be5dc0d38251a54350c462a7f4a6c70028ee05c01bde5c1974342893bf12ba5e

Analysis

max time kernel
156s
max time network
173s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be5dc0d38251a54350c462a7f4a6c70028ee05c01bde5c1974342893bf12ba5e.msi
Size

1.9MB
MD5

2bc783b5193fa2dafe58065209be31f1
SHA1

7b7f31705565570dbf095a251769f9b73c3cafb7
SHA256

be5dc0d38251a54350c462a7f4a6c70028ee05c01bde5c1974342893bf12ba5e
SHA512

b82d58793679153c54106b5dfd851926aba258c64334a4a107d91bd9feb89a91e38320cc28e628b4ea7a32efe0a2c3ce401c93d93616fed1e6325383c8cf6be6
SSDEEP

49152:ipdSHSQrakKZFl8Zm0KmDNB1zToUM2J1m:ipmSQrecIXoNB1i2J1

Score

7^/10

discovery persistence

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\browser-up.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\browser-up.exe	cmd.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2204	ICACLS.EXE

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2736	msiexec.exe
5	2096	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe	BraveUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe\DisableExceptionChainValidation = "0"	BraveUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\BraveUpdateSetup.exe	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\BraveUpdateBroker.exe	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_mr.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_ru.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_ko.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_hr.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_ta.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_bn.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_gu.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_ko.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_nl.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\psuser_64.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdate.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_iw.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_fa.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_th.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_ml.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_pt-PT.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_zh-CN.dll	BraveUpdate.exe
File opened for modification	C:\Program Files (x86)\BraveSoftware\Temp\GUT651A.tmp	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_lv.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_bg.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_tr.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\psmachine.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\BraveUpdateHelper.msi	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_vi.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_cs.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_it.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_ms.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_no.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_sk.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_ta.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_nl.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\BraveCrashHandler.exe	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_sw.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_uk.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_ms.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\BraveUpdateCore.exe	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_fi.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_id.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_sv.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_am.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_ja.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_mr.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\BraveUpdate.exe	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_es.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_ja.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\BraveUpdateSetup.exe	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\BraveUpdateCore.exe	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_ar.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_ur.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_te.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_pl.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_en.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_fi.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_vi.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_zh-TW.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_da.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_da.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_lt.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_el.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_fil.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_te.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_sl.dll	BraveBrowserSetup-VER979.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f771a25.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2502.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f771a25.msi	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f771a26.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 12 IoCs

pid	Process
904	browser-up.exe
1572	BraveBrowserSetup-VER979.exe
2568	BraveUpdate.exe
980	BraveUpdate.exe
1528	BraveUpdate.exe
880	BraveUpdateComRegisterShell64.exe
2984	BraveUpdateComRegisterShell64.exe
3016	BraveUpdateComRegisterShell64.exe
1084	BraveUpdate.exe
1892	BraveUpdate.exe
2640	BraveUpdate.exe
2180	BraveUpdate.exe

Loads dropped DLL 44 IoCs

pid	Process
896	MsiExec.exe
1992	cmd.exe
1992	cmd.exe
896	MsiExec.exe
896	MsiExec.exe
896	MsiExec.exe
896	MsiExec.exe
1572	BraveBrowserSetup-VER979.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
980	BraveUpdate.exe
980	BraveUpdate.exe
980	BraveUpdate.exe
2568	BraveUpdate.exe
1528	BraveUpdate.exe
1528	BraveUpdate.exe
1528	BraveUpdate.exe
880	BraveUpdateComRegisterShell64.exe
1528	BraveUpdate.exe
1528	BraveUpdate.exe
2984	BraveUpdateComRegisterShell64.exe
1528	BraveUpdate.exe
1528	BraveUpdate.exe
3016	BraveUpdateComRegisterShell64.exe
1528	BraveUpdate.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
1084	BraveUpdate.exe
1892	BraveUpdate.exe
1892	BraveUpdate.exe
1892	BraveUpdate.exe
2640	BraveUpdate.exe
2640	BraveUpdate.exe
2640	BraveUpdate.exe
2640	BraveUpdate.exe
1892	BraveUpdate.exe
2640	BraveUpdate.exe
2640	BraveUpdate.exe
2180	BraveUpdate.exe

