be5dc0d38251a54350c462a7f4a6c70028ee05c01bde5c1974342893bf12ba5e

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Modifies Installed Components in the registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\StubPath = "\"C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\123.1.64.116\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\Localized Name = "Brave"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\ = "Brave"	setup.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe	BraveUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe\DisableExceptionChainValidation = "0"	BraveUpdate.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	BraveUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	brave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	brave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	brave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	brave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	brave.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMA009.tmp\goopdateres_cs.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_en.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_is.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\Install\{F606966A-E73B-4CDF-8FB1-888ACF4975F5}\CR_3347E.tmp\setup.exe	brave_installer-x64.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\Locales\cs.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\VisualElements\Logo.png	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\BraveUpdateComRegisterShell64.exe	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\Locales\fa.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\Locales\sk.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\mojo_core.dll	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\resources\brave_extension\_locales\cs\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\resources\brave_extension\_locales\hr\messages.json	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_1608942565\1\scripts\brave_rewards\publisher\reddit\redditBase.bundle.js	brave.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMA009.tmp\goopdateres_ru.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMA009.tmp\goopdateres_te.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_pl.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\Locales\ms.pak	setup.exe
File created	C:\Program Files\chrome_url_fetcher_2072_1112775058\extension_1_0_14.crx	brave.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\Install\{F606966A-E73B-4CDF-8FB1-888ACF4975F5}\CR_3347E.tmp\CHROME.PACKED.7Z	brave_installer-x64.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\chrome.dll.sig	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\resources\brave_extension\_locales\ar\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\resources\brave_extension\_locales\fr\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\resources\brave_extension\_locales\hi\messages.json	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_224323555\resources.json	brave.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_1833743262\list_catalog.json	brave.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\resources\brave_extension\_locales\th\messages.json	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMA009.tmp\goopdateres_sw.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\libEGL.dll	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\Locales\ja.pak	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_lt.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_sr.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_ta.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\BraveUpdateOnDemand.exe	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\eventlog_provider.dll	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\Locales\sw.pak	setup.exe
File opened for modification	C:\Program Files\BraveSoftware\Brave-Browser\Application\SetupMetrics\20240410135858.pma	chrmstp.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Application\SetupMetrics\ad0af5da-b4b7-42f3-9793-749d81579023.tmp	chrmstp.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMA009.tmp\goopdate.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_es-419.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\resources\brave_extension\_locales\am\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\resources\brave_extension\_locales\ja\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Application\SetupMetrics\6672f464-f2d4-4569-8d40-44c6e14ae3ac.tmp	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_1608942565\1\scripts\brave_rewards\publisher\twitter\twitterBase.bundle.js	brave.