neshta | 12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
Size

1.3MB
MD5

b9a4f271af9f1486241b1d1977ec0670
SHA1

0b87e60d2f871b20750d7b98b0551ee66186b2fb
SHA256

12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030
SHA512

991cd569cb0de467f09d76877174af63f6b9f5c46faca5f3719a9a16ecea2bf650a562860f70c25d2404edb63dc9ea9192ee22c3894f98ff79e5b831fbb27025
SSDEEP

24576:tr/0ox0HyFZi6tVNpXrXjHgaAWm3U8ufe4N8zZF+HgM1S9emr:tr/506ZNjNtrXjD8E8uWSAkED

Score

10^/10

neshta defense_evasion discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Detect Neshta payload 13 IoCs

resource	yara_rule
behavioral2/files/0x000700000002029a-311.dat	family_neshta
behavioral2/memory/4088-464-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1156-465-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4088-466-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1156-467-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4088-468-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1156-470-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4088-471-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1156-472-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1156-474-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4088-475-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3004-485-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2352-491-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe	BraveUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe\DisableExceptionChainValidation = "0"	BraveUpdate.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	BraveUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	BraveUpdate.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 14 IoCs

pid	Process
2372	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
4940	BraveUpdate.exe
448	BraveUpdate.exe
2240	BraveUpdate.exe
3028	BraveUpdateComRegisterShell64.exe
3664	BraveUpdateComRegisterShell64.exe
3520	BraveUpdateComRegisterShell64.exe
2248	BraveUpdate.exe
1156	svchost.com
3376	BRAVEU~1.EXE
3004	BraveUpdate.exe
2352	svchost.com
1684	BRAVEU~1.EXE
1776	BraveUpdate.exe

Loads dropped DLL 11 IoCs

pid	Process
4940	BraveUpdate.exe
448	BraveUpdate.exe
2240	BraveUpdate.exe
3028	BraveUpdateComRegisterShell64.exe
2240	BraveUpdate.exe
3664	BraveUpdateComRegisterShell64.exe
2240	BraveUpdate.exe
3520	BraveUpdateComRegisterShell64.exe
2240	BraveUpdate.exe
2248	BraveUpdate.exe
1776	BraveUpdate.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe\DisableExceptionChainValidation	BraveUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\BraveUpdateComRegisterShell64.exe	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\psuser_64.dll	BraveUpdate.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_fa.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_pl.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_pt-BR.dll	BraveUpdate.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_hu.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_ml.dll	BraveUpdate.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\BRAVES~1\Update\13361~1.151\BRAVEC~1.EXE	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File opened for modification	C:\PROGRA~2\BRAVES~1\Update\13361~1.151\BRC18E~1.EXE	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	svchost.com
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_am.dll	BraveUpdate.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\BraveUpdateCore.exe	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_te.dll	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_th.dll	BraveUpdate.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_cs.dll	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\psuser.dll	BraveUpdate.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	svchost.com
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\psuser_64.dll	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_uk.dll	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_ar.dll	BraveUpdate.exe
File opened for modification	C:\PROGRA~2\BRAVES~1\Update\13361~1.151\BRAVEU~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	svchost.com
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\BraveCrashHandler.exe	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\BraveUpdateBroker.exe	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShellArm64.exe	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_bn.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_gu.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_pt-PT.dll	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_sw.dll	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_ur.dll	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_cs.dll	BraveUpdate.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	svchost.com
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\psuser.dll	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_vi.dll	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\psmachine_64.dll	BraveUpdate.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File opened for modification	C:\Program Files (x86)\BraveSoftware\Temp\GUT925F.tmp	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_fr.dll	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_hi.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_ro.dll	BraveUpdate.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_no.dll	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_is.dll	BraveUpdate.exe
File opened for modification	C:\PROGRA~2\BRAVES~1\Temp\GUM925E.tmp\BRAVEU~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	svchost.com