Registers COM server for autorun 1 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\InProcServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.101.0\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.101.0\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\InProcServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.101.0\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\InProcServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.101.0\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\InProcServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.101.0\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\InProcServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.101.0\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\InProcServer32	BraveUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32	BraveUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\InProcServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\InProcServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\InProcServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{660130E8-74E4-4821-A6FD-4E9A86E06470}	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35A4470F-5EEC-4715-A2DC-6AA9F8E21183}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4842EC21-0860-45B5-99F0-A1E6E7C11561}	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48B5E6B2-9383-4B1E-AAE7-720C4779ABA6}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A147722A-5568-4B84-B401-86D744470CBF}\NumMethods	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10479D64-2C5F-46CD-9BC8-FD04FF4D02D8}\NumMethods\ = "4"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F234546B-DACD-4374-97CF-7BADFAB76766}	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28C83F57-E4C0-4B54-B187-585C51EE8F9C}\ProgID	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\InProcServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.PolicyStatus\ = "Google Update Policy Status Class"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD84E356-3D21-44C8-83DD-6BEEC22FA427}\NumMethods	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.CoCreateAsync\CLSID	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4842EC21-0860-45B5-99F0-A1E6E7C11561}\NumMethods\ = "11"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C929BFE-4FA4-488D-B1E2-82ECD6F076C8}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10479D64-2C5F-46CD-9BC8-FD04FF4D02D8}\ = "IGoogleUpdateCore"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4842EC21-0860-45B5-99F0-A1E6E7C11561}\ = "IAppCommand"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A147722A-5568-4B84-B401-86D744470CBF}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91B050A9-5A49-4249-A8C8-B4390961A912}\NumMethods	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.OnDemandCOMClassMachineFallback	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FB43AAD0-DDBA-4D01-A3E0-FAB100E7926B}\NumMethods\ = "17"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.CredentialDialogMachine\CurVer\ = "BraveSoftwareUpdate.CredentialDialogMachine.1.0"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C11C073F-E6D0-4EF7-897B-AAF52498CD2F}\ = "IAppCommand2"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10479D64-2C5F-46CD-9BC8-FD04FF4D02D8}\NumMethods	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C663DEBB-F082-4971-9F6E-35DE45C96F4E}\ = "IPackage"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A147722A-5568-4B84-B401-86D744470CBF}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F65EDCA-A4BF-47E9-9200-DA0CE4F413F2}\InprocHandler32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C663DEBB-F082-4971-9F6E-35DE45C96F4E}\ = "IPackage"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A24060E-533F-4962-9E15-34BD82555FA7}\ = "ICoCreateAsyncStatus"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A24060E-533F-4962-9E15-34BD82555FA7}\NumMethods	BraveUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}\ = "IProcessLauncher"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48B5E6B2-9383-4B1E-AAE7-720C4779ABA6}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F234546B-DACD-4374-97CF-7BADFAB76766}\NumMethods\ = "10"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B9AEB1CC-DF9B-45CB-B70B-084D2E869A1C}\VersionIndependentProgID	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19F4616B-B7DD-4B3F-8084-C81C5C77AAA4}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7CB305B1-4D45-4668-AD91-677F87BED305}\NumMethods	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\ = "PSFactoryBuffer"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD84E356-3D21-44C8-83DD-6BEEC22FA427}\NumMethods\ = "4"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10479D64-2C5F-46CD-9BC8-FD04FF4D02D8}\NumMethods	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1985533F-9B0F-490A-85C5-24F316E66FB2}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.PolicyStatus	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C929BFE-4FA4-488D-B1E2-82ECD6F076C8}\ProxyStubClsid32	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FB43AAD0-DDBA-4D01-A3E0-FAB100E7926B}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C663DEBB-F082-4971-9F6E-35DE45C96F4E}	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3282EB12-D954-4FD2-A2E1-C942C8745C65}\ProgID\ = "BraveSoftwareUpdate.OnDemandCOMClassMachineFallback.1.0"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B9AEB1CC-DF9B-45CB-B70B-084D2E869A1C}\VersionIndependentProgID\ = "BraveSoftwareUpdate.PolicyStatus"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35A4470F-5EEC-4715-A2DC-6AA9F8E21183}	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D5627FC9-E2F0-484B-89A4-5DACFE7FAAD3}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FB43AAD0-DDBA-4D01-A3E0-FAB100E7926B}	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9190589-ECEC-43F8-8AEC-62496BB87B26}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.OnDemandCOMClassMachine\CurVer	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A147722A-5568-4B84-B401-86D744470CBF}\NumMethods\ = "43"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.Update3COMClassService\ = "Update3COMClass"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A24060E-533F-4962-9E15-34BD82555FA7}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BFA9CB0F-987A-4E8A-A3BE-5988F315F35E}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4BCDF52-2179-4C77-8C5F-B8095712B563}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7CB305B1-4D45-4668-AD91-677F87BED305}\ = "IGoogleUpdate3"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35A4470F-5EEC-4715-A2DC-6AA9F8E21183}\NumMethods\ = "10"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAE4AD28-500D-43BA-9F54-730CA146C190}	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.Update3WebMachine.1.0\CLSID	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A24060E-533F-4962-9E15-34BD82555FA7}\NumMethods	BraveUpdateComRegisterShell64.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	BraveUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	BraveUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	BraveUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	BraveUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	BraveUpdate.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2096	msiexec.exe
2096	msiexec.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
2180	BraveUpdate.exe
2180	BraveUpdate.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2736	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeTakeOwnershipPrivilege	2096	msiexec.exe
Token: SeSecurityPrivilege	2096	msiexec.exe
Token: SeCreateTokenPrivilege	2736	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2736	msiexec.exe
Token: SeLockMemoryPrivilege	2736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2736	msiexec.exe
Token: SeMachineAccountPrivilege	2736	msiexec.exe
Token: SeTcbPrivilege	2736	msiexec.exe
Token: SeSecurityPrivilege	2736	msiexec.exe
Token: SeTakeOwnershipPrivilege	2736	msiexec.exe
Token: SeLoadDriverPrivilege	2736	msiexec.exe
Token: SeSystemProfilePrivilege	2736	msiexec.exe
Token: SeSystemtimePrivilege	2736	msiexec.exe
Token: SeProfSingleProcessPrivilege	2736	msiexec.exe
Token: SeIncBasePriorityPrivilege	2736	msiexec.exe
Token: SeCreatePagefilePrivilege	2736	msiexec.exe
Token: SeCreatePermanentPrivilege	2736	msiexec.exe
Token: SeBackupPrivilege	2736	msiexec.exe
Token: SeRestorePrivilege	2736	msiexec.exe
Token: SeShutdownPrivilege	2736	msiexec.exe
Token: SeDebugPrivilege	2736	msiexec.exe
Token: SeAuditPrivilege	2736	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2736	msiexec.exe
Token: SeChangeNotifyPrivilege	2736	msiexec.exe
Token: SeRemoteShutdownPrivilege	2736	msiexec.exe
Token: SeUndockPrivilege	2736	msiexec.exe
Token: SeSyncAgentPrivilege	2736	msiexec.exe
Token: SeEnableDelegationPrivilege	2736	msiexec.exe
Token: SeManageVolumePrivilege	2736	msiexec.exe
Token: SeImpersonatePrivilege	2736	msiexec.exe
Token: SeCreateGlobalPrivilege	2736	msiexec.exe
Token: SeBackupPrivilege	2564	vssvc.exe
Token: SeRestorePrivilege	2564	vssvc.exe
Token: SeAuditPrivilege	2564	vssvc.exe
Token: SeBackupPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2496	DrvInst.exe
Token: SeRestorePrivilege	2496	DrvInst.exe
Token: SeRestorePrivilege	2496	DrvInst.exe
Token: SeRestorePrivilege	2496	DrvInst.exe
Token: SeRestorePrivilege	2496	DrvInst.exe
Token: SeRestorePrivilege	2496	DrvInst.exe
Token: SeRestorePrivilege	2496	DrvInst.exe
Token: SeLoadDriverPrivilege	2496	DrvInst.exe
Token: SeLoadDriverPrivilege	2496	DrvInst.exe
Token: SeLoadDriverPrivilege	2496	DrvInst.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeTakeOwnershipPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeTakeOwnershipPrivilege	2096	msiexec.exe
Token: SeDebugPrivilege	2568	BraveUpdate.exe
Token: SeDebugPrivilege	2568	BraveUpdate.exe
Token: SeDebugPrivilege	2568	BraveUpdate.exe
Token: SeDebugPrivilege	2180	BraveUpdate.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2736	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
904	browser-up.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 896	2096	msiexec.exe	33
PID 2096 wrote to memory of 896	2096	msiexec.exe	33
PID 2096 wrote to memory of 896	2096	msiexec.exe	33
PID 2096 wrote to memory of 896	2096	msiexec.exe	33
PID 2096 wrote to memory of 896	2096	msiexec.exe	33
PID 2096 wrote to memory of 896	2096	msiexec.exe	33
PID 2096 wrote to memory of 896	2096	msiexec.exe	33
PID 896 wrote to memory of 2204	896	MsiExec.exe	34
PID 896 wrote to memory of 2204	896	MsiExec.exe	34
PID 896 wrote to memory of 2204	896	MsiExec.exe	34
PID 896 wrote to memory of 2204	896	MsiExec.exe	34
PID 896 wrote to memory of 276	896	MsiExec.exe	36
PID 896 wrote to memory of 276	896	MsiExec.exe	36
PID 896 wrote to memory of 276	896	MsiExec.exe	36
PID 896 wrote to memory of 276	896	MsiExec.exe	36
PID 896 wrote to memory of 1992	896	MsiExec.exe	38
PID 896 wrote to memory of 1992	896	MsiExec.exe	38
PID 896 wrote to memory of 1992	896	MsiExec.exe	38
PID 896 wrote to memory of 1992	896	MsiExec.exe	38
PID 1992 wrote to memory of 904	1992	cmd.exe	40
PID 1992 wrote to memory of 904	1992	cmd.exe	40
PID 1992 wrote to memory of 904	1992	cmd.exe	40
PID 1992 wrote to memory of 904	1992	cmd.exe	40
PID 896 wrote to memory of 1572	896	MsiExec.exe	41
PID 896 wrote to memory of 1572	896	MsiExec.exe	41
PID 896 wrote to memory of 1572	896	MsiExec.exe	41
PID 896 wrote to memory of 1572	896	MsiExec.exe	41
PID 896 wrote to memory of 1572	896	MsiExec.exe	41
PID 896 wrote to memory of 1572	896	MsiExec.exe	41
PID 896 wrote to memory of 1572	896	MsiExec.exe	41
PID 1572 wrote to memory of 2568	1572	BraveBrowserSetup-VER979.exe	42
PID 1572 wrote to memory of 2568	1572	BraveBrowserSetup-VER979.exe	42
PID 1572 wrote to memory of 2568	1572	BraveBrowserSetup-VER979.exe	42
PID 1572 wrote to memory of 2568	1572	BraveBrowserSetup-VER979.exe	42
PID 1572 wrote to memory of 2568	1572	BraveBrowserSetup-VER979.exe	42
PID 1572 wrote to memory of 2568	1572	BraveBrowserSetup-VER979.exe	42
PID 1572 wrote to memory of 2568	1572	BraveBrowserSetup-VER979.exe	42
PID 2568 wrote to memory of 980	2568	BraveUpdate.exe	43
PID 2568 wrote to memory of 980	2568	BraveUpdate.exe	43
PID 2568 wrote to memory of 980	2568	BraveUpdate.exe	43
PID 2568 wrote to memory of 980	2568	BraveUpdate.exe	43
PID 2568 wrote to memory of 980	2568	BraveUpdate.exe	43
PID 2568 wrote to memory of 980	2568	BraveUpdate.exe	43
PID 2568 wrote to memory of 980	2568	BraveUpdate.exe	43
PID 2568 wrote to memory of 1528	2568	BraveUpdate.exe	45
PID 2568 wrote to memory of 1528	2568	BraveUpdate.exe	45
PID 2568 wrote to memory of 1528	2568	BraveUpdate.exe	45
PID 2568 wrote to memory of 1528	2568	BraveUpdate.exe	45
PID 2568 wrote to memory of 1528	2568	BraveUpdate.exe	45
PID 2568 wrote to memory of 1528	2568	BraveUpdate.exe	45
PID 2568 wrote to memory of 1528	2568	BraveUpdate.exe	45
PID 1528 wrote to memory of 880	1528	BraveUpdate.exe	46
PID 1528 wrote to memory of 880	1528	BraveUpdate.exe	46
PID 1528 wrote to memory of 880	1528	BraveUpdate.exe	46
PID 1528 wrote to memory of 880	1528	BraveUpdate.exe	46
PID 1528 wrote to memory of 2984	1528	BraveUpdate.exe	47
PID 1528 wrote to memory of 2984	1528	BraveUpdate.exe	47
PID 1528 wrote to memory of 2984	1528	BraveUpdate.exe	47
PID 1528 wrote to memory of 2984	1528	BraveUpdate.exe	47
PID 1528 wrote to memory of 3016	1528	BraveUpdate.exe	48
PID 1528 wrote to memory of 3016	1528	BraveUpdate.exe	48
PID 1528 wrote to memory of 3016	1528	BraveUpdate.exe	48
PID 1528 wrote to memory of 3016	1528	BraveUpdate.exe	48
PID 2568 wrote to memory of 1084	2568	BraveUpdate.exe	49