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMA009.tmp\goopdateres_gu.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_id.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_th.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\psmachine_64.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\Locales\id.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\resources\brave_extension\_locales\de\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\resources\brave_extension\_locales\sk\messages.json	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_1608942565\1\scripts\brave_rewards\publisher\twitter\twitterAutoContribution.bundle.js	brave.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_1608942565\1\scripts\brave_rewards\publisher\twitch\twitchAutoContribution.bundle.js	brave.exe
File created	C:\Program Files\chrome_url_fetcher_2072_1234456321\khaoiebndkojlmppeemjhbpbandiljpe_63_win_pz5ggrx6ddtwepg55hf2663jnu.crx3	brave.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMA009.tmp\goopdateres_ml.dll	BraveBrowserSetup-VER979.exe
File opened for modification	C:\Program Files (x86)\BraveSoftware\Temp\GUMA009.tmp\BraveUpdateSetup.exe	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_bn.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\Locales\ko.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1144_988605026\Chrome-bin\123.1.64.116\Locales\th.pak	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMA009.tmp\goopdateres_sr.dll	BraveBrowserSetup-VER979.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\goopdateres_fil.dll	BraveUpdate.exe
File created	C:\Program Files\chrome_url_fetcher_2072_955544689\extension_1_0_696.crx	brave.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_1608942565\1\scripts\brave_talk\confabs\oneOnOneMeetings.bundle.js	brave.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_674588644\photo.json	brave.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMA009.tmp\goopdateres_nl.dll	BraveBrowserSetup-VER979.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI750D.tmp	msiexec.exe
File created	C:\Windows\Installer\e579163.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e579163.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI926C.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI751D.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EC86CB51-7016-4AB4-97A7-A6A4AFBFC4EB}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 37 IoCs

pid	Process
5000	browser-up.exe
592	BraveBrowserSetup-VER979.exe
1612	BraveUpdate.exe
3020	BraveUpdate.exe
2960	BraveUpdate.exe
3496	BraveUpdateComRegisterShell64.exe
688	BraveUpdateComRegisterShell64.exe
3312	BraveUpdateComRegisterShell64.exe
2392	BraveUpdate.exe
820	BraveUpdate.exe
1088	BraveUpdate.exe
4360	brave_installer-x64.exe
1144	setup.exe
1284	setup.exe
3472	setup.exe
2676	setup.exe
4968	BraveUpdateOnDemand.exe
2424	BraveUpdate.exe
2092	BraveUpdate.exe
2072	brave.exe
3816	brave.exe
3084	brave.exe
3888	brave.exe
2552	brave.exe
4640	brave.exe
3288	brave.exe
5104	brave.exe
4496	brave.exe
368	brave.exe
2944	brave.exe
4920	brave.exe
1116	chrmstp.exe
1148	chrmstp.exe
3600	brave.exe
4384	chrmstp.exe
4600	chrmstp.exe
5168	brave.exe

Loads dropped DLL 52 IoCs

pid	Process
4748	MsiExec.exe
1612	BraveUpdate.exe
3020	BraveUpdate.exe
2960	BraveUpdate.exe
3496	BraveUpdateComRegisterShell64.exe
2960	BraveUpdate.exe
688	BraveUpdateComRegisterShell64.exe
2960	BraveUpdate.exe
3312	BraveUpdateComRegisterShell64.exe
2960	BraveUpdate.exe
2392	BraveUpdate.exe
820	BraveUpdate.exe
1088	BraveUpdate.exe
1088	BraveUpdate.exe
820	BraveUpdate.exe
2424	BraveUpdate.exe
2424	BraveUpdate.exe
2072	brave.exe
2092	BraveUpdate.exe
3816	brave.exe
2072	brave.exe
4748	MsiExec.exe
3084	brave.exe
3888	brave.exe
3888	brave.exe
3084	brave.exe
2552	brave.exe
3084	brave.exe
3084	brave.exe
3084	brave.exe
2552	brave.exe
3084	brave.exe
3084	brave.exe
3084	brave.exe
4640	brave.exe
4640	brave.exe
3288	brave.exe
3288	brave.exe
5104	brave.exe
5104	brave.exe
4496	brave.exe
4496	brave.exe
368	brave.exe
368	brave.exe
2944	brave.exe
2944	brave.exe
4920	brave.exe
4920	brave.exe
3600	brave.exe
3600	brave.exe
5168	brave.exe
5168	brave.exe

