files (x86)\AVAST Software\Browser\Update\Download\{A8504530-742B-42BC-895D-2BAD6406F698}\120.0.23480.129\AvastBrowserInstaller.exe

Filesize
3.2MB

MD5
7856bb99759ef42112e7132dcb927f33

SHA1
a7e5db5b442ffe3d882c960650cce437b535f028

SHA256
374e90d3068ca76abdd5b64c1cb5f5029b9104861544c9a5ac47d14a1f5d46b6

SHA512
4849913eaed3f7c44bf6b6a55b1562ef91ee18b656432cc0cf00f69f2b04305d08fd501bbdb35df4935e2c536d115fa2fe29582053fc4a5956b2ab1f76c176e5

Download Submit
C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{2450BA65-CAF8-4A4F-A1C6-7264D860879D}\CR_DFE6F.tmp\SETUP.EX_

Filesize
1.6MB

MD5
1fcb9800483cbea2e28c9cb75463f963

SHA1
52ec4d2866ed6178c467fb7357a14ea418e242e5

SHA256
f17b53462b1359a57c5f09e7072e73e751a5478b71b47c79cd056ee275fa7f39

SHA512
5aa7dbbf9223ba0635a8b8ae1518f0f67ce20a596f369c9e821eed0aa1e194454566df07fafaa984e4be800e3595ca64ceb03fb0d550f70fb3dc98d9de5cf5ea

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\@PaxHeader

Filesize
28B

MD5
7ecd45e1307162298db37815be3888d7

SHA1
f097f7dd0392c8473b31af3a9431621fd453bd0c

SHA256
b2aec448896dad5e5c63a540b7d05ce02e1671701eef70eed477d9690a2ec72b

SHA512
ee85bfcb0d5e847a9c1001218095acab567584c00a71b117f052c7c8e07b222ca34dd060b95de888476b4cb6eb33ada8d5f9069b6589c1c041542807d876a7c3

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\@PaxHeader

Filesize
28B

MD5
7d0a6f7d0198b691fd741740c22f48a8

SHA1
f0d3fe0d2197f8550fda876c06da19310137da33

SHA256
8f4f7086ff2bf4816a6f1d4b71ecdb997020b7e8873fed61bf298b49a9a6ba88

SHA512
0ed4968937b19381addcdef423f74d0322791712cbd867ce458e1a8e0e913f92e6030f29a6f41734a71e140f4f0ad88308994c01ecd05cb4760f9ad3228aecb0

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\@PaxHeader

Filesize
28B

MD5
5d526716203e6d05f0e4156501fc6d36

SHA1
523d5caf24994e79fb0c533f4309cd7ed2845333

SHA256
70be3e739444a863ec21e8660c2a0a7e02663bab621d153800abcc1ff4fb7af1

SHA512
944627768ea12932f089e72417e68e48947663fdeb94890dde9bf28ac3ceaf2e9c2f84988f97d68b9064b6c66c1014ef125c303731c1c30e96fc8ef75e90a851

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\@PaxHeader

Filesize
28B

MD5
a77a5c7f12ad3918d6ae5890c7721d07

SHA1
f2c0722011d03bc5778e3021911ddc970b2923d7

SHA256
3d63be14aa205362609bcf9b4d664ba286d033d0d588df5288c996c2d055ad97

SHA512
2f30f5cbaca723bead15f7d7e42fc4e217135eac057c12243f85b0754b93c9b513aca4995963c3c260ee98a9ec919d246bf56d902e0c3ed31d33e4f7a5544b1a

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\AvastBrowserCrashHandler.exe

Filesize
37KB

MD5
85038448a8931793ade983ae723063e2

SHA1
e1be082218a7605b634352dac75a81a018213af1

SHA256
56899976b21e263305625918e673cc3a0258e693b257b4406bc77c43fec7c239

SHA512
9fedff146fa85bbc4c3e91941691527187acc24b003e8f6ef865c419cd639c0474b519ac850dc53beb9de53a98a68baef97244ffab37411fae8e199006f457e1

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\AvastBrowserCrashHandler64.exe

Filesize
45KB

MD5
e0dd025f79005c4c52f7f7774e276872

SHA1
5f8c2ff20badf30b79f211edf7d1caf81b25b107

SHA256
366003041351d3c14ce5df92adbb9954bb7f5d331d8c4aa31edda545f3d87277

SHA512
31249070a069a8b97e41454e2aa9e3cb9771c1f6e7ca3851bd03fb9bd9fa69466879d39d0a9ff5632121d4f0ad81e1430f8b0c6bec1aef5d3dd4d9dacb0bb275

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\AvastBrowserUpdate.exe

Filesize
147KB

MD5
6f437f3a5ba04a82f87bede959d6ab5b

SHA1
e5056d1c77f5d218010379685bcf5641a6aa8e6b

SHA256
40aa3d58a19c6c3c5fb18cdc5733a010df93139ef7db4e3fac8f33caefce2efb

SHA512
afefcdcdf584bddbfb8b013280495e616f79221ed4f088d13d30067f3e7add4c8de33ce3df0f77eae6d8430622d6019783d20c021d426171c2b1913a70100749

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\AvastBrowserUpdate.exe

Filesize
120KB

MD5
d89505eaf30642ac9f0c568eda029206

SHA1
139a5f7b928540992e896e4a6706918a52b936a3

SHA256
570b4a4b1e07944f9e43331a38f8d8eff7d37044c2d208930105a2738318a816

SHA512
5cd670bb0714a05ac11ede8a5fd159ab5fd1b6b125d38598b88d48b708ce4ee2e1e0ed3518ac9ca3ff837630fbcd6d7b1709c3f999034affec8512f2d94df6ed

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\AvastBrowserUpdateComRegisterShell64.exe