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	BraveUpdate.exe
File opened for modification	C:\Windows\svchost.com	BraveUpdate.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BRAVEU~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BRAVEU~1.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2248	BraveUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.Update3WebMachineFallback	BraveUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{08F15E98-0442-45D3-82F1-F67495CC51EB}	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F234546B-DACD-4374-97CF-7BADFAB76766}\ = "IAppVersion"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24D704AD-AC42-49F2-BB4F-68BA77C98E91}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4842EC21-0860-45B5-99F0-A1E6E7C11561}\NumMethods	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}\ = "IProcessLauncher"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C929BFE-4FA4-488D-B1E2-82ECD6F076C8}\ProxyStubClsid32\ = "{6EF610EC-1F5B-474C-B1C4-A78E59E550E9}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7CFC4E00-1C9D-443D-B5BE-CEEEAC1443AF}\ProxyStubClsid32	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A147722A-5568-4B84-B401-86D744470CBF}\ProxyStubClsid32	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.CoreClass.1\CLSID\ = "{3AD2D487-D166-4160-8E36-1AE505233A55}"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EFF9CA12-4CD3-474B-B881-CDE1D92F1996}	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24D704AD-AC42-49F2-BB4F-68BA77C98E91}\ProxyStubClsid32\ = "{6EF610EC-1F5B-474C-B1C4-A78E59E550E9}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}\ProxyStubClsid32\ = "{6EF610EC-1F5B-474C-B1C4-A78E59E550E9}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7FF255A-A593-41BD-A69B-E05D72B72756}\Elevation\IconReference = "@C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.361.151\\goopdate.dll,-1004"	BraveUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13B35483-DF37-4603-97F8-9504E48B49BF}	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C11C073F-E6D0-4EF7-897B-AAF52498CD2F}\ = "IAppCommand2"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{598BBE98-5919-4392-B62A-50D7115F10A3}\VersionIndependentProgID\ = "BraveSoftwareUpdate.PolicyStatusMachine"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{598BBE98-5919-4392-B62A-50D7115F10A3}\Elevation	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.Update3COMClassService.1.0	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{931E73FD-D487-4458-AA08-1FF41413377B}\NumMethods\ = "12"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28C83F57-E4C0-4B54-B187-585C51EE8F9C}\LocalizedString = "@C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.361.151\\goopdate.dll,-3000"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{660130E8-74E4-4821-A6FD-4E9A86E06470}\ProxyStubClsid32	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4BCDF52-2179-4C77-8C5F-B8095712B563}\NumMethods	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD84E356-3D21-44C8-83DD-6BEEC22FA427}\ProxyStubClsid32\ = "{6EF610EC-1F5B-474C-B1C4-A78E59E550E9}"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19F4616B-B7DD-4B3F-8084-C81C5C77AAA4}\ProxyStubClsid32	BraveUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.Update3WebSvc	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EF610EC-1F5B-474C-B1C4-A78E59E550E9}	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A147722A-5568-4B84-B401-86D744470CBF}\ProxyStubClsid32\ = "{6EF610EC-1F5B-474C-B1C4-A78E59E550E9}"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}\ = "IProcessLauncher"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35A4470F-5EEC-4715-A2DC-6AA9F8E21183}\NumMethods	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{660130E8-74E4-4821-A6FD-4E9A86E06470}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.CredentialDialogMachine.1.0\ = "BraveUpdate CredentialDialog"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\NumMethods\ = "24"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6836CFF-5949-44BC-B6BE-9C8C48DD8D97}\NumMethods\ = "24"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24D704AD-AC42-49F2-BB4F-68BA77C98E91}\NumMethods	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66CE3D6C-0B35-4F78-AC77-39728A75CB75}\ProgID\ = "BraveSoftwareUpdate.Update3WebMachineFallback.1.0"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.Update3COMClassService.1.0\CLSID\ = "{08F15E98-0442-45D3-82F1-F67495CC51EB}"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7CB305B1-4D45-4668-AD91-677F87BED305}\ProxyStubClsid32\ = "{6EF610EC-1F5B-474C-B1C4-A78E59E550E9}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{660130E8-74E4-4821-A6FD-4E9A86E06470}	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7D7525F-5DF4-4C9D-8781-C02F39F973E6}	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A24060E-533F-4962-9E15-34BD82555FA7}\ProxyStubClsid32\ = "{6EF610EC-1F5B-474C-B1C4-A78E59E550E9}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C663DEBB-F082-4971-9F6E-35DE45C96F4E}\ = "IPackage"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24D704AD-AC42-49F2-BB4F-68BA77C98E91}\NumMethods	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91B050A9-5A49-4249-A8C8-B4390961A912}	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48B5E6B2-9383-4B1E-AAE7-720C4779ABA6}\NumMethods	BraveUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7D7525F-5DF4-4C9D-8781-C02F39F973E6}\ProgID	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.Update3WebSvc\CurVer\ = "BraveSoftwareUpdate.Update3WebSvc.1.0"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.CoreClass\CLSID\ = "{3AD2D487-D166-4160-8E36-1AE505233A55}"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A24060E-533F-4962-9E15-34BD82555FA7}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35A4470F-5EEC-4715-A2DC-6AA9F8E21183}\ProxyStubClsid32	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8504FB26-FC3E-4C1C-9C94-46EC93E6BA63}	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28C83F57-E4C0-4B54-B187-585C51EE8F9C}\VersionIndependentProgID	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7D7525F-5DF4-4C9D-8781-C02F39F973E6}\VersionIndependentProgID	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EFF9CA12-4CD3-474B-B881-CDE1D92F1996}\ProxyStubClsid32\ = "{6EF610EC-1F5B-474C-B1C4-A78E59E550E9}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A24060E-533F-4962-9E15-34BD82555FA7}\ProxyStubClsid32\ = "{6EF610EC-1F5B-474C-B1C4-A78E59E550E9}"	BraveUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F234546B-DACD-4374-97CF-7BADFAB76766}\NumMethods\ = "10"	BraveUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13B35483-DF37-4603-97F8-9504E48B49BF}\ProgID	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19F4616B-B7DD-4B3F-8084-C81C5C77AAA4}\NumMethods\ = "11"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EFF9CA12-4CD3-474B-B881-CDE1D92F1996}\NumMethods\ = "23"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91B050A9-5A49-4249-A8C8-B4390961A912}\NumMethods\ = "4"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EFF9CA12-4CD3-474B-B881-CDE1D92F1996}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4940	BraveUpdate.exe
4940	BraveUpdate.exe
4940	BraveUpdate.exe
4940	BraveUpdate.exe
4940	BraveUpdate.exe
4940	BraveUpdate.exe
4940	BraveUpdate.exe
4940	BraveUpdate.exe
4940	BraveUpdate.exe
4940	BraveUpdate.exe
4940	BraveUpdate.exe
4940	BraveUpdate.exe
4940	BraveUpdate.exe
4940	BraveUpdate.exe
4940	BraveUpdate.exe
4940	BraveUpdate.exe
4940	BraveUpdate.exe
4940	BraveUpdate.exe
4940	BraveUpdate.exe
4940	BraveUpdate.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4940	BraveUpdate.exe
Token: SeDebugPrivilege	4940	BraveUpdate.exe
Token: SeDebugPrivilege	4940	BraveUpdate.exe
Token: SeDebugPrivilege	4940	BraveUpdate.exe
Token: SeDebugPrivilege	4940	BraveUpdate.exe
Token: SeDebugPrivilege	4940	BraveUpdate.exe
Token: SeDebugPrivilege	4940	BraveUpdate.exe
Token: SeDebugPrivilege	4940	BraveUpdate.exe
Token: SeDebugPrivilege	4940	BraveUpdate.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 2372	4088	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe	82
PID 4088 wrote to memory of 2372	4088	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe	82
PID 4088 wrote to memory of 2372	4088	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe	82
PID 2372 wrote to memory of 4940	2372	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe	83
PID 2372 wrote to memory of 4940	2372	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe	83
PID 2372 wrote to memory of 4940	2372	12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe	83
PID 4940 wrote to memory of 448	4940	BraveUpdate.exe	84
PID 4940 wrote to memory of 448	4940	BraveUpdate.exe	84
PID 4940 wrote to memory of 448	4940	BraveUpdate.exe	84
PID 4940 wrote to memory of 2240	4940	BraveUpdate.exe	85
PID 4940 wrote to memory of 2240	4940	BraveUpdate.exe	85
PID 4940 wrote to memory of 2240	4940	BraveUpdate.exe	85
PID 2240 wrote to memory of 3028	2240	BraveUpdate.exe	86
PID 2240 wrote to memory of 3028	2240	BraveUpdate.exe	86
PID 2240 wrote to memory of 3664	2240	BraveUpdate.exe	87
PID 2240 wrote to memory of 3664	2240	BraveUpdate.exe	87
PID 2240 wrote to memory of 3520	2240	BraveUpdate.exe	88
PID 2240 wrote to memory of 3520	2240	BraveUpdate.exe	88
PID 4940 wrote to memory of 2248	4940	BraveUpdate.exe	89
PID 4940 wrote to memory of 2248	4940	BraveUpdate.exe	89
PID 4940 wrote to memory of 2248	4940	BraveUpdate.exe	89
PID 4940 wrote to memory of 1156	4940	BraveUpdate.exe	90
PID 4940 wrote to memory of 1156	4940	BraveUpdate.exe	90
PID 4940 wrote to memory of 1156	4940	BraveUpdate.exe	90
PID 1156 wrote to memory of 3376	1156	svchost.com	91
PID 1156 wrote to memory of 3376	1156	svchost.com	91
PID 1156 wrote to memory of 3376	1156	svchost.com	91
PID 4940 wrote to memory of 3004	4940	BraveUpdate.exe	101
PID 4940 wrote to memory of 3004	4940	BraveUpdate.exe	101
PID 4940 wrote to memory of 3004	4940	BraveUpdate.exe	101
PID 3004 wrote to memory of 2352	3004	BraveUpdate.exe	102
PID 3004 wrote to memory of 2352	3004	BraveUpdate.exe	102
PID 3004 wrote to memory of 2352	3004	BraveUpdate.exe	102
PID 2352 wrote to memory of 1684	2352	svchost.com	103
PID 2352 wrote to memory of 1684	2352	svchost.com	103
PID 2352 wrote to memory of 1684	2352	svchost.com	103
PID 4940 wrote to memory of 1776	4940	BraveUpdate.exe	104
PID 4940 wrote to memory of 1776	4940	BraveUpdate.exe	104
PID 4940 wrote to memory of 1776	4940	BraveUpdate.exe	104