Registers COM server for autorun 1 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\InProcServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.101.0\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\InProcServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.101.0\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\InProcServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.101.0\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06C9646D-2807-44C0-97D2-6DA0DB623DB4}\LocalServer32\ServerExecutable = "C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\123.1.64.116\\notification_helper.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.101.0\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\InProcServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.101.0\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.101.0\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\InProcServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\InProcServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\InProcServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\InProcServer32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{06C9646D-2807-44C0-97D2-6DA0DB623DB4}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5A27D85-3D4F-4806-933C-7B4E566E375A}\InProcServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06C9646D-2807-44C0-97D2-6DA0DB623DB4}\LocalServer32\ = "\"C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\123.1.64.116\\notification_helper.exe\""	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007667065a040ee7130000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007667065a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809007667065a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d7667065a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007667065a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	brave.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	brave.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	brave.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	brave.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133572311382897586"	brave.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C663DEBB-F082-4971-9F6E-35DE45C96F4E}\ = "IPackage"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C663DEBB-F082-4971-9F6E-35DE45C96F4E}\ = "IPackage"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7FF255A-A593-41BD-A69B-E05D72B72756}\VersionIndependentProgID	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD84E356-3D21-44C8-83DD-6BEEC22FA427}\NumMethods	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C929BFE-4FA4-488D-B1E2-82ECD6F076C8}\NumMethods\ = "5"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19F4616B-B7DD-4B3F-8084-C81C5C77AAA4}\NumMethods	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.OnDemandCOMClassSvc\CLSID	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAE4AD28-500D-43BA-9F54-730CA146C190}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C929BFE-4FA4-488D-B1E2-82ECD6F076C8}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19F4616B-B7DD-4B3F-8084-C81C5C77AAA4}\ = "IAppCommandWeb"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7CB305B1-4D45-4668-AD91-677F87BED305}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F396861E-0C8E-4C71-8256-2FAE6D759CE9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveFile\AppUserModelId = "Brave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A9D7221-2278-41DD-930B-C2356B7D3725}\ = "BraveUpdate Update3Web"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1985533F-9B0F-490A-85C5-24F316E66FB2}\NumMethods\ = "41"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FB43AAD0-DDBA-4D01-A3E0-FAB100E7926B}\NumMethods\ = "17"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5627FC9-E2F0-484B-89A4-5DACFE7FAAD3}\ProxyStubClsid32	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91B050A9-5A49-4249-A8C8-B4390961A912}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7D7525F-5DF4-4C9D-8781-C02F39F973E6}\ = "Google Update Legacy On Demand"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\ = "IAppBundleWeb"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\NumMethods\ = "24"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4BCDF52-2179-4C77-8C5F-B8095712B563}\NumMethods	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.ProcessLauncher\CurVer	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveFile\Application\ApplicationName = "Brave"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAE4AD28-500D-43BA-9F54-730CA146C190}\NumMethods	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19F4616B-B7DD-4B3F-8084-C81C5C77AAA4}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A147722A-5568-4B84-B401-86D744470CBF}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9190589-ECEC-43F8-8AEC-62496BB87B26}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D5627FC9-E2F0-484B-89A4-5DACFE7FAAD3}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.CoreMachineClass\ = "Google Update Core Class"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9190589-ECEC-43F8-8AEC-62496BB87B26}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C663DEBB-F082-4971-9F6E-35DE45C96F4E}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3282EB12-D954-4FD2-A2E1-C942C8745C65}\ProgID	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B9AEB1CC-DF9B-45CB-B70B-084D2E869A1C}\LocalServer32	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.OnDemandCOMClassSvc.1.0	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35A4470F-5EEC-4715-A2DC-6AA9F8E21183}\NumMethods	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD84E356-3D21-44C8-83DD-6BEEC22FA427}\NumMethods\ = "4"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19F4616B-B7DD-4B3F-8084-C81C5C77AAA4}\ = "IAppCommandWeb"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6836CFF-5949-44BC-B6BE-9C8C48DD8D97}\NumMethods\ = "24"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D5627FC9-E2F0-484B-89A4-5DACFE7FAAD3}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{660130E8-74E4-4821-A6FD-4E9A86E06470}	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C663DEBB-F082-4971-9F6E-35DE45C96F4E}\ProxyStubClsid32	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A147722A-5568-4B84-B401-86D744470CBF}	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4BCDF52-2179-4C77-8C5F-B8095712B563}\ProxyStubClsid32\ = "{B5A27D85-3D4F-4806-933C-7B4E566E375A}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91B050A9-5A49-4249-A8C8-B4390961A912}	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10479D64-2C5F-46CD-9BC8-FD04FF4D02D8}	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F234546B-DACD-4374-97CF-7BADFAB76766}	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A24060E-533F-4962-9E15-34BD82555FA7}\NumMethods\ = "10"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1985533F-9B0F-490A-85C5-24F316E66FB2}\NumMethods\ = "41"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F65EDCA-A4BF-47E9-9200-DA0CE4F413F2}	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C11C073F-E6D0-4EF7-897B-AAF52498CD2F}	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1985533F-9B0F-490A-85C5-24F316E66FB2}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.CredentialDialogMachine.1.0	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24D704AD-AC42-49F2-BB4F-68BA77C98E91}\ProxyStubClsid32	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C929BFE-4FA4-488D-B1E2-82ECD6F076C8}	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C929BFE-4FA4-488D-B1E2-82ECD6F076C8}\ = "IGoogleUpdate"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.OnDemandCOMClassMachine\CLSID\ = "{28C83F57-E4C0-4B54-B187-585C51EE8F9C}"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F396861E-0C8E-4C71-8256-2FAE6D759CE9}\ = "Interface {F396861E-0C8E-4C71-8256-2FAE6D759CE9}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\BraveHTML\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A147722A-5568-4B84-B401-86D744470CBF}\ = "IApp2"	BraveUpdate.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2768	msiexec.exe
2768	msiexec.exe
1612	BraveUpdate.exe
1612	BraveUpdate.exe
1612	BraveUpdate.exe
1612	BraveUpdate.exe
1612	BraveUpdate.exe
1612	BraveUpdate.exe
820	BraveUpdate.exe
820	BraveUpdate.exe
2092	BraveUpdate.exe
2092	BraveUpdate.exe
1612	BraveUpdate.exe
1612	BraveUpdate.exe
1612	BraveUpdate.exe
1612	BraveUpdate.exe
2072	brave.exe
2072	brave.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2072	brave.exe
2072	brave.exe
2072	brave.exe
2072	brave.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2004	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2004	msiexec.exe
Token: SeSecurityPrivilege	2768	msiexec.exe
Token: SeCreateTokenPrivilege	2004	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2004	msiexec.exe
Token: SeLockMemoryPrivilege	2004	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2004	msiexec.exe
Token: SeMachineAccountPrivilege	2004	msiexec.exe
Token: SeTcbPrivilege	2004	msiexec.exe
Token: SeSecurityPrivilege	2004	msiexec.exe
Token: SeTakeOwnershipPrivilege	2004	msiexec.exe
Token: SeLoadDriverPrivilege	2004	msiexec.exe
Token: SeSystemProfilePrivilege	2004	msiexec.exe
Token: SeSystemtimePrivilege	2004	msiexec.exe
Token: SeProfSingleProcessPrivilege	2004	msiexec.exe
Token: SeIncBasePriorityPrivilege	2004	msiexec.exe
Token: SeCreatePagefilePrivilege	2004	msiexec.exe
Token: SeCreatePermanentPrivilege	2004	msiexec.exe