Filesize
64KB

MD5
5bf34f703bb4ce96ef9ab9ce7a651096

SHA1
cc4d285d2e98375e4b788416abe28a9841435b0c

SHA256
c454e4513e0c1091784c89456b8244bcc549e8d188178edbd7f7a921771cb922

SHA512
96eb50816fde039f404d4b22842847d892441ff66420c717c54e63f4421223def9f176cfbeed0009292b137baab11f64b681d8a38116df03d730255d159b196b

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\AvastBrowserUpdateCore.exe

Filesize
57KB

MD5
8640e538fe623b0cd6377be85017cc73

SHA1
4cd8917ae07b54cde1d2a5a4a3ea8d2ed1615ca3

SHA256
0b8b3ccab41391e107a363ec150d617dec9ed13db654c7ab61e72b9ea206d217

SHA512
ee8cadf7fe99bea8b6ac0d5b398dcc95a5880f034c0265ac82cf242e668a9167fa708e29eca43685ecea7e3078b600b999fc264fb69652c884f68a2ba537c878

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdate.dll

Filesize
230KB

MD5
d09292cb6ac444d9b4a0ffc007bb9f30

SHA1
fbd612181cd81e8169f0b00bec3bcbed88fa346d

SHA256
0b9c8da4944ea6c22b37705ebd21c041e627b054034d1e5d141ced477b2c0100

SHA512
67fd2f8b6369d799ae295d4531df0551992f8792ad47c6d03fe16ff0eaaa030b4006f6437f73060af459b5755341f1ffb18c95cd9e164c94faa79c15642fde9c

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdate.dll

Filesize
132KB

MD5
387619eb034ea6bc3980bc6e82945888

SHA1
bf119031d68373442ac50b775d2de11471e1f7b1

SHA256
a68df05c51281272adab649465a1a131244811dd64933b1d9a7ef53f4426e6b7

SHA512
081c6f1e6edaec7c5598b3d5ce66d7ef9a782e9d4fe89c0601f56f8f209cb22e39844516c72366c3be7f9849ab13baad367a8c435a3369653b9e72ccfd26b702

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_am.dll

Filesize
42KB

MD5
1f38fac4bea77244ba8e5f867e8c43e9

SHA1
a81515c4eba7ae5bd6195c4ac17605fc0263efb8

SHA256
da8ad629ad5ab0037a5deb146a0ae46a6896dfc3db475ecc9813a4b13ff2832d

SHA512
06c2bcc9546a849c63cc7345320528f16ac7bab267d258883e52d8a55ccc997e13f1ebe765b50cf16ea28a534c94f97b5074369c1b496e18313d3662073701a5

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_ar.dll

Filesize
41KB

MD5
6e446b5cb462880b13e965594ded6bed

SHA1
a30f72f36d9d390780017e0fef8719d9fa04f214

SHA256
17b730aaa18b3739dc32b2642c9c9c37eef851814fd88062a3b74bbcc391df0f

SHA512
820753be644c66a8cb18632dfda202621a529e8a4bcabc95ba8422ca0a117cd385659552edf57c99b0c39ab79cbd13c0f9bc3d275e929118587ddd6092b0b826

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_bg.dll

Filesize
44KB

MD5
92df1a264f92c0a04a62e9174fa4bf5b

SHA1
9141f94fba8c7ee0f9be2875a918fd95b3ad7b30

SHA256
0e7f9cf7756498f891b3630f3eb812ca6ecc1e30cf42da5cf90a3bd3afbb3a56

SHA512
37befeed94a63bbe262e7b37b4f5bfbcbf51a58155d0a63d27e5d379f1e1ea136dd5f7d45f4dcdc93b9b8bef5b4804de9f425925ba7cdcf4649a764303c0be6c

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_bn.dll

Filesize
44KB

MD5
e333fd3cd6e94e2e1ff6ce4c502ce1c7

SHA1
a6aa89ed5c4fc072251fac1d9b95c115dcc7bdaa

SHA256
286ec415f3675d0351fe18f2236616eb69bf362960fbc0d3a470753e9b416f6c

SHA512
abfed8c216e93867ef840105be2e39c2db409c89e8b6bcd4c7e53a5f5f399c5bddfca0ccee4a098e0255412bfe14fb6681ef9ea9e1a6c259ee7bc94aba69dd96

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_ca.dll

Filesize
44KB

MD5
fd0e1242e4265cb1fda0bc4d860e492e

SHA1
e978caec71098bd5bb157ba6745a476aed181ed3

SHA256
2aaf74829e904912ac6e8cae5e8371a5ec4038a8fcd5213f4e9a97e4b44981c5

SHA512
ed9a132e19751ad0f4914d51fb353d05f655ddbaed84e2ec07c3e9fe13e0c4351ae8de78e7b4893479ec5fb899227f3fb0d5af0a08638b11887404228fb70e7a

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_cs.dll

Filesize
43KB

MD5
028057962779e6290eefac48edc99976

SHA1
460434fb3007be992ef15f9ce344f00ac2b7bc7e

SHA256
6f18b8f74bc4f2e2b732b09162e5e12a90fbdedc8d44ca67bf57f6e9c60ce472

SHA512
d3ec806bad5090057667e0bc372e62c10c4ecd2784667e0b1a15224c7e7655e34c9c29739b5c2ee03e1debed8662686b706cfd5e455480344a4ae511b45a9106

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_da.dll

Filesize
43KB

MD5
ed7c7e9d4088ececb9f7bc3822f1ffc8

SHA1
52e457856b058e870c0c376f4238a9d3a598737c

SHA256
7931405cc305e2d236e1d26b4a5e03d478d2137afe1b5ca78da667dd1bb77dc7

SHA512
4612ff47e27e44d800aba4f0198aa6dc349b677bffdac58cdf1204d834e0fe24bf463455d1e5c5b7c5a875c6201ee425ea63e41a6f60afccc018be5e446f90a0