C:\Users\Admin\AppData\Local\Temp\12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
"C:\Users\Admin\AppData\Local\Temp\12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Users\Admin\AppData\Local\Temp\3582-490\12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\BraveUpdate.exe
    "C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\BraveUpdate.exe" /installsource taggedmi /install "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=release&installdataindex=default&referral=none"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Indicator Removal: Clear Persistence
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
      "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:448
  - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
      "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3028
    - - C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3664
    - - C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3520
  - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
      "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNjEuMTUxIiBzaGVsbF92ZXJzaW9uPSIxLjMuMzYxLjE1MSIgaXNtYWNoaW5lPSIxIiBzZXNzaW9uaWQ9Ins1QTVFNkM3MC0zNTZGLTRFQUQtODQ3Qi1GMjU5NzdFQTFFMjd9IiBpbnN0YWxsc291cmNlPSJ0YWdnZWRtaSIgdGVzdHNvdXJjZT0iYXV0byIgcmVxdWVzdGlkPSJ7MEZCODY4RTktQ0MyMy00OEZDLTgxRUYtMzM3Q0I5OUY2M0NGfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSI4IiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9IntCMTMxQzkzNS05QkU2LTQxREEtOTU5OS0xRjc3NkJFQjgwMTl9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMzYxLjE1MSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSI3ODEiLz48L2FwcD48L3JlcXVlc3Q-
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2248
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\PROGRA~2\BRAVES~1\Update\BRAVEU~1.EXE" /handoff "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=release&installdataindex=default&referral=none" /installsource taggedmi /sessionid "{5A5E6C70-356F-4EAD-847B-F25977EA1E27}"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\PROGRA~2\BRAVES~1\Update\BRAVEU~1.EXE
        
        C:\PROGRA~2\BRAVES~1\Update\BRAVEU~1.EXE /handoff appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=release&installdataindex=default&referral=none /installsource taggedmi /sessionid {5A5E6C70-356F-4EAD-847B-F25977EA1E27}
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3376
  - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
      "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /unregserver
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BRAVEU~1.EXE" /unregserver
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2352
      - C:\Users\Admin\AppData\Local\Temp\3582-490\BRAVEU~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BRAVEU~1.EXE /unregserver
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1684
  - - C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\BraveUpdate.exe
      "C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\BraveUpdate.exe" /unregsvc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
58f9bc16408d4db56519691315bb8a75

SHA1
ac94543044371e3ea49918eb0f114a29ab303004

SHA256
5562973f2b3aa9d0c6184143360f7861b4129605f5e63b896ad815f381e6475b

SHA512
e1884456f86bb7cf7d268942f6fc1bacaa550eac31aaf186d9e95c15bdc41d05638cfdea1762c92681225af72008d251b101e8f291e3a74f382832336b82d39d

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\BraveCrashHandler.exe

Filesize
270KB

MD5
e9048bbaaa22ef93f5935e5b1c464c44

SHA1
77b2707a2666dd0d3cf6625093138118dd548fec

SHA256
e7599ed810d971fb1884ecf9f6e7f23fb2bc1c8b99d6601ea8ea3bb71f92319d

SHA512
1081b2b521e20dbec02a77357141d7b3efd261eeb20fd4ab56814f8850919798d2c54cfd30dcf6d8e3c228301395ddf1ef7d4898ed52e07f1c17c177d893d18b

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\BraveCrashHandler64.exe

Filesize
355KB

MD5
751e4353a13eb7a38c215d0f72a75382

SHA1
7b4032ca1f9d4c990068a8da60f73c59d315a3cd

SHA256
c3b1498018931c14f7fca23220cf067198c51d0603ed700c7f16de28e977d836

SHA512
670f39b3282ab1758dccd90768f3d3682daecef487c9262a5c800e2f70c066a851720a5c6338f896fb32b14068a369f7ed992078c5e54178ed5af931a4df4369

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\BraveCrashHandlerArm64.exe

Filesize
353KB

MD5
936b5c899adda5e7e76cecd70fb7eb00

SHA1
e9af34cfb40b0f5ee73810fd54f1d50ea9a71195

SHA256
1e0a47ebff3339a8f18fd361495d7dc092e58b3b6ab9ad0fad8f0b984eb715bf

SHA512
d41ff607087fab2ee5fd704a5b72c1277770d26198f343fc9b4a413830eb3e90ffcae3d993d4e396c3dc25926c77a509aa0576a145acf774ff5ec956f575bf8f