Token: SeBackupPrivilege	2004	msiexec.exe
Token: SeRestorePrivilege	2004	msiexec.exe
Token: SeShutdownPrivilege	2004	msiexec.exe
Token: SeDebugPrivilege	2004	msiexec.exe
Token: SeAuditPrivilege	2004	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2004	msiexec.exe
Token: SeChangeNotifyPrivilege	2004	msiexec.exe
Token: SeRemoteShutdownPrivilege	2004	msiexec.exe
Token: SeUndockPrivilege	2004	msiexec.exe
Token: SeSyncAgentPrivilege	2004	msiexec.exe
Token: SeEnableDelegationPrivilege	2004	msiexec.exe
Token: SeManageVolumePrivilege	2004	msiexec.exe
Token: SeImpersonatePrivilege	2004	msiexec.exe
Token: SeCreateGlobalPrivilege	2004	msiexec.exe
Token: SeBackupPrivilege	3128	vssvc.exe
Token: SeRestorePrivilege	3128	vssvc.exe
Token: SeAuditPrivilege	3128	vssvc.exe
Token: SeBackupPrivilege	2768	msiexec.exe
Token: SeRestorePrivilege	2768	msiexec.exe
Token: SeRestorePrivilege	2768	msiexec.exe
Token: SeTakeOwnershipPrivilege	2768	msiexec.exe
Token: SeRestorePrivilege	2768	msiexec.exe
Token: SeTakeOwnershipPrivilege	2768	msiexec.exe
Token: SeBackupPrivilege	4312	srtasks.exe
Token: SeRestorePrivilege	4312	srtasks.exe
Token: SeSecurityPrivilege	4312	srtasks.exe
Token: SeTakeOwnershipPrivilege	4312	srtasks.exe
Token: SeBackupPrivilege	4312	srtasks.exe
Token: SeRestorePrivilege	4312	srtasks.exe
Token: SeSecurityPrivilege	4312	srtasks.exe
Token: SeTakeOwnershipPrivilege	4312	srtasks.exe
Token: SeDebugPrivilege	1612	BraveUpdate.exe
Token: SeDebugPrivilege	1612	BraveUpdate.exe
Token: SeDebugPrivilege	1612	BraveUpdate.exe
Token: 33	4360	brave_installer-x64.exe
Token: SeIncBasePriorityPrivilege	4360	brave_installer-x64.exe
Token: SeDebugPrivilege	820	BraveUpdate.exe
Token: SeDebugPrivilege	2092	BraveUpdate.exe
Token: SeDebugPrivilege	1612	BraveUpdate.exe
Token: SeRestorePrivilege	2768	msiexec.exe
Token: SeTakeOwnershipPrivilege	2768	msiexec.exe
Token: SeRestorePrivilege	2768	msiexec.exe
Token: SeTakeOwnershipPrivilege	2768	msiexec.exe
Token: SeShutdownPrivilege	2072	brave.exe
Token: SeCreatePagefilePrivilege	2072	brave.exe
Token: SeShutdownPrivilege	2072	brave.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2004	msiexec.exe
3472	setup.exe
2004	msiexec.exe
2072	brave.exe
2072	brave.exe
2072	brave.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5000	browser-up.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 4312	2768	msiexec.exe	100
PID 2768 wrote to memory of 4312	2768	msiexec.exe	100
PID 2768 wrote to memory of 4748	2768	msiexec.exe	102
PID 2768 wrote to memory of 4748	2768	msiexec.exe	102
PID 2768 wrote to memory of 4748	2768	msiexec.exe	102
PID 4748 wrote to memory of 4868	4748	MsiExec.exe	103
PID 4748 wrote to memory of 4868	4748	MsiExec.exe	103
PID 4748 wrote to memory of 4868	4748	MsiExec.exe	103
PID 4748 wrote to memory of 4848	4748	MsiExec.exe	105
PID 4748 wrote to memory of 4848	4748	MsiExec.exe	105
PID 4748 wrote to memory of 4848	4748	MsiExec.exe	105
PID 4748 wrote to memory of 4668	4748	MsiExec.exe	107
PID 4748 wrote to memory of 4668	4748	MsiExec.exe	107
PID 4748 wrote to memory of 4668	4748	MsiExec.exe	107
PID 4668 wrote to memory of 5000	4668	cmd.exe	109
PID 4668 wrote to memory of 5000	4668	cmd.exe	109
PID 4668 wrote to memory of 5000	4668	cmd.exe	109
PID 4748 wrote to memory of 592	4748	MsiExec.exe	110
PID 4748 wrote to memory of 592	4748	MsiExec.exe	110
PID 4748 wrote to memory of 592	4748	MsiExec.exe	110
PID 592 wrote to memory of 1612	592	BraveBrowserSetup-VER979.exe	111
PID 592 wrote to memory of 1612	592	BraveBrowserSetup-VER979.exe	111
PID 592 wrote to memory of 1612	592	BraveBrowserSetup-VER979.exe	111
PID 1612 wrote to memory of 3020	1612	BraveUpdate.exe	112
PID 1612 wrote to memory of 3020	1612	BraveUpdate.exe	112
PID 1612 wrote to memory of 3020	1612	BraveUpdate.exe	112
PID 1612 wrote to memory of 2960	1612	BraveUpdate.exe	113
PID 1612 wrote to memory of 2960	1612	BraveUpdate.exe	113
PID 1612 wrote to memory of 2960	1612	BraveUpdate.exe	113
PID 2960 wrote to memory of 3496	2960	BraveUpdate.exe	114
PID 2960 wrote to memory of 3496	2960	BraveUpdate.exe	114
PID 2960 wrote to memory of 688	2960	BraveUpdate.exe	115
PID 2960 wrote to memory of 688	2960	BraveUpdate.exe	115
PID 2960 wrote to memory of 3312	2960	BraveUpdate.exe	116
PID 2960 wrote to memory of 3312	2960	BraveUpdate.exe	116
PID 1612 wrote to memory of 2392	1612	BraveUpdate.exe	117
PID 1612 wrote to memory of 2392	1612	BraveUpdate.exe	117
PID 1612 wrote to memory of 2392	1612	BraveUpdate.exe	117
PID 1612 wrote to memory of 820	1612	BraveUpdate.exe	118
PID 1612 wrote to memory of 820	1612	BraveUpdate.exe	118
