Analysis
max time kernel: 142s
max time network: 152s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04-02-2023 05:39
Static task: static1
Behavioral task: behavioral1
Sample: BraveBrowserSetup-KMP840.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: BraveBrowserSetup-KMP840.exe
Resource: win10v2004-20221111-en
General
Target: BraveBrowserSetup-KMP840.exe
Size: 1.3MB
MD5: 0cc96db68a2c8ac22f8b9c04643b9536
SHA1: 055181333fafc1e528b4bc21e763d2c86ddaa3cf
SHA256: ecc5104b96c45e5d6be078f582c42df0f6421d9f8e0e4e851764cc6f643c49e4
SHA512: 843ac0a944d7673cff95e9e9afe6c64a87084411d5eb050eadc19779b968b65c756081000c92a79a3fbad896e246b0f766e045abd8a267bcb2b433ff93f7c747
SSDEEP: 24576:7ahOAxa1I/3evD4ivg9otp2naFe53is7yscRG/BwPhZAsIrEDE3ePTZO8xMACQn7:2hOZC/eb4io+pSaFW3iuyhUwpZAzgDEI
Malware Config
Signatures
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 7 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\Version = "43,0,0,0" setup.exe
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components setup.exe
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B} setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\ = "Brave" setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\StubPath = "\"C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\109.1.47.186\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level" setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\Localized Name = "Brave" setup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\IsInstalled = "1" setup.exe
-
Sets file execution options in registry 2 TTPs 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe BraveUpdate.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe\DisableExceptionChainValidation = "0" BraveUpdate.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation brave.exe
-
Executes dropped EXE 25 IoCs
pid Process 1900 BraveUpdate.exe 820 BraveUpdate.exe 1284 BraveUpdate.exe 1700 BraveUpdateComRegisterShell64.exe 1908 BraveUpdateComRegisterShell64.exe 1180 BraveUpdateComRegisterShell64.exe 1804 BraveUpdate.exe 1480 BraveUpdate.exe 1108 BraveUpdate.exe 1412 brave_installer-x64.exe 1644 setup.exe 1584 setup.exe 1892 setup.exe 1468 setup.exe 972 BraveUpdate.exe 832 BraveUpdateOnDemand.exe 1640 BraveUpdate.exe 384 brave.exe 1564 brave.exe 1460 brave.exe 852 brave.exe 996 chrmstp.exe 1876 chrmstp.exe 1492 chrmstp.exe 1640 chrmstp.exe -
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun 1 TTPs 34 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS brave.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName brave.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer brave.exe
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 1900 BraveUpdate.exe 1900 BraveUpdate.exe 1900 BraveUpdate.exe 1900 BraveUpdate.exe 1480 BraveUpdate.exe 1480 BraveUpdate.exe 972 BraveUpdate.exe 972 BraveUpdate.exe 1900 BraveUpdate.exe 1900 BraveUpdate.exe 1900 BraveUpdate.exe 384 brave.exe 384 brave.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
384 | brave.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1976 wrote to memory of 1900 | 1976 | BraveBrowserSetup-KMP840.exe | 28
PID 1900 wrote to memory of 820 | 1900 | BraveUpdate.exe | 29
PID 1900 wrote to memory of 1284 | 1900 | BraveUpdate.exe | 30
PID 1284 wrote to memory of 1700 | 1284 | BraveUpdate.exe | 31
PID 1284 wrote to memory of 1908 | 1284 | BraveUpdate.exe | 32
PID 1284 wrote to memory of 1180 | 1284 | BraveUpdate.exe | 33
PID 1900 wrote to memory of 1804 | 1900 | BraveUpdate.exe | 34
PID 1900 wrote to memory of 1480 | 1900 | BraveUpdate.exe | 35
PID 1108 wrote to memory of 1412 | 1108 | BraveUpdate.exe | 37
PID 1412 wrote to memory of 1644 | 1412 | brave_installer-x64.exe | 38
PID 1644 wrote to memory of 1584 | 1644 | setup.exe | 39
PID 1644 wrote to memory of 1892 | 1644 | setup.exe | 40
PID 1892 wrote to memory of 1468 | 1892 | setup.exe | 41