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\BraveUpdate.exe

Filesize
163KB

MD5
d26a18fe90c92bc8e5b4070ec13b95b3

SHA1
f62b78aa7b9fee7e91696da66581d037becde215

SHA256
2f3a2cd5c0fd0ab8e0d8877469eab4500b827fdc5bf350a33afc54f4a7e0fc3f

SHA512
b9170e1e496b32764921d00b1bf8812c073c85c5fd50817310b1d9edc63f8deefa6f7cab3c8e9cd8d5af765a5f7eda85f37e623fcff7de6df87be4d31e5c6b85

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\BraveUpdateComRegisterShell64.exe

Filesize
170KB

MD5
3b0731fc221d3565ccfe63ad6f4ca883

SHA1
582a34535e43af72b4a7a0e69a60093aebec8e99

SHA256
9ba9afef99ce54eb313cffe59bcc6ee59537a7fa2063ca7a9dd9df76c08430d1

SHA512
274c8b3d8bf2ad25394ca51f4b28d4d9da13685935d77d6dfd4b05d778d19965f10f3f9ecd3c8ffb71f58f64ff924a1b2dd49fac5d7911d8b613c791ca447f54

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\BraveUpdateComRegisterShellArm64.exe

Filesize
154KB

MD5
bccb30ce593b7736b33e5782ff455ed6

SHA1
bd2d5693a6051baeb9ddb3adcfef454804afe6ac

SHA256
e3b2901131fb687ea4cdea66df44373d75795552b7165b117962b5d6a91ecd2a

SHA512
ef7e23734b5398332213c977efe878d40f40cb3043f3978ff6a5dd90f40304139db3567c081e4d164f9d279dbc6a54e708c618c3fda3654a63188dbd9251e26c

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\BraveUpdateCore.exe

Filesize
195KB

MD5
47267b74774aa63506bf030127e199f3

SHA1
49bf6724b410a511dcdbb71a2a6e8989b54cd2e3

SHA256
5609d50bc29b16ae9e2a34f53feb2862be23e3c88e3db6866b3bb73a97233ac7

SHA512
9794fef54cbf3f50a51ff86825dfc0591baabc9f2da00fe23e31e441f5ccf3be6873988b204d7f19a64aada211aaf502de36640817ebebdd09bbf09715bd4abe

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdate.dll

Filesize
1.0MB

MD5
163ba62a364d0b68b7b0b6c923830a6a

SHA1
d345656b3c2fc89979914ea5797f1c3e5e07c4fd

SHA256
ed31cdec8f20cb4d5d03a5ff738a7df0bb34c7b41ff901b5379ff256409a1c69

SHA512
d448d7db667b557b7a426c84e3116a257a3df33804d5b7d4da62ee0ca4441a3f9d06561e7c24eb401ab6cd5b83755a1892fa80a19764a321e82b0b1d14cd8b8f

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_am.dll

Filesize
42KB

MD5
a465ef2e55b76b36cf7b96c36c5ef697

SHA1
76a20e4ed2e94341dda3b9fa44c0ca794d732e9a

SHA256
de6e250f4924bc782174b425256375a245cefa47c10acd1d5dc8fbe54fc2bf9e

SHA512
68bf7ca7b7c8d70cfd7da60b5bfcae5667a57fb68a3b57d4237eb18084403b948d27cac5f7f7adcdf628f456fb564bb58ea56c4a8e9b675b782d7377560c1e04

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_ar.dll

Filesize
41KB

MD5
ff2123180a661545d93757c3b6df7f00

SHA1
caa2e3314ac61e96cbde56add8e706a7c65afd83

SHA256
2202beca38866f5dc1d1ce6507b7ee85057b4c47ee74fe0bc162352d00a19c4b

SHA512
ae75f6c2ddefb00f62895c36a9864ec06d97538b4393a25cf2ad58227f4e6e22135787f3f08e80272d6c94ddc6a7ec0c696b96b36666570affea7bdd97f78e30

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_bg.dll

Filesize
44KB

MD5
e2b7125e7e32bf95751b7fa678da3a82

SHA1
1e5f42fb4ce19049ff6f37c6716ec1cb2b4ed6cf

SHA256
9667f9e2715228a676037b03ab5da99fe7a3c708046565a87fc3ef34335de01b

SHA512
d103ba4b5c05ffb7bd9397fd06392be7d08f771d31b724f624e7bf5a159025f85affa5da69fc45982fc73c938070aa5b9bb80019cb09b218a3df86abe364f861

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_bn.dll

Filesize
44KB

MD5
8b7e41b644e7a8366ca600941e89bb87

SHA1
1446317675c0238455114db648e9e29eeed0d933

SHA256
7feef64d16d17ce286fa9da8b888b901659edc567c537066833b52c01ea2e5ff

SHA512
270ce1d8f268abf0f016caa3adf7d6b08df747f3f2997e01f49f56f0002b5df609b17350c07901beeccb91a551b6fad0286784590bf47ce4031da442d350d3d1

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_ca.dll

Filesize
44KB

MD5
08fdb4f4e04cef85d8c983ffd1b4c9a2

SHA1
691e48eb212b2e51d24a6bf4372c7499340181c0

SHA256
a34d942327e912a8309ac8a8588b4c0be521ee5aad6447935b4adbd50c3f3494

SHA512
bfadc358182e49e7968ec1c3248d946e5caf8886a6da60618c298330ed6f68763dc4a9654e55d8dfb2de2231a69870ee46be562ae9033b8c793ada547e22a63b

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_cs.dll

Filesize
43KB

MD5
81d429a02dfe855800afa9e4c23d3003

SHA1
4255b3894b20ed0b3e77b387259d2a59b5987139

SHA256
173f1ff3751f2ae33012f97517fc031e55e6cb97440dc7548f34b644740561cf

SHA512
5f4877021c8fe64b088bf7b7fcc7347114c71cadd922c504dc174854ea0bc9bbe7ddbb8a7ce2de1840bef6155028fe08918d69cc3f13afc9d9c2dfa38ff9d1ee

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_da.dll

Filesize
43KB

MD5
7ca76cc89ea33f1308d01cb6c22a09cc

SHA1
d0241e869059efcce0f4dd967e7e017acb08b737

SHA256
2477f108a2b558a4a7a9c822530b7b6e659767fbd22e49f7bce1161ca6387fd5

SHA512
4e95239d59e9565bf447503217ea11af44ad6898e724ded5aaae5dfe2fa392eae849cc24945f6fc61afc3099c6ed85ad575de818f58ff76d05ce7e22c71554b3