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_de.dll

Filesize
45KB

MD5
7d31ac4e5ed0724aa79558ac86e6c35a

SHA1
a6b19545874904f1cf52bcf405a50af95ea5b9a6

SHA256
b2184751aabb9dad80bbbf5e981ef9d7737ff48199d9e210df86d5c50f3f5df8

SHA512
7a1058c7f176cfb5ce2c9e816173cc6af1fa218571016b0cd274a2bc9044a4e1db1dc102aaddfb623d6627a144c52d27990fe1a7942c8a3555b415f09c67ceb4

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_el.dll

Filesize
38KB

MD5
110da35f9546583bc29e8ddb0ce81876

SHA1
c42a066bdcb669b262d7c898e2e675c3faecb37c

SHA256
7c8b292bd4e4786b116715750430aa8affc1e7d07ce0257ed13bcd6b5b1566db

SHA512
b51691cef0fc768138c24c64483129bfd252b8740d26c199c9ce25e0521e026a231610dba795865aec58e5b62fc9df2d60bd26170321b68abb37276f0d665301

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_en-GB.dll

Filesize
39KB

MD5
26662ed0e89d9a15079633f6cbb41188

SHA1
9d8074dd590204a90c09d413d9e755f187e68261

SHA256
fe3b2a21ea67019cd7dfe7a3a174034f5b1ac8aaf4161c7e8a0666721df55a2d

SHA512
b208f617cd7776a7419afaf978cb1eecd2691eeacb27d40930bb5a96430cd2863723947082e4b4762d994afc979fba59e21eb1c86ade933d04e1c14f5ab8d96e

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_en.dll

Filesize
42KB

MD5
dab9fd7c77f73c8a7a0201fecbe3e882

SHA1
7c8836d026d4b5feb2e64141f2567218f8fe6edc

SHA256
efba6c4686bdd2021e1a6e03b109e955cc1fcdd0d36036bd9a66c78eef5c9fcd

SHA512
e687bae81fc2c536197dc95edbfa70f013a7a3f19aee3b8b0b18325a8110a33b92213e082757295192a4f66e0b1e6ab4362fcc2a70da105ff1f469528748b3c0

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_es-419.dll

Filesize
44KB

MD5
1857a1a05852d0aad09e3b7f27bccc45

SHA1
3afaad8daa9a019cf32fac6b82d5641a4247b591

SHA256
c634e56c9b9c165a3b230ec94d02ae4aa4725b7aaae57dad8f17c2be58d15fc3

SHA512
962db68f1fce9de892847df558dbb8fddabd1bd4d5a3c3b5cedb97681fb315b4d0366a41fee32877a96a34d60dcdc721b5b3fd221418f63f6acbd8d56e579728

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_es.dll

Filesize
45KB

MD5
72ea3bdc5d4f0f951518d03aeccd2bf6

SHA1
01156af60ca96f6f5b29a773a89930ee188318b4

SHA256
53d3839dd7f3e9a12fc192667bcf9d721034a0a7c1940dbe540fe841cd4ed3ea

SHA512
b7ccde88474d3849c3d55bb3209f6938fdfaf343dc44f4a26bc195b4abe9c476a8fdae1133ebad9a5a852c3908bf828f1ea8d7e51c92000833b6892f0c6db1a3

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_et.dll

Filesize
43KB

MD5
ebf1ab8035e5d22d748fbfe58ad5b569

SHA1
525d1a6fa85a147a0bc46ecb536019aca54c23d6

SHA256
ef5325ccf0a97fb550030e0fadce9349039d124cee390226fbb30296205d49a8

SHA512
7cfbd9bd54a56c333e78b35e38390f5207e0d17777ba2d28742e4cb413e10c17851ebe3e88a34ae8ab8807d6092057b600ecf0a9e9dbd52de40549418e6c7d12

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_fa.dll

Filesize
42KB

MD5
40aa4e15b44245d0320c2d6cd85bb42a

SHA1
b06b1ff202ba5332ee5a65d011414f0e8969ce2b

SHA256
277979b950dea3372ac9df4c95ec9c8f7e8549e714b6a78a8d77be141d53c007

SHA512
4ced0c4198305f8dcb71ead6520d7962ded65c033696df29311f20b677bcde3e62e25de890cb0a6c4dee6ceb1cfe41b2b61a08663beb57eb6d3873edfde4162b

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_fi.dll

Filesize
43KB

MD5
501cbb4a49ddd3abfb8929b44213dd54

SHA1
073c9619c1d7eb7b893eba3e2065470d373ac292

SHA256
902cd4b195c0fa1f58d83ff2b7b7e85237f6fdb7cee06d593393422eb1cfaa0d

SHA512
6585e2616817a91a70696a51849d08ea34c582b6a3fffd95d9de9ba0a5b8560e2684c049856106b6dbfe50ea9ea1c29c31dc8e197559e4863b89731bd7dcd38d

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_fil.dll

Filesize
44KB

MD5
3875ba78fb49cbbd8ea8a258e3dc53d3

SHA1
62fdc568d19aaf3b3537464acc356946b85c2ed0

SHA256
a07e9b984284d8a3b8d948393364299f87565e45e8003583e32f2670b085442a

SHA512
3516f9994cb8c957c7967cb1276cd9929f2b410ebcab428c02d6b4abe20e13bc8717f148d7f59236e75b171946dc7ab38c568299f47f8dadf4f7739aefd71268

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_fr.dll

Filesize
45KB

MD5
552d2a7da0b056d6e8db9f8e143c5f97

SHA1
7d88e63e6d8ba3224902a40dba0293b727010f37

SHA256
9c29f6536e064f753f8fba0b26efe32f80a83f48daa416ef53d3b55cbce02aa5

SHA512
c48cf4cb54001a8a3490f45500fdc81806da1a663139814452fc8d952ccb4b1caa3d38fcddeb1be772d1f65d455537a62e1db41083dc9d9763f109857224dc80