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\be5dc0d38251a54350c462a7f4a6c70028ee05c01bde5c1974342893bf12ba5e.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A3DB0EDC5DD49F0378AA4633022E175E
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-93e92aed-3951-48d8-9a47-81fce0bc84a4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2204
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:276
- - C:\Windows\syswow64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\MW-93e92aed-3951-48d8-9a47-81fce0bc84a4\files\copy.bat" "
    3⤵
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\browser-up.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\browser-up.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:904
- - C:\Users\Admin\AppData\Local\Temp\MW-93e92aed-3951-48d8-9a47-81fce0bc84a4\files\BraveBrowserSetup-VER979.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-93e92aed-3951-48d8-9a47-81fce0bc84a4\files\BraveBrowserSetup-VER979.exe" /install
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\BraveUpdate.exe
      "C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\BraveUpdate.exe" /install "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=x64-rel&referral=none"
      4⤵
      Sets file execution options in registry
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:980
    - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
      - C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\BraveUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\BraveUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:880
      - C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\BraveUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\BraveUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2984
      - C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\BraveUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\BraveUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3016
    - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xMDEuMCIgc2hlbGxfdmVyc2lvbj0iMS4zLjEwMS4wIiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezk5QzBEMDUzLUY0NjctNERFRi04ODVDLTBGODg0RTlGOEYwN30iIGluc3RhbGxzb3VyY2U9Im90aGVyaW5zdGFsbGNtZCIgdGVzdHNvdXJjZT0iYXV0byIgcmVxdWVzdGlkPSJ7N0RFMkIzM0UtOTZENy00RDYwLUIwOTgtRTlDNkNCRjRFMkE1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9IntCMTMxQzkzNS05QkU2LTQxREEtOTU5OS0xRjc3NkJFQjgwMTl9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMTAxLjAiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMjI3OTIiLz48L2FwcD48L3JlcXVlc3Q-
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:1084
    - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /handoff "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=x64-rel&referral=none" /installsource otherinstallcmd /sessionid "{99C0D053-F467-4DEF-885C-0F884E9F8F07}"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C8" "00000000000003B8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2640
- C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
  "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xMDEuMCIgc2hlbGxfdmVyc2lvbj0iMS4zLjEwMS4wIiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezk5QzBEMDUzLUY0NjctNERFRi04ODVDLTBGODg0RTlGOEYwN30iIGluc3RhbGxzb3VyY2U9Im90aGVyaW5zdGFsbGNtZCIgdGVzdHNvdXJjZT0iYXV0byIgcmVxdWVzdGlkPSJ7N0JGMjY4MjQtRTlCRC00NEYxLUFEMTEtMDk4MEUxNjkwRjcyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9IntBRkU2QTQ2Mi1DNTc0LTRCOEEtQUY0My00Q0M2MERGNDU2M0J9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIiIGFwPSJ4NjQtcmVsIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzIxOTQ0NyIgZXh0cmFjb2RlMT0iMjY4NDM1NDU5IiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iNDA0MCIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\BraveCrashHandler.exe