PID 1612 wrote to memory of 820	1612	BraveUpdate.exe	118
PID 1088 wrote to memory of 4360	1088	BraveUpdate.exe	122
PID 1088 wrote to memory of 4360	1088	BraveUpdate.exe	122
PID 4360 wrote to memory of 1144	4360	brave_installer-x64.exe	123
PID 4360 wrote to memory of 1144	4360	brave_installer-x64.exe	123
PID 1144 wrote to memory of 1284	1144	setup.exe	124
PID 1144 wrote to memory of 1284	1144	setup.exe	124
PID 1144 wrote to memory of 3472	1144	setup.exe	125
PID 1144 wrote to memory of 3472	1144	setup.exe	125
PID 3472 wrote to memory of 2676	3472	setup.exe	126
PID 3472 wrote to memory of 2676	3472	setup.exe	126
PID 4968 wrote to memory of 2424	4968	BraveUpdateOnDemand.exe	129
PID 4968 wrote to memory of 2424	4968	BraveUpdateOnDemand.exe	129
PID 4968 wrote to memory of 2424	4968	BraveUpdateOnDemand.exe	129
PID 1088 wrote to memory of 2092	1088	BraveUpdate.exe	131
PID 1088 wrote to memory of 2092	1088	BraveUpdate.exe	131
PID 1088 wrote to memory of 2092	1088	BraveUpdate.exe	131
PID 2424 wrote to memory of 2072	2424	BraveUpdate.exe	130
PID 2424 wrote to memory of 2072	2424	BraveUpdate.exe	130
PID 2072 wrote to memory of 3816	2072	brave.exe	132
PID 2072 wrote to memory of 3816	2072	brave.exe	132
PID 4748 wrote to memory of 3088	4748	MsiExec.exe	133
PID 4748 wrote to memory of 3088	4748	MsiExec.exe	133
PID 4748 wrote to memory of 3088	4748	MsiExec.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\be5dc0d38251a54350c462a7f4a6c70028ee05c01bde5c1974342893bf12ba5e.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2004

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4312
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E58F3CC8E263E093E58485402A23FEF2
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ea4271a8-713d-4099-987a-85975499cc5c\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4868
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MW-ea4271a8-713d-4099-987a-85975499cc5c\files\copy.bat" "
    3⤵
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\browser-up.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\browser-up.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5000
- - C:\Users\Admin\AppData\Local\Temp\MW-ea4271a8-713d-4099-987a-85975499cc5c\files\BraveBrowserSetup-VER979.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-ea4271a8-713d-4099-987a-85975499cc5c\files\BraveBrowserSetup-VER979.exe" /install
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\Program Files (x86)\BraveSoftware\Temp\GUMA009.tmp\BraveUpdate.exe
      "C:\Program Files (x86)\BraveSoftware\Temp\GUMA009.tmp\BraveUpdate.exe" /install "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=x64-rel&referral=none"
      4⤵
      Sets file execution options in registry
      Checks computer location settings
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3020
    - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\BraveUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\BraveUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3496
      - C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\BraveUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\BraveUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:688
      - C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\BraveUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\BraveUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3312
    - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xMDEuMCIgc2hlbGxfdmVyc2lvbj0iMS4zLjEwMS4wIiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezU0NzQxNjQzLTZBMjktNDNDQy1CQ0FBLUIyQkY4RkIxQjM1Nn0iIGluc3RhbGxzb3VyY2U9Im90aGVyaW5zdGFsbGNtZCIgdGVzdHNvdXJjZT0iYXV0byIgcmVxdWVzdGlkPSJ7MjQ3MTU2RTUtN0Q0OS00NDExLTg4REYtMDdFRjBGQTcwQzQ2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSI4IiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9IntCMTMxQzkzNS05QkU2LTQxREEtOTU5OS0xRjc3NkJFQjgwMTl9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMTAxLjAiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iOTg1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2392
    - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /handoff "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=x64-rel&referral=none" /installsource otherinstallcmd /sessionid "{54741643-6A29-43CC-BCAA-B2BF8FB1B356}"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:820
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ea4271a8-713d-4099-987a-85975499cc5c\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:3088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Program Files (x86)\BraveSoftware\Update\Install\{F606966A-E73B-4CDF-8FB1-888ACF4975F5}\brave_installer-x64.exe