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_gu.dll

Filesize
45KB

MD5
0dde60e0de5ade02a339b76fadd5ed33

SHA1
4ef9d16e772388101f02757b18faa2082e67234d

SHA256
0f4b68558b910436c1184b9e8e682a7183a748a9a0ee99631336be9a71e9956b

SHA512
e1f2f8772ce6ab329069eaddce9f710009425465892eb059c83a87b4c9fc9c49e353c20521d93692da48bb4af586b7a9782f16a17f32d07762e712da33460cdd

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_hi.dll

Filesize
43KB

MD5
550a2dff384afe5e4b8339e48a43dcaa

SHA1
69e2e67340e13191567af9625771fadf25878ae5

SHA256
3df2afd18c225d6ea7400c4a8b5f2412a02265a98b2f258b969e276a5bf23c94

SHA512
6530d98d42d01d83f2493df213cffbd72cb06341cec640bc0303e8d80f7e8cc176899bb9dc3a7cdd790d71301af301ac78db17f7774665ed7036ca070d9eb13a

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_hr.dll

Filesize
44KB

MD5
36a21d299298d7c0709f7bfe0bf0cad8

SHA1
baad265e2bf82fc21d1f363d7e61ba81fec1d701

SHA256
ed27ebc725fc07129ddefa4932eb1cfbf77cdc8617f0c37ccb9104eb2379b57f

SHA512
38b65be12d96d40840471680cc7a28c9647205155436eae2247981830ea6a5375f2e377dbf9b1e79ddc19dd65522f44f7a6b6d8cdf4178e91bc1c59eaba6cf60

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_hu.dll

Filesize
44KB

MD5
16e63288e7d55c8880f30860d43410f5

SHA1
668fe406ed6977d6d689ea24e21b55a62280efde

SHA256
035af5641b1751c78b1c626d16bc103654be5eefe9e8d15b53bd24f5313d8a5e

SHA512
28ff6c3416f6012cf8beeb72a740efd32df463f6d26ecd54d9046580325267f1537756d37b9d07f0c247746199727550b5af365f0262f221d35d200a27c2253c

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_id.dll

Filesize
43KB

MD5
250ecd64822e2a3b86523469dda45c36

SHA1
e94ccfa2de0b1f69576c2183eec57994542ac544

SHA256
dd530fdcd7a5bff02c217ec409852a33455c7bc3dab13e1380bbde5af188bfcb

SHA512
544a46500e5e89077e91298c032a7222c2cb5867b33fc6749486ee59bcfdd24db61aa617ffc9f0e62235b0cb191904118235e31be7a5fc6740630749ab8e2915

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_is.dll

Filesize
43KB

MD5
46c2f35b5a91501a671fc3ce63a8c202

SHA1
1fc33e0faa71dcd7e7c8068f8e268a1b117fb0ce

SHA256
82255b1acd999198e4116796ad94b3f1e31a95666a52319fd27b390f5dca516f

SHA512
a8cc15c12415b490624a993453cf23288c6a40dbe8d7e6b133f363881f60ae47ce0e412bcebb60c433134740be94d83a03169f68d835d5079ebc5192cf47b0f3

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_it.dll

Filesize
45KB

MD5
902f5c4add30b9665df17c46849cb20b

SHA1
0a4a086c9e9da4225445bf52376a38f748f3af47

SHA256
bc3c543182ccacc02ddd1706719961745767206a4468d8685cd00a4279c12328

SHA512
cbd0c475a37b5eaca040e0e7943f84a90e3c24995bd4b61ae7220cd9562aea3b83593b7a8e3d22b586dfae67bcfec1d531ca3924cf77170f41e539313f99763e

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_iw.dll

Filesize
41KB

MD5
5315b828cb27f4b142eb3770c77d600f

SHA1
0582c18fcb5a0214e58c404713a3699319fa7385

SHA256
2780d95b9f649e6df20d7afa65f6f4193f07fea877333d96807ad0d8b7cb17a0

SHA512
73d452890df20bbc61eaf73e800cbe1a7cc014da7fb4e8bfec90ecde4e523b35804c436a737ffe21d8fef569edbfbd819bdc667ffecb46636cceede9c5e10082

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_ja.dll

Filesize
40KB

MD5
64895710fa9f8b5cf9703e8e4bec6d25

SHA1
4e29b6fa9ee435a046e618a95302c04662a0bafb

SHA256
53402867e91a018160e35b027f3266bb364f6072ad641d8f583cef0ee3255986

SHA512
354e5a39d1bec4a436a217f296044dcb2025cc75eefb961822a59a12624043fa6c9d873a834fba8fc8ad9a9bdc7fefd3616dae98c7302819f579c7cdfb7a871d

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_kn.dll

Filesize
45KB

MD5
29d26e1da2cd11575ba121aa36f0a638

SHA1
abf359f445ea199ad8773586e72fd660036e8c84

SHA256
252c0acb781ceab837f7ec927cc41dc09c2d0d57ac6975c111d0b561ed3cd1ac

SHA512
e482ff4094368c3055daf5b69e1215e7d41719c1f4789785d05baf4a49c28d4ad142ab9aedab37c7df69d14234e9ba79331f51fa644db671f2b7394c3ba000fb

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_ko.dll

Filesize
39KB

MD5
e9f5c3854fcd642f23ce4c4ab659ec28

SHA1
63c29acc295dccb38be5746e48902328bbc3e9df

SHA256
fa4ecaa06a8d0df5bd60c056946b63650497bf6a853ea0bdd93cbe411b96c26d

SHA512
167edc03400da59a06878ab3a8c27b5ac9498b28973345a483abeacfaca10884f34eb739d423058ebda50c4afc5a94bce57d6ca606e84a84cbe482b331409112

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_lt.dll

Filesize
43KB

MD5
e105561482f05e65eaf98c2814400c5c

SHA1
f68a0f610dd48746f9a4a0e835528426d6fad47a

SHA256
a5595bb4278165894446433c27bfebf78231570ad53b0c69e5d0df86e4724aa7

SHA512
7aa61a8b4e012b79243f7328f7fb572b6e8be4382251dc2ee27c282b3d0347d274ca4f553b0e0184dcbfb369feacb5991718e9abefb85e57655384e0c1126cec

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_lv.dll

Filesize
44KB

MD5
73745046a61605f22b9eddc34629a81a

SHA1
d8181ed29b3df33788eced0adb72178f7deacfb4

SHA256
5e790d8a5ea811c4f5fcd90f0820e8bcef1202f3f5e98d820e529ec47f875fca

SHA512
106ddedaab46e3322401437ed842225b1cdacd1fc4d01a79eb6195ae4d449f4f20569def23aeb0a28c23199af5e95c49abb8c69d7db9906395818592ce6095d7

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_ml.dll

Filesize
46KB

MD5
c9091349771b6ee27024e49afe316cf2

SHA1
7adb311a5cfc584c717e6f1957842dfbf69a7cf1

SHA256
890cf80909d652ed6e220f5809880ba796b9d0981e16cb69b0e245c7c30a2082

SHA512
3cbf605462ffc847418009c41b9f526ff40774054bba92a2fc510c8823e268454023114ca5685a5b94a5246e6019acffb92902d031399fa2ac50bca9bac094ca

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_mr.dll

Filesize
44KB

MD5
e9eaf89a970341e8a588fc7b5d31f411

SHA1
52d94df567d1353db5ffc44ccf2ba5224831a0b5

SHA256
f1c134607740645f05111944f1a860143af8cbfd828d0a439f8d5bf8888ec975

SHA512
4fadc8a6841efbadc52a790174dde437dd125b56fa8bd1ed929bd8b2ddbe18a6dd2591edbcf5ace6d0ae5700fe82cfb6d85700cf993e8bd5a94a9c070f3c0683

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_ms.dll

Filesize
43KB

MD5
61fe0b035cab068a1e89bafe0bd73629

SHA1
dccb630c3d7a2dbec283f87bc966ee96b11e6ccd

SHA256
03464e5e7808aa74d8f24f395b29b75c56abdf750cfe671a7ce388f0299de63f

SHA512
ee3de599b059db1f7888052e573f447d92970b7ea6c9db1c09f8df3339d2191be21a766e56369f667b75f7b26f770d3dc8adcb920eebcd8316530edf506ffcdf

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_nl.dll

Filesize
44KB

MD5
6b426996c9d7a6b5c7b83d09e9b9a6b3

SHA1
e3f3137cceee850132e302c7f67c691f018428bb

SHA256
73650e199c53eda546a2f342e7d19fae3c5de4252a71e0044f461db796519629

SHA512
ae66ca8cc9cd16d934226f9d1962659e8de6a400b978ea1793a035c6729c0ad648bca47e036bbeeb56c02ccb0b08832879f2f451b814264b828d514f3cf47d2a

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_no.dll

Filesize
43KB

MD5
e163b26a7a806ef48774ffad0067bc24

SHA1
b1883272d34abf3bb5654aecce8439950cf6fcac

SHA256
348bc8bed07c3625236399e9d5762f432bb9539a21fc969dd63b275ba7c9d31f

SHA512
924c038de6f1f6a87dcdec3b32a1ccd766344186c88a1945a9684b0e0f12f346787da84c38a7a538a9153e62ca46ea7a30f0776ec09a0dae978fc2613c7d432c

Download Submit
C:\Program Files (x86)\GUM3B00.tmp\goopdateres_pl.dll

Filesize
44KB

MD5
c3d9b238ed70b3de4692e32b5bb7bacf

SHA1
90733f68e13d927d338927fee3bb02d1a47831fd

SHA256
0d8eff876be13900aa77ff340c8a224ff606c1d204a01f09a0bfcf754ec9b0b5

SHA512
e17936184cfbd9cdbe9dc2d6abd5590646557a2e1f396c2d2900d381c471e68fb651ab1b7c4131adcbe409746d548d341f72eb402315122f5c1d6afbad09215c

Download Submit
C:\Program Files (x86)\GUM40E3.tmp\@PaxHeader

Filesize
28B

MD5
d9d4de6a09704832a1b9fe57a8c73dda

SHA1
0d641a5937eea89c6b1a10635db77d3501c854de

SHA256
d5b315adaf255daee8f6bae3e78e204e1151838b37340da45ca1c28669e07d39

SHA512
5803ec574cc011a6a0c762ddab5f2196b226689ad11befb2695f23bb84c4053801b0a5fbb20e222031541c5c2b996934a3e45e06983594a313b1ee27e52cb326

Download Submit
C:\Program Files (x86)\GUM40E3.tmp\@PaxHeader

Filesize
28B

MD5
8730dcc07715231472fab2b85eb66494

SHA1
abf2c4faecd86ae788eaa0d912a0d6b6fcd1a9df

SHA256
089784a82ba0ffdd71bdacebbf8ca45824bf3c7fd8d0a39d6f1b176cb01aec84

SHA512
eae97e2a088be40b7cd78de4d4df28294e15253d8bc42dd21663bb0e9fd74f14becc2d233491397e1bd93f61eaacac5bcf2fbfc9d0819e83cdca8e612d7fceaa