Filesize
291KB

MD5
063d8f06fc1a3fa72778ecda5049c48e

SHA1
a3d29ce1e5903d10f678be50427d5b7f6cdb7d30

SHA256
728d340a78658a2968b34d8d5f8f4ace2ef198b7bbcbf338fc7c33652742d634

SHA512
14a3527409412e81e5d07548d2ea55c3d11e7907342ed8c2323fe2fe997a8724861808f19b5117ac3060de5069fed5a80471ade23f259f995852a2b79ac09158

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\BraveCrashHandler64.exe

Filesize
365KB

MD5
6df2f69f038354091734bee903ffb8b6

SHA1
13d77fea20151606cf8ee9a939d3c4a17d729be8

SHA256
956d9ea3ede39de0b158eee857d1a459ee4d041daad75263024fc43197f64329

SHA512
7d0daaa6889284015fd4fc73958c061ecf2563cf015160398cbcdf4dfc2b7f4bd9d359e61220efef3a8f8d796b0344089461e6a491e7304e2c3f4d7795ec9015

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\BraveUpdateComRegisterShell64.exe

Filesize
176KB

MD5
2a3bb8908f002799f194a26e048933a2

SHA1
517a2e82385797c05c47e7c34aa891a8850b8563

SHA256
b1d4b8a40eeecab0399e16e6fb8e4dfa1b21509742bfacb949533c893da07bd3

SHA512
891244d5a8647532a11d008ce24d9a09d3ce9c175e0d8452006fbdfb1c8443b2ddce05662928e3f18395bb3f4ea30798a977029b2066aed734e66ab6ec3957ca

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\BraveUpdateCore.exe

Filesize
208KB

MD5
c2d6c88423171cc951e794e18e394cd7

SHA1
5cc4823aed0c0d3e1b0109f5dcd91ec5105cfa9a

SHA256
b272f392934334d4e6c2a6526a3f274f43b96f51322b4bef37f59c438787b646

SHA512
52b0f9ad19e9938c0ef1cd112ced73f89abdbccb339b734988e702f7c684a0d2dbac4275ef67658b43c5c32ba4dc981d56f0e6b800c40973e2622375ae8d506d

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdate.dll

Filesize
1.0MB

MD5
0ea93d250715a225f334faff13b32e86

SHA1
0e3e44d4d9a21cfa6b47a734ce30266ae5e7bb04

SHA256
a00d5baf5fe3aed1d864e56c7ac847cf06ad2b02c63e0ea33c77a0d254311695

SHA512
13aa7e3e0a07e3b39b1ea591ee5757910a70d7204a9e9bfc9eb0cfe78e70ea08f8c11d4e6a33f69ead86b544f18677b38c2de9134b7ef9230a1a55cdb0058919

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_am.dll

Filesize
45KB

MD5
459cc5bdc5c12e1c709b5d134327122b

SHA1
eca0b45f61a7d4f3a897345d27577e58217c35fb

SHA256
99702a5df6e94ceca75dbae44edf1b99f3eb668062ab21f775851f121125adc0

SHA512
a2913e884c8cad52f01973a811dc16a97b0d79b1aa7691ae353bb476a0c1203d2c1c6ebbf37253f2a674a9f5ff3a69df4d589be1f4946f4ff210e6c9fffc7fa1

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_ar.dll

Filesize
44KB

MD5
0c64b2b0eaef9cf0822e7ae9325efc27

SHA1
1b65b3d50481e003d2efbb4e35e231bc5529eb70

SHA256
d11c3fa05de102e9d47e1602217ca8e00d4832fa5b275eee16e4161b8863b018

SHA512
5b0c9857801cf909eadde3c698847fdc17d21eea971a435b119e040406f37ee27c1b5a1658fdb0fdf48acd7fb1f9a4cbb04e1eb1059ee16a115ed83b35f86aab

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_bg.dll

Filesize
47KB

MD5
f4fae110b3fa38ec03a47cf7a0977bac

SHA1
e693ab743e77789ea768dba0b9f8cfc7863997fd

SHA256
9fed950cbb4a5f9acadb24bca75b09eeaa37cb58e5c594bb06357c495dd81e1e

SHA512
dfe106f5322b846f29e8ef0ada2f65920f52732c96e7018a671bd3ea68aee025ff29c34ca79f2ff759df31e260edcc502d747cc42da5a6ae8e65a59791fb0c9e

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_bn.dll

Filesize
47KB

MD5
d257ac31a2c008eb474f102c4fe1a525

SHA1
80244cf1cf076b0c4375744e3cc6624b67a06e95

SHA256
8622a1f768a812ee351802e286f7ece1fc8327e0e04e53d5bc39c00b3189b8f7

SHA512
40c8705c4ab04abd7f92be3112d97a1d3d21008c0da48267e01b9335decfa27d9c7313c8447ff89b02066b30d434daa2c748b950b5872ba73114d543f4b268bf

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_ca.dll

Filesize
47KB

MD5
19dbd0d44e7f68f7a63f8fd77013ad0e

SHA1
73a7ab2e5051fdfd6103144389f69eaf9b2ae3a5

SHA256
700d43e8703cd6d8dd4b0bba57eeabd743174e86102f7207267ba3ed7e9bc04b

SHA512
9cebde40eeadfb87afc5be3d4939b864b5fd06e322aeb79ed1f365828314fc58e5ce56a0d2bea32792707b980579fb097d2879f435d80892dadbd2b2f63e2112

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_cs.dll

Filesize
46KB

MD5
9888f7c09e0660f4a30e776306c9e375

SHA1
0f2251cd44242bbdc6725cde2a730c466ef61568

SHA256
ff2819eaef8634c8b800bac452b2d078dc92306aa030bc887d6bc0b542783917

SHA512
b9147512b15332c9970fef3071f56f38143b1a27ff4446e52aba60fdc4e2daf40dff2b0e5b5824925530356747226b467d1e1a6e353697ff226baad39c2fb828

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_da.dll

Filesize
46KB

MD5
5ed546f1887746e4dc16497fada602b2

SHA1
4cbd9bbff07e5657dfa8c598ef27085ae60b289d

SHA256
07931d750c760fc026b1e508c9f2ad428ef56054e8d3b1856e15947747d22bd3

SHA512
e2c99f262f235c39d3505855b099c9a5913ec14baf03352e72e64da6b80de107f5d79abea85370b243bc5ae57229289db2e8b73521408e203eee841dd1954c72

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_de.dll

Filesize
48KB

MD5
ef002d9d7e93d598f7f0a90fdc2a3ef4

SHA1
3bb49c87a555ab8094cff09f4c02d5a8293d5007

SHA256
87b71c421f40184f964f14689eb32557eddd094a02e13ea3d08e2bb7a57a3828

SHA512
60b33096d89577aba0cf2965b87e6a7e8fd8496cae9f58a4b1501f49f3a93b75eb2c62dc9a0a5b5ee4232943c873f82a78b6425dd71c4d208037369c10e826d9

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_el.dll

Filesize
47KB

MD5
ceb401f9e6193038518df82ef58ce4c4

SHA1
d2db5b55bba82900529abfd2a47722fe39d78340

SHA256
7f2c9ef3ba263909dd59d3d33483cd10054a219a91d38be79356edda5a23fcaf

SHA512
e1ef05ca19e3cfab565760d1c3ad0d66e392aa1e3b445455df51262f88e73148ab6de6deb798a1e7e338d74b9530a612a860f5d134e694fba2b46d76530d0e50

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_en-GB.dll

Filesize
45KB

MD5
907e7166f59a8f4c7434532cdd4362c3

SHA1
6f836bfa84fdf87129082990f377e69dade01c91

SHA256
184f753d0ca1759043b5b4be6a7ab22f39f13c97b39d39e8a847ff64a0f75619

SHA512
9823549e5e334f6b0d980c6a3a37353443b29e5ecb306f8b1988c91076bb1835f4d9e25560b846564cd24c9f96029f0a706977b9b4b99ddfa62d5d7506cab06d

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_es-419.dll

Filesize
46KB

MD5
664ed8f5e1141f526062576e57a6b839

SHA1
81bcd3711bd4659c5fc98703f27b911641febdc3

SHA256
2902de20c7a6e715a9b761b231508bbbc4cec06d288a659a04b545b26051417e

SHA512
165e80294c4766fe5afb655fb55701502b93da2c8e330bdb54e05108d02513ae7fee569470193db97f6e50bbfd5fbc236f35d2b8a633a9d54aa08e9b77259cca

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_es.dll

Filesize
48KB

MD5
7475e2b5143b2f15e282569584cada5d

SHA1
00b174bed42fe12de34f74a40d4e4477e332f228

SHA256
e34e45d8a05c3398b3be4f67f082ca76f0d35d93d97ad9f261ad225f886a4b7a

SHA512
d68501bca95633855686b2d701975df7c695dccf87235bce40495c46326528a959e1318bc93edaf95d22b5d8290e6ce2f8715afe7c555470c60294feaf4c7754

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_et.dll

Filesize
45KB

MD5
fb5c0ee7ef213a77cd494621f2e2bc1c

SHA1
f185f4b77cdb95afca30e0e7047b0d79f98eddd2

SHA256
65079a6993fdc26cb99cb97fec0cdb1fe953728da629206c79d3e0e33b5fe4eb

SHA512
d828003a50bfa93927b5867eb4c00912c2bd762def0a51358af35f9aed0aa3bf95848388eddf46da0ab221576d4c0c15f76d633ffdc570d7bc8de57d77a4ac42

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_fa.dll

Filesize
45KB

MD5
66a54e75fa330d6f2d83e779dbaed4a3

SHA1
4366abd29eef6538d033bbb20afebbec856e87d7

SHA256
cbce95090f5a3aedffde646474855b4f99ff9ebe009b41159eebb84d934c0f70

SHA512
d231178ccfff0c21f587e782f0a4b69ebb062ada89637cdc122c54225f602b1917db16bfe8f46db0e6853408a569516d552680b894c757798b17f791789f0b82

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_fi.dll

Filesize
46KB

MD5
c7aec16828236f0542a5feef7a335289

SHA1
9d91047bc27dcbfbea62790235f91d6601851432

SHA256
3f395c1ddcf679d6ace0b3399ed8a583c0e0555d5b744f76a773341d3d61e6e1

SHA512
8084a35b476a8420e40d7afe11c74a67523ac61c2628614d20e2e0d9ac5fcde37b11a84ace660ba1fc6a61bfb23c310a58a99d6caabea348e5e887629d8f9a39

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_fil.dll

Filesize
47KB

MD5
7642ceb2c3b0228d2fcf5a09e26a7b51

SHA1
bf3e6d68e5074b1c3176861eb1abd4e380f47c6f

SHA256
5ad881b74069050b4a4106337fae283cf11033fa7c143999f225451053c4d326

SHA512
08dca94a2f04edb1f97bf0461407f9e83125bc1856d1a466ece4c291b6463c8bcdc534eea7d7929b426264f0ae1eb10b0745760200cddedbf97bbef71f854cb0

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_fr.dll

Filesize
47KB

MD5
feb29b940fea60cafa7b943b20dd1dc3

SHA1
9d0eb6e22af93b229665cbd16f1152805f7e9ea6

SHA256
f0ef061bcf86b2edb7518c42cbc059960c5cb7786589028f5f6e433bdcf27341

SHA512
091792da752b2b10d2af72cfdcdd1a26a73ded8d2af40e946bd7d77db0af61be725991cd79da603d0d42e01c5fa86cb3122e93e806fd9842d1dc2706b2c8a617

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_gu.dll

Filesize
47KB

MD5
7318bae423f57ec1874bb88e67bb1033

SHA1
b9f57803a80b21dd2a4728f9027a8e144c360b8d

SHA256
2d7cba572aeb8eea6f2b074ffd44fad28c1570dee968aba79f47613ba7cb8d9c

SHA512
5f929f8e8096534dd15bf6a25bc163bb0c10ec92831e128c1466f59c1ca03a743c1b031548f799c16624d956473dcea7d2ba19a0b81e30a3f27d7736b0d6bcc5

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_hi.dll

Filesize
46KB

MD5
e39ebff3af584d2ec925cca1aff90347

SHA1
47449d2cb7f80803f6319de31aaa4caf4919a97c

SHA256
5c85ded9c6615da3d3a6e37c934b4f067a7b6d54810e0b26678658ad4fa0c69f

SHA512
72796510fda15f84b620dcd9de262059336413ad2b278102daea8f79e1e057f75baa2ff2bf3120b505f7a640b5a10cbaa2d36ed85144b7087f18547d97722354

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_hr.dll

Filesize
46KB

MD5
5ba35641bcb53efb5c78f0f3f8944ecf

SHA1
ddd96edc00dbce6f1ab21b38f4f7f88a5dfcee84

SHA256
5ac86db141d968b952753d5dcbf39483de9f34f9eda895cc752dd1e3110a9250

SHA512
05614aba3dab6c2db1505011619da3537a1bd4fc1030e216884b1741bf057190f17b6fb7a6a57bfcfa1a9c8826da7a055d95a00aed39d8a7b2935ccfd417d84d

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_hu.dll

Filesize
46KB

MD5
4ef567fb95af4d46d67dd319ee05dd0b

SHA1
fa920ba29f1571b3cad54f9a9e52baa8b89ce0ce

SHA256
5e8f3e00ca8170c125a3dbcdc887154b24aeb3b8bc9e23d6960acea163c3e40e

SHA512
4d6cc7bafe945893f37ae57362e49ae573df994bada8c5507678524bdd3c4a47ed4abfc2a255142451df767577b7139687556045d5a46c841a7d579acbe58cc5

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_id.dll

Filesize
45KB

MD5
7e921609b4281090ccddee4bd0198ecd

SHA1
2ad50c2ad23ebdf047d15a0b85ebec32d2cf4194

SHA256
295646c23e3a389c81498971e5580e5bcdded3c783508c976998a1c95715c002

SHA512
9487d846aeac1f9b2435ef05612b9a8bf630a460c14e1cb8b8bfc3229e64c0b8108c6901a1a2fe4dee9a9dcfc19558665f5aa25a1525f7eb4bcee4bd1e432d45

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_is.dll

Filesize
45KB

MD5
e0a97258dd76f335b7c61af4005ee8fd

SHA1
4856fa8eed75f88ba80323451ead1f1b94718416

SHA256
29a93bac3351b2331bc4c367b1c539abb7ca66ae0ada3a5977420deddad96593

SHA512
8042c665affaba97bab230e24cfe7c582e72a91700ad6d962aa61034b44669f3dec9411a7de88055bbd3a6fd98ee67f8b21e6af6a535d29608e21dcdc6f9abb5

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_it.dll

Filesize
47KB

MD5
69d8a5bf42a8146a59a81939098a6f76

SHA1
ef9c25ecfef768533907529e7e563deeca0fca70

SHA256
cfaafa811b73ef124e49a7510244ec8f304ae5cbd956cd8fd7fd39d0a18b3cc8

SHA512
8abb4028d92a0ed32fa1c12406da741a9f59bb18442bf506ca934fa81ba18004ac473f31c036f4d0f681f242638b523fc26e75c1dfb39ac5d55a3006c4c5d868

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_iw.dll

Filesize
43KB

MD5
b57bb819c0778b7e9c72735001826bf2

SHA1
2d605bf1fe832276e3b782e84c60415f0874fbd1

SHA256
4a8b187d4cf189e2cc276008ba7cce8fec769b45272e25caafd8c62890615674

SHA512
4bc5570d1d338d025f77527395994c13913fe65bbd8389bfb2b5016b101c1cf25ba61c41a59afe46b0512d54c5464c32baab2b60cab974a0357e908bcd2ba109

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_ja.dll

Filesize
42KB

MD5
da0b0719fcbd0876f3df569fbaafedb6

SHA1
c54a135864bfe4483b70d6630aeef40e98ce0280

SHA256
32d0c766ed731ff8f14d0faceaf4dae00947dde607e6d554dee3bd6c732973b8

SHA512
c85e1ff78adee90af523ff8a9168fc43a9e05ee4e925241c8b6fcc13f06466330293377e340cd42361cdacad44c2abaee3808b21f0a9f99893c543bbe217891d

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_kn.dll

Filesize
47KB

MD5
ecc4908186ff9fa7fc5698f43caa4f1f

SHA1
2a899699d134a59041c3d123860753adbc093be8

SHA256
fa1ac2c9d68546ae96c545d7663428c845d3ccf278d9b0468443343a3d395122

SHA512
ce06e6b8f22ff98830f63e71c896aaa9a1bf312495b2a4912963e37baea7d061d3a07d12fdf07e1edc3881575c9b51bbe54a8e370aa4d5c6aa361c1b9346e685

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_ko.dll

Filesize
41KB

MD5
66ef8d10713aba71338feec4795bae18

SHA1
715c5962c47dea045e546e60ab95ffb30e27733e

SHA256
9e7b5f5764fd303413d14ad3644aa4bae3e165d86e57b3a75d79e159385b1155

SHA512
3211a99224f4b243ff3cfb6b4ba61c69102a64527d8bd41211fd94a3de27b6ddc9269fd313927a16fd945318738e8d4908c682de3ca271d32a33da0dcd684d21

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_lt.dll

Filesize
45KB

MD5
7df8ad8a6020a995d6dec6dac526493b

SHA1
cd03591e155e80d465c4bf90c087c11d40a39daa

SHA256
dd1dee2f146d8e252819af2f888863b07557f5f622c310f8512ea21933eb6d2b

SHA512
804fe2ea4fa6069a195457f2752f9cfa8d695c86507ce782c530a8199c8c7b4671a0460503d8740bcbeb35114a6077b36b3c29decc96df22e874fe1e51254923

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_lv.dll

Filesize
46KB

MD5
4fefd8b661639eb356618dce060f028a

SHA1
883dbd0c246ad91e14efa3fc38b9929f0f3d4d2d

SHA256
cd21b825ba6479e67f00c031d0e052795d13a2be4b9c0299d8e1ac1eef558e62

SHA512
7bcc001e3087a90fbabee902b7ec8cc6a8ae09c0fbe7e298b79a1bd25d0c58ee576731dc9cc1c8c9ffde7066c5ad02a37feac8b6bf4e6186ba87704eb5224ec8

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_ml.dll

Filesize
49KB

MD5
506b807f58fb1d691fb66cf94dee9521

SHA1
398f0d9a128957ae264b896e724fefe167099e61

SHA256
286ffe35c55a28562996003428789362ee83d2922f1eb718b42ed3c84e7a8052

SHA512
f20fb552b1f4f1dfa4dda5ff9e2c1771c1d731aa254bd0bcc886ef8ad7ed77538a536b409a1513b7f92d3f81f410e4b754910c66cbfe37da38f11ab8f2025968

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_mr.dll

Filesize
47KB

MD5
8946192390b804b2298f6cf6dc5194be

SHA1
b1fdf7d159516fa8c7eafa404a4bc3e841773019

SHA256
7913de660c6f87df576337b0bccf1f3da66ceffda4aaec49cc23f1312e715ca9

SHA512
df631b927ca6d6bedc2bdb460e10cedac72975ab249f6451dddfcabcf3b41f57fbae995efd3d2ad4eb8b8d235244454b9a67b3f25c29b4a4287bc62fe25e8d47

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_ms.dll

Filesize
45KB

MD5
74e2a47d925669c86ee5527216c6e558

SHA1
5ffe411d0600ce867f0c5e287b49fb861616935d

SHA256
bda87e8b4a353e6e74b2d500303991306624ea4f13a86f370c1ed2ac21184daf

SHA512
403f50d0578ac5c85b01552ac439a9ad2d29641d7fce5d9b04d46bd08c3409313662195b7b84dceb4f282d85b0e52c0ce5bdaf89dad24b7336410215bc47eb2e

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_nl.dll

Filesize
47KB

MD5
e8a935a73c3ab63a5a34d0d70a990d76

SHA1
71e1d16c2a91e4f4ab1364f70d227e22c608f4f9

SHA256
5884ef775deecf19642fc4a9ee1414077afc3665d3584eadd03057c6f7623131

SHA512
b3b81ef1118b3fc128599c727518eafe49972cd74147f5cccbd60629a7924368f88f1a1b91a70c79412cb80cfcd387d5068f17309ae8e6912c50d7d30f7e8075

Download Submit
C:\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_no.dll

Filesize
46KB

MD5
9121b0fef20b7627184c64ddfac947e3

SHA1
90caa41d7d4b47830975bd673f45e68d2cebcd9f

SHA256
78a882229ca5f5a8cb5ca2b5eb920c4021ea153e09d304870e8c4ebbf598c5e2

SHA512
e02bdd71e4af3afb1710b32d8ec1860ad5e1682ba58d66aa02eeb57ec5b36ea238b0bf2cab7e9f10f44e7da21d2d08d4ea357621638d577ac5e73f5a0ad8c8fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2d6bb4af6b707d87f3fdbac9253f038c

SHA1
98a0580ccff838f13c4f458dfcaa47bd435fa55c

SHA256
a0b08cb1da194a05920036f092e32efafc8c99c61fa2b6a031043bf65ea7ab57

SHA512
77242d0882560514ec516e6dd70b59a89cd1a3f70a4bb0eae3d1d34cbfc06c27afcd91d77d7595fdb4da17d882047e6253be35243643ed94f9ce1cc2b0272ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1A54.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-93e92aed-3951-48d8-9a47-81fce0bc84a4\files.cab

Filesize
1.6MB

MD5
d24074f9a357fe5a58eccff4f9bcabd6

SHA1
a808b1a5b71d9279e45ea36f2a91c103c9daa756

SHA256
fcbceca8ee83a2603cc8a06d8466c44f2cc317102522775c053b2f185e092e6e

SHA512
7fc6b156652e282391dabf89e4468424574347ba55e93ae7cc632c1b5af81ac31d1bdf7d415d20a12c22e7f44bf8aed88911277ec6c6e89f819618282bcb118b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-93e92aed-3951-48d8-9a47-81fce0bc84a4\files\BraveBrowserSetup-VER979.exe

Filesize
1.2MB

MD5
42eb61652cab74e10a299c1e131bd411

SHA1
9ab7df40383cbd27f015ef45cac22e7009a6f595

SHA256
23e3ce03feb8101b0593e2cdcc922a8c6e857c3d96766ee3259d2a0e89c0e494

SHA512
fa8b2ba22defdc080abe8093b676a11addbb6b16c42fae08349f7b333cf1fdef1c3fbf87f84a8e993eb7e8ce4c8dcd16a91cf6b4ea680fae21900144085b338b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-93e92aed-3951-48d8-9a47-81fce0bc84a4\files\browser-up.exe

Filesize
421KB

MD5
008eef0c6451d5dfaee2b1e702ae347c

SHA1
3c46394e7b321b894b7665b6b4839c5aa16e9fa9

SHA256
90406d0fc975f342f0e20b49e7946e891392eb06bfc8cc5f3b9b8c86b7c1b17a

SHA512
c133f7203d1647a3e0ebd533a0c9e616f1e50e5e7fa0925313e41da42fecb1063f63dacd59e9c69c0dbaeb887d78dae9a386993a618a926d34dde7d9ec98286f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-93e92aed-3951-48d8-9a47-81fce0bc84a4\files\copy.bat

Filesize
239B

MD5
6d9565a140a38c01e286b7fe70bd9407

SHA1
75b2acc663522a9b604064d9d15ac1a9ff4586b1

SHA256
e829155df8e444ed96a60c9da849bc3ae80a4756760b69bb4bb28330140eb460

SHA512
7d0f55facccddac24c45cfff4fe030effc177408db4ba1d08726b36b6ef2240a95890d2ffe966f0083dc53406d7ca4a354836669eb10a2d48dc8ad19dc450a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-93e92aed-3951-48d8-9a47-81fce0bc84a4\msiwrapper.ini

Filesize
1KB

MD5
b7c9bf7e208fcaed216b0d8c405684e1

SHA1
ac11ee38ee4e07935da77665020aa7f0a1a2a590

SHA256
cd5aa773b492679590992fd98a30ea90f95ced70bd4fa2358ac03e076f1a4c02

SHA512
03bee473f39c15733aede82ea14c5c63a68116e9690341df5be44dbc6da443a42df8246a92d33581ec25457483489012f07eca3238ac37a42ded836cda06c877

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2031.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\Installer\MSI2502.tmp

Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\BraveUpdate.exe

Filesize
158KB

MD5
ba13bd1318d0ae1b441bab405d051ac0

SHA1
7887b25a4a5a3764d466537aac0b4ed2cfc61fec

SHA256
e204bc6ddc8a0c7cc24349aceea633baf46d315db172f153c1a1b4d059caa2e7

SHA512
218104921ffc0008ba5ecb6c88e41e2caad4c68eb74970a858555d82288c28beb987cf66812bcb2488a803cdcdc3887f319661723385b0c5bd11f7098cad6ce0

Download Submit
\Program Files (x86)\BraveSoftware\Temp\GUM6519.tmp\goopdateres_en.dll

Filesize
45KB

MD5
e7cb8a13169f572f1e727fbc79b2bc8b

SHA1
c8f920c371100dafc23370235b4071a8c91f6028

SHA256
80fbbb89ea2f89dbe35fb36707f82abe479c9de60d105db5e9258b88d5e85d5c

SHA512
2c92b99c8fab3b5f90d78ddf92ca6ba6634ae19117ddf5ecc6854719ee391edb7bc2d91ee7b5767c7a87d98e1517aa2cda18ed867e4a61f41771af97734308b7

Download Submit
memory/1892-401-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2568-208-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download