  "C:\Program Files (x86)\BraveSoftware\Update\Install\{F606966A-E73B-4CDF-8FB1-888ACF4975F5}\brave_installer-x64.exe" --do-not-launch-chrome
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Program Files (x86)\BraveSoftware\Update\Install\{F606966A-E73B-4CDF-8FB1-888ACF4975F5}\CR_3347E.tmp\setup.exe
    "C:\Program Files (x86)\BraveSoftware\Update\Install\{F606966A-E73B-4CDF-8FB1-888ACF4975F5}\CR_3347E.tmp\setup.exe" --install-archive="C:\Program Files (x86)\BraveSoftware\Update\Install\{F606966A-E73B-4CDF-8FB1-888ACF4975F5}\CR_3347E.tmp\CHROME.PACKED.7Z" --do-not-launch-chrome
    3⤵
    - Modifies Installed Components in the registry
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Registers COM server for autorun
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Program Files (x86)\BraveSoftware\Update\Install\{F606966A-E73B-4CDF-8FB1-888ACF4975F5}\CR_3347E.tmp\setup.exe
      "C:\Program Files (x86)\BraveSoftware\Update\Install\{F606966A-E73B-4CDF-8FB1-888ACF4975F5}\CR_3347E.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=123.1.64.116 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff7c563efc0,0x7ff7c563efcc,0x7ff7c563efd8
      4⤵
      Executes dropped EXE
      PID:1284
  - - C:\Program Files (x86)\BraveSoftware\Update\Install\{F606966A-E73B-4CDF-8FB1-888ACF4975F5}\CR_3347E.tmp\setup.exe
      "C:\Program Files (x86)\BraveSoftware\Update\Install\{F606966A-E73B-4CDF-8FB1-888ACF4975F5}\CR_3347E.tmp\setup.exe" --system-level --verbose-logging --create-shortcuts=0 --install-level=1
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3472
    - - C:\Program Files (x86)\BraveSoftware\Update\Install\{F606966A-E73B-4CDF-8FB1-888ACF4975F5}\CR_3347E.tmp\setup.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\Install\{F606966A-E73B-4CDF-8FB1-888ACF4975F5}\CR_3347E.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=123.1.64.116 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff7c563efc0,0x7ff7c563efcc,0x7ff7c563efd8
        5⤵
        Executes dropped EXE
        
        PID:2676
- C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
  "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xMDEuMCIgc2hlbGxfdmVyc2lvbj0iMS4zLjEwMS4wIiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezU0NzQxNjQzLTZBMjktNDNDQy1CQ0FBLUIyQkY4RkIxQjM1Nn0iIGluc3RhbGxzb3VyY2U9Im90aGVyaW5zdGFsbGNtZCIgdGVzdHNvdXJjZT0iYXV0byIgcmVxdWVzdGlkPSJ7MDBBNzUxODctRTA3Ni00RDY1LTlCMjYtMDg3MUMyRUQ4NTVEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSI4IiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9IntBRkU2QTQ2Mi1DNTc0LTRCOEEtQUY0My00Q0M2MERGNDU2M0J9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMjMuMS42NC4xMTYiIGFwPSJ4NjQtcmVsIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cHM6Ly91cGRhdGVzLWNkbi5icmF2ZXNvZnR3YXJlLmNvbS9idWlsZC9CcmF2ZS1SZWxlYXNlL3g2NC1yZWwvd2luLzEyMy4xLjY0LjExNi9icmF2ZV9pbnN0YWxsZXIteDY0LmV4ZSIgZG93bmxvYWRlZD0iMTI2MzA0NzkyIiB0b3RhbD0iMTI2MzA0NzkyIiBkb3dubG9hZF90aW1lX21zPSIxMTc5NyIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc291cmNlX3VybF9pbmRleD0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9Ijc5NyIgZG93bmxvYWRfdGltZV9tcz0iMTI4MjkiIGRvd25sb2FkZWQ9IjEyNjMwNDc5MiIgdG90YWw9IjEyNjMwNDc5MiIgaW5zdGFsbF90aW1lX21zPSIzMjM0NCIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092

C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\BraveUpdateOnDemand.exe
"C:\Program Files (x86)\BraveSoftware\Update\1.3.101.0\BraveUpdateOnDemand.exe" -Embedding
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
  "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ondemand
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
    "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --from-installer
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=123.1.64.116 --initial-client-data=0xf4,0xf8,0xfc,0xd0,0x100,0x7ffca4f9ec50,0x7ffca4f9ec5c,0x7ffca4f9ec68
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3816
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=gpu-process --no-appcompat-clear --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,16766281494124116145,2863530273270169692,262144 --variations-seed-version --mojo-platform-channel-handle=1836 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3084
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --start-stack-profiler --field-trial-handle=2136,i,16766281494124116145,2863530273270169692,262144 --variations-seed-version --mojo-platform-channel-handle=1992 /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3888