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_de.dll

Filesize
45KB

MD5
05b93c5377aec759b64563b0b85ace93

SHA1
d5dc85fa1b2959707800648baeef3a81c4a83dc4

SHA256
b6a5d10ae36f1f3da322fa0c3b7ee3951ce5bc4a6289f438616c0e3f49d8f28d

SHA512
bea73fce880c0a75924cf82bf5de571a75416cc87157f52090de7d7077f9233fe8e784eec70317852098e9857f8b8208a4f11f4f879ef5611f0c2873f83efc21

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_el.dll

Filesize
44KB

MD5
c1ea2301ebb46eb395a0441716622274

SHA1
64566c33cb6b395311a0f8afdb067df37dd90038

SHA256
f66d376bd3e7bae114f5760270715277b374cf96c1940a32386ef44e46633189

SHA512
6600da579b45041af8849f14dc9756b9ef7bca1b13804f882200a85b55f0d6620ebd42dbf42d27614a29f1134c58fb755a332538a919553ada6e8d0159a3cf14

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_en-GB.dll

Filesize
42KB

MD5
40153e13e5d79891a5e7006f1757d84d

SHA1
9f5a78e7718387c73d209e5979dae81428268f4a

SHA256
ba49df758479b3b1f2a0d7dfa1a3ee3c81b9fd2bf4e699c522424a61c50b4e3d

SHA512
db42221413a4383fedf8628fd8196c6587ea414b598833e90bbf9c2972241750bc5949cb895f5832b4f6424006d89af68641904056216052b6de162d6984bca2

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_en.dll

Filesize
42KB

MD5
075bbd657ad3321f2c9d800cdd4480dd

SHA1
3d4f6422dfcfdadab858e9eb234332bc98812f25

SHA256
3e9b3b76829de49f0b6ad605edf57f4246a529c6af77f086963593fdac990ff6

SHA512
c9f53c040fbf71d5e5cb8aaf61194027cd6be46d4e0bff97174c7afbe5737444d32e7c64e09dc50b81189f3a02fe7dae73a622509d33dc227bb03bcabc422e5f

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_es-419.dll

Filesize
43KB

MD5
67fd41cbfec08d4ad5cac8be261be6ca

SHA1
311fb62871dfeedff72bdae86cb450cb369646a1

SHA256
fd0f727aad9157c50d54bbe7635fac7b64e4b5c583f7ca6145e3b7c4d5fcf8df

SHA512
71f3925e8bc7f9229893400a88f9b9f998361e4890a7a1279af5e59f531d9520076e8fdae15691ffc5a6cbc1e8042be9588361156170252a37b49211daf6df27

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_es.dll

Filesize
45KB

MD5
973234362a0692cb992ba8d47e625f92

SHA1
ccb8cb6ba6d4e77ffc50b5b2b2edc80497d56048

SHA256
e6b5bf7cb741705ec49083ea14cddb58f8d2af473cc0faffb56a53d87b0b442b

SHA512
2b39029b8cc98e01ca9029ac3131a99cb3f2b05b3381fdce2a055ae1f42679c13e0bc6b1ee6e88bc2c84d09324c13cd34cc11a8a67f470e6df71d811e8c67409

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_et.dll

Filesize
42KB

MD5
8a6ee09685070064caca6896ad94fd8a

SHA1
38d255ca8cabda111f891e48245010a6609e96c2

SHA256
264705b4aeef89e4c101835e47e4671a2f412171e6fcedc65afc851b55778abd

SHA512
b7a7376537048b0e432290e00473bf83b27e7b05c83e7639904f0fdfbe27a1bafa980c78673118734c87e199080a95cdcd335e32dfab1acd3ddf2f38f6b44ccf

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_fa.dll

Filesize
42KB

MD5
13a30d00203baee2b1ca46c0873f3abd

SHA1
eb83817bd1a78f97266d8cdb30c9e2671eb1a016

SHA256
eb99db123f90ea1c02415439781d3d42a13890640f2128af9c293ba43af1967d

SHA512
67d639bee4822d7715f64db91357cfce19ed9f1e79d99152c5534186c01b3ebab1ec9d5c67543db2a6ea3d8a43d4d7bff7b500e43917100845bacb0439ef90b6

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_fi.dll

Filesize
43KB

MD5
7fd1cae9da9ccb4751bc7bf10dd148dd

SHA1
c73cecacc22b39f6574736c4c48973efcb26d7f4

SHA256
b4949a86bf9e99417b6a9fdd8d7dfe86309e899ca263526a578146ef2e681040

SHA512
691100079af03c4b0d241fddec7d7163e73a2e30303c92b753cf2d3b5c455564f40c78550c56db57a7494c841d78ee4bd0ebe0d33ed3d0d42c06695d685d1a35

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_fil.dll

Filesize
44KB

MD5
cd20a625d82bdfe58375a7588a57c3e2

SHA1
528ef7eff8ace21250aa4fa03edd0dd638f4433f

SHA256
538794a7d86c06559d5e5537b69f72735684fba47879d56a24cd9f620a479763

SHA512
143e5ca4f06d7d20dd0e74860b2aff67109d8b6e233fa47acd8586d0550487d6aa1c5ffd151800d2f65ca7c95a1211b8eb58378a806e1d9892205b93e85e312d

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_fr.dll

Filesize
44KB

MD5
e03b6d3c361f76978aa7495c15eeb6c8

SHA1
441f21c964dc96a276dd158a845fd403f536dbb5

SHA256
d00191cbce2bb62546680047a784aa42ec641d8b574e41d5f65c5baa3997deb2

SHA512
c98b60c9895158c165df52a30974e7d25d140ad494ef63cd37b72521e7f8392fcc75631d8db7039c29f242dbdcc59911bc0e10c7aa885ddce84f0888232867ac

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_gu.dll

Filesize
44KB

MD5
0d34194f7206427fc29f4c5b69e08b5b

SHA1
e24dfe788a4eb1a354811479e254a7d13300cd45

SHA256
b20d70d78a571afcb2f3846ac639fe46cd92f213c91cff3f34fc9f7681a68783

SHA512
b7d9400cca178c09b55d2913b900dd36701a619ee36e21b6b88c4f4a5dba0eaaf3a4544d8caba1c9c0df47c11b4b409cc2ffaa70e8ec41cf6b65ef952f0a0f51

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_hi.dll

Filesize
43KB

MD5
e7728982f396ba2201aea78a6d2fdceb

SHA1
75c1d736564b7e1875353a72ad699d3ba97e3b1e

SHA256
6d2aa3e43ecdb9a4efebfe4c31e86dbc5552128a196d35511c8f7182ec68365a

SHA512
bc51bed5c4b23d9e51ff731a485b959f7ef7b086e1911e93121aa2fdc4bc1d2bd54794c205ff0edf33dd11e5d8018b210bae93d7de194dca743763368a7a5dcf

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_hr.dll

Filesize
43KB

MD5
912f906411e98ecb011df7af71d6621f

SHA1
91233e2c93c8fccec86e92eca9bef36b5a90acd8

SHA256
da93ced813a5ded52550d089d4e7277c4ea322686387a17dc02e4b88672f75c5

SHA512
379a9aaa805d5a279a3e1040633524cb1392ebdec1b69f95c5cc6773a8ed31b44efc22aceec27145ffa1e0c7d63acb1c516ca806af1df04d6cf80fd9c6e4a38b

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_hu.dll

Filesize
43KB

MD5
8fcc5782ba8b4893286392ab8d5aa0d5

SHA1
58ae40b0d7f94af6360d4f620645b7c9977a9674

SHA256
a2ae9e89d846984e7a5787995eb58b7a2c0fe472216af5419041699cf0fbcaec

SHA512
f17236b6631463cd4e47098f7532d7dc0d8a09841020a5b7990ed3f6a6a093568cdf3b65be82e5399b560df402504d29df914bd0419432c2bd16f926775a69d9

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_id.dll

Filesize
42KB

MD5
e21ff4b4cb2d1c3309926b44a29c4771

SHA1
48d1bcde5169a1354aa25fa89e0018f7b294bed6

SHA256
fa01b281a1f2414ffb0b927bc35fa25db3294c69c72ce8cff49061a13815d7a5

SHA512
17096f8879d5f3e8aeeaad6766eceb285fec2eb550d63323b3c85fbee90b8229e3faf772a7324dd25f368aeefca8a92b82bb26e25b0037b42af6ac79a881c9d3

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_is.dll

Filesize
42KB

MD5
e77483714965f728e58bac49b9af9dfe

SHA1
770596f69c5615d28c9a309133d90d98d385d08a

SHA256
84744ce50e353aee5319f1f896580a6c9643ed0e1965dda4b99d36b668f3310e

SHA512
6fa9431e231ff79245c0b09a2b44f5a6d7090722d6b9feb606d12b83546ef362dd5cdb865f53f1f240d69b5fb9f8d5ec90e255a7172e780b66e180e2f4cb25be

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_it.dll

Filesize
44KB

MD5
28cdb7cd5912dae0442981157a18baf8

SHA1
9ef3b44eebfefce68c8b2e6714483a9e3c439699

SHA256
e73555ba7d7db1c2399a44d30fa2b653620b8608f903f26007069c95ecdb62e6

SHA512
29506ccda3d316d9c416376b725ad680ea89c8af0cff5d4e971ee49294886ac5c29ff50987cc9082938b44409cfc369fec13536619aefa714d638f4798c04bab

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_iw.dll

Filesize
40KB

MD5
4d50323ff5d3376374d257adb25cf62c

SHA1
20f2a997628c1c3d3274d42b8748f1122fbfbf12

SHA256
687d4304acc4b2736be194b6fa91145d742dc96f61362810599328598bf1a1da

SHA512
d89f96f9cefeb6e382dd8281105d709caec7ca33d28d700ed68fdc8154dab0f885ddd2cb6371e3ed597857b51683db985769abc4afb9a872a91066b3f41fe729

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_ja.dll

Filesize
39KB

MD5
7153e27fef838aa838b16aece382c144

SHA1
256727f196ed2318000fa9256900e7d82414a2cb

SHA256
0c4aecdf38a1d9c7e6eb575bfa8edc543e99dad45886c89ebde7eed2ba440029

SHA512
1bb9eb6e258d56b62c4a5794da998926f01c9872a846c5821927108938dd61378f70d77fb995972b59d251e996f95a3c3ca64614be7b50ec2b95515d6b666cfc

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_kn.dll

Filesize
44KB

MD5
784a9c7be13e16eb9a7986ad278595e1

SHA1
1d3eafa09d794a65a2db288266675cf4d5338774

SHA256
36a412c311af667c4eef4b79d395eae2f64b4968b79c6b34f372c91013538503

SHA512
b68e24070da7191b16c552b869e3998dd38a296b849487606bbab7b9c8efa5f4d1f65e8b41af2c8256a2d51305afbac16e21cd03d0f8786d1a954cfd5f10c82d

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_ko.dll

Filesize
39KB

MD5
8534f81d8a8499b804fdc6cf6b90c39a

SHA1
6705972b30f9bcfd488ff8dbc6e44ce5dcb4eba7

SHA256
e9fa3505a979a90139db5a5f7d6f15e03934c49f265da1ac1553925d880e7fdf

SHA512
b2919cc0f9238dcc7b92382fe6afec937dfa9680dbfd07e08f0a1d3fabae926a50557a99094bfe2e9bdd9d1c7eeba70eb8124d386fd47ff64b56a8a3397c027d

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_lt.dll

Filesize
42KB

MD5
d58f6ef7666231386aa308fce30640f2

SHA1
39622e6fcb6bc01541313ae07fe12c1224eb82e5

SHA256
60faf26b34de062b0b1721905c8e5fa97fa979d176a8219d1d792caf845d6990

SHA512
cb0caa55286e024f18963f3aa43e68dedf4c804da26c26952c2e5431836dd8423571d5eaa3086aee5e62d507a19f4ca69478e9afd9ce54bcdb22f3c89430c9d1

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_lv.dll

Filesize
43KB

MD5
8585c18804931057bad07cfba34a2339

SHA1
1ec66ed50a6890404c44090bb08472ce88150226

SHA256
ffe25598a8805884d2090c867816f4afa1c1ceda5b08241f07d55440eacb09bf

SHA512
3a67a89227ed6ce83d1facc8e5e33e72a9c87ebe115d27b80acd1685875d8e23c1c8a395941f93bb7b63746858171c8b20be7121f89371de225773454a561b2b

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_ml.dll

Filesize
46KB

MD5
bf2a0a3e1a44faf3b319cacb8b158aaa

SHA1
d592b1b2d94e3b0c5bef790feeaa72c634598be6

SHA256
a439db3478eb7584d6b889d63fe7c2d84fb5ee9f7e2b3b27779bda3ec8ec272b

SHA512
4485c24ed8fe8edd0e05340f683bb8cde79d266e4fd8e895cfc962859008dfd2ad893c4f651fca9f058d3c26c19f0cd049d0abec5648cc30baedafea302387d4

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_mr.dll

Filesize
44KB

MD5
073301c1d7090bb2c98cc901330bda47

SHA1
0b9c4e058acd04bc027cbaa11c8bda851b4b6eb3

SHA256
04a879b0cce0ce23b00c60489b816bdb39ab5b354a9567a51e3169c06181498c

SHA512
2b75167235f128d5f9e8b2faaa6c01725ab5e8f1296b2d44bdef48a1a7be5f59b6785433a706c4b1fe4026c92955536cf0bada0e74d80c9f6de1894e4c127e0c

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_ms.dll

Filesize
42KB

MD5
a4ad859ac1f15c53ef83d6ec7ad197d7

SHA1
ab06c6e924918b2d7e323b68163622dde75fd3ad

SHA256
0f8effcdf7e364cdc364b0e68885f276ef1d2a8c46674b4d2c38cc42765917b2

SHA512
b44d13d86b03e0344222af60612a9590cf8e7374d61a76a6ade59e30d014efef791a4f8e1f1f01aed41632de3c0d7bfb00db6adb6ec823535fb2660c6639f06b

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_nl.dll

Filesize
44KB

MD5
593153a5ad54ce6d412958ac153d17db

SHA1
063cbf5aa9fd3588800101b650ed035a9b2d5929

SHA256
c79e0fde6eb414432582d223053ec662e174ccc0b67f962e8af38cfccba791ad

SHA512
930a7fb1df0a20a4fe194c060d395148ba325d8f05eabd0b33e8ad0104c63a182c08d12884f5225494a08d7eed52260a14e29d3d413d9366338435b05f706d84

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_no.dll

Filesize
43KB

MD5
820cccdcb4d2905ea552a7ac99607dd5

SHA1
8f4087ee2333b1a8a4b10e0a16eb4b494b30b24b

SHA256
ec7e7837c34a40f1d6e9022f82e112f44d4c1e793e64af47ec358b89174cbcc3

SHA512
8e41129f34c76fd45fd9cb2b48a9c1b7fced0d6d52bc3035444c8c5a48ba22cc5fcd9bdabe0175e3f0494460386e289df1ff950a855870905676c2e704e80ca1

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_pl.dll

Filesize
43KB

MD5
6cdb7d1b81cd67154a5455b8bb80ffc1

SHA1
a3f7e28619b46acd659b332f8f1022377df78c2f

SHA256
11b5837857504470826d69b7d03603d51f426096fcc5bd8382e6c5ec8370de58

SHA512
e0ad7a439a37c4e07e0bc50dcc6f8984525cf12a14fbd407a1b7b7d7b2bdbcba61a10c048587965cc463dcd72129426e02e215518b1e4841efe224a844b2e172

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_pt-BR.dll

Filesize
43KB

MD5
540ee5bbcf70fbc322509d8f05d7f6e8

SHA1
c3ce28b022ca219e379663bc6f6c05cd54417843

SHA256
6d3360cbf77b7b2055c36552b75513009e61d688735b7259d524808abc462f61

SHA512
711158bdc2191afc6930eb92e6eca0bef5306916f81fe9aa1d94582565e3b7faf9eb683332077d9e08c56bbfff62bac90901e936a41f63eedcd9d5d96476b877

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_pt-PT.dll

Filesize
43KB

MD5
ea2c8bdcb8f233e3c32de04658cbe45b

SHA1
8472badd11fb5f801d46b463e7c84fba4863a44b

SHA256
a63f24f984184f97d1a5b76cc91da17d2c725e5275345a70632b8d4605187a46

SHA512
12d28f171a9c3a5d7884f4aa85ba61970dfc8705ef2b14ce4fa0bf2fc65d003dde0228a3ccf42790a11df637be9d9504cc0389dfbc1a549a3f4cfbfa535c8f4c

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_ro.dll

Filesize
43KB

MD5
77c1edccf5574968af84b9828ab98513

SHA1
5e42e6d2aad10e6e4502f1de2f7e7f3d893a8029

SHA256
ac486e9754f8f9b69c70525e4650de065f889b876d1014e15cddd42bcfc869e7

SHA512
ab26d221235b332306ec7f92c98cde37f90ff535a3281852e360951f4983bca7bdd69bdc6aa19d5e6785dfcf2179a7cbb9570e477d1bdf8ee5d4fd236b746624

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_ru.dll

Filesize
42KB

MD5
592c2066cbd1bfe9cf24c7f7dcd24be4

SHA1
774fef8166b380a52de915039ebc3150d81467e0

SHA256
a75aa5ed3496f1cbd0985c66674d0957af40e69923cf83b7daebbf44edc06f20

SHA512
3850c9f36360bee82e372de5c3da51d8f4e8bb2d1eb05071074ccad2ead68e6d74e853a3e4d76cc471b83d40442eb1659d6e7e42c15e3da8fd464765bbbbe352

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_sk.dll

Filesize
43KB

MD5
9e678f2dbcf7d285df1b5dfeade1ac82

SHA1
f4d2630ec79d23a52aad5b9aab5d4db4557f590a

SHA256
c1400c9c8dcff0aa3cca66bf39e1a2d602d293ab136d1ae10c7ffcaec7f512da

SHA512
1d2a99fe1ba5889aee419120fcd0aff43bbee36199b5dd7d2508614339ac2ac199aaade87b3dc2149102ef58c481faa80bcdb0bb7d3db3052462601696722206

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_sl.dll

Filesize
43KB

MD5
532a59cd9370e3de3e10d5c2b859c068

SHA1
8f1139c981b345182278deb4d60e07628eea6906

SHA256
14176719d676a1afe49ada3e9a9f3818956710254a8583fa354f92c839d1d111

SHA512
6c48066dc34eea19347ca6fe1f0d1474b63ecbc0ba2d974c0b3dfc472b6d1e6dfa687bd9040c5b810bc026e9993f3a106d7c049ba4d54283f2722288958556b7

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_sr.dll

Filesize
43KB

MD5
c547966a1aa4bd3435f360e745f4d59d

SHA1
4b2b1e7ea00f3ff398daf42935f6ec7f68a45fa9

SHA256
26910a3efe8a63e8ca0deac77106683356567384b599bfa9aed21d8cc43e9e14

SHA512
47628545f46bb595d214a5d0521760ffac059abb10f8e224f631c7307f6c27f1de2bd17bd1acbcf80b28e3d97a20203ab5ca8996dc86a038cf90fdf5d14db000

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_sv.dll

Filesize
43KB

MD5
c03cc8e6adcdba4fc527469b58d08c07

SHA1
267f35b165ec85effc91a1be623c91816386be02

SHA256
9cbb96395899980ccffed9044a65a3c6c1cf5142dc969b68f74ca4da11395845

SHA512
95079c47af4c00e66565dfb11bf1a87b5c494d9144ebbafb85597de216fb77eba1c77c8771705b2fb20955b0bc74ee040c13a41ccdc17d428aa265e5caa344db

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_sw.dll

Filesize
44KB

MD5
f05cd54a68248bcf104f371608326894

SHA1
f6af20fcfd6ed7ca3aa1bd5cc6250790470701cf

SHA256
02fc308d918970a7cd5e56dc1409ac5b895c59952afef702388cc60f401756c7

SHA512
070f8c0247a3b35266c3685eed1389d9709c756c76728831f65b7a28f3cff4fa19c19568c1199b99a4aa97566576b0479f7e29beb8acf47d5345461e162803cb

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_ta.dll

Filesize
45KB

MD5
83c1981f4f6cd2ac07ca769294adc523

SHA1
50a562d4f392d1c497ca93195bb5d2f8e1489424

SHA256
c95519b8b708a5e72f4ad95ac6268a7b01618a22da50666e1c5f2f230ad40202

SHA512
0c0f566be42b1a5dcd4b22d37ac83cf737fd1690938f40847ea9d65f3f90ca51c2cd68394432d3df77dabdd785a490f08c42ef2fc4b1c9071f2cbb6b229db8d8

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_te.dll

Filesize
44KB

MD5
90be6223d958d763c5145a0138b364ac

SHA1
780d8f5dfde065e4dd62fe0d6d815063b3a0f17c

SHA256
a37236ebfefeb21fdd87ad581a23528ae54c3fbe7219551c41dbf583d4120370

SHA512
cc343ffc672aa85396333b52e03e59e4cf86452888a950ad7a793ef121ddbea1c2eb9fe8d5e6fad2396a66c6f0988630a619155771390b2b17ef133b110baf10

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_th.dll

Filesize
42KB

MD5
08c22bf48c4568a0be4d5b8f7ece86cb

SHA1
74661a7ed02271f3223065948e068cfceb81737c

SHA256
1c6400ca199a4f3ecbc3a4e9154d01f97989c6d94d1ec26743fa7d96826d5a51

SHA512
bea53b1b864a9bac8a3dd3573ce073c2081895663d1dc6805740ea68d10c0c6483649ecbcb8d6b6180cb50d337d998d7ccf3d6ae8d74758d7bd2734dc1a7f3c7

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_tr.dll

Filesize
43KB

MD5
5092e2d4c98d24e67cdb5bd068eeb651

SHA1
b5d013404c9944248ca2456f726921b0754632bf

SHA256
2f8e0799ed71556a2595252895a5c63de52a2da45a30aaef4cfad5e25eaf6c3e

SHA512
6c226ee8c6305a9210e147563eb5389a0ce396c946d119aed0f804cdd8f18fc63339790dc02862fcc8f8d36225c13d46bdfd46145eabf82644f975679374079d

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_uk.dll

Filesize
43KB

MD5
f2812d6a161dc6ded6d925b63f62484c

SHA1
5cf16ac795163d68f6ce27ddfcd80e938af099a8

SHA256
18484017926565411e3b11906f4a0746f7867f735d17c214f8d7e7848f2c6460

SHA512
886c039990f1038fb3d817ed42a02bc3b794f6068be8e7ed34b6995135f6c46832e3c1cd62f6d1e16e00946deaf7e1dd70beb9ec5f67fe0126574a5edec564fb

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM925E.tmp\goopdateres_ur.dll

Filesize
42KB

MD5
2b09375874a853f6458eda94eeff6a28

SHA1
2b72690785af13753ddaaba1665f3dc82fa9c076

SHA256
a4b6cb00a355dccf9a581e291c8ee7325c68841781aac5db4e1b47eef026523c

SHA512
5efb3a759abb445e9980588edda448c4e5924a08237a2eb46edc665955d32f8d66d030702aff6dcb8eb2f4df4d0aaeb9248ef20c8ff81e5ff0b5a34a0d97ae94

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\12d4e66a4298c003bd266b22c1e6a3878972ca678fd0ef404e1a1b115d6c7030N.exe

Filesize
1.2MB

MD5
967fd7996f7cc6298fd200513117e34d

SHA1
b1e0c08185c59ee33f8654743a671bfdf54a18fe

SHA256
fd32aa63bb8293b9a1067fdb03afc574e64cda11fcd2e36a53b1fc9a64263d5a

SHA512
1da767fc1e0805b76c9e11f8dcf5adb9a51aea3562579b8d515cbfb512d292f4f1cd03c0f61e60b9efa22326233de1bf2b8619a2aa2837cf89c03293b58fa205

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
5ca9abc04f9f95810f2fcae1ccbaaa38

SHA1
58b282bda6e107c73a305e65cd6521fe6e5fffcd

SHA256
1a01cdfcda8f3d28e2e98f0af16705780b021c99d7b2734c409847b8d187d061

SHA512
a41aaf17870a85d916c9d16c51336d39ff5f1733116e44b554fcb4fdb28987ba3911f4b401056dc634ed669df88bc5af3869a261204d02a58811d7d9e1a394a6

Download Submit
memory/1156-467-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1156-470-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1156-472-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1156-474-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1156-465-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2352-491-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3004-485-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4088-475-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4088-471-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4088-468-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4088-466-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4088-464-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download