PID 1108 wrote to memory of 972 | 1108 | BraveUpdate.exe | 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\BraveBrowserSetup-KMP840.exe "C:\Users\Admin\AppData\Local\Temp\BraveBrowserSetup-KMP840.exe" 1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Program Files (x86)\BraveSoftware\Temp\GUMF384.tmp\BraveUpdate.exe "C:\Program Files (x86)\BraveSoftware\Temp\GUMF384.tmp\BraveUpdate.exe" /installsource taggedmi /install "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=x64-rel&referral=none" 2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regsvc 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:820
-
-
C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regserver 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Program Files (x86)\BraveSoftware\Update\1.3.361.135\BraveUpdateComRegisterShell64.exe "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.135\BraveUpdateComRegisterShell64.exe" 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:1700
-
-
C:\Program Files (x86)\BraveSoftware\Update\1.3.361.135\BraveUpdateComRegisterShell64.exe "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.135\BraveUpdateComRegisterShell64.exe" 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:1908
-
-
C:\Program Files (x86)\BraveSoftware\Update\1.3.361.135\BraveUpdateComRegisterShell64.exe "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.135\BraveUpdateComRegisterShell64.exe" 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:1180
-
-
-
C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ping [base64-encoded payload] 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1804
-
-
C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /handoff "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=x64-rel&referral=none" /installsource taggedmi /sessionid "{3912BC50-CE56-4B04-A43E-34CC43228C54}" 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480
-
-
-
C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /svc 1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Program Files (x86)\BraveSoftware\Update\Install\{051977B8-2E25-4D9A-98F4-D2F17AFC2255}\brave_installer-x64.exe "C:\Program Files (x86)\BraveSoftware\Update\Install\{051977B8-2E25-4D9A-98F4-D2F17AFC2255}\brave_installer-x64.exe" --do-not-launch-chrome 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Program Files (x86)\BraveSoftware\Update\Install\{051977B8-2E25-4D9A-98F4-D2F17AFC2255}\CR_51CB7.tmp\setup.exe "C:\Program Files (x86)\BraveSoftware\Update\Install\{051977B8-2E25-4D9A-98F4-D2F17AFC2255}\CR_51CB7.tmp\setup.exe" --install-archive="C:\Program Files (x86)\BraveSoftware\Update\Install\{051977B8-2E25-4D9A-98F4-D2F17AFC2255}\CR_51CB7.tmp\CHROME.PACKED.7Z" --do-not-launch-chrome --brave-referral-code="KMP840" 3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Program Files (x86)\BraveSoftware\Update\Install\{051977B8-2E25-4D9A-98F4-D2F17AFC2255}\CR_51CB7.tmp\setup.exe "C:\Program Files (x86)\BraveSoftware\Update\Install\{051977B8-2E25-4D9A-98F4-D2F17AFC2255}\CR_51CB7.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=109.1.47.186 --initial-client-data=0x144,0x148,0x14c,0x118,0x150,0x140279710,0x140279720,0x140279730 4⤵
- Executes dropped EXE
PID:1584
-
-
C:\Program Files (x86)\BraveSoftware\Update\Install\{051977B8-2E25-4D9A-98F4-D2F17AFC2255}\CR_51CB7.tmp\setup.exe "C:\Program Files (x86)\BraveSoftware\Update\Install\{051977B8-2E25-4D9A-98F4-D2F17AFC2255}\CR_51CB7.tmp\setup.exe" --system-level --verbose-logging --create-shortcuts=0 --install-level=1 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Program Files (x86)\BraveSoftware\Update\Install\{051977B8-2E25-4D9A-98F4-D2F17AFC2255}\CR_51CB7.tmp\setup.exe "C:\Program Files (x86)\BraveSoftware\Update\Install\{051977B8-2E25-4D9A-98F4-D2F17AFC2255}\CR_51CB7.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=109.1.47.186 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x140279710,0x140279720,0x140279730 5⤵
- Executes dropped EXE
PID:1468
-
-
-
-
-
C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ping [base64-encoded payload] 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972
-
-
C:\Program Files (x86)\BraveSoftware\Update\1.3.361.135\BraveUpdateOnDemand.exe "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.135\BraveUpdateOnDemand.exe" -Embedding 1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ondemand 2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --from-installer 3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:384 -
C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=109.1.47.186 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef6117b68,0x7fef6117b78,0x7fef6117b88 4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564
-
-
C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1200 --field-trial-handle=1212,i,18034783604099838724,409249294170951662,131072 /prefetch:2 4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1460
-
-
C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=1444 --field-trial-handle=1212,i,18034783604099838724,409249294170951662,131072 /prefetch:8 4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852
-
-
C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1848 --field-trial-handle=1212,i,18034783604099838724,409249294170951662,131072 /prefetch:8 4⤵
PID:1984
-
-
C:\Program Files\BraveSoftware\Brave-Browser\Application\109.1.47.186\Installer\chrmstp.exe "C:\Program Files\BraveSoftware\Brave-Browser\Application\109.1.47.186\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings 4⤵
- Executes dropped EXE
PID:996 -
C:\Program Files\BraveSoftware\Brave-Browser\Application\109.1.47.186\Installer\chrmstp.exe "C:\Program Files\BraveSoftware\Brave-Browser\Application\109.1.47.186\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=109.1.47.186 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13fe19710,0x13fe19720,0x13fe19730 5⤵
- Executes dropped EXE
PID:1876
-
-
C:\Program Files\BraveSoftware\Brave-Browser\Application\109.1.47.186\Installer\chrmstp.exe "C:\Program Files\BraveSoftware\Brave-Browser\Application\109.1.47.186\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\BraveSoftware\Brave-Browser\Application\master_preferences" --create-shortcuts=1 --install-level=0 5⤵
- Executes dropped EXE
PID:1492 -
C:\Program Files\BraveSoftware\Brave-Browser\Application\109.1.47.186\Installer\chrmstp.exe "C:\Program Files\BraveSoftware\Brave-Browser\Application\109.1.47.186\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=109.1.47.186 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13fe19710,0x13fe19720,0x13fe19730 6⤵
- Executes dropped EXE
PID:1640
-
-
-
-
-
Downloads
-
Filesize
52KB
MD546624b14b7c82d0479355d1632841754
SHA17f32cafc018883e1e46ecb89ba8b9d20769e0c63
SHA25668fe3ee680d0352ca43eb75fe8949ba5fb19aa542954900bb5ef75a31b405630
SHA5129275918bc7afc477ec8573afcec9521fa188c094d5bdc9a1944dcb14cf5394106d4b38f25b514c27b3c0997addbe1615721222b7e5ce26852cda17d00e934db3
-
Filesize
52KB
MD5d807f29adb258232f1d5ca8a47920b8a
SHA161a74fcd9b8984308f6e0c42471c1cf0387418ad
SHA256d2862dacd79f211cc36f9202113d026b4231ff7d2c62d9b4332c0b32f191f93e
SHA512422532a337fee8bd15f7578237b48e8ebd1e8854784e954c5bd91727af99fba1a1439c648ce2c2f5232bde7b842967e8539b43b938d593aabccf8f480943106b
-
Filesize
170KB
MD56abcc089198580990bf0cfe5fc600c76
SHA1cb513561d1f592888c94a79f62b1969d3f36f468
SHA256e85d021214b468d49ebad516a6bd483342c1fd373ebd8a65f28a62de80dc4168
SHA5128e3f99088e67bcdbe30591acd56342e55a84707d7978e44fb4f719bfb103eb8c9457a166218e8d0eab60f7c9eb60df877c0c1dd88c3cdb0995d29de220360b31
-
Filesize
1.1MB
MD51452daef18c7b988e6fda9606ff6cb60
SHA14818c9f3d47ec9736ba83474ebd2b0dedec0fb3b
SHA256e48f273c5bdd68518cf2c2400b15939e16f2cd86b13977546510388f38ee0534
SHA512b9894b865d603c35c4e513f5c6002a48b4309fe773a5164ae15891ac1dae9fabd01591e8c9da3d56a4bf063e8d022b9665c1d9f0a1176b8cea36650dfb4a1c85
-
Filesize
52KB
MD5c6f1751102f65017663d8304b4cf0f68
SHA1d55ed42b5db1f6903ec409ad91b0c8f0c0c1562f
SHA256247f7e784e0f19cc05512b49916172c7ca6aae4748ddcd32628044202a4177df
SHA512ddbb947fc4b4c96f3c7a0145cd385e25d5cd3345b47f0d3033e569882e22d1b8fc47d3f20792f6eef48bd316eda25f3140f8f093e6eda07e43abfe915db379a0
-
Filesize
52KB
MD5c6f1751102f65017663d8304b4cf0f68
SHA1d55ed42b5db1f6903ec409ad91b0c8f0c0c1562f
SHA256247f7e784e0f19cc05512b49916172c7ca6aae4748ddcd32628044202a4177df
SHA512ddbb947fc4b4c96f3c7a0145cd385e25d5cd3345b47f0d3033e569882e22d1b8fc47d3f20792f6eef48bd316eda25f3140f8f093e6eda07e43abfe915db379a0