Download Submit
C:\Program Files (x86)\GUM40E3.tmp\AvastBrowserCrashHandler.exe

Filesize
131KB

MD5
50cc978f72dacfec8e1f61acea2d12da

SHA1
a0d7dd0e6f6eec6f0c56e260778238dc3a5fb705

SHA256
2c7af2eb48f51a42f93824a2022fce7ad0b2df1a348560c76aabef5d666da2e8

SHA512
efd27a7aca756d0c4e4e5e1d34f55e2c255bfc75296ae270ba7b6f75a0d221cba2fa38e4c7439ddda3bc7a339f07c961fc6e47a949084dc57299ba3ce2026683

Download Submit
C:\Program Files (x86)\GUM40E3.tmp\AvastBrowserCrashHandler64.exe

Filesize
152KB

MD5
bab0e5fc48a37c6d18e2aea27007746a

SHA1
8be3f947b183aed390f0c7daf3c40b6bc451322f

SHA256
62dde1ae0cf875694fa0cd748685f4615ccfe8d146a2f57ebd5dcedee4782ca2

SHA512
3228a1806935e35e42a190c4a23e229337388ecb59b213d513733109472a0f20a4cd8da827ddf9d2ae1b1b8613fd044ed02a7027052a3f1ce8e475ec88bcb2c7

Download Submit
C:\Program Files (x86)\GUM40E3.tmp\AvastBrowserUpdateComRegisterShell64.exe

Filesize
428KB

MD5
5702ce24eff2ce37e98ce9f12b515e5f

SHA1
fca6790be58360c0d165f2290e2f1f615a904b13

SHA256
f9b34dbb670de6bd85b50e6682bcdc97275737fa8478cf444db21bd04c45b0ee

SHA512
55059606985caf27a3bef331ec4e7593e2ed702123cc3094fb2f907ac2e692c878a11ea01e006b8f70c30cbd8f0bd6245018061765e7c169523633e021d7a968

Download Submit
C:\Program Files (x86)\GUM40E3.tmp\npAvastBrowserUpdate3.dll

Filesize
507KB

MD5
115e188ea0c8549c84524909bacdb03d

SHA1
f9de18c3d691a36d980b5c5678b1592a6b276f89

SHA256
26071c0c9cabd9ff2d55ee2abddfcaac3e877cb0da8ff1bb2db226d63b6371f2

SHA512
879f202782602c2867cc71f5cd0c674e7df4b85989ec2b57386362fe3a1a8c953a8b291c7a54a1c46d69001265947dc391d8e1a76e0a88dbcd282e103f76c70c

Download Submit
C:\Program Files\AVAST Software\Browser\Application\120.0.23480.129\Installer\setup.exe

Filesize
908KB

MD5
c196dd85dd899c160a444ced3d61ccd2

SHA1
4d4c998a7f83c1dad525083235500384425db5ae

SHA256
0e54c8a441cc27a293b826652a35453a8c7cbcffce8a82490c07dc447da7d2a8

SHA512
3ee777605f69430181f7dcc93fc1179412fc0f84e7a0cf289f6104183f4d32ec45185b2833ee326f866951458b5bd22af39a0b4f3af800c86484931a13660016

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajB029.exe

Filesize
53KB

MD5
4765d17d9c6215aed3e82497e88f4dee

SHA1
944738ce2071ae76cd4e79203c7ebe7f2afa6656

SHA256
74b6350ff8b547475f20374874238ffdcb7ef00d04e8c3eaa750dffa6229092c

SHA512
9da54014726deef4143d303b3d59b52747f000a036d920907557c5d901af632e6ce5be62c002c73e11688a654726e52719bc0ca271e5435fd16983a7eca19240

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajB029.exe

Filesize
85KB

MD5
f7f886994efc1c6c5997ea53884baff7

SHA1
b2ea10c8603f88c55daed7b0aacbf0ab4dc11cf8

SHA256
282cfa773b8dd60e44e58456faf35c9e65f7a2ba8e47fee392f3b340e55270b2

SHA512
3c709a5ed093bf352407a128a3bb0e98d11cec6a00d93a9e7900077a89bedb6d28061516c953aa296fcd4e6b97283470acd4e8e668221c68823df343d39a29a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\avast-securebrowser-main-tags

Filesize
44B

MD5
2ec65a257499e518b624e07fa5a6bec7

SHA1
6fda961264c69d30c1db21e72d07c4cc7c73ffb5

SHA256
fac1758f6f77b68e6590cb530c84091c308b96475118bf9c0f9d9aead73f7d7d

SHA512
b56cd3ba7c5a16fa736c2b746854024fd18b83ef64be3b9aa2a1c1b370e33837d44d9373522ea8f465a6e46c522ae589cd936d74151abda577749e982841a734

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB22B.tmp\AvastBrowserUpdateSetup.exe

Filesize
644KB

MD5
9e14662747e87dd780ad041026045b4a

SHA1
ecb97c1ed8054fe6c1b8699a8b9d47c03ad61a33

SHA256
8fd92bec7048ea9ac34619fa6cfceae0bcc72ac25aaba87f92be1dbe7850db21

SHA512
a122054dbe8793885ad354c3fee07c6d300f9652f7694d4489af5a01742c3e81418af782d19ee509dbee528f23289328db9c8668b9e79988982c49a3082d1250

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB22B.tmp\AvastBrowserUpdateSetup.exe

Filesize
384KB

MD5
f11d6fbed963c557281f2ffe8155c883

SHA1
5ca4d41410a85ae7db1482d50d5d92fda81d8428

SHA256
0db6ab46c23a437162e69d20a792c9c25c8f0d7430fbd1db16ba84b529f614d1

SHA512
006fd0f0b1c71106b4b812946247992f6393c4e85840c9c10344529eae543701bb5e58c7115690bfd86ee550d66081f12aab4839690a35db2b45aad123deec16

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB22B.tmp\AvastBrowserUpdateSetup.exe

Filesize
107KB

MD5
0da147c00c2b90ff880f1ba21073c148

SHA1
fc997eeb60208e2ae362d5bceb54426b23011c8c

SHA256
545eb707e18c5ab3d62276f1b32bff693195951517de49a71c3c1a095e3a4e1c

SHA512
16ff3f7c431bbeb9b3377fc247250c9b99f4dd66d9f83b955af6ba3e45f9308591de38a4fb7785d0742b5ffc71ac9b51c2075416acc87d6407b528620012f119

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB22B.tmp\CR.History.tmp

Filesize
33KB

MD5
ba022f4c3056c3c22bab1895accb0081

SHA1
658aaabfff850c6c8873b291472f643e8bd8cb69

SHA256
1f6c764c02dc1b8d28265eb401473f94251c826281ddde605e1901aeec4a6372

SHA512
65cd392daf052272b4aeae792159e1c219b74f8adf8e6ec7c64e1c30d5c13b4b6e9e8676ccb704f8200e12b6a3cd9bb210693486604736d51bbf62b27ade1346

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB22B.tmp\CR.History.tmp

Filesize
90KB

MD5
88f40defcb4408abddaefc99a39be80f

SHA1
e243ffaa73025ef1cb77a012612a4cf39296f42c

SHA256
95b4be157c200560d66f0cfe6c7ff30e228e8834c79a85db7c9a0604bf5b158b

SHA512
7e84e95aed5a0ef52279ac3698de6bca4f7253bbc7b725f36d454992d6ceb5e6e4f941162f0370060b61fc3dc14388bb31574f0aa379763921debfe17e5ef926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB22B.tmp\JsisPlugins.dll

Filesize
22KB

MD5
ff7e5cc025f6cd349cf4a981b2e260e7

SHA1
e10322970dfe5f1303d496a0280c99a7141048d0

SHA256
696e71f1665424ea639b9d89005b63ac9de21cc9a437c12605c4906ba7726ef0

SHA512
4bdc6dddacbe8137203cddb6ee0ca7ff06c17ab866b3639b3418369e78c186df6704f345c1bd24b5a6c4947a9b8dc330ae69cd7d8c581a6ebb866b1a2a8a1d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB22B.tmp\JsisPlugins.dll

Filesize
58KB

MD5
1bbce6c20be53847be0b5020399163da

SHA1
90c892c5a725943c57313cf617333ef9bdddff5e

SHA256
d8f3e2f299304ebd51a1df96a34e53f8880926f78c50ec45cbd5ac7550053144

SHA512
df45f40bebaf149e08c16dc6718c630bf8fab150a808c0024b293ea3ebba222c2b1ce043ed5f7f8c5811bc8f47f0e21b72a817589c58cfde3f647a7a8a0d2bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB22B.tmp\Midex.dll

Filesize
38KB

MD5
5a8d2ef3d9e2f75602a984c1b7d04777

SHA1
ab1b20edfb0f1e1880c393fa36b96aec0fd2315f

SHA256
62462970a2f260d174efe8b4aa2566c072b56432f7a7f871b2c93c6b469e683c

SHA512
df6d3f6d2c8a8a2ed324d9c5decee3601074346c6666bc833b84391c706b4eebfc79013f5ddb051c4fd3ef173509d398c329c4676f67d922752b40560061112d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB22B.tmp\Midex.dll

Filesize
16KB

MD5
b21afd6289b69b21da75f785d7e21f2b

SHA1
eac94054c83a6a29bf4b37887168f019732709ed

SHA256
7ee6e1aa8e919d07a02296382b68968e4477b1408455c61cd7a4ab1945e64f99

SHA512
57e0b59f6ca93d5008154d587a15a170c18503e6e7d757b6cfc26d4f0ce78c8726f97cfe83363575e42b1c3f923c3b1c99b62a1af9796b4316cbfa00168a5aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB22B.tmp\Midex.dll

Filesize
1KB

MD5
23563242c89a3601e8e37160e55aa795

SHA1
005e89c21d756b62b3658e2289edd21c018c6b16

SHA256
933548f9355d54188fd19d3feaa1a4ee53aea242ee3ddbbf97106994fd17e94b

SHA512
4f3a3b4ecb09d45723e6537757e812950b89594b88e30c0df51c3c210b12f02dad7dbef91ffec0de72903e1fb0ec4e107f64989b8393801fd5e251af1543ef63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB22B.tmp\StdUtils.dll

Filesize
18KB

MD5
17268a91a5269ada4a3a2cff0a22849a

SHA1
c2c025fd6fedfb5afb160004f38d0f7a29f0786b

SHA256
91ce51cdc6843ad9ef38886b0d4015fd73c5ab24dc8ec5aa32a5c54d57abe0dc

SHA512
3a9b00eea1ef43317c87576b7b5913fdd54b11fe2f60f0926b3a7e448cd245f599f2fa040640194861dafe853bfa37e538fb05448f0654a6bf1d549a73ae2e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB22B.tmp\StdUtils.dll

Filesize
5KB

MD5
4ff548a63b6292956e6cb6c61717b8d6

SHA1
32bc4193abc6c9e0108521b18ab92f3f8db96f62

SHA256
ce22bb8b31ce7dd902b117503369df623b5cc042a4b0115314e34a8731b04ce3

SHA512
a627aeaf65095bf071ab0aa7bafae0cb8d91acd8814f494f548d0797164afb0998ee7b216be740e0bf7d209d071e5eb3b29aac0a36a9a9dd37a0b2e511f39a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB22B.tmp\jsis.dll

Filesize
10KB

MD5
a661b64ca048be42662e6585ff3728d6

SHA1
c23e54dc02b312f635d9361d95e73b7116577919

SHA256
77305b51548ebc495443b7e8cb925bb5ceee6773296ebf1ce751a91f2a79052b

SHA512
040db31aead1ebc6f0d08eb9d2ccd6963061382ccffe95fe6ceff659cfaafcbca692719f2889c166d536be282bf3555da5b5804ef1b7e4c0c5aebed502101afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB22B.tmp\jsis.dll

Filesize
50KB

MD5
f154213dca554491b3e151b356c61947

SHA1
61d4965f3202458dc22997e65a14ef519c5e84be

SHA256
65520f2cf5b05cd764fcc02739f07d49edcce7cf727abed28ad2d123b13f4665

SHA512
433675e7c87cae6a609e7284ff11fc10d3370517fb1f7713a24ff41d27266d6ad91c33ef72b62f439baa83adf9bf95c1d03aae5dbbed7495557e6b8dd30dcc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB22B.tmp\thirdparty.dll

Filesize
57KB

MD5
800e1b409ed45310c7ccf24e27c8c73c

SHA1
30eabf498c161d458aa9b6a7b6a4e04b4c7056df

SHA256
f6aa99f4a32a3e0da15de1364d4b39b37cfa4704a3ad3f67725604920cb509d5

SHA512
29c55de924462b0b9624642ee5ef1d64487e21841f499abc37d75b5c8b6cd2a8930b1451fd2e9741d86279c34305bca9380cef3970210114fd32a1739ce858de

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB22B.tmp\thirdparty.dll

Filesize
44KB

MD5
ffb15e2aaba4ec3c0ea7845dcc75412e

SHA1
b845bfb0a6c1e5508079e1d478bdbc66d7e8fbf2

SHA256
a8aec83596bd006cf1ef2dd6bcdf524a0109f4ff7b80a5cc0c0e94238fd9d21e

SHA512
3a93debe0a1642bc5963e0e49066b6e710365e8f9d968334f46a7ab891d33778073739ababf9db131e08f7793fab310ec8f7ffa632099629ca4c0ff1ca3b0eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7DEC.tmp\JsisPlugins.dll

Filesize
41KB

MD5
63c0848c07d44a4d90409f47ad4e1d65

SHA1
0100738312e7514238281a57c7900b123a80e4b5

SHA256
6b8adf3a75c08a2eadd01367951c0f4e1e29f9c5442e0853c90f99235850e0cc

SHA512
2b9d10aa63abf2cb6419b24ad181853a3715b6521f3c7ccab5d0a836b1ebe2417e30b3dbb55d009ac491c1475d09ecf5576ccc50ff05c09b0755e4cef56452ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7DEC.tmp\StdUtils.dll

Filesize
43KB

MD5
1501d0829bb2e155f0fc31c4989e6c01

SHA1
41a2a23f0bc8836a76abb674a83752b4871b96bc

SHA256
b96c0b03a1c645321634d3e3f83c7db47200810aeb0f1b495a7f66c2ce61f1ad

SHA512
4167f2131f268ec6f1a3206d832b484210cb8d7f891b095044094915f1de94a5af4a243c7ff16b808c0eb38f5d700ec7c15dccbeb0133a959704c9ebbb5b7664

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7DEC.tmp\jsis.dll

Filesize
27KB

MD5
090c534e74abbd996efa4ce94815fa52

SHA1
c47ae2feef7453d2d5aa762f6996a54c029899d4

SHA256
1c685e2eb353922f135d9dc6fed97aeb24d569e3d769a44274c6f19618750806

SHA512
d341f7b0fce23aac58e31773ac5b08edc6b5d5e1be1695944806d72d5ff92d84511d19fda4fd305f58cc6c3d7bfd91f81c17b1c4ea5668082505e86bf8a15561

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7DEC.tmp\nsJSON.dll

Filesize
36KB

MD5
0acda819bacbed7d368f036847960ae3

SHA1
8a4367182e41076e28870ef60efa8630ecdf846c

SHA256
2508170aa8ed183c2dba984cb22c0d622359963b4ee0099c734875b862b17800

SHA512
d501737aa62fae54552f382ab87e749ef9f3bc1349fd0945fa3eca9ebbcd6c690961a5f764aafe994f396bc303fa44d9670969b84810fa5fcadd1a20a469d321

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7DEC.tmp\thirdparty.dll

Filesize
61KB

MD5
c4f2dba68f005df9a37560e790f71f08

SHA1
be12f41978330f2950c275aae2598d6ae8befef8

SHA256
834adb9d6328c6c08f875f3f988465862895c71716f0365852d5f59dc378c775

SHA512
1baac7ddcb2bd4d3022f6c11892d91a3b006d88fec86648ca0eeb1005f208d4bffe6fa68f0cc650517df7c1f00123d4d241d3408bb832a5033a3b3c649033e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\{886B2298-A281-417A-BA01-7E155F958078}\scrt.dll

Filesize
66KB

MD5
21270a2283402e33d06dc0b0155fd1e4

SHA1
2e99111f6c360834c29c7a0e3e70c89439fdaf25

SHA256
50ed5a2b3dce924e89cba8788cb52d94e731314e8132457f02a85018ca553d24

SHA512
eab217554dcfc08f784f8f0374c792792be9f89e71c5495372917ca3b1bc83227b44de581f7e7efef935d2bfe8d36613a545693caa5516f48fdd7e35399948f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E79F1107-DB55-4858-A020-27125B636ED6}\scrt.dll

Filesize
143KB

MD5
3baf8d55e264c97454c40df926740958

SHA1
3b8e8e62edca9197bd03cf1dd35a04f906e54eea

SHA256
147400012fb5e1843ce682afe37898465d48e5c7e557510af7b99f073c3d35f2

SHA512
c3bd804c8b2b918e9d1eb17c4b23f75e9002b292c501104cc6d60285caa987dc23552e389385c39aa4bdddef1114ebf2aab8a8b8472b1da599cbda202f5f484b

Download Submit