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2352,i,16766281494124116145,2863530273270169692,262144 --variations-seed-version --mojo-platform-channel-handle=2524 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2552
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --no-appcompat-clear --start-stack-profiler --brave_session_token=5124794315489563505 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3372,i,16766281494124116145,2863530273270169692,262144 --variations-seed-version --mojo-platform-channel-handle=3412 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:4640
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --no-appcompat-clear --brave_session_token=5124794315489563505 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3400,i,16766281494124116145,2863530273270169692,262144 --variations-seed-version --mojo-platform-channel-handle=3472 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:3288
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --extension-process --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --no-appcompat-clear --brave_session_token=5124794315489563505 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=4092,i,16766281494124116145,2863530273270169692,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:2
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:5104
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --extension-process --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --no-appcompat-clear --brave_session_token=5124794315489563505 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4516,i,16766281494124116145,2863530273270169692,262144 --variations-seed-version --mojo-platform-channel-handle=3368 /prefetch:2
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:4496
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4156,i,16766281494124116145,2863530273270169692,262144 --variations-seed-version --mojo-platform-channel-handle=3376 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:368
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\123.1.64.116\Installer\chrmstp.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\123.1.64.116\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      PID:1116
    - - C:\Program Files\BraveSoftware\Brave-Browser\Application\123.1.64.116\Installer\chrmstp.exe
        
        "C:\Program Files\BraveSoftware\Brave-Browser\Application\123.1.64.116\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=123.1.64.116 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff77a27efc0,0x7ff77a27efcc,0x7ff77a27efd8
        5⤵
        Executes dropped EXE
        
        PID:1148
    - - C:\Program Files\BraveSoftware\Brave-Browser\Application\123.1.64.116\Installer\chrmstp.exe
        
        "C:\Program Files\BraveSoftware\Brave-Browser\Application\123.1.64.116\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\BraveSoftware\Brave-Browser\Application\master_preferences" --create-shortcuts=1 --install-level=0
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        
        PID:4384
      - C:\Program Files\BraveSoftware\Brave-Browser\Application\123.1.64.116\Installer\chrmstp.exe
        
        "C:\Program Files\BraveSoftware\Brave-Browser\Application\123.1.64.116\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=123.1.64.116 --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x7ff77a27efc0,0x7ff77a27efcc,0x7ff77a27efd8
        6⤵
        Executes dropped EXE
        
        PID:4600
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,16766281494124116145,2863530273270169692,262144 --variations-seed-version --mojo-platform-channel-handle=5280 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2944
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5252,i,16766281494124116145,2863530273270169692,262144 --variations-seed-version --mojo-platform-channel-handle=5424 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4920
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4988,i,16766281494124116145,2863530273270169692,262144 --variations-seed-version --mojo-platform-channel-handle=5416 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3600
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5576,i,16766281494124116145,2863530273270169692,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5168
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2424,i,16766281494124116145,2863530273270169692,262144 --variations-seed-version --mojo-platform-channel-handle=5752 /prefetch:8
      4⤵
      PID:5336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery