lockbit | hxxps://gofile[.]io/d/YHZWCx

Analysis

max time kernel
816s
max time network
818s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09-01-2025 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/YHZWCx

Score

10^/10

lockbit purecrypter remcos remco defense_evasion discovery downloader execution loader persistence privilege_escalation ransomware rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

Remco

87.120.116.245:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-0PJCBG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

purecrypter

https://www.vascocorretora.com.br/PPI/Lhysknv.dat

Extracted

Path

C:\5VFg9o5tW.README.txt

Ransom Note

------Dear managers!------ If you are reading this, it means your network has been attacked. What does that mean? We hacked your network and now all your files, documents, client database, projects and other important data safely encrypted with reliable algorithms. we also have a copy of all your data. WARNING!!! You don't have to go to the POLICE, etc. Otherwise we will not be able to help you. You cannot acces the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. As proof, we can decrypt any 3 files you provide. We are not interested to ruin your business. We want to get ransom and be happy. Please bring this information to your team leaders as soon as possible. In case of a successfull transaction, we will restore your systems within 4-6 hours and also provide security recommendations. -----------------------WARNING----------------------- If you modify files - our decrypt software won't able to recover data If you use third party software - you can damage/modify files (see item 1) You nedd cipher key / our decrypt software to restore you files. The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -----------------------RECOVERY----------------------- Use email: [email protected] Alternative email address: [email protected] ([email protected]) ID message: c5337115f1d1a

Emails

[email protected]

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Purecrypter family
purecrypter
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002ab85-170.dat	family_lockbit

Renames multiple (508) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\Localized Name = "Brave"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\ = "Brave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\StubPath = "\"C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\131.1.73.105\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1156	powershell.exe

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe	BraveUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe\DisableExceptionChainValidation = "0"	BraveUpdate.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
5112	systeminformer-3.2.25004-release-setup.exe
2140	SystemInformer.exe
1008	SheetRAT.exe
236	AsyncRAT.exe
4632	DCRat.exe
3080	RemcosRAT.exe
476	spoolsv.exe
2212	RemcosRAT.exe
2492	spoolsv.exe
2108	PureCrypter.exe
800	spoolsv.exe
3460	BlackMatter Ransomware.exe
1220	spoolsv.exe
1228	3204.tmp
3552	spoolsv.exe
4072	spoolsv.exe
4364	spoolsv.exe
748	spoolsv.exe
2528	spoolsv.exe
4288	spoolsv.exe
4588	BraveBrowserSetup-BRV002.exe
1236	BraveUpdate.exe
2756	BraveUpdate.exe
2528	BraveUpdate.exe
4000	BraveUpdateComRegisterShell64.exe
3780	BraveUpdateComRegisterShell64.exe
3264	BraveUpdateComRegisterShell64.exe
2468	BraveUpdate.exe
4348	BraveUpdate.exe
4972	BraveUpdate.exe
5800	brave_installer-x64.exe
5844	setup.exe
5864	setup.exe
5916	spoolsv.exe
6032	setup.exe
6048	setup.exe
3520	BraveUpdate.exe
4100	BraveUpdateOnDemand.exe
5196	BraveUpdate.exe
2456	brave.exe
5256	brave.exe
5392	elevation_service.exe
4808	brave.exe
2648	brave.exe
4584	brave.exe
3824	brave.exe
5460	brave.exe
6132	spoolsv.exe
4416	brave.exe
4712	brave.exe
3280	brave.exe
5456	brave.exe
5596	brave.exe
5796	brave.exe
5164	brave.exe
2344	brave.exe
5856	chrmstp.exe
5196	chrmstp.exe
4316	chrmstp.exe
3164	chrmstp.exe
424	brave.exe
480	brave.exe
1564	brave.exe
2968	brave.exe

Loads dropped DLL 64 IoCs

pid	Process
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
1236	BraveUpdate.exe
2756	BraveUpdate.exe
2528	BraveUpdate.exe
4000	BraveUpdateComRegisterShell64.exe
2528	BraveUpdate.exe
3780	BraveUpdateComRegisterShell64.exe
2528	BraveUpdate.exe
3264	BraveUpdateComRegisterShell64.exe
2528	BraveUpdate.exe
2468	BraveUpdate.exe
4348	BraveUpdate.exe
4972	BraveUpdate.exe
4972	BraveUpdate.exe
4348	BraveUpdate.exe
3520	BraveUpdate.exe
5196	BraveUpdate.exe
5196	BraveUpdate.exe
2456	brave.exe
5256	brave.exe
2456	brave.exe
4808	brave.exe
2648	brave.exe
4808	brave.exe
2648	brave.exe
4584	brave.exe
4808	brave.exe
4808	brave.exe
4808	brave.exe
4584	brave.exe
4808	brave.exe
4808	brave.exe
4808	brave.exe
3824	brave.exe
5460	brave.exe
3824	brave.exe
5460	brave.exe
4416	brave.exe
4416	brave.exe
4712	brave.exe
4712	brave.exe
3280	brave.exe
3280	brave.exe
5456	brave.exe
5596	brave.exe
5456	brave.exe
5596	brave.exe
5796	brave.exe
5796	brave.exe
5164	brave.exe
5164	brave.exe
2344	brave.exe
2344	brave.exe
424	brave.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2253712635-4068079004-3870069674-1000\desktop.ini	BlackMatter Ransomware.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2253712635-4068079004-3870069674-1000\desktop.ini	BlackMatter Ransomware.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	brave.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	brave.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	brave.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	brave.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1228	3204.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3080 set thread context of 2212	3080	RemcosRAT.exe	157

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\Locales\hr.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\chrome_proxy.exe	setup.exe
File created	C:\Program Files\SystemInformer\SystemInformer.exe	systeminformer-3.2.25004-release-setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_bg.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\BraveVpnWireguardService\brave_vpn_wireguard_service.exe	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\Locales\da.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\id\messages.json	setup.exe
File created	C:\Program Files\SystemInformer\ksidyn.sig	systeminformer-3.2.25004-release-setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_kn.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\BraveVpnWireguardService\tunnel.dll	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\Locales\sk.pak	setup.exe
File created	C:\Program Files\SystemInformer\plugins\WindowExplorer.sig	systeminformer-3.2.25004-release-setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\brave.exe.sig	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\mr\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\Installer\setup.exe	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveCrashHandler64.exe	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\Install\{604729C0-28D9-4D4D-ACF0-06FEC1B1CF76}\brave_installer-x64.exe	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\de\messages.json	setup.exe
File opened for modification	C:\Program Files (x86)\BraveSoftware\Update\Install\{604729C0-28D9-4D4D-ACF0-06FEC1B1CF76}\CR_94047.tmp\setup.exe	brave_installer-x64.exe
File created	C:\Program Files\SystemInformer\plugins\ExtendedServices.sig	systeminformer-3.2.25004-release-setup.exe
File created	C:\Program Files (x86)\Windows Sidebar\csrss.exe\:Zone.Identifier:$DATA	DCRat.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdate.exe	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_th.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\Locales\fa.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\Locales\fil.pak	setup.exe
File created	C:\Program Files\SystemInformer\plugins\HardwareDevices.sig	systeminformer-3.2.25004-release-setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_sv.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\chrome_pwa_launcher.exe	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\libGLESv2.dll	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_lv.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\Locales\nb.pak	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveCrashHandler.exe	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\nb\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\pt_PT\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\sr\messages.json	setup.exe
File created	C:\Program Files\SystemInformer\plugins\ToolStatus.dll	systeminformer-3.2.25004-release-setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\dxcompiler.dll	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\Locales\sv.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\Locales\de.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\Locales\uk.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\hu\messages.json	setup.exe
File created	C:\Program Files\SystemInformer\peview.exe	systeminformer-3.2.25004-release-setup.exe
File created	C:\Program Files\SystemInformer\symsrv.dll	systeminformer-3.2.25004-release-setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\psmachine.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\131.1.73.105.manifest	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Application\initial_preferences	setup.exe
File created	C:\Program Files\SystemInformer\plugins\Updater.sig	systeminformer-3.2.25004-release-setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_fa.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_tr.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\Locales\lt.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\Locales\ja.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\Locales\sl.pak	setup.exe
File created	C:\Program Files\SystemInformer\x86\plugins\ExtendedTools.dll	systeminformer-3.2.25004-release-setup.exe
File created	C:\Program Files (x86)\Windows Sidebar\886983d96e3d3e	DCRat.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sysmon.exe\:Zone.Identifier:$DATA	DCRat.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\eventlog_provider.dll	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source5844_1757562370\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\lt\messages.json	setup.exe
File created	C:\Program Files\SystemInformer\plugins\ExtendedTools.sig	systeminformer-3.2.25004-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\ToolStatus.sig	systeminformer-3.2.25004-release-setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdate.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_sr.dll	BraveUpdate.exe
File opened for modification	C:\Program Files\BraveSoftware\Brave-Browser\Application\SetupMetrics\5844_13380904829105910.pma	setup.exe
File created	C:\Program Files\SystemInformer\plugins\ExtendedNotifications.dll	systeminformer-3.2.25004-release-setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_nl.dll	BraveUpdate.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1125432650\manifest.fingerprint	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_378329542\eric-patterson-2.jpg	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_41467584\metadata.pb	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1470894394\hyph-mr.hyb	brave.exe
File created	C:\Windows\SystemTemp\GUMF377.tmp\goopdateres_ca.dll	BraveBrowserSetup-BRV002.exe
File created	C:\Windows\SystemTemp\GUMF377.tmp\goopdateres_id.dll	BraveBrowserSetup-BRV002.exe
File created	C:\Windows\SystemTemp\GUMF377.tmp\goopdateres_zh-CN.dll	BraveBrowserSetup-BRV002.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	chrmstp.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_391414349\manifest.json	brave.exe
File created	C:\Windows\SystemTemp\GUMF377.tmp\psmachine.dll	BraveBrowserSetup-BRV002.exe
File created	C:\Windows\SystemTemp\GUMF377.tmp\goopdateres_hi.dll	BraveBrowserSetup-BRV002.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1470894394\hyph-und-ethi.hyb	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_601381073\manifest.json	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1883073665\resources.json	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1470894394\hyph-mul-ethi.hyb	brave.exe
File created	C:\Windows\SystemTemp\GUMF377.tmp\psuser_64.dll	BraveBrowserSetup-BRV002.exe
File created	C:\Windows\SystemTemp\GUMF377.tmp\goopdateres_de.dll	BraveBrowserSetup-BRV002.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_894493519\manifest.fingerprint	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_2131560901\ec212e13-78d0-41ce-b3f7-2edd0b7316e8.jpg	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1569120020\manifest.fingerprint	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_620232946\manifest.json	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1470894394\hyph-uk.hyb	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1470894394\hyph-nb.hyb	brave.exe
File created	C:\Windows\SystemTemp\GUMF377.tmp\goopdateres_zh-TW.dll	BraveBrowserSetup-BRV002.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_396556284\1\localhost-permission-allow-list.txt	brave.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_2456_1767510763\extension_1_0_1845.crx	brave.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_2456_1536007181\extension_1_0_10572.crx	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_378329542\gordon-ross-1.jpg	brave.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_2456_156160933\extension_1_0_1026.crx	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_2131560901\photo.json	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1883073665\dnryisldmaqljgwaxeqbuuhuvrbboqlf	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_971462912\_metadata\verified_contents.json	brave.exe
File created	C:\Windows\SystemTemp\GUMF377.tmp\psuser.dll	BraveBrowserSetup-BRV002.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_396556284\1\scripts\brave_rewards\publisher\github\githubBase.bundle.js	brave.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_2456_621692354\extension_1_0_69.crx	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1470894394\hyph-lt.hyb	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_601381073\manifest.fingerprint	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1470894394\hyph-gu.hyb	brave.exe
File created	C:\Windows\SystemTemp\GUMF377.tmp\goopdateres_is.dll	BraveBrowserSetup-BRV002.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	chrmstp.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_378329542\eric-patterson-1.jpg	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1513495021\safety_tips.pb	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1470894394\hyph-it.hyb	brave.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1569120020\brave_metadata\verified_contents.json	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_378329542\zoltan-malovanyi.jpg	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1869237679\manifest.json	brave.exe
File opened for modification	C:\Windows\SystemTemp	chrmstp.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1470894394\hyph-nn.hyb	brave.exe
File created	C:\Windows\ShellComponents\spoolsv.exe	DCRat.exe
File created	C:\Windows\SystemTemp\GUMF377.tmp\goopdateres_fa.dll	BraveBrowserSetup-BRV002.exe
File created	C:\Windows\SystemTemp\GUMF377.tmp\goopdateres_ko.dll	BraveBrowserSetup-BRV002.exe
File created	C:\Windows\SystemTemp\GUMF377.tmp\goopdateres_sk.dll	BraveBrowserSetup-BRV002.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1470894394\hyph-nl.hyb	brave.exe
File created	C:\Windows\SystemTemp\GUMF377.tmp\goopdateres_iw.dll	BraveBrowserSetup-BRV002.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_396556284\manifest.json	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_342686802\list.txt	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1470894394\hyph-sv.hyb	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1470894394\hyph-en-us.hyb	brave.exe
File opened for modification	C:\Windows\SystemTemp\chromium_installer.log	chrmstp.exe
File created	C:\Windows\SystemTemp\GUMF377.tmp\goopdate.dll	BraveBrowserSetup-BRV002.exe
File created	C:\Windows\SystemTemp\GUMF377.tmp\goopdateres_fil.dll	BraveBrowserSetup-BRV002.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_2456_67693981\extension_1_0_11.crx	brave.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 8 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\RemcosRAT.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\SheetRAT.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\DCRat.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\AsyncRAT.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\BlackMatter Ransomware.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\PureCrypter.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\systeminformer-3.2.25004-release-setup.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\BraveBrowserSetup-BRV002.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1052	236	WerFault.exe	147

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdateOnDemand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RemcosRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlackMatter Ransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PureCrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveCrashHandler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3204.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveBrowserSetup-BRV002.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminformer-3.2.25004-release-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RemcosRAT.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1236	PING.EXE
1476	PING.EXE
800	PING.EXE
3520	BraveUpdate.exe
5872	PING.EXE
1884	PING.EXE
4828	PING.EXE
3876	PING.EXE
4576	PING.EXE
2468	BraveUpdate.exe
5724	PING.EXE

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SystemInformer.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SystemInformer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SystemInformer.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SystemInformer.exe

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	brave.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	brave.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	brave.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	brave.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	brave.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	brave.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133809043275701202"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	brave.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	brave.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24D704AD-AC42-49F2-BB4F-68BA77C98E91}\ = "IGoogleUpdate3WebSecurity"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F234546B-DACD-4374-97CF-7BADFAB76766}\NumMethods\ = "10"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{660130E8-74E4-4821-A6FD-4E9A86E06470}	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7CB305B1-4D45-4668-AD91-677F87BED305}\ = "IGoogleUpdate3"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}\NumMethods	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C929BFE-4FA4-488D-B1E2-82ECD6F076C8}	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.PolicyStatusMachine\CurVer	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4BCDF52-2179-4C77-8C5F-B8095712B563}\NumMethods\ = "41"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}\ = "IProcessLauncher"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A147722A-5568-4B84-B401-86D744470CBF}\ProxyStubClsid32\ = "{F1EDC3F5-36CA-4251-A6ED-42DC6006AFC1}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\ProxyStubClsid32\ = "{F1EDC3F5-36CA-4251-A6ED-42DC6006AFC1}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{652886FF-517B-4F23-A14F-F99563A04BCC}\Elevation\IconReference = "@C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.361.151\\goopdate.dll,-1004"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13B35483-DF37-4603-97F8-9504E48B49BF}\ProgID\ = "BraveSoftwareUpdate.PolicyStatusSvc.1.0"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19F4616B-B7DD-4B3F-8084-C81C5C77AAA4}\ = "IAppCommandWeb"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6836CFF-5949-44BC-B6BE-9C8C48DD8D97}\ProxyStubClsid32\ = "{F1EDC3F5-36CA-4251-A6ED-42DC6006AFC1}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F6D9FE5-6ED3-43A3-80D2-EA8766D65352}	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F6D9FE5-6ED3-43A3-80D2-EA8766D65352}\ProgID	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{652886FF-517B-4F23-A14F-F99563A04BCC}\LocalServer32	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD84E356-3D21-44C8-83DD-6BEEC22FA427}\NumMethods\ = "4"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10479D64-2C5F-46CD-9BC8-FD04FF4D02D8}	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91B050A9-5A49-4249-A8C8-B4390961A912}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1985533F-9B0F-490A-85C5-24F316E66FB2}\ProxyStubClsid32	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\ProxyStubClsid32\ = "{F1EDC3F5-36CA-4251-A6ED-42DC6006AFC1}"	BraveUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BraveUpdate.exe\AppID = "{D7D7525F-5DF4-4C9D-8781-C02F39F973E6}"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4BCDF52-2179-4C77-8C5F-B8095712B563}\ProxyStubClsid32	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7CB305B1-4D45-4668-AD91-677F87BED305}\ = "IGoogleUpdate3"	BraveUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD84E356-3D21-44C8-83DD-6BEEC22FA427}\ProxyStubClsid32\ = "{F1EDC3F5-36CA-4251-A6ED-42DC6006AFC1}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19F4616B-B7DD-4B3F-8084-C81C5C77AAA4}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A24060E-533F-4962-9E15-34BD82555FA7}\ProxyStubClsid32	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00B16F95-319A-4F01-AC81-CE69B8F4E387}\ = "Google Update Broker Class Factory"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9190589-ECEC-43F8-8AEC-62496BB87B26}\ = "IGoogleUpdate3Web"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveHTML\Application\ApplicationCompany = "Brave Software Inc"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\BraveHTML	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000d3bbf1dfaf18db01f9ac62569e62db014ba7d5fb9e62db0114000000	brave.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C11C073F-E6D0-4EF7-897B-AAF52498CD2F}\NumMethods	BraveUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	brave.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1985533F-9B0F-490A-85C5-24F316E66FB2}\NumMethods\ = "41"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}	BraveUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{381115E4-FA16-4C0A-A75D-A38BDDC7B684}	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4BCDF52-2179-4C77-8C5F-B8095712B563}\ = "IApp"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EFF9CA12-4CD3-474B-B881-CDE1D92F1996}\NumMethods\ = "23"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9190589-ECEC-43F8-8AEC-62496BB87B26}\NumMethods	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48B5E6B2-9383-4B1E-AAE7-720C4779ABA6}	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00B16F95-319A-4F01-AC81-CE69B8F4E387}\Elevation	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{598BBE98-5919-4392-B62A-50D7115F10A3}\Elevation\IconReference = "@C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.361.151\\goopdate.dll,-1004"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\ = "IAppBundleWeb"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DB7BD5-BD0B-4886-9705-174203FE0ADA}	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.Update3WebMachineFallback.1.0\ = "BraveUpdate Update3Web"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{381115E4-FA16-4C0A-A75D-A38BDDC7B684}\InprocHandler32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	brave.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveHTML\Application\ApplicationIcon = "C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\brave.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3AD2D487-D166-4160-8E36-1AE505233A55}\VersionIndependentProgID	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.361.151\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAE4AD28-500D-43BA-9F54-730CA146C190}\ProxyStubClsid32\ = "{F1EDC3F5-36CA-4251-A6ED-42DC6006AFC1}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F234546B-DACD-4374-97CF-7BADFAB76766}\ProxyStubClsid32\ = "{F1EDC3F5-36CA-4251-A6ED-42DC6006AFC1}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	brave.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.OnDemandCOMClassSvc\CLSID\ = "{D7D7525F-5DF4-4C9D-8781-C02F39F973E6}"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9190589-ECEC-43F8-8AEC-62496BB87B26}\ProxyStubClsid32\ = "{F1EDC3F5-36CA-4251-A6ED-42DC6006AFC1}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C663DEBB-F082-4971-9F6E-35DE45C96F4E}\ProxyStubClsid32\ = "{F1EDC3F5-36CA-4251-A6ED-42DC6006AFC1}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5D1924F-CB80-47AA-8DEC-5E0854A42A73}\ProgID\ = "BraveSoftwareUpdate.CredentialDialogMachine.1.0"	BraveUpdate.exe

NTFS ADS 14 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\PureCrypter.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\systeminformer-3.2.25004-release-setup.exe:Zone.Identifier	chrome.exe
File created	C:\Recovery\WindowsRE\smss.exe\:Zone.Identifier:$DATA	DCRat.exe
File opened for modification	C:\Users\Admin\Downloads\BraveBrowserSetup-BRV002.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\SheetRAT.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\AsyncRAT.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\BlackMatter Ransomware.exe:Zone.Identifier	chrome.exe
File created	C:\Recovery\WindowsRE\sysmon.exe\:Zone.Identifier:$DATA	DCRat.exe
File created	C:\Windows\ShellComponents\spoolsv.exe\:Zone.Identifier:$DATA	DCRat.exe
File opened for modification	C:\Users\Admin\Downloads\RemcosRAT.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\DCRat.exe:Zone.Identifier	chrome.exe
File created	C:\Program Files (x86)\Windows Sidebar\csrss.exe\:Zone.Identifier:$DATA	DCRat.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sysmon.exe\:Zone.Identifier:$DATA	DCRat.exe
File created	C:\Windows\SystemTemp\GUMF377.tmp\BraveUpdateSetup.exe\:Zone.Identifier:$DATA	BraveBrowserSetup-BRV002.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
2092	NOTEPAD.EXE
916	NOTEPAD.EXE
5164	NOTEPAD.EXE

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
800	PING.EXE
5724	PING.EXE
1236	PING.EXE
4828	PING.EXE
3876	PING.EXE
1884	PING.EXE
4576	PING.EXE
1476	PING.EXE
5872	PING.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
3736	WINWORD.EXE
3736	WINWORD.EXE
4476	WINWORD.EXE
4476	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3652	chrome.exe
3652	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe
2140	SystemInformer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2140	SystemInformer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs

pid	Process
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
2456	brave.exe
2456	brave.exe
2456	brave.exe
2456	brave.exe
2456	brave.exe
2456	brave.exe
2456	brave.exe
3852	brave.exe
3852	brave.exe
3852	brave.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
3852	brave.exe
3852	brave.exe
3852	brave.exe
3852	brave.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
3736	WINWORD.EXE
3736	WINWORD.EXE
3736	WINWORD.EXE
3736	WINWORD.EXE
3736	WINWORD.EXE
3736	WINWORD.EXE
3736	WINWORD.EXE
4476	WINWORD.EXE
4476	WINWORD.EXE
4476	WINWORD.EXE
4476	WINWORD.EXE
4476	WINWORD.EXE
4476	WINWORD.EXE
4476	WINWORD.EXE
1084	brave.exe
5384	brave.exe
4400	brave.exe
3912	brave.exe
3912	brave.exe
3912	brave.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 4588	3652	chrome.exe	77
PID 3652 wrote to memory of 4588	3652	chrome.exe	77
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 2040	3652	chrome.exe	78
PID 3652 wrote to memory of 4188	3652	chrome.exe	79
PID 3652 wrote to memory of 4188	3652	chrome.exe	79
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80
PID 3652 wrote to memory of 4244	3652	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/YHZWCx
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9e02cc40,0x7ffa9e02cc4c,0x7ffa9e02cc58
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1556,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2148,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2344 /prefetch:8
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3060,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3080 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4456,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4636,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4632 /prefetch:8
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4424,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3444,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3456 /prefetch:8
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3420,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3492,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5416,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5696,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3432 /prefetch:8
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5236,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5580,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5360,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4448 /prefetch:8
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3448,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5800,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5644,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5648,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5268,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=3452,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4300,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5444,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5544,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5588,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5280,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3384 /prefetch:8
  2⤵
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3648,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5784,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5780,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5748,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=4508,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3736 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5228,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4352 /prefetch:8
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5736,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4448,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5196,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5392,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5384,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=5880,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=5684,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=5180,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=4564,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=5768,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=4452,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=5848,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3056 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=4496,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=5332,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5640,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5132,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:8
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=6136,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=6180,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --field-trial-handle=5840,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --field-trial-handle=5260,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6448,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3328
- C:\Users\Admin\Downloads\systeminformer-3.2.25004-release-setup.exe
  "C:\Users\Admin\Downloads\systeminformer-3.2.25004-release-setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:5112
- - C:\Program Files\SystemInformer\SystemInformer.exe
    "C:\Program Files\SystemInformer\SystemInformer.exe" -channel release
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6416,i,12305100155983446095,8347108166350527096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3736

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2716

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4508

C:\Users\Admin\Downloads\Malware\SheetRAT.exe
"C:\Users\Admin\Downloads\Malware\SheetRAT.exe"
1⤵
- Executes dropped EXE
PID:1008

C:\Users\Admin\Downloads\Malware\AsyncRAT.exe
"C:\Users\Admin\Downloads\Malware\AsyncRAT.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 1596
  2⤵
  - Program crash
  PID:1052

C:\Users\Admin\Downloads\Malware\DCRat.exe
"C:\Users\Admin\Downloads\Malware\DCRat.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
PID:4632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8FwRw8C8FW.bat"
  2⤵
  PID:1116
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4828
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1236
- - C:\Windows\ShellComponents\spoolsv.exe
    "C:\Windows\ShellComponents\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    PID:476
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NiOMBGhh72.bat"
      4⤵
      PID:2732
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4728
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4732
    - - C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        5⤵
        Executes dropped EXE
        
        PID:2492
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2oGrqKSnf6.bat"
        6⤵
        
        PID:4268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2736
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        7⤵
        Executes dropped EXE
        
        PID:800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ghJDzcD21F.bat"
        8⤵
        
        PID:3556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4828
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        9⤵
        Executes dropped EXE
        
        PID:1220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OwDUg2gYJx.bat"
        10⤵
        
        PID:4100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3876
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        11⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sxRqhXCXyo.bat"
        12⤵
        
        PID:3020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4188
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4576
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        13⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FsJwje2h9K.bat"
        14⤵
        
        PID:4320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1476
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        15⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hPr2ldZzRL.bat"
        16⤵
        
        PID:3672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1928
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        17⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1kLxRzFJtF.bat"
        18⤵
        
        PID:1412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2044
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        19⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VwerG6At1R.bat"
        20⤵
        
        PID:4680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:800
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        21⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aRcytkisn9.bat"
        22⤵
        
        PID:5664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:5712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5724
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        23⤵
        Executes dropped EXE
        
        PID:5916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B35ds8t0En.bat"
        24⤵
        
        PID:400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:5144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:5160
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        25⤵
        Executes dropped EXE
        
        PID:6132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZPsODb7c4Z.bat"
        26⤵
        
        PID:5136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:5368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2976
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        27⤵
        
        PID:4512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U9jP4iZUUm.bat"
        28⤵
        
        PID:5928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4972
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        29⤵
        
        PID:1704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JIL9xxMC8B.bat"
        30⤵
        
        PID:5956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:5160
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        31⤵
        
        PID:2304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LsjJJiW2rn.bat"
        32⤵
        
        PID:5072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:5928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:2516
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        33⤵
        
        PID:6104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dYHSyFVcIa.bat"
        34⤵
        
        PID:900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:4416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:1868
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        35⤵
        
        PID:5740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T5cYRg4YXy.bat"
        36⤵
        
        PID:3464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:4192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5872
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        37⤵
        
        PID:4796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nE1uIQLIWX.bat"
        38⤵
        
        PID:5792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:2220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        39⤵
        
        PID:2344
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        39⤵
        
        PID:1492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ShtBqUILw0.bat"
        40⤵
        
        PID:4072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:4696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        41⤵
        
        PID:3528
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        41⤵
        
        PID:5740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aYLtGzs08v.bat"
        42⤵
        
        PID:2800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:5824
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1884
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        43⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5ynp54EAe.bat"
        44⤵
        
        PID:2952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:2972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        45⤵
        
        PID:4620
        
        C:\Windows\ShellComponents\spoolsv.exe
        
        "C:\Windows\ShellComponents\spoolsv.exe"
        45⤵
        
        PID:3264

C:\Users\Admin\Downloads\Malware\RemcosRAT.exe
"C:\Users\Admin\Downloads\Malware\RemcosRAT.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3080
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads\Malware\RemcosRAT.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID:1156
- C:\Users\Admin\Downloads\Malware\RemcosRAT.exe
  "C:\Users\Admin\Downloads\Malware\RemcosRAT.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 236 -ip 236
1⤵
PID:2848

C:\Users\Admin\Downloads\Malware\PureCrypter.exe
"C:\Users\Admin\Downloads\Malware\PureCrypter.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2108

C:\Users\Admin\Downloads\Malware\BlackMatter Ransomware.exe
"C:\Users\Admin\Downloads\Malware\BlackMatter Ransomware.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
PID:3460
- C:\ProgramData\3204.tmp
  "C:\ProgramData\3204.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3204.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3600

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\5VFg9o5tW.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2092

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Malware\5VFg9o5tW.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:916

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\hello.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3736

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\hello.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffa9e02cc40,0x7ffa9e02cc4c,0x7ffa9e02cc58
  2⤵
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1760,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=1984 /prefetch:3
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2148,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=2280 /prefetch:8
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3584,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5096,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5092,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4984,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=5248 /prefetch:2
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4216,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3452,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:8
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3276,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=3100 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3424,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5552,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5572,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5036,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=3320 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3464,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3216,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5592,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5568,i,8158929342310469587,9359853544952235106,262144 --variations-seed-version --mojo-platform-channel-handle=6220 /prefetch:8
  2⤵
  PID:2240
- C:\Users\Admin\Downloads\BraveBrowserSetup-BRV002.exe
  "C:\Users\Admin\Downloads\BraveBrowserSetup-BRV002.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:4588
- - C:\Windows\SystemTemp\GUMF377.tmp\BraveUpdate.exe
    C:\Windows\SystemTemp\GUMF377.tmp\BraveUpdate.exe /installsource taggedmi /install "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=release&installdataindex=default&referral=none"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1236
  - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
      "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2756
  - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
      "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2528
    - - C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4000
    - - C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3780
    - - C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3264
  - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
      "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNjEuMTUxIiBzaGVsbF92ZXJzaW9uPSIxLjMuMzYxLjE1MSIgaXNtYWNoaW5lPSIxIiBzZXNzaW9uaWQ9IntGRERBREFGRi0yRkMzLTQyMkMtQjJDQy1FMzM1QzIxMTc0RjV9IiBpbnN0YWxsc291cmNlPSJ0YWdnZWRtaSIgdGVzdHNvdXJjZT0iYXV0byIgcmVxdWVzdGlkPSJ7OEIzM0FEODktNUU3My00QzEzLUJBM0UtMjZEQTQ0NTNGMkQyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSI4IiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0ie0IxMzFDOTM1LTlCRTYtNDFEQS05NTk5LTFGNzc2QkVCODAxOX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuMy4zNjEuMTUxIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBpbnN0YWxsX3RpbWVfbXM9IjYwNiIvPjwvYXBwPjwvcmVxdWVzdD4
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2468
  - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
      "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /handoff "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=release&installdataindex=default&referral=none" /installsource taggedmi /sessionid "{FDDADAFF-2FC3-422C-B2CC-E335C21174F5}"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4348

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4772

C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4972
- C:\Program Files (x86)\BraveSoftware\Update\Install\{604729C0-28D9-4D4D-ACF0-06FEC1B1CF76}\brave_installer-x64.exe
  "C:\Program Files (x86)\BraveSoftware\Update\Install\{604729C0-28D9-4D4D-ACF0-06FEC1B1CF76}\brave_installer-x64.exe" --do-not-launch-chrome /installerdata="C:\Program Files (x86)\BraveSoftware\Update\Install\{604729C0-28D9-4D4D-ACF0-06FEC1B1CF76}\gui44C4.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:5800
- - C:\Program Files (x86)\BraveSoftware\Update\Install\{604729C0-28D9-4D4D-ACF0-06FEC1B1CF76}\CR_94047.tmp\setup.exe
    "C:\Program Files (x86)\BraveSoftware\Update\Install\{604729C0-28D9-4D4D-ACF0-06FEC1B1CF76}\CR_94047.tmp\setup.exe" --install-archive="C:\Program Files (x86)\BraveSoftware\Update\Install\{604729C0-28D9-4D4D-ACF0-06FEC1B1CF76}\CR_94047.tmp\CHROME.PACKED.7Z" --do-not-launch-chrome /installerdata="C:\Program Files (x86)\BraveSoftware\Update\Install\{604729C0-28D9-4D4D-ACF0-06FEC1B1CF76}\gui44C4.tmp" --brave-referral-code="BRV002"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    PID:5844
  - - C:\Program Files (x86)\BraveSoftware\Update\Install\{604729C0-28D9-4D4D-ACF0-06FEC1B1CF76}\CR_94047.tmp\setup.exe
      "C:\Program Files (x86)\BraveSoftware\Update\Install\{604729C0-28D9-4D4D-ACF0-06FEC1B1CF76}\CR_94047.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=131.1.73.105 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x7ff610729498,0x7ff6107294a4,0x7ff6107294b0
      4⤵
      Executes dropped EXE
      PID:5864
  - - C:\Program Files (x86)\BraveSoftware\Update\Install\{604729C0-28D9-4D4D-ACF0-06FEC1B1CF76}\CR_94047.tmp\setup.exe
      "C:\Program Files (x86)\BraveSoftware\Update\Install\{604729C0-28D9-4D4D-ACF0-06FEC1B1CF76}\CR_94047.tmp\setup.exe" --system-level --verbose-logging --installerdata="C:\Program Files (x86)\BraveSoftware\Update\Install\{604729C0-28D9-4D4D-ACF0-06FEC1B1CF76}\gui44C4.tmp" --create-shortcuts=0 --install-level=1
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:6032
    - - C:\Program Files (x86)\BraveSoftware\Update\Install\{604729C0-28D9-4D4D-ACF0-06FEC1B1CF76}\CR_94047.tmp\setup.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\Install\{604729C0-28D9-4D4D-ACF0-06FEC1B1CF76}\CR_94047.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=131.1.73.105 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff610729498,0x7ff6107294a4,0x7ff6107294b0
        5⤵
        Executes dropped EXE
        
        PID:6048
- C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
  "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNjEuMTUxIiBzaGVsbF92ZXJzaW9uPSIxLjMuMzYxLjE1MSIgaXNtYWNoaW5lPSIxIiBzZXNzaW9uaWQ9IntGRERBREFGRi0yRkMzLTQyMkMtQjJDQy1FMzM1QzIxMTc0RjV9IiBpbnN0YWxsc291cmNlPSJ0YWdnZWRtaSIgdGVzdHNvdXJjZT0iYXV0byIgcmVxdWVzdGlkPSJ7QjA4ODQ1NzEtMjczQS00N0FGLTk1NTgtRTQyNzg3RTU5RkY2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSI4IiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0ie0FGRTZBNDYyLUM1NzQtNEI4QS1BRjQzLTRDQzYwREY0NTYzQn0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEzMS4xLjczLjEwNSIgYXA9InJlbGVhc2UiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwczovL3VwZGF0ZXMtY2RuLmJyYXZlc29mdHdhcmUuY29tL2J1aWxkL0JyYXZlLVJlbGVhc2UvcmVsZWFzZS93aW4vMTMxLjEuNzMuMTA1L3g2NC9icmF2ZV9pbnN0YWxsZXIteDY0LmV4ZSIgZG93bmxvYWRlZD0iMTMwOTkyNjU2IiB0b3RhbD0iMTMwOTkyNjU2IiBkb3dubG9hZF90aW1lX21zPSIxMjUwMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzA3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iMzIzIiBkb3dubG9hZF90aW1lX21zPSIxMzQ2OCIgZG93bmxvYWRlZD0iMTMwOTkyNjU2IiB0b3RhbD0iMTMwOTkyNjU2IiBpbnN0YWxsX3RpbWVfbXM9IjI5MDc4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3520

C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateOnDemand.exe
"C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateOnDemand.exe" -Embedding
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4100
- C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
  "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ondemand
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5196
- - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
    "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --from-installer
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:2456
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=131.1.73.105 --initial-client-data=0xf8,0xfc,0x100,0x48,0x104,0x7ffa8c991d18,0x7ffa8c991d24,0x7ffa8c991d30
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5256
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2380,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=2104 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4808
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --start-stack-profiler --field-trial-handle=1936,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=2652 /prefetch:11
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2648
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2144,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=2656 /prefetch:13
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4584
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=17600025571775715192 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3484,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=3532 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3824
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=17600025571775715192 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3488,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=3684 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5460
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4916,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=4912 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4416
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5000,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=5016 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4712
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5172,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=5180 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3280
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5336,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=5348 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5456
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4740,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=5208 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5596
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4792,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=5316 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5796
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\Installer\chrmstp.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:5856
    - - C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\Installer\chrmstp.exe
        
        "C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=131.1.73.105 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff69a529498,0x7ff69a5294a4,0x7ff69a5294b0
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5196
    - - C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\Installer\chrmstp.exe
        
        "C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\BraveSoftware\Brave-Browser\Application\initial_preferences" --create-shortcuts=1 --install-level=0
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4316
      - C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\Installer\chrmstp.exe
        
        "C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=131.1.73.105 --initial-client-data=0x250,0x254,0x258,0x228,0x25c,0x7ff69a529498,0x7ff69a5294a4,0x7ff69a5294b0
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3164
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4844,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=5252 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5164
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=3896,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=5572 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2344
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5736,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=4780 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:424
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5744,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=5072 /prefetch:14
      4⤵
      Executes dropped EXE
      PID:480
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5760,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=5780 /prefetch:14
      4⤵
      Executes dropped EXE
      PID:1564
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5924,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=5932 /prefetch:14
      4⤵
      Executes dropped EXE
      PID:2968
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5248,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=5192 /prefetch:14
      4⤵
      PID:4764
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5768,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=4180 /prefetch:14
      4⤵
      PID:4308
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=17600025571775715192 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6080,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=5632 /prefetch:1
      4⤵
      PID:3380
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=17600025571775715192 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5288,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=5952 /prefetch:1
      4⤵
      PID:1172
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4540,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=3740 /prefetch:14
      4⤵
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:1084
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=3512,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=5640 /prefetch:14
      4⤵
      PID:3012
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5844,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=5840 /prefetch:14
      4⤵
      PID:5876
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=3476,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=5964 /prefetch:14
      4⤵
      PID:5760
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5912,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=3344 /prefetch:14
      4⤵
      PID:1388
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=3760,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=3564 /prefetch:14
      4⤵
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:5384
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5836,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=3752 /prefetch:14
      4⤵
      PID:5952
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5564,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=5936 /prefetch:14
      4⤵
      PID:4900
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=3344,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=3688 /prefetch:14
      4⤵
      PID:5796
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=17600025571775715192 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=5788,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=4392 /prefetch:1
      4⤵
      PID:3648
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5780,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=5236 /prefetch:14
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4400
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5488,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=3752 /prefetch:14
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:3912
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations=is-enterprise-managed=no --start-stack-profiler --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=3764,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=2940 /prefetch:10
      4⤵
      PID:5732
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=2148,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=3696 /prefetch:14
      4⤵
      PID:132
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=17600025571775715192 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=5612,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=5228 /prefetch:1
      4⤵
      PID:1696
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=17600025571775715192 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=5552,i,9760468182325118791,4420734240843257440,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=3704 /prefetch:1
      4⤵
      PID:5640

C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\elevation_service.exe
"C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5392

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\5VFg9o5tW.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5164

C:\Program Files\SystemInformer\SystemInformer.exe
"C:\Program Files\SystemInformer\SystemInformer.exe"
1⤵
- Checks processor information in registry
PID:5332

C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe"
1⤵
- Checks system information in the registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:3852
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=131.1.73.105 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7ffa8c991d18,0x7ffa8c991d24,0x7ffa8c991d30
  2⤵
  PID:5968
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1940,i,4285666146373518679,10159745861659518015,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:1936
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --start-stack-profiler --field-trial-handle=2020,i,4285666146373518679,10159745861659518015,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=2004 /prefetch:11
  2⤵
  PID:1640
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2352,i,4285666146373518679,10159745861659518015,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=2480 /prefetch:13
  2⤵
  PID:3876
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=5435987238178365841 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3964,i,4285666146373518679,10159745861659518015,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=4160 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=5435987238178365841 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3996,i,4285666146373518679,10159745861659518015,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=4184 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=5435987238178365841 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4840,i,4285666146373518679,10159745861659518015,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5036,i,4285666146373518679,10159745861659518015,262144 --variations-seed-version=main@04e6ed49f7c49b3823eff33f0e16a07f8ecae418 --mojo-platform-channel-handle=4700 /prefetch:14
  2⤵
  PID:5800

C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\elevation_service.exe
"C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\elevation_service.exe"
1⤵
PID:4292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6040

C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /c
1⤵
- System Location Discovery: System Language Discovery
PID:4784
- C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
  "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /cr
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1412
- C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveCrashHandler.exe
  "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveCrashHandler.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2888
- C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveCrashHandler64.exe
  "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveCrashHandler64.exe"
  2⤵
  PID:5300
- C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
  "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ua /installsource core
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3968

C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ua /installsource scheduler
1⤵
- System Location Discovery: System Language Discovery
PID:2316

C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /svc
1⤵
- System Location Discovery: System Language Discovery
PID:5624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2253712635-4068079004-3870069674-1000\DDDDDDDDDDD

Filesize
129B

MD5
edb7732cfd82fbf5c4389cee8af8bb84

SHA1
9d424ca869c06fee9aa260392b2b5df0c406c3f4

SHA256
7583d98f669752029d4e7b0738ecbe76e5a0b49003d4e47b256136b7d0426e97

SHA512
3869b0946221ea1a6d78bc8819664b25a396b49c7318484e80c3623e29c3cdf65c82e36b2affa5eb3f70f5ad30429ebcd2271e1b9d37adac140e04fbd991f9e9

Download Submit
C:\5VFg9o5tW.README.txt

Filesize
1KB

MD5
17e3459297cd54cf124d089248ff395b

SHA1
617e2ddd0a69a242d4da510d32670a170ff667fa

SHA256
94aaefad5d5a9fea79e9271941a5e874951cceac46a110ef0f1de841051f6421

SHA512
280536a672423a4bf4df1cb7cd49bd0a7a3f731dfe4543359a84d3a82d734e3882386b336af62a77e2763cbe7fe9e4ff6ae852241dd61ab702cda1b0d2f02e13

Download Submit
C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe

Filesize
163KB

MD5
fe628d68a132ee5b120aaba2e6f6a468

SHA1
e4c463ae828000fd7df39005c745309363465835

SHA256
e36aced72d570056c502af0272c4cac1ce5ea9e4eba9f4c9a4aeca44e168e04d

SHA512
f44524c6aa2d829bf6220c56c19da12cd27d97d8190435de6c485856024987780e6ea8ac5ec91726c898d215c5a48f9624a1aeece00405e9ff1f530a0df94242

Download Submit
C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\Installer\setup.exe

Filesize
4.4MB

MD5
b81507f326a66b6a6b4763b241cf5f85

SHA1
17360c4dc619f231fa7f4e51af078198b78dcad8

SHA256
d7247a1fb5040b60fc36d5153bd651f89fcdd38eb75dcb0a0894e0f22f9a7766

SHA512
06b18d4fffbf9e75b0871fc9758b02813861d79265cb7e509fb783e7c0751e42966270a007ad93946773e5014838f7cce611d23b8672e9d397cee1878cfd9632

Download Submit
C:\Program Files\SystemInformer\SystemInformer.exe

Filesize
3.3MB

MD5
ad845b34379404be8224d2ac570d4f6f

SHA1
e197c7423c97cd802d67f944429e83a5bae3dac3

SHA256
0c44bc05baec15de76da5074dd96fe19c81f3aa82da628c57555addc77bb0fa8

SHA512
abc8d3b9fb90384cf4f2ff73d989227add3aa4f9686a9f7c243f2e52983349bdb92f7b700cbe5f7c27c1867b7aebd1c61f62008145087e47eee58cf2b9aebdc4

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\CertificateRevocation\9469\crl-set

Filesize
623KB

MD5
7e67b45db6ace423195d7e50f97dae87

SHA1
8597fb1c76110be5251483a42b42ce8e7a8c1acc

SHA256
cbfe61937c9eb89fb20ec336e001d9ec2f6b219d28eed7aec1adaf5bf700c35a

SHA512
0fdf0c7ad43b51d635014f36b331b3d6f406986be78dca3c0a290d27581841ea4857dd36f1e09524bb207f14b141fa526c9bef0e2a28ec8ed1479749849cc2d8

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Crashpad\settings.dat

Filesize
40B

MD5
b5af954fc588d12528efd3eb90706d78

SHA1
1ea083b7009a87e2ad38bde1b74ff80471531baf

SHA256
a9db457e1af9cf51eb87231a512d6883beacff5f66e2fc564b4d68c5a92600c9

SHA512
ce2b3f28052fe0b90ac4476a12b4e6261fe411d0ad9cebeb1592dc48ddd12c6dad7aa00da86509e412350f7aa052eed751d5ba7cdb5f6f12427fa200816f214d

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Crowd Deny\2024.12.19.1218\Preload Data

Filesize
16KB

MD5
3c97222c910c2aa1fab0c39a1c8d2b11

SHA1
c794a8758b4fa74c7aa9536effe9bfa774822e7a

SHA256
c7b91efdd09d75b47036e241eb55a238065ace2c26cd8f31328e8a9f4b4102b4

SHA512
3220065c655bf174c466d9ac03d3040e419f30d081983c23a757d2c0c5e4720aed2c71e88befc0d8b6987d6abd6a25289731d7f4fc9ed6348a1d762f67032153

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\0cb01074-e0ae-4b5b-92ee-5474f5167517.tmp

Filesize
7KB

MD5
db9e2b7ff5587d736d96cceb010c09fe

SHA1
a177d84dcab4f04bbd122c9b400343909e23aaf6

SHA256
e63126fc1c1e4e81d4bf411751440fc3da3ef9c038b823540ab3fc55237169ee

SHA512
f87bda1acf9e59f438ca19a8100458b57a8c5840b9f6f811c8e91a284eb68461ca030230fab4e7c8e0579fe802bc5c32483c64c3fa763c26930deb9e06302b2a

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\BraveWallet\Brave Wallet Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
dd36dcfd346eec59aaac948c322e54e2

SHA1
bebc96199874d52ea56936075bd4933934fe24f0

SHA256
da7744ba7e26d67b03adcd77c2ed6661437f24525b3d3aed804ca840ed7512f8

SHA512
53e4467c4d12779f743caff8a095255f3098f63bad90a18df632c6f33f11aa1b3b99d79464bb2ef36c48b2c6227bc56564132fec705edaa16072a4c38a4c87e4

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
36ffa18c247aa26c0a6367ffef1648cb

SHA1
ef45478bd6816d6574370ee6f8bbcada5ed1a71c

SHA256
46122a6bab9b1fa461295c686e09197ba40aff45e24f7cac6a5cdc5cfa5cef3a

SHA512
cc065833159b69a33936474a1e07cac72f5f6296ed2a109f9ba8b72f59f21d9b8734466e750421b60204a46c194d75c118cd22a3c16edeefcae5ca0c17a7d528

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3a4e705fa0ce25d9d1245a1a67a62375

SHA1
80b5fb094eb08b84dc0376ab8762c939236c2298

SHA256
7caf3991c70ac84c43c51b3e2ec668b4d4e9fb1e23df4d2da1caa7467c5307bd

SHA512
c9327abebb07490834415be228e9adce8e1aec1ff28c0d8251187249a21dddf804cb093546c57762992389786bc76b2e239048dfa30df8f33b87d201358875cd

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cc07d3e53bc3e31577b7915d52ef510d

SHA1
3d9cd299e5bbd20980c84848caf85208e4aa9b3f

SHA256
1c664dca2fe635e4a6d6b1b1fa728c5c1c587404060cb2d81c08af1057543006

SHA512
c8c34b5804070c9c055530a480bac84c5f0c6038e873577e2cb7e7d5aac783c636bde3dc274a5a4f4da6634542feb213399d142c95f0094fdf27d7abccb22fcd

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
61645386f9a7bd0285d478c6605fc1ba

SHA1
d2fba1c7eeca2e057b85b39cd290496ea9cc6d01

SHA256
6d84b8921212ebeeb44e3f6336f234bc6763f99b742c0a8830a1bef94bd95973

SHA512
caaf28a9d13eec10b69b64cb95afdab401a9387ec1a8b9543573c6e095b9e3a6f1784bf7d02d2348d0ade57c1afc0396e20198d3c5c1cc6e0f19ca7243596e2f

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
b17dd9203d19add96da4447daaaec383

SHA1
24b6bd84919d13d176224f9a012e0335e807ca1c

SHA256
916eb2cb8672be61583eda08008ae0aa586157a44f76faabab3d5d50cfd3b748

SHA512
0026cf2d792a9c20d3bf3bf7de26bd7f570359a0dea8d655b56a95dc73fc660fe83113d0f7cae18285889eccbd682df24cffec98e9552699bc2c9de66b7de1a8

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
9c5788335779b708dc2a3c5235031039

SHA1
859f8cd5bcd688d0dbdb4506364360736a5b07d9

SHA256
1b0aacbb6167d07cd73ab00cad8a6968d5e985f3016fc0e9ca5f78df6152cd62

SHA512
c8cc9cab840b8da2870ed34a2f0af88f9aa72661b0a52987b40976f6d7b5601617a39fefe69856e8c6c53d8b485b5c01873d372aca137cffd21b319bbcc9c6da

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\DawnGraphiteCache\index

Filesize
256KB

MD5
0e538d5f53babf4fd58beba104090df9

SHA1
dcf781ca847942dc12f25068145c0fe04e5fb3e2

SHA256
9d4cfa97d4e970ab40a579655bbdc8f2d8af6f71b3102980e09cc7370f5fa0e3

SHA512
1c2e926f1a318ccdedcc27aa05c62b9d42f070f550494f556e706cf0369c4d00e1932806b6393195d6797418a1b63f13eae9a05b0111c4c725f6a4e1d36cafaa

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
1814df688dd6c11839564b0d43e2927d

SHA1
b2116e9324b40bb439643f5215e5887a19c4b012

SHA256
1cfee091893695f77e8bcb792228bc2ce7adaa6fc9d93e2183b961a98951862c

SHA512
3222ab2f05d687037ba0960a39f439db2d106d799671e030bead2dddbb12bcda80625dcf309955649a9f30805aa2470c0f38e63faea887a7ca3c528c420d023e

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
fbaa15a0cd47c5e1feeffe8a5b999852

SHA1
56f7cafdb33361879c16562d8bd5ec87c24b9838

SHA256
cabefeca5683b723d22756f1a1461e7db58a37754f78e7887d1bec615268d4da

SHA512
3e5a5b715bdf10d2ffe70bfd919460c9b0631f12c796196d094fa08e9eb23ab873ee46176138db524184586d77056857582aeacecaaf9bd9b8b65e04786f8311

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
3aafffc1633c68f18d7ab9890300d919

SHA1
3770152db41d5d7e904ff6bcb75c1086ecc51acd

SHA256
73c1a27c3135a179ff296666fa7cde382821f2e7d580097214f2d978d3ab9c88

SHA512
0d82ed27aaa7fd91b970daeddb2b7a8195ce03640e27583fdb3d6f4ed5a793c7c941eefb0b2a2c55612ba853a2243e45aa3482175f5b787b50dbdb5ba6da6993

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
4d79ec0e7adfe73ac17dda0598f5e466

SHA1
a8e3ce48ca27010724885edb721d51076da4139b

SHA256
f3e172fbadde0e5e02f2cab6ff9dd3bb515037bc1055c62ef5be1eb520289d58

SHA512
9323e511ec7efd707a53c2fafdbde310f8221c617fe122989e4f79046aeb947b163564e150a259186db7e22ad08cb8e8b2071c0cfd7fbb505b3d438077f8c8f9

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\Network Persistent State~RFe60e033.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b5ca5c94b00bf4333dce8b542df5c1fa

SHA1
dee601cf143d007a43bb5ce8baa7094a5a8ca6ba

SHA256
59d413b77f809f23456b8ef0d94ba2cb9796920ee659e1644ddb2b7f250df5dd

SHA512
34a9f1976ab7f1e5188c91fa6f2566d20211c4dfda6ebb29f0829b5b81f7b42e428c6ac087913191e0b14fa7c96c17ea99cf046cfe04de4751cb9d3aab6e6f09

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
afceaf9b4aed85ec03dfab7441fae486

SHA1
4fe54c1bc0984a09a739dded40b3a80fb796ed98

SHA256
8276ed186e820ec26d76bcc03dca08ed348d742fd8439be272dfb7525c81ff54

SHA512
79092a657314fae0a17feb2fb2d051e32b85e5607bc9e5693810a70b67ef20817d5c9a9509021e66c489e2aa0b4e8424dfe421ef4f43e7bee0f6ddc408961c8a

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a852eca90ab6ccd4ea472e2b54bb6b25

SHA1
ce3416a04a6b2277276ecef9fd2dacf95a1f4e5b

SHA256
3cc96f8cc73d7d69cd7a2469e9ca507e1b3025f5ef86608ac0d8b202ca30ea18

SHA512
233a1ca2f482b758ad07aab45604cf1b79cb90fc9dcbf07419c920b325da56638ff96268c6fd1feaed7551172725e1fe3a84c6cfa8b2ec1412db16e83b211ba1

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
88dc0da16881ed53e2d1bd034e631ad0

SHA1
c7f7fb67a4b112f54f4ca2e6f114c8e573e47c6a

SHA256
3dae33d2e7a6470f157fea262cadb4891c53f77c41f322051ac91ef98f8302b7

SHA512
4c00ff007082dea00dd515486e299e92ad84e63b4de8ad631626b11975deebd8b23558c183ce90770591d580742640b77b9a34842154f5341348ccd7587eee20

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ed3beaae39b75a0c3da61ebc05add37f

SHA1
472cc1b46a4877a80f49619e3c34806b215c32c6

SHA256
92ab6cc8b0ef8763a85ee9f776a02daeec30caa722d76da43f089c5ad19411b4

SHA512
756007acd26d36e9b1ea52d29dd31b0d165557c2a10a240f89a4ddae5422d4c7e5a139f697098fc0fdc623d6204f2ecdd004906470f8249f78201b122ef20c80

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\TransportSecurity~RFe621e12.TMP

Filesize
1KB

MD5
1e3db439ed27fe04341223033095bfc0

SHA1
b164138c6ff2b3a6a7967e964157a66d5a6a8214

SHA256
0202e0f478c11f46cc64055448ed9ef729bf1080bdff81e1b38b1a45ac97be22

SHA512
101704df353256e9029c22287673300e95372e26ce1861107e018d58d47e9b53c0047f8fb2dc611dd54df58c830b57c2d74916b7d4a0dbe0f624a16759650db5

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Preferences

Filesize
19KB

MD5
473104da6e8920ea51d9972feb4639e5

SHA1
91709114ef93c1733cd6b7d8f760b721a7c14fd8

SHA256
b0f3a3c111ad5afe19723f04dacc73e76582ba4a2aca20ff62d42dcd3336bfc1

SHA512
91e8fffe5dc3789c46ff90ccb420a69bfe99679a78e749c1367cfde377139cdaa46f44f42fe288000fc1dbea99ca5bba8c10e4a2c729d603d70d1591d4650189

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Preferences

Filesize
18KB

MD5
8d186c323ac241001b9f65b337b9d49c

SHA1
6fd2ede819e8df1eb3117ea20908b68a0cbedbd6

SHA256
35944a7cd7cd46e64bf5bf356129c9fb07ce950ce8665a37a0d44a4d55b7a3ad

SHA512
a75e2d07d43a3f70602a6bdb5d4ba01adea987ed4ac2e55e405bf86e426eb1b9f2be37ce9da0677c439c03b82a4cd674a88b54a52a3a73d4684f65db9159e36f

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Preferences

Filesize
16KB

MD5
b3c34f427977714eebd52932cc06223c

SHA1
1a46db837ac10203927dea3e4644a1ee35df46e5

SHA256
bb22277d3c3a790c58e27907253a24b066eb8e90a623be694c29f5687cbe4284

SHA512
f1e823257d7281c8d3aeb71b5a37fc5b332649fb78a90eea326f1074549ee361c10d0e0c927a979ff7a42046f6dbab9bcef36974f5df0936373321e51583c1e9

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Preferences~RFe5fe160.TMP

Filesize
2KB

MD5
017c6c5fd7b06da057f17230f06b9f2a

SHA1
4ec4e762a50de25cba9b25274076c81ff051fc48

SHA256
4af78d10293be4a54231d59b720ea55b2b41a4393dba298ff146aa595b506ab3

SHA512
2bbaf5fe34b6b98d5470156d73acbc2b93e3f94e3c14c97cecb75c4abc6e78e18768b25cd4ef48ba81f4d53973185934c45c471a1c006d924e93a3b525d19832

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Secure Preferences

Filesize
7KB

MD5
cea57091c05b441e31e51013359183ed

SHA1
0dfa7d1213f8abdf126769988aa4db017ee3170d

SHA256
8ea03dcedcab18d09bb92f788f609d2192c8e6af24d923205748410556414b4a

SHA512
4d03eb6a624ef5d7f64c2a4ec59933a0fb452c6da9db6713304db62949e35c3175dd6199e684defa48f8f91383f71bf8a643a558db0deb090d49e5b0dafbad39

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\d1c76c46-d436-41c4-a4fc-bec84de0f817.tmp

Filesize
165KB

MD5
dceb0cfa9b61effc8788488f43747572

SHA1
c43235ebfd21469a747e8a264b67f874e0400cb9

SHA256
4f6f8abe6e2a6bbfea1c79b495019e80015343160d7fd99ecd0d428c9a8fd57a

SHA512
a4f5775c654fa4f31f53cb6fbab084939bd929feb95740b904045cd1f0a52c819e90876e56e66f7d1bb38db66fa0cb49c7365511f8346eec3cdc610e32b02c6b

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\FileTypePolicies\67\download_file_types.pb

Filesize
7KB

MD5
d28b6246cba1d78930d98b7b943d4fc0

SHA1
4936ebc7dbe0c2875046cac3a4dcaa35a7434740

SHA256
239557f40c6f3a18673d220534b1a34289021142dc9ba0d438a3a678333a0ec6

SHA512
b8dbebe85e6d720c36dbdae9395fb633fb7028fecc5292498ac89276ae87bd6de36288fbf858f3476e18033a430f503acf6280596449dd0478b6ab7139f3cea6

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State

Filesize
50KB

MD5
e106df710928578ad7afb956c0a54a5a

SHA1
a2e8af7aac8213b71a64701d12f06ffc4903c119

SHA256
41b39d00ea9b2942b1b0a2688ae3e389bca7a9b7c31b7792a27ef99907911d0e

SHA512
19b69689115b1cb6969a27d7f938fdfea404506ca8bf6e47f33a25dbe2e9f5e59c637a3dd80eedb88fd9352d00b8a72b514de07dbdb6e497a8d92615d4538206

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State

Filesize
57KB

MD5
85c1475a487ce6c9c0b1098180aa50ad

SHA1
2edf1faaec5de750c6b8600dd06b5940f1af9ef7

SHA256
8388b8478cdb36f5dd7cbbf9a5a7edfd6b5065523de6a6bddc508b47313e9208

SHA512
0f9cb562fd0c4b15a0d726c646ea078533252f9e84877b5ddace7783919d386966377fe5837f31eb67d1ad4c9ee950d5ebb707eea2876fc4b6df910d9a3acfc1

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State

Filesize
51KB

MD5
9af44d04f5958c1dfb02b55f91cb3b27

SHA1
8f67f3f64b9a28a17725228e0b7a3080d74c1121

SHA256
7af1de38470f964204ae4233e4dc1c5b7e5dc883b4f4d59dc6a16e9ff156540e

SHA512
726be2a44f09094d7a2f7b11839e77cf7ec18afd1a6411cbe5769ad19b8ed98fc18a38fad936c58844944905301869f58cf945ac3d5511c3525af9b186abb69c

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State

Filesize
57KB

MD5
510930977e860f55db3698529c5447e1

SHA1
ea1aaf61ebc29ef3c09f73e6876eacafdde04ae7

SHA256
8caea602530969b77f30e30480656d7977840885a2dc3f198e3313a025c67500

SHA512
614fb53384f96eeaef82dcf3e1114f4fa5f2d4859348557e3c2eac3da37d44cd9f1b395450f8924cf02c55bd48adbb26bd0bf3ab492ba4e6f17e35f57b18fcd8

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State

Filesize
60KB

MD5
a4ab4e425ec5c0d326132c9f907709c1

SHA1
cdb880e7344bb71bcc1a9e5fc67ad9a1eadb0f2a

SHA256
68b24ced3817db82e47705747fd0926bc7a883bdd2be0e3337a67736316c6d01

SHA512
02705de2b603c2deef64204726e7744d830ea38992075b4c49d8340f7c7faa494f424a85dfc1864970a761e39570c119fce55783ed252e8da3aa11ccb21f1256

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State

Filesize
57KB

MD5
24f48393c3573b8ad8f2422f140256c1

SHA1
707bd7d07b71b3e0fee2ff1437d86b13471dcead

SHA256
3fd348c62b51ee4534be7ad9ece98269a5ebccbcda48128a0be8f444e04aae4e

SHA512
3f7e783073be889ac004d8056b19917e771f8343f65d32240e5cdfe7a93a98afba213c09ffa436c73f61f09fac497e601d7432ccb14188ede40f5f971d877fcc

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State

Filesize
63KB

MD5
0d6c1d853bd742d62484c4696b8394e7

SHA1
05d893256cc6edab56d7181a733fc8f1bf6fa589

SHA256
7990f92e06e844b9574e5e8579733197138041de5bd206ebf978dff4d3abb099

SHA512
95f02982b1bb123f257fafd9daf0a180ba5c6244df71294f94a32cb4baedbcb629cc0b5ce9768a448ab42d7ce7b91d1e2c565c7d0ced95a46600ba10eb50f83d

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State

Filesize
57KB

MD5
1052d5b04c07e0cd35412b6923ba68c1

SHA1
f35d61c71532f7bb0814c0ee085ca365077835af

SHA256
b2db2734b0f2b9759249596097c56e678b842589e4b0a912f983de43448dccbe

SHA512
8cd79faec0c0ab245bb357e45e5f47d0a09487e73961af3f02df8bc5821c4494a79b3a885bb30522543d31ea619913942ca20a3d4ef7dbb94e8f66678f553813

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State

Filesize
54KB

MD5
8375d7ee9fad28f3622df107f13201b2

SHA1
cfb947153e46888806cc7a280d3ca78b8ecef607

SHA256
3dce0958ac0e8eed5132b604bfb00928c8d31f64e0fcb70fdf6c2864b9b21754

SHA512
1d4a0f8a9d631353c6e416a7e4948a9d4df25e13276e1d30cdec8f6fe18ea1d85c64ae35077a405035d69126a46c7fca9c2de5466bee47900ff67afce1a2bdd9

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State

Filesize
51KB

MD5
02739f57b72c35d6885ba0fb423ca959

SHA1
1da99512259401a8ad5762795022d5926665c3ff

SHA256
c252983f951a80d2c89a85aec9915edf6a2964e89451df3b3a3d37f2e5b8fece

SHA512
1dc1cb6071fa373ba60b19d4da88ae1677a0869e9198dcb1de9c4db2a1049c6fbdadba653df9fd2c21a4ddd0a3df93f6de2234c029f676eeeb01b178cd3ae9dc

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State

Filesize
51KB

MD5
ded92799fb99bfe5a6d7a5fcfd8af76b

SHA1
3454df2eb4588f6a796b7a7e7940ece15bbe2741

SHA256
1b5edfbc452757d15b573d1b08ce9dd869c913a3555ab6706f9baf143ae45eb6

SHA512
6cc8e2dd87a0f4ebee8547972f16e03e5749009009696eabea85bd30cc1008df5b424862ffb07096dbde81a1b0c960cfe22276bc62b37cd69a3d39792794887a

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State

Filesize
60KB

MD5
02814bb420ddc3975b05b1197a1211f3

SHA1
d55b78194640f074c56b80d6f68a2496ba36bb9f

SHA256
6e54e1c04517ddeb6c8649076fa062b2fdbe4668b753b68be2eef76d128d32ba

SHA512
63721bf678daff5540250d5c2a1bab838f715cf8550bac240aefd72d6d6e4373d63cb8dbc57b680a13d44d6fd95d3778242f984bccad8180c39b646ae40b031f

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State

Filesize
57KB

MD5
5439e0557bdd50a808bfa0e1305f233e

SHA1
f0e8df8fc13209aeab0687bf8c29e1dbcca0dfe5

SHA256
9a67b955d464691fc7744011bf92f0ad0be37c4a44185daa141befc3b8d5d2b6

SHA512
7767e6e9a45c0a8b57d4e3202763c64bc464ac6703ad8eb35e23aa9fdaa9ddcba1e3fce8276d9449359512f6072902c8380c242bb37c25c44e4e7f63713385d7

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State

Filesize
6KB

MD5
a90820d95ab3f477010a53b863a5b093

SHA1
a1ccd36a8b009685dfc1becdefd173bd3b03eab4

SHA256
b8a608186f500faa8e8ed0621281ecb664bd1621507fe764224fd370363deac6

SHA512
67195e7fccb8e41669daa6b73b3c5c3d4c83c15c9f813382d6886e6915ced60bc1a1a06c48fd08c85d439988f27b24b9ee08ce6bae343a6a8f7c15e5960be6bd

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State

Filesize
60KB

MD5
a3c6774803c204d2f79228a77e7786f1

SHA1
53391659ae6fa000415c4914fcb91a7c3b5f831c

SHA256
f82650bf169685110e4d56d941630a3eb6878bc5ded0df450c38a7caff58be3f

SHA512
48aef6c53e17348b1d7a1fef1084a80919e8823e7fbb49cf487d41c57adaf8200f5bb379964262014375ad568e091aa8d3be05e4d5285b9bb12a99790c9ab3a3

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State

Filesize
57KB

MD5
1cf024ea07ecf5992f97cd1bc49c97f9

SHA1
9b4bebbfdf35c8cf00d6f550f73417caae06816b

SHA256
ce91e2b6244abc2168c83d74b2f786542d56eca0d499d18334b62aa64ed96f93

SHA512
afea9db78b22fcd0a7e51a2cae77e688de5dc110f8384e1ffc89fdc0d7dfb5839d7161271df92ba6595aab7ca346c5a4bc497a73a92fb6922448d59456258c4b

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State~RFe5fba21.TMP

Filesize
6KB

MD5
4e241ba7a90367dc5aa56c9adc411e91

SHA1
131c92e7c918bc43a11d0baaa67de322c28d84ee

SHA256
4c043fee76cc08475cac40ac66ed0d75e17d84eafb0f3f6879416b941df2f7ae

SHA512
a725ad113cca8b5fa5c992a3ad5aeb62d6d82d1799962e34eaebb31efc6bb3581d0d8eedd3108d4270f632a23c3523b858b28e28574d1eba8a1a0dc280537734

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\PKIMetadata\1189\crs.pb

Filesize
141KB

MD5
57086b02f74c3fe7b79a5e2e3d852322

SHA1
6420387225ddcd5210175de4f3fdb0ab2be8ee9c

SHA256
a1b5be8d4aab349aff58ed34e1f3bc6647cf440830da0a12a8bd5a1c976c6407

SHA512
b195eb9a9129863e75be603b00b85ecfe46360910529fb38513af6940f9d17efd56f234b47963452329cd85b16bebb5a85ab5d304743e57d33bafd5b59900468

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\PKIMetadata\1189\ct_config.pb

Filesize
50KB

MD5
54a18c83a15e002ee3044c3e61ba0e88

SHA1
f1cf872d0504568d663df9bd1c6bdb24292425fa

SHA256
65dbde60e76b9f7fd6bd21dbe99a38da98479c416521d73a618d34e16b2f84b4

SHA512
c510e757919d6e75a7fc07912240d8b19bc04171b1aa0a3b8a83a727bc6370d584cea05429428d78ea257e2fef820c8f1acfcb70b6f5aa9859e386175bf16133

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\SSLErrorAssistant\7\ssl_error_assistant.pb

Filesize
2KB

MD5
e2f792c9e2dd86f39e8286b2ead2fc70

SHA1
8a32867614d2a23e473ed642056ded8e566687f9

SHA256
ac354a4723aaa4f06bec385ddde4a4d0983ad51456f52b31a8068ec97d5b5ea7

SHA512
6a7af0ca1efa65a89a9ca3b8df0d2e24f21d91673c60cdfeeb02d33647442b01d535497249542f40e66e0d2dd3e9f8ed1f4a201fd97138d07a2b71366737e580

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\SafetyTips\3057\safety_tips.pb

Filesize
163KB

MD5
bd6846ffa7f4cf897b5323e4a5dcd551

SHA1
a6596cdc8de199492791faa39ce6096cf39295cd

SHA256
854b7eb22303ec3c920966732bc29f58140a82e1101dffe2702252af0f185666

SHA512
aa19b278f7211ffaf16b14b59d509ce6b80708e2bb5af87d98848747de4cba13b6626135dd3ec7aabd51b4c2cfb46ed96800a520d2dae8af8105054b6cd40e0b

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\TpcdMetadata\2025.1.8.1\metadata.pb

Filesize
33KB

MD5
0f83ea8aad2d94a32037e90f2812611d

SHA1
66a2879b881176df793c94f6833441fe153e5135

SHA256
628b2de57b5dde868a30e9c45ffc6ff35a820c93a90d3f4ff61a1ff5396eaf54

SHA512
e676aa774c099e43c00ecd42d2f10ae194910d9b694629abdba763aefc1d2c541cb1133ad3bf74df08fc6f8fb32b3f3047c07375977ee8d0f8bad9eddb7bc388

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\adcocjohghhfpidemphmcmlmhnfgikei\1.0.285\list.txt

Filesize
149KB

MD5
e65d3ece127d79c9c9cf3f3ac201bddb

SHA1
a128b20d45cc0561164480c96865e3bfa61f197d

SHA256
abb266e371790ac96c5b7173044cdde3a69b83a27fc35c1729ced2d40635e85f

SHA512
1094c17d1728ef28823fd5a5e4a1dae48e7e9fd4a71852971c2f65fe30261d49a1fefef256d5c422fdd9bf061daa8df26fa9993a6bc1c8ac1b4c44edd9f37670

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\afalakplffnnnlkncjhbmahjfjhmlkal\1.0.1026\1\Greaselion.json

Filesize
3KB

MD5
7a611abbb6a9a924867db6020cb190d0

SHA1
e2f19e2ef273b9f5ae247873ce3306e774961d3d

SHA256
b080bd46957a74b2d321e701237222980c202f4139bc4c33056e8b8824f64402

SHA512
6646e87023a890e63c7c7aa6b006b41dddfc7b9005a9d70fc114e45614e8bb652fcf4450f7bdf6326d31611d4d4c12f40cdd690313d56d6b214682d98a5ac898

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\afalakplffnnnlkncjhbmahjfjhmlkal\1.0.1026\1\clean-urls-permissions.json

Filesize
268B

MD5
00acb0f14b6b6c11ce80107110ead798

SHA1
2a40b0217ddea6d507234f236d3889b46ee35baa

SHA256
2e666bd0d92b08bddac4487b184c5612dc408f21fe4f3fab78a7ce1b2fa3f8ca

SHA512
c3a53397be2fcf41702524cb42c8d2b49d4cbde4c5479c6d0d6e92152cd213dd7436d7729906d76ed003d64e806cdf66dda7f3ca8dd4b9f9efabe25ffb76c2cc

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\afalakplffnnnlkncjhbmahjfjhmlkal\1.0.1026\1\clean-urls.json

Filesize
18KB

MD5
3e6714a16e04d03f205a85f2563eb1aa

SHA1
a76641cf3a4745ae2e4426fb10b73a6af4f1f272

SHA256
3c09ee2c055819d0ce5368cfcb19cd5384e2916d7a5c2332f59ed60b3545b0c0

SHA512
05062fd40cf019b7367c2cf65d2fd219fd4e602111e9bd20b76545dc890f20fc4d1ed798d630bc0821d52ef4c35bd83e63bb84971d10f162d4c6c12eda8526b0

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\afalakplffnnnlkncjhbmahjfjhmlkal\1.0.1026\1\debounce.json

Filesize
11KB

MD5
89b3c77c6b79fdf5252be739d528ab23

SHA1
bef55bbd5fe8b4d92551618391da721c1dc5ba27

SHA256
066f3b4550e5f6ebe7bc9c4a17e7b64c26a144df206d87cdf1f981634a5a76c5

SHA512
e397d5dac9662ba5185cff7af34ff8b5ee3ba89a795aad18fc1bdef90cab9e45a78b523589b8edc1a0c3fc28fef10bfb84983e0f1df06a8149f33187914f6bbe

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\afalakplffnnnlkncjhbmahjfjhmlkal\1.0.1026\1\https-upgrade-exceptions-list.txt

Filesize
86KB

MD5
b8ebe8c70e14e1bdff4bf04cee9055a4

SHA1
6a8eeeb539eb5f630091a971585bc77731c24b12

SHA256
a9c464c1aa17ec9958141c020c30badddd4801e15b9c0a0d430859df0ad1955e

SHA512
9240b1d7ae17b6d20cb21a466335471d3b62ee2866e6d07dc62c1a288def513cedb5368891e4c8beecd135140a221bf8a16e048cced31b29fff9f8d0d40c7266

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\afalakplffnnnlkncjhbmahjfjhmlkal\1.0.1026\1\webcompat-exceptions.json

Filesize
6KB

MD5
54b1343eed0640cc4b415bd1ef50dba1

SHA1
df0a9d4bc264e7c9325a9d082ddb3ff8dea528ba

SHA256
9344abffe1529919decfc08c1f171600319625ef7ec9a6d63dfac4927d6246b4

SHA512
c7689d95879d890425e95322613167cb6be9c04f207e847fa3f6da4c752413325968a667fd3044d8cf08a74537a1affaffd02dfa33397079bdc603768f757e92

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\aoojcmojmmcbpfgoecoadbdpnagfchel\1.0.15\photo.json

Filesize
6KB

MD5
a7e80c8cc5121a2febc654140e53ac32

SHA1
c3b1b578dcbf91aa19e65d0ef6974c165723828e

SHA256
a2595174656b59176071c0b79b404efa7246a9242c2bd19545155194c6b8cf99

SHA512
d7ef1e8df49956bc212388ef7a5343b9836e825c4ff066aa65bf0f3a136ecee4b63ff807dd63eb33e6e812e470d644eccaf3a7f61a816e441ffc44a982690577

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\bfpgedeaaibpoidldhjcknekahbikncb\1.0.10572\list.txt

Filesize
54KB

MD5
e5f6314f99166f4b0eb95e5b190082e2

SHA1
740e8aaebdb10131bf890a9a1eb6b09c3db9c3c2

SHA256
082f3610b02115a6004256e0536fb569e2d12ae96fa552f556760a0299905a3e

SHA512
940cf7829cda2227f072e58f0b4b261460861542c31520c05d86a52d3ea2f3dd84e294c410c29dcfc9fc2b7cf2b23062960f93ea0fe11048f6ea9368585d5e8c

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\cdbbhgbmjhfnhnmgeddbliobbofkgdhe\1.0.11758\list.txt

Filesize
1.4MB

MD5
c5b531dcb9dd28c756ce984aa90cd833

SHA1
9c69a79a02a9212af96a13dddb7ed58d92ac7a3a

SHA256
15ce44a7230caa96a1945b65db99026f859c81f41f38367096b1e625fc614462

SHA512
6a981f9b47960646e8e48158f7072dabc55d4fb7dc7520ceb0a3996b15d04f79695baddba3bc13f9da6d910cf28f87256e508baa76fcf01ecd5d0dd4124a3dba

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\adcocjohghhfpidemphmcmlmhnfgikei_a0f3af6a44600ec7f06559e7bb4fc2aaf26b50030553741535e365dc38b0d64c

Filesize
50KB

MD5
e78c720824bf6eba1372cfac629a7a26

SHA1
cd77180900379d5ec74445f79a1db3bcd8ab9fa4

SHA256
a0f3af6a44600ec7f06559e7bb4fc2aaf26b50030553741535e365dc38b0d64c

SHA512
ee613cb887beb0ea1fd1e910db8480b1f71ef472c5a8cb999edff44cba3f926ab473a57b1508799c8289980133dac233c7849665fcdd7af141bedfcef62b1a34

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\afalakplffnnnlkncjhbmahjfjhmlkal_8e5a81d3fe215b546bd945ec8abac8c6f55fd92d13851828b332c502065f712e

Filesize
71KB

MD5
09a05267f2f41413a51a999257f2a863

SHA1
df7817abc5f6b75133955d3546df37430bd3a0a1

SHA256
8e5a81d3fe215b546bd945ec8abac8c6f55fd92d13851828b332c502065f712e

SHA512
75fdd578abf1e49141091e720ce0c5520644cc408c366160b958ef203526cc04460fe56a0476fdd32b1fb770be3595202b569b761177b8d5e80038706e2e4237

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\aoojcmojmmcbpfgoecoadbdpnagfchel_9f86d8efba865ca6f98389b7c55e368191b7954cd10b872da84de0b5382a247a

Filesize
12.1MB

MD5
89c01a540e21a6012c4292eac6100dbb

SHA1
2bf600a9d372f38d37c64a9df5cb26d5cb046cf9

SHA256
9f86d8efba865ca6f98389b7c55e368191b7954cd10b872da84de0b5382a247a

SHA512
abd83f91b97c9c9bba4cb82501a6d316ef07173e4916e87a13f888ad32947b424d18bd6186a36245b2bd9f6c6cd29ccaaaf2445b3e5754c30ea53f1ab6016f25

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\bfpgedeaaibpoidldhjcknekahbikncb_4b32eae91f9ac632d91e3794a7ad66461b568424661abff1eaec06f9e6eac2a8

Filesize
18KB

MD5
194e8f48cd8e5fdf277202688fbcf8bc

SHA1
28a74886ed7a9ec93bbbf5419e39f19f490671d6

SHA256
4b32eae91f9ac632d91e3794a7ad66461b568424661abff1eaec06f9e6eac2a8

SHA512
a5990f8feef8b412e397ef3f8ff85b22db5c7cfe6512ddf8c83fd489bf0d47fcdaaa2022792ab5a9f9925c89b265bc82aac105e9b456d68138da2aa9819dfe42

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\cdbbhgbmjhfnhnmgeddbliobbofkgdhe_4e6739101e7f4a82dc2c41219f446efb1b448614347f8dfe8a2cab4abab73fb0

Filesize
414KB

MD5
299f42f4debe47a8618d826bfbddaacc

SHA1
3a0cd2436b176e81a43a02f6b4a10d075264d2a3

SHA256
4e6739101e7f4a82dc2c41219f446efb1b448614347f8dfe8a2cab4abab73fb0

SHA512
520c684376f4151ab4e30756f6acb1241db2bf1420fa7fc992632507eff421729bc85c432bf05c82f339cc8a32f1cf0089654a44b49c5e758b99a9deaf8eb3a6

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\efniojlnjndmcbiieegkicadnoecjjef_1.7f463c6c0d4f1f26afd2d2d9b0c00af7efc95e44c114801a429ac9badd3a6148

Filesize
150KB

MD5
3ce21f50b95b8ad71e6c508e7b6815a2

SHA1
a65cec8016e5578300010ec8b7ff4a4fdd5f92f1

SHA256
7f463c6c0d4f1f26afd2d2d9b0c00af7efc95e44c114801a429ac9badd3a6148

SHA512
69d79c0e3991c6173c47b83b02da57e25275ac60ac4a1f5b5a05aefa9b03e1f61e9c6f33364041e1bc8ccb1dff4a67a7c68d9ecbf3aafc73b25fc44b8c1c4d58

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\gccbbckogglekeggclmmekihdgdpdgoe_40c14b8e59efe48da794a2314aa869e20baa2af82a866f6cc1286c1b9a4534da

Filesize
1.6MB

MD5
227ae56568baf78f8822d749ca51154f

SHA1
5a75283952f0b5272546ce6369b67ea088a0c177

SHA256
40c14b8e59efe48da794a2314aa869e20baa2af82a866f6cc1286c1b9a4534da

SHA512
5c9634ae7b44f6f4ced6d0b1a2adf7e35be9086f03f24801ab8592c2fde8c364720d377d48810313b66dbf2a0fe699ab0a82fb1f52bcaf6da5f0e645abf659ac

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\ggkkehgbnfjpeggfpleeakpidbkibbmn_1.3525216abfc685f109e0efae397d7afe8bd1aec6d081fefc730947cd3e734f2f

Filesize
10KB

MD5
81c39099b5a4e221569eeec0a746af7b

SHA1
0601105a54e905370e965cbf8cf78bd6d8e300c2

SHA256
3525216abfc685f109e0efae397d7afe8bd1aec6d081fefc730947cd3e734f2f

SHA512
42011c20c52733df0116c4661efdce06d8ec70dd38cfae2cad45e4b4eb7cb24ab4061e968e4d5766e4203b8c4caaf2b6727e55bdf78402157a19eca0f2e89140

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\giekcmmlnklenlaomppkphknjmnnpneh_1.3eb16d6c28b502ac4cfee8f4a148df05f4d93229fa36a71db8b08d06329ff18a

Filesize
5KB

MD5
636c653ec2c30bb767533901a18669b2

SHA1
4b5a01cfea4c5deb62f3aafa01ef24265613b844

SHA256
3eb16d6c28b502ac4cfee8f4a148df05f4d93229fa36a71db8b08d06329ff18a

SHA512
a4128fb20a5df9e573e92b45f5bc18dcdf4be6e7e39172d08847882f17361320141e89b35deef337e40c365d6f1ccdd1b991eb4593d805dfa2e39a5257c335ee

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\gkboaolpopklhgplhaaiboijnklogmbc_9b0a6f79321f3960467e7d3e3b3e9817d3ef281c405da30852606bc8c9cc588f

Filesize
76KB

MD5
34f31f85a6b2a69a074939e4e231a047

SHA1
97f6d1a966baa94e686aef7fece23bbf099fb8c6

SHA256
9b0a6f79321f3960467e7d3e3b3e9817d3ef281c405da30852606bc8c9cc588f

SHA512
20f4d9efe5450e1f02608d382c97bd4269298c87763a4abcf63a5fe0ba62dd0c391824964084cc011ed6cd7db99c19c9b6411b04d42539081f3737dc78a2f2ed

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\heplpbhjcbmiibdlchlanmdenffpiibo_69d8f36372ec6edbfc4bdd957f954cc2aa97c9dc8c7992c1575b072632f3157f

Filesize
4KB

MD5
3a03f3ab4119a23fa6b70a32a6fcd4b0

SHA1
5d047a5da7c7f388416aa50b5fba745bf5f36eb8

SHA256
69d8f36372ec6edbfc4bdd957f954cc2aa97c9dc8c7992c1575b072632f3157f

SHA512
8caa4e94e831b25226e956a8ee87c5b369547081df863ee34e7f80d686259eb9b7bf75757043ecc5b0eda3a603198da060f9b6f30be755350ab912fdc7681819

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\hfnkpimlhhgieaddgfemjhofmfblmnib_1.65732723dd2f36bdc352bfad9a90628c703ec3363fdb2127f7f803fd0801d32f

Filesize
593KB

MD5
d48dfd158460e7869373e036936aea99

SHA1
de783eee16c8068548d79f991e3f8157c5189268

SHA256
65732723dd2f36bdc352bfad9a90628c703ec3363fdb2127f7f803fd0801d32f

SHA512
b815edcb802455ef6e43ff5620e9d30e20982354eee1490a8595b845ec623eeb8129c1f96e7bb38a716d50ffe879e50339d4e6f3079e2d6da968d8c88db6a0fd

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\iblokdlgekdjophgeonmanpnjihcjkjj_44fdfde835126a128fd9f020a2d7c388491ab5d251a107e4e10b6f24b63e7d72

Filesize
17KB

MD5
a1b36d762732f9439efa78708a40dafb

SHA1
6533b78ae795077fa711c67347eabdc88b5a6c6b

SHA256
44fdfde835126a128fd9f020a2d7c388491ab5d251a107e4e10b6f24b63e7d72

SHA512
8dbfd514f87e7b929ab9d2b61f99939b3cf687947dff980ce3378b56127785acacde7b8fb4ff034e2a31f8cec1901605c6216b6846f5d2a199a245bf6144e05d

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\iodkpdagapdfkphljnddpjlldadblomo_d00ee23388a209341ec265b51a92caa00cc49620596f598a77b9cef6888e6754

Filesize
1.6MB

MD5
34d25c8f6ad73a3dc501083d74eacf09

SHA1
a939088c8ffbbea6b6782e3e86f9eb620c452a67

SHA256
d00ee23388a209341ec265b51a92caa00cc49620596f598a77b9cef6888e6754

SHA512
bd253ec7dea70897fe140ac612521252e67105e44e7ae660569ac8502720f772f37af81a1d1a005eb8603c31bab28c9c07ae1cf9e3497e5b5eea084be6da6a1f

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\jamhcnnkihinmdlkakkaopbjbbcngflc_1.c52c62a7c50daf7d3f73ec16977cd4b0ea401710807d5dbe3850941dd1b73a70

Filesize
1.1MB

MD5
2ac309d48a054c8b1d9ea88bac4dbd6c

SHA1
7507922d88a9cb58759b5326fadae5d0c87f40b2

SHA256
c52c62a7c50daf7d3f73ec16977cd4b0ea401710807d5dbe3850941dd1b73a70

SHA512
870dbb86a67f36a43ad4c80db904e76b602bbe062cbb9fe4222d1cc69d99aa4a60aae91c094a65a481d8c62cca4942f178f1b2744ed21836a526c7ffe3409969

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\jflhchccmppkfebkiaminageehmchikm_1.5662d85e42f19b2b33bcca9ec678e6601396babaf2d5dccf488dd93b22c9103a

Filesize
9KB

MD5
8f1cec6110203d04dfd55f89f1851d67

SHA1
e1d5575fcbfd85812c6b6a46d0bcfae2a23755b5

SHA256
5662d85e42f19b2b33bcca9ec678e6601396babaf2d5dccf488dd93b22c9103a

SHA512
e0e3d86ecc3616087fc71cdac8c94502a675cfe2311cf1f3e1b0b9bb9a19a89d26fc7bcd9163b958e113da51731b5c07b7a037049df5bcfd2c8cb5129c2cb4c0

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\jflookgnkcckhobaglndicnbbgbonegd_1.e698359726dbebe13881db2d3d53856d8a3a1ffba048ac94773036cd08a60240

Filesize
77KB

MD5
1068b68cfdad67e39e13fb7b97adbdb6

SHA1
d3dac92d9c28b948ec33699ff69ae75a900de6cb

SHA256
e698359726dbebe13881db2d3d53856d8a3a1ffba048ac94773036cd08a60240

SHA512
da6c4d63d8d22e231d5101d93429a3ecc33c89d62b5fc969c7276816d79f8cbe45a16652507581480edb83b61f0e1c57f41e4432f6fdd67c878f38e0d4eef64d

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\khaoiebndkojlmppeemjhbpbandiljpe_1.44c97a8527ef50cab95a16c5e78cd321cbdf315726823afe7e0482af9eb18319

Filesize
5KB

MD5
93e97a6ae8c0cc4acaa5f960c7918511

SHA1
5d61c08dde1db8a4b27e113344edc17b2f89c415

SHA256
44c97a8527ef50cab95a16c5e78cd321cbdf315726823afe7e0482af9eb18319

SHA512
e61727a277d971467e850456fbc259dad77a331873e53e3e905605cd19b01c2dc46df7400ce8442e39cfac5ac3fbcd833ec7310c7ab1c3380d900dd676ed1679

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\mfddibmblmbccpadfndgakiopmmhebop_bdf60991017fe5e955ab0be306333b5427fac3db247bad1f24709d4c9c4b6ef3

Filesize
179KB

MD5
62af22ce07e0375e66db401f83384d5d

SHA1
468b255ebdfc24ff83db791823bca7e78b09f3b1

SHA256
bdf60991017fe5e955ab0be306333b5427fac3db247bad1f24709d4c9c4b6ef3

SHA512
54dd31001427a97665dad169b0d5f32fdb79a89eac7fa23a164bf78095be2d2e5f9195eb9ffedc2d1998f839781e32515baeae482ec74d8409b0d58fe53993e1

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\component_crx_cache\obedbbhbpmojnkanicioggnmelmoomoc_1.1205d40214a1bfd6669aca1c7cfea5ce0213344cf85e512f32af4c97697b3487

Filesize
5.1MB

MD5
648b3305c38555b890e547cc2b8b1cad

SHA1
bcc3e0301eddda1436e78abd56f3cc30ce5a591a

SHA256
1205d40214a1bfd6669aca1c7cfea5ce0213344cf85e512f32af4c97697b3487

SHA512
950a67ffc495fc3dd77d8fc99603c14e6bc4d08a34d09dc2598ba9e7ca142daf6c1fcde3d57f77a11259892e3d94140820a0d8bf704fc35287b738af3d299754

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\gccbbckogglekeggclmmekihdgdpdgoe\1.0.1845\photo.json

Filesize
1KB

MD5
75572546bf6dfbf5f1a3d2e9aaffc7b0

SHA1
328a28a9f6d43224575e9d5513c738a15d0f4624

SHA256
74250cb7680cc12e0affd9ae22edf7ada80255b03e41210946c272c440f81792

SHA512
e6be1faae3bd8518f2bf187a167d1257b9bf71eaf029bd147bde14aab297c176d8e0ed16bb97147f2d8d7e5c2f7decf2a9e49277b8f428e804325a43bd5039ac

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\gkboaolpopklhgplhaaiboijnklogmbc\1.0.69\list_catalog.json

Filesize
76KB

MD5
d1d6a9d9cc2ada3f3bad8b0da607f4eb

SHA1
1d286de6436a8a28584744f022af73077ed64601

SHA256
f1a889c0f11e2642c299774f601b72b5cc51e86bb1fa7514cfa9f4fa1a9538ad

SHA512
4c43a10995b91d2791a8274813f005feab48d83078fb8b51f026266ff524ffbc53c41d507d801101a9a7f765453ab4b08398f4e743b6beb08036b72e40b82934

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\heplpbhjcbmiibdlchlanmdenffpiibo\1.0.11\mapping-table.json

Filesize
4KB

MD5
57ff689022f2d93d2287ac3b48daec73

SHA1
937b7dc21193a27607340af7fb7b987b8ea50582

SHA256
4665c8cb39b1fd0131b72097484bd3a8309992821a21de9ee0420434cc3f7d5c

SHA512
1b81c2c9df45875c2f563b99bb2d29972408e3d449fb2e8793822dc0cf85c41cb48eb92510f4940343ae4826ec9bb4b98093d64f53de635ccf75b5307b92ca87

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\iblokdlgekdjophgeonmanpnjihcjkjj\1.0.106\manifest.json

Filesize
552B

MD5
caaeb1d76bebae56fdc7cb19b9e8c857

SHA1
3c5f1f273ca4c3dc49a46ab83f9f5cb8a184cf65

SHA256
fcd74a3383a0cb1dc9cbc54b9afc4c441cc81e2ed545fc0fe97473fde8993cbc

SHA512
4869fb8935ce305ea63e51ffd7c3045769ff32aa6be326a14a80cbae72b04a1aa613615c77cb865a25c45d33cd3066a669fee88b8ef260f6165d611ab244b687

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\iblokdlgekdjophgeonmanpnjihcjkjj\1.0.106\resources.json

Filesize
269B

MD5
20effecf10eeb0456cc6f537c802f172

SHA1
8fb3968af27ad30c639f45a6fcee99b48ef79878

SHA256
044502a67e39049b4cfe2b80295ad396fff4d1a28e7f2a1200abf21061aace8d

SHA512
6a002b205519c0fc498c139d1efcab2f26bc03f3fa795a5bee9b3358c9796088bb6419e2b95afdbb84c5ea36a328dfab01b33c148c84dd8e3b9d21fa07fb6dce

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\iodkpdagapdfkphljnddpjlldadblomo\1.0.9994\list.txt

Filesize
5.6MB

MD5
41140e3b9f18d70336b107b43d6cbfef

SHA1
5ca93c32b713add3400d9135fa5ed9da79144e6e

SHA256
fff84ad73173c073112da886471eab625baadc8e1143f410b41fd7de7d3f434e

SHA512
fe82494eed99950ad81872a946b3bdd41bea88c847ea2b27ecdf2bfbcdd0927bc936e7c4740f8ba0a1acd9b7cafc16a495dd3b281684abe9279edacf3f5ead00

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\mfddibmblmbccpadfndgakiopmmhebop\1.0.104\resources.json

Filesize
1.2MB

MD5
f7e232619fcd50a55c3df6ffbab0245f

SHA1
f26eff68192fa88acc08ed97979c258f8f534a33

SHA256
f4e1a4ce5d42af762210fc9218115a1048d3564ffbc987b4c47f1d9321dd35e7

SHA512
bbe0d62000740c6958e8630af812bc388011a225785e3f8b3b7ccdf2e033a42d63db566df030244ac22884d005f5f2048b4a506ae64a8e7062395b8bf08430f4

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
4b9ea4af25ecb81b7c54de4318965756

SHA1
7659fe1b3f1032a537b3ef1e0aca044db3d52fcb

SHA256
7b00ff2db01a512d2268772eac539792cac05d2ef89396126e01b5aaeb2f7114

SHA512
66112105e178ae00ffba4f80de67540f292b7cbb6c98fa9a9ad25182a038d963916c038b0c6f6bbc98f311fe1f6aa1f590557bba007dc0c9bdf9962a8f4e516e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9f18b915-d9f8-49cb-8d48-04c5b23b8726.tmp

Filesize
10KB

MD5
a2cb7c511cf93bc89db7350e0e849fa7

SHA1
cbf69781e5961fb064c86336b58aba74145ed405

SHA256
b83ecd3911f410ebfd5915ce92fe3b2e26bdf088a3a9e1e61c52056471672da9

SHA512
86d4995be142f6bb67d6e112812d12bd27864a475d5ff35d37dc399780cd15fe85bd87799fcd855b8250555f5208991bfa5553ca7b0352213ccccf767ee282a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6d13b6ca7ef5d09840b2ed5d477b437c

SHA1
52085d284e5e2445fa2ea50af4c951b40133f2f3

SHA256
4731d1606039eabc0490fd189347b494f1ce2bcb6f103c53222ec2341a7fe1df

SHA512
35119d881d603ac07bceb2012175f721bc71fcc62688c71bfe8f5873fb6d73a4f2b0406b2da934722f1f434f1aff3d94a5cf31190e3e539eba33251a83bd1e48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
24KB

MD5
5366c57b20a86f1956780da5e26aac90

SHA1
927dca34817d3c42d9647a846854dad3cbcdb533

SHA256
f254eb93b015455a3c89aaf970631bc989fe2bd387f79e871b514992359651aa

SHA512
15d7127970436f2510344600f3acecc19c39a05f8e82c8a7950095386382b2e2da55883a5a9faa97b84452e67315b9ac1693b6592274c8c1c35c813dfeb543a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
24KB

MD5
344ee6eaad74df6b72dec90b1b888aab

SHA1
490e2d92c7f8f3934c14e6c467d8409194bb2c9a

SHA256
a3cf4861c7d0c966f0ed6564f6aad6b28cbd3421a9ca4f60e2246848d249f196

SHA512
2a9a9162d610376512a8fae2cf9eb7e5146cc44c8ebde7a12e9a3985da1718c62ae517c25b00de7c0269efab61b4850a0becfbf04382a25730dbe9cf59825a62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

Filesize
41KB

MD5
b968f9e5faab98f27b0dc2a426057a4c

SHA1
987cae3e1b61beeb768563d96a57b9d673306ba5

SHA256
2be7c4562ecb9783cd56aab28bfad2929c4222d095369fd58fa9df08c9673709

SHA512
ff62c87c466aaba5517d737ecdde5bd5031e3cf998281f6966862269e492cd7c910a5784dd857deda53e6df83aeeaccdd12288fe712ebdb8ed2ae5048f659cb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
71KB

MD5
4428f4fcfb59f032684fb30328015357

SHA1
74658cb3cd89981e859db3574e620af057c2870c

SHA256
ae93168fbab94d77ce32845022a86ba49652e9f16c1d1eb42c766636db0f7432

SHA512
b3356a0908020f3362554cd9f5b97219767fc818397352439afc75b4565afd2eeb426df164ab4b99f5c0925240453e4924e2fd34214c8f071d02650ea46f74a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022

Filesize
95KB

MD5
06a863615fd1074e2466d98e80033bd5

SHA1
19a022ffa381f01262c58aa183fe7be2d9af25a8

SHA256
6855213ff419361ee06b00400b1a26f5a2ccbd5f138ff8e03c1370d4c03d3ed4

SHA512
c0d4f1c4a4771fb04d1edda65fa508f1bc7a9afc7bc3865b0fcd5207a918508018a06b044b245ee9bd3bfdab3d058f8c5fe17f780f0b431663d3162fb517429c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
19KB

MD5
16ea2a01894c38666bc185757b4f1b74

SHA1
435bb15c8de2e0ef76512618ab291da1b40776a4

SHA256
16e88923203a6b50f5a1b4c2c52001720833d07f7f0b1ce1510d42d66c40db11

SHA512
e333308b517a4c647cbb36b429224390a5c1afcaedaba81a7c8d68d88bc48c60a348af07956dbf3de8c7bada355e27128ce10ba3a0aa764bd6d807dd531025d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000025

Filesize
53KB

MD5
285561f1205f8702e8320c4ec4c61338

SHA1
60d22419cc41b11567ba5449e83b8f35572182db

SHA256
d44373744d2fc08f2f44fe55adcd049d337f398016c7a4e27fe36a92dd7a4a39

SHA512
9e6194bd8555de28238a51bcaf61954b9f8f141aa297d7e5132497aec38d5b5a101659988cb78fee4b555aa56ce5ea1b5b12689176047af2017942c6c9c1692b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026

Filesize
19KB

MD5
7e6e243c4e8611c7bc5ee9c42a492866

SHA1
f2ce654835ec77ec3cd69a772b70d7c2ac5e76ec

SHA256
000ccedbf40508d4e73c23729c6acaf847c1f9605dfec15656e3a28118934907

SHA512
6b1b82c00235aeb36caedddac9c33ec82fb6659eeb0bb6a95f221681f307a035f94ff28def0bf44c1a53491129983e3627f75a98f451dcf5b2aa5a0dc9bea68a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000027

Filesize
38KB

MD5
632616ff15825f030aab3391a58ef042

SHA1
a9435e095b8a17b6058c9d1e0c8ea53805e20d39

SHA256
d0e12af8c4e560fe89643639e0c3ed4dc76125c62adeb2879b761d73dbaecf50

SHA512
ffcb6cb7713af0499229f6316f762fe119c313e2a3810d8eccda8c005ad664adfc640915970e8d479558e627c875e4fe9e9ccef1a9e2ef3788947657916d1c2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028

Filesize
33KB

MD5
5314a038db4f3473a796e545b341a38e

SHA1
fc5c534ec32e5b9cbe28bb706b26fde2cc0ec0ed

SHA256
d47c9d1665021ffe586c858763ba8aa059bf6f0396d8f88fb58ba4ba8e226656

SHA512
1df00a31449546061c155623ea5c4dcd45a306104677fe1990c4ae65393fa2437a423ce5ed00cb68fe26ad5a24b17660724dfd271c26f8b9b863f6ae669e0fbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002a

Filesize
16KB

MD5
bed8daded857e38161a5fca701c8bc94

SHA1
f008ffe0bc009933f2c75bced97ae624e89f6c5f

SHA256
ee9250b231f5bd23d783baab54aaa0526e0971a9ccdcd8331f61293ff37232af

SHA512
ec0b8507e71de7ae6cad732bcc124df4630b6a34ab06bcb5d76c0e619972e1c02a04981fa495efe6d2c66fb6f5aeea79b6a76f41ab7bcdf20a38e2a4f2454af7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002b

Filesize
114KB

MD5
80841598fd748bc5330f8bfddf464198

SHA1
774404903f215a7f722ae5a4996f3f03c326d691

SHA256
e34bdb252ffc2c7a4498112e00e83840a829cc49f983b2ceb1acd8ecaf4aee4b

SHA512
633c9499604b5b15c3e149ee4ccbea3f44af0092e4d3c082c7ca6caf506980f3b429e441eab21fbf12626f03eb0bdecded0c48390f5281b15fcf293c95b8aa9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002c

Filesize
18KB

MD5
ce4c7d1372a2686ca61a83a53cc53481

SHA1
1fb11b54ce19ae72cd5cc13c0fe28c9f6389a9c7

SHA256
326a1140babd8fbdde8633873c0fd56acb5bd4550f9b285a13d0a1bdc3810ac4

SHA512
79d4f9b24dc9d4b4897b4df65e3a28960bdf64c72f04d0ac565b73c18b5b8b38f6235ad9f28f2c24b698946c56084d7cd9050fce48a78a8c4ff1bafd7d2da7fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002d

Filesize
153KB

MD5
b321bfbd9e54f3edcd156988aebc4fad

SHA1
f90d7de60db3362737f0a91f5a028472b56ded30

SHA256
267c407c045a4dd46aaeb1ba0f5654e0c61eada24a9cf0911040e93cce0d1bdb

SHA512
9c6ca1134185b81ae6c9d9d4729df3f8e9655345c7d04d476a57f60d8bce61d56abdd756c0c9613a7630ef5e6a1731472033b96cad3101312b614cdaade8af1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002e

Filesize
132KB

MD5
92b7c9cb9821c5d565653f42674ccd3c

SHA1
e60c602c1fe4ce70e7cb14b5f47810fdd7fe6d6a

SHA256
f66d99268c0d3d9ddff84211588ae7954d9ba7581bd8c1ec2a520744d7b9274c

SHA512
845a81254b8a400da1b1da65240811c4ab54de847eeb952c447014abba9ecbe9ccc5509db10ee1126b284b25b6f01ac6df89b6af5f11a887dc29183b29442210

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000030

Filesize
53KB

MD5
2e6e3f563461a639a9128fe357936f1e

SHA1
b547ba10e706f0b50c9ed1947f3dcb2985630112

SHA256
dcc3b7904470c82a58777989ed9076e04f68b1440f08aa7032e5570e38f57fdb

SHA512
d60ecffa1315487a46acb39e044fe2d7d8a27ba8d19d7745b54380c58c697eca4de7ab08810a7721f2ef119c9c0333a15c7089559edf152854c94c2884340746

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000031

Filesize
29KB

MD5
79ffcf947dd8385536d2cfcdd8fcce04

SHA1
a9a43ccbbb01d15a39fac57fa05290835d81468a

SHA256
ffc11b830ad653e7a9d4257c7cd7a8056db5e7d7e89439b8fd67d1207b1729bf

SHA512
3dc82ecb2abc8c567434666a9162cc188de669927c3dada6392d8bd97d5e746f1ed350e1a02ec016ee2b1dc8a9cc5c71c553f2ef1293d6793800c276560859a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000034

Filesize
54KB

MD5
6dc2adb9251cf99395faf56b5592af44

SHA1
02683d1bf1a162d68aca57452ea1dade888aa024

SHA256
276bb1be8446c6d19307fba2a7ee6f069402b5df8fdafb8f3e6657726ec05a68

SHA512
8c32f3bf565b2621a18247d19572932fb2f5b521d0dab04b61921a1973f22e1d24bf27ed07b15c28d1248a072b0a645f1a57492b271dde6f8850aaff6b38976b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000035

Filesize
28KB

MD5
51577bdc80f1cd4235f9f3b42e8ae603

SHA1
766306cb8c6f2ecce18f09c0585fb0c8693e6950

SHA256
ca7015d2511233462c4d3617d0abb4198ba42d204396319e86a95b6c5590a2bc

SHA512
ff9d84ff03a2de3786797013fa33f60d8e14157ad027a4088ad835d23868d6c49c1ae137b8c2474287bb224067c11687c9d9f65e498584afb6de91b41f612a92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000038

Filesize
67KB

MD5
bcfda9afc202574572f0247968812014

SHA1
80f8af2d5d2f978a3969a56256aace20e893fb3f

SHA256
7c970cd163690addf4a69faf5aea65e7f083ca549f75a66d04a73cb793a00f91

SHA512
508ca6011abb2ec4345c3b80bd89979151fee0a0de851f69b7aa06e69c89f6d8c3b6144f2f4715112c896c5b8a3e3e9cd49b05c9b507602d7f0d6b10061b17bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000049

Filesize
20KB

MD5
6408c37d09ecb7370b4d61ea51a15ad0

SHA1
8fa447851c7db6c2a4e20a13d769ed926daee5d5

SHA256
38c4bb35d2dc312b0e82bf8c5098495fd12d73029dedb6014c8f3ead635e641e

SHA512
5436d6204625fcc424989776d5ceb7fbbe286bd37bf077967289ce336ecea0e1db85f064d51d4a18877cd96be0d20557c682bbf2ccc6e34d6e096557aa357311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8ffd03be83fca8f0e699b12d4e37a063

SHA1
6ee2aa710960c96cfb3674363e6827450258629f

SHA256
096b8e2e8649941819265b1165666a3862f13471bca9681b992161d7b699507d

SHA512
e327524131ca2b0a3ad00af2789f608968ea3350eb06ea3d5ff52fb0eefe8f74e4a4c41f23d94c78f6cded0a07810d0fd0e0829b54247d9ebdd2e9d2ea078aec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
6696c8ec61a411d87c78cea9b6707b87

SHA1
c6a6fd9f12bd45512ae7a1e0c3043845b3726a1e

SHA256
01035fbf93a89b8f5204e69732d85d28f608fb4fc169c4089722ffc6db96c6aa

SHA512
00cd6e9c92d6be36598be94894189f0f13ed975162a21bb07a5baddc36af610de4f26d6f707589124ac62d29ee53702601dbc3b3683f0c58a0e585978610d61d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
592ad9a8c8b18734b04681a6d93ecbf7

SHA1
c5e1c1d4be2da4ee413e4665292f5e368446af96

SHA256
8b0b1eb15748df0cecf66e44babda88390fc53d4f3955e67277bc255e52d19de

SHA512
c6dabea7f4d9a8c6a3e36fd12e8f78ea4c9e6da7b2829f624ee343cd8e199677ea6af674b5d200b850cd6cc57b388e75c2e278a4597dadb5802a9778e313edc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
700816103a110506b36c4228cef69f5e

SHA1
49935f08fa951d0603d912795a589a209414a635

SHA256
d49bc1b1763d3ea76b2ea04173988c965b22c07bf9e8989bd047e2458261664e

SHA512
37b215d25d8cedecf77703e6a7d4573d0337670b51e471041b89b5bb2b936a698359fcbc386dd918d01a5a0e820fb0caa014ef77013e361394ea034cc307f0ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
94099d2020bf25f30d3aa6d16423c896

SHA1
8e4c9df369975ea88d8b43e86bdcda34c1ce0343

SHA256
e659ea1830308bc87db72e3da33de099d2492a969bc3be8ac041807c6e8e2c0d

SHA512
ccb96901c4b4da13303387baead4b26cfb897a7af7da74e80d4de502a9979f7b38402f16c189bf3ac0bc546f6e3a533a9d3180e0561d8b779e534543891b6676

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
17KB

MD5
2f888a933b103aaef2406d20f9823ed8

SHA1
766612f4c58d61445b0f543db80ff6bccbe27d10

SHA256
e1b19164ee55280d3598e24e87f5877c547f24c050a473082d88a15570805cb4

SHA512
b71edc32476bd25af6271606b8187ee24be05e28597e4e1e526c9334864a9be07c3f0384196a1f13b80701283fd43ca6ed3521d0b3e7ec657bc50d363ee10d79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
18KB

MD5
5b972e72a9aa9b9a124ae685784148fe

SHA1
3bf915648ce575ed615d693cd5a93b42c4b59de2

SHA256
634af43bd5c0b0f651f435c722be590130dc04da292ce8f9e802defdd561d6a2

SHA512
b0eea2789eeee91cb4b8f688304e7021c243c36aff6ecf6b1f094a984bf84e6656223b812c80549af99bda6a42fa1ab301a7124526a4e11b73fde252155254fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
a29aec5a47e833199ad2077b147ba838

SHA1
435ed14de3a8ba4122c5fd8f58b0e30e44749980

SHA256
9dc765665e05fed6fcbdac4cba314783dd619c1d0ee32e61adedb4ee706a8055

SHA512
2f9bf85d3a5e659643c48f595d3a71fd51cf9c30d2e1df7b59aa3c2f270ec8dce8cab0f2f7474e7cd00bfc7fb88b47688d4921f95eccc064aac75eec51c246af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
0f283f72a37d2829623b98d939cd52a8

SHA1
3fa8b3ba6797d28c57d4f8fe3cb9a73d74d306a1

SHA256
db00fe602f640a8fcfd4ecf0f99aeea4118d3d785f1485318510d50b4f5f11c7

SHA512
253753f2558cf5ce7a968b24e6b65d4faf1b87c62934b7dc7e434b2e3350312ae7d19299be55911e9b8aa1746e71ebaf663ae444bd1e3726a79a796168712826

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
0c8087ff41d6da7cbebd562d538bb340

SHA1
756ee5cb9e198c005f0df2072436e3274096b7e9

SHA256
37f235338f745fbdec863b0270c9d70b21c55b9e4062646321aa44b0d51cba3c

SHA512
be43365cdde93f60276ab7381495b475a7abd92799d1c8776eb41a437a15ffe061fb63b1d124fdf48c30a6b12074344f253c3cbaa6a2168da18f0b20b64164a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9e8b9afe9404e792d818ae03fe5f4acc

SHA1
24c1da4770b28a9284aae4331687df411824db66

SHA256
96ca59c8afdb76bf75f15257cdd81d443663eec639e995f0cc50eb44d0829420

SHA512
932e74a938b001735ea74ed88f5f62d9e7ccc933073339f820557041b83f89f7de035d4df640919821782f3e29b1b90746e4764bb2fcf40cee10c53ada548989

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
3e745302778dc2744700c5e4778449c0

SHA1
a8c1ead8efa70e0e3fb2ef786a9fe447e1d1801f

SHA256
6184bc5b07cd0a316d4c866f0c7adecb3a73ce9898d3f234ccdf26224ff5c6b3

SHA512
55d0d850166c05ba46304b9fef777f04ba6bdc7c87a9b068f7f4d45ffd1587bcd4e444a03cc555dd1bbaa14327b56051698dd995e23a726f7b75259bccb41b98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
d831555d8c45fb1cc25a4f9394a7bd69

SHA1
353a8874a30c502e5e1d87fb350cec939fa0d777

SHA256
f0ddeae27160fd0a34203cdf96a43043d6b37a6b8008a76b81d75664f3848749

SHA512
d84906733c6f39b7ea898658c6e442bbf23faf8ce1bb4ad2478c8fce5993a44da6fd08d1c50a36479b696dbd0f51cf0f522e1c0ce821cf2b58009f8710aa292b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
2b85f0652375fa95bbae17d434bfe482

SHA1
8fc7cb722c73c728aff434920810304b1a2953d7

SHA256
5ac1b6357a2f10f05b6f469792a0661554be1493ad46cbf0370aed86d25ea789

SHA512
2709b7e95890e4aea87c3e5d90a4120ee193bbc5cf2f8b11daf3fc17b6d962d4d134aa0d756c69e803480056adf64c3deff0d20f6a7c1f845ca49d90b193fe23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f5ddf29d5e08b3fa7a4ef0b88a291674

SHA1
393b4451a001bb9f610be8e7f60b67e1bce62f2b

SHA256
683de35bdfc371e327a5b822f15c2518b3b2a512286c9bb7382d57ae851653b0

SHA512
dfd9b71a733373925caf2ac4e2ca059581dda741693bd3f212bb92c55aa2d645cc2547c2a5439d7471b064205d51a02112b133e0d32a82d5872f032d6c0f3ef8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f1f361ee3857ad139c252d47e68d7f63

SHA1
a393c19327dc084d33aca0500dadba756d3600fb

SHA256
ae4b0b86a2d6910d55a48de1b73bbbda0bbf47e6738e7c87d70a1bd43dd8bedb

SHA512
fd0794130970b5cadd30dd32999d5a39b7ce159e721400bbf1f848272d5b715aea715e6a6fa50c7ce7d53d2735e1cec2c1d6ced4d36ff411776867f7b8106004

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f6a8ceddc9d445070e193408774b38d7

SHA1
25cd6d965aa43c1618274f8f5e9e48a2424e3f89

SHA256
eca8be5d2814cf6b2a36f9777d8f5ff356789e15c46af58c14519b3c272b9310

SHA512
6a74f80fac335a2890b672f2e885dc31fe5351a0db345cf840887dc2a3fe92603fe3221df8e1eb2da742d6bd7fa1794a8a683c7bb1dc3540f33fe6b0aae4b7d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
64a2736507107908748c3d118f9a1f0b

SHA1
148f0b03d32dc8e24c4c3d9997c0222f2bdfe324

SHA256
c5c181e6b813a3b8e6b91ffadbcb8c7752afc23cd84ce9e73fc1ffe1fe7ad1f9

SHA512
9d3290939715a2e794adc805f67755768375d2b1b10a24356e3ddec9d6ba8f5eb21ba6a68ef9bdeff942aa3de3fc78e0e7c6e7ff1c2d4904c782225fca8d6da7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f802b2d868708e02e9d271938a7d99a4

SHA1
ccb7d2b92c1a63f69860415fc4e7b9cd41fa27f8

SHA256
f96ad03b9bbb6c0e85506aa2a6061e8be2dc8f840e51ed9372043cc8cabc7d8f

SHA512
65ada10da1711edfba53a55029a423ae37451fcbe5f192cd06820319f58e0589ca0afc85481c44ee0ee238faf8ede04d9a5adfc223b31eaab4a3695f444b6148

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
05b48337fd2f70d42e36b01a03314458

SHA1
195669bfa69bad38fe032f5b84180a642258e6d6

SHA256
29f8b628caa0f4c79db547972f26a205b16c2fe9e86c5e8334e44f342450ef47

SHA512
051d8458e93f8c110567a0e671d65cc8e30ee8a0e4c3c475800c1ca1c9e5d8303f8c3088713982d9f39e484d148c941922cff0c5204802d336a9def62bfd6b24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a4191c20d88f9b21e616bbdefa5d53d4

SHA1
6e2ed8cd4a20cad834b502cd74dfee90d23a1456

SHA256
663bc5a863c60f8f27963a1e96807be6a68b48b889505489819205403466954f

SHA512
4961616a60fe6b62502f4fd531e126cabf12123340bafb1ff12e74ccbb677534114c5dd39348e0cf9f70151f86486a7757a89955dffaaec08a1580b17e562fa8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c16a2e253fb52448a898ee12bca07950

SHA1
ecee0f4d82069231b028c44f6fd5dc13c3b22a35

SHA256
920464d074797466f766054bdef8fc2e051e8cb3baa26c63941c7ee25e799fbb

SHA512
4609d3280491ec42f08fd4ec9c82bc710760b5242fef54bc900248d64d1deaa3c036839adb7a37e4802919d0437a73a186a3d65ed216a4ae0309242b146c8a42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
25498242c679c3efbbdaf30742a0246e

SHA1
55cfd5be56ff0a88b4caeb2b3da16efe7b23a6b8

SHA256
877508f1b42c85f3fe9e8e715f45684d94246eed5307630748b9f9a8f193bbab

SHA512
72ae9bed645bd1fc41e4c55894625fd82b086c0069326ea3c5ada23772a1da7d9d09f9dc556974a18a7cc9ba16e2a6d24d1d83632483b7d10959664599d28811

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d5a89257a12214085c3098653f98c366

SHA1
58758d714af1247db133ca00bb3fe99945776314

SHA256
2844bc325ea323c270efd15a15451ec648f8588b1afe546a92ad25923299934e

SHA512
f2e6f9b26c5e165cdfa68bb9862c2a0fe61213ea1800ad6b761ebb1fc3680214fbe951a890bab1d55289d553b2d485c754ff038699d4beeb75995abaf490102f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f0774a8d3f53ec360216e4620c434019

SHA1
c5a8f61a550371dc2b0faae0c6ee6181e4036f9c

SHA256
eaa2665c8deaabe55196d7e6ef51cc4a0a5082470e370dc206b8f5fcd2e8aa71

SHA512
21deee980d6c86a77fad02cd5c9081cdc87a402e69459c7f337754cd01f7da2a2210c624d919e4ad75554e84b900c826d55b3029bf84c870d9f3fed645a53f7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ec4c00b577b3f7b297d065008ca0a006

SHA1
606296bf7f4d0c821351e106f58a9feeeb64e976

SHA256
d9f641febe1191af2633a00d4b3f5a85c649caf1784772170c78aefe612d6493

SHA512
96c3b6c048002b09c76e2de5e53300643091172c30d72637cbd4a35f97fd8d63e7547fd3b1fd87823b435ac4effdb35c5f99da84fbede3c47c5bd461184c55b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b2d6efb05fd5846e7753856897514d18

SHA1
c5ba7eef2a05f9f2a4f201c53403adc56d6aa860

SHA256
6626264457ee01e2a08c9bb04bdc7bc3b9ca969718f3c6bdf738953fe83e8991

SHA512
9b67245b4269f310487f82de6a22a03f7c5df349068226f670aff719a7a31fa23b5a2fc5437e62eaa9c01959d03ac93b5273bd6f1c05d7119296188f54dcb867

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
7872cacf28c3ffee3f22ba763e1d4f92

SHA1
8030035cf4c770dd3957989aa9e8347bbddb6290

SHA256
6f20e298001f0bedb93c643e305371819afa7787e19c7d328fd2090f0b5e2b27

SHA512
f7c6370fb4bf0a6af3775d08c15cdbdfa5a16c4719d178d885bd7c9bbbbf02189624fcbc78eee0ca2a116e7d0c43c9b78f32c20eb4c1acf18555bae376d46222

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
117KB

MD5
cd627ffa08002a079ee8bd43fc3d7d8f

SHA1
d32b917eb1f0bbe4c8c4828dc7539bf5d2728bd9

SHA256
74b5e17943cccdfe5de56712b1921eb2b38c7500a22c46a8630859fdc3236be9

SHA512
28e015b083dac8e5cac64d788b23146d3ba3bacb76457b8c729292e5d70da9b46a5b891e844b36e987520a8d610453e9ea596c2746e68cad1b00e322946afbab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
8aae801f042a511a2a61846a7a8dc7cb

SHA1
241a00ed72d517179ae0d9a882ff823666eb8d2c

SHA256
f5b7bf2865addd9ffab8b4a3d98cab3ff4c21d0219d497eb40d3c4e679db3627

SHA512
cef76ed95beba87f91ea4cde0944870bcb01f8d1db6ffeb65b48c3f7a34f1d0d4ece5b1233d74808a01c1ebf590e90e372c10291719522cf93d89f06c595d9d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
9f71c6b01f4a46b4b34a80030fe7beaa

SHA1
9f3a76a3b039472d511d44b2ca56ca2e5bd17a59

SHA256
5784a67622a973128fb238c4ed4af2515144c44eee75b405942919f35054a6e1

SHA512
7a245fcc12cac948c2da70f997fb6e82dd9d5160bec82b553c71f9415c9838b20c4beb6c33ca10f695cf8f0c85297aec6eea6c0da0e10b7b4653bf6e438d2d59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
da934a610de0f66af2498cfffa1ee631

SHA1
67e0fee5e8c1051107758d7d3ff43197dec576af

SHA256
34c6554a06697ff0542994902a8a30d0894a8dfa1f079b063aa59d18d2f76e03

SHA512
77b99e8dfd30133c977934a61358aa1e0724157b21564e037a39e4f61a0c02fcdb655b329a6ae97e9de3e07253220e666f2100abdb53420913081dfbb1261299

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
117KB

MD5
4be157fe169b74a9ac8502ea4c94ce23

SHA1
5481a2b51f9ba1592e8879815d755c13d660c06d

SHA256
0e3b7e96d80b74a8c244bda96a0a91579fec742902d2f0130cdece8987183a19

SHA512
e4e0d496b9c491b6bd1bf1b7055b295f81c0c621c5b3efa0e08c90b81446d4f622c7360333e437f74950445229a862515c89fb80dd21c7220bdfe364e3b4a7d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State~RFe5edf04.TMP

Filesize
1KB

MD5
9a279624c43252695b0777baecf81aec

SHA1
22350d850e9ca6273df8cd187141ecfd42b1d3ca

SHA256
cdb22bd8d01b7a519d291b8c4a329ef500f0d726fd5756295877a316a0be285c

SHA512
fb7cd4e3426fe05a5fd26aa95bae9f1b84479c7f37dc39e4a420fded9a2f6b2116b6ff816e19bfe54f4fe729d3ad3c2bdd5cfe790bb8b6bd61a99e78976b8bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ruwcsxzf.zhn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4e9fe28-eea1-4cb6-b6e1-687db49a1042.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir428_2089014758\0cb49762-1aee-4e07-a920-81025af28b69.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir428_2089014758\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Brave.lnk

Filesize
2KB

MD5
7e978ba50fa3a30b2feb35edde6c76ba

SHA1
0036f0d820f98b679b80d93c1ab8408a28694bbc

SHA256
40a86ea2c3d4a8104b688c6eba88715438a1ae31db078d1a471466107cf6df3e

SHA512
d5dc622e3568c4ff618ebf0b8fb3cf624018dd6760cbd39cae22a3cdfaf43b57472d9aafb503460c03710ec0bd4dceec19a981807d725d54d012ea7589b3be6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\hello.docx.LNK

Filesize
500B

MD5
3e08c5d72eb4f8ef473c8311c8dbed43

SHA1
e50a6f2becfdb7485e897203f1ab61a0346b3dac

SHA256
bcfde59dcefb43a7d2bc1df74b452fa2d27018e8a6ec3f4e308c04a47c9ca018

SHA512
f2720c3ddc065bdd98ccfc59ea174f4f35d90cf899cdf861b0546368ce87c85d51a600fc50c056319e3e7660271495f6fc332d3ae21393114c61cee86efa4ec2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
348B

MD5
92662b8c2bc3fcbcb2a96f826be18a54

SHA1
e230022e2f66e5ef612bb12920a4a04cd5f83f35

SHA256
32ce170157c5b98498e3ebd4875bf1a6e22cd07b66c6f9fd75013ca3e0a6afeb

SHA512
5c0f4d502841518f60aff955b2fd49d41fedea7718758e6fec9b963dd6a4c6ca3889c38f91ed37b03df24d28d6b8f63c430ce141e3532e7791cfca98ce027bb1

Download Submit
C:\Users\Admin\Desktop\~WRD0000.tmp

Filesize
11KB

MD5
45c3dd8dfca8b53dd81b1e52be87e251

SHA1
8d8c564e01a9ce2797eefc5739d02e71c3e4d5e2

SHA256
fea83ba7c1204e9a339b821b422b051b35e95e7d37407a3c989a30bb9745f075

SHA512
af37128ffbc465c6715c3f0b6b3f3f6b2b0a152a7efd396099d15d357a03d1879bad07444a4c879749c82b55d99ed247b4958490b8bada337276baeddfbcd6ee

Download Submit
C:\Users\Admin\Downloads\AsyncRAT.exe:Zone.Identifier

Filesize
156B

MD5
471579290e239ff54effbc506d5624ef

SHA1
2d278f39f3afb35347be03ac194c666831eaba59

SHA256
b6c4dc70635f3152581e1930bf42c802dae560aafb423dc037ce115c7cf0cd2d

SHA512
45d1ac5e03af55268c531a80c55fa99fbede0115d54be23116387652fde754d130ae40a863e46b29f0a7f8dea1501e6738c46770416cb3eb558e141adb6783b0

Download Submit
C:\Users\Admin\Downloads\BlackMatter Ransomware.exe:Zone.Identifier

Filesize
171B

MD5
45f98479855a8a80702e08b0e64a5053

SHA1
a9a5c100cde40519022fab2712a955a2210619da

SHA256
e54b2fb5bbc5e98f1c2afb8ce8a2a26423ef841ada67aa2b109f246b7337b7ca

SHA512
2276a2ed84166eb828d3632b2bf73636f3e78d43d6e5bf013516b646d6803bf84086d1adca8d4630c99ce611b1641bc4c805131dcac337a9fe52db010c0ca906

Download Submit
C:\Users\Admin\Downloads\DCRat.exe:Zone.Identifier

Filesize
152B

MD5
d271095077f065228944ad3f6d74c39c

SHA1
8de84183396f697dd34c53bef186282ab34b4703

SHA256
d5e6b4fd90f82f1d2148f7922561ac86be2012c8937a1af8e13d13833ba7d2c6

SHA512
556791d854f402162666ded3d1545b9f35bb271f119d18edf215a292ac7212f18363e424528f22af64dc25d1dd18674651c39afb9b0ebba9e9e1073abe362a99

Download Submit
C:\Users\Admin\Downloads\Malware\DDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
147KB

MD5
aadb8c02bca30ba7b348b0f27f003cc2

SHA1
39d9bddc16aba168fb0e824b68d688f423fd4d1a

SHA256
7bc8b3358f6a3231e8b92a021451d083e8932a143b30f4db4379c5eae36c6fb8

SHA512
570325b6076dc19f1f3193bc3d2695645a54c205f9d58b47265a4316f0acd9752a3dfb6b5a4f8e6f4f5b70fd32122ab29ded5f2065cdd115d47bb468db8b33f1

Download Submit
C:\Users\Admin\Downloads\PureCrypter.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\PureCrypter.exe:Zone.Identifier

Filesize
58B

MD5
f328e184c322cba91dc3c014fe2ef3e9

SHA1
2aab1f0a70009051dcc87350e0f3b079da02fbb2

SHA256
fe25e31061b432c3a3fdd8f797c6dadad253e83dfb305ee997a7302cd70b618d

SHA512
e59501b550ea64155d134ae832812004ec298a44519eb03183542599174b7691be3225f6fa5064d45ed7ec81f0a93721eb8f401d7e2a49c4b91a70ded006c97e

Download Submit
C:\Users\Admin\Downloads\RemcosRAT.exe:Zone.Identifier

Filesize
156B

MD5
5495206caa7f71d4a7c6eea16fc3bf1f

SHA1
20fb796877526608a50a15e2528853288784f74c

SHA256
1dd664752e9df84409789c880d937c2c7e42d6562aeb0293c6b085ff5f582dad

SHA512
db0c77408270a84bb97cb572a829f9397c14e2d848bfcf8833c16efbb33078426ec8f40213c358d7a5cf54c1b452554365739f22f3742ee7c55261af0c778cf1

Download Submit
C:\Users\Admin\Downloads\SheetRAT.exe:Zone.Identifier

Filesize
155B

MD5
cfe5a5142fe38e4519c98a959f0377ee

SHA1
d8687d1189833d00d0e2c106c638e4a4b63b4a07

SHA256
e2fe4cca6237532d962926f20906bbff9eb85414237f7e9990e33b0c616ed7c0

SHA512
ac21119ff7fdc7f847659619603113fb78b01c95bab97caf03fcf1839ce085b2a406f5ba1036f497dbca907b781224e2371d17d8272dfa82972fa16bdf7ec5fe

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 334746.crdownload

Filesize
22.5MB

MD5
0ba9bddf58c9d7763f63442efb6e30af

SHA1
a5e8f717ee437118a36cde1e2d26e8dad4169622

SHA256
32fe98a9a77a656afb7dd3c39b6cad1ac5222c2fc9313a8aba6ae8546f244371

SHA512
a5637ad57f8b52ae2523d5443db9bc6255bd05e563b47a3f88903624751d1913b23b52c000cca93436b65876391da797bd25211c27027917864ac394b67c1298

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 338242.crdownload

Filesize
1.2MB

MD5
0b0bb0ec926278e3d47d21cb249c3b3e

SHA1
4256da725fb583ebca04df5fb6fbf581d964efaa

SHA256
e8d449baa01fd0134d1d8c67f28d4ec6d40d40f5395ece550093b4774f491c8d

SHA512
cd005702ffea91a50f66ef299a51a4de9de7a123fc31bcc3df11ee7f0fa893da2bd07ac8a55f9580c4b94c44b2503421f6bad90c720d01a4f7a0ea420a61292b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 338611.crdownload

Filesize
1.8MB

MD5
de020ea4df72a05a6d3850f89804167f

SHA1
33a5c198a384086b85dbfc8a9820d1758204667c

SHA256
0ce80aeb4d7735cb992efa0666b150aeb8e5bec83e5ff2389fa643c28ffd87fa

SHA512
719db18f98c4b9cac1c09954fae46def924f1e9425f863cc515c453d174c0701fbf56a7fe60a4146e7a78e3906cfbb86dd8d84e4085fb2cd2654109e1980940f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 687415.crdownload

Filesize
147KB

MD5
c09185c157831e4915c255d7002941f4

SHA1
beca597f2c2c120c3d74163501a81f56664ff4f7

SHA256
6f3d87f3dcfd248e64d26cf338a19f41a6f93affdde5fab071a631ff38637757

SHA512
a843854ca79f4d98938635612d20f3d5b79d8661ee91d1ae130b2deffe95e44d7028f76b8b221c87fab0638afe5baf3c55e8348f8aa10dddc90133167a3c17bf

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 844583.crdownload

Filesize
460KB

MD5
9929f1d8b427ad4e387de2afeab1311d

SHA1
b755ec44734a2b6473115a2d7ed8ccf4cf6bbf3e

SHA256
78c02b98c9f04761aebc5673cc234bd772a43d41c3e9a6823a37107956939942

SHA512
3a35405fa19066f404f9723341db5218aae8a1a07368ccd0d4342bdb31988025f3b709f4dbac7e17c342ef45d6fce812253e1cf233df4aa2a5d2a9767f427738

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 878239.crdownload

Filesize
947KB

MD5
b10dbc0225aac52e8ee344602847a3cc

SHA1
4bedc08167e1f21c85593c730e29d10036e0b219

SHA256
7a12e9a93cb32e622b05613c160fbbfae2d379f5c255bfca02eb1b54fe1a78a8

SHA512
579827dda319cbf9edb3d9955f27e68952f4587d73166192a68ff8609032465d892c6f08e4b19454b24c27c4cce6ddb56fce2e7df3121458c4d1f7c78d5e6156

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1125432650\manifest.json

Filesize
76B

MD5
c08a4e8fe2334119d49ca6967c23850f

SHA1
13c566b819d8e087246c80919e938ef2828b5dc4

SHA256
5b01512276c45ecc43d4bfa9a912bdaf7afc26150881f2a0119972bffdbd8ab0

SHA512
506f9f4fa4baaa4096ce10007eb09cfa95c9188082053b9ff7f2dec65164ff57506b6a8fea28d58783700f257c982aef037afc33f62da8da281e67636430dc23

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1286554388\manifest.json

Filesize
94B

MD5
066555d0058c6d6a189ea93224dae62d

SHA1
cc47c6a9776e0c09903a88e8731676e3830e4e5f

SHA256
c383ff7224c7b847a751e7d29e94e9e60679bfae0bfec3b9f6ca871eef529c9f

SHA512
9410cf705c9bf58996fe2dc7d09fba76754de66b9528e91071f13ac184953ee6c6bced993fbd40dfd4f2dda17f419d24db51a9aa06960d150f59753ec8c50a4a

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1470894394\hyph-as.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1470894394\hyph-hi.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1470894394\hyph-nb.hyb

Filesize
141KB

MD5
677edd1a17d50f0bd11783f58725d0e7

SHA1
98fedc5862c78f3b03daed1ff9efbe5e31c205ee

SHA256
c2771fbb1bfff7db5e267dc7a4505a9675c6b98cfe7a8f7ae5686d7a5a2b3dd0

SHA512
c368f6687fa8a2ef110fcb2b65df13f6a67feac7106014bd9ea9315f16e4d7f5cbc8b4a67ba2169c6909d49642d88ae2a0a9cd3f1eb889af326f29b379cfd3ff

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1470894394\manifest.json

Filesize
82B

MD5
2617c38bed67a4190fc499142b6f2867

SHA1
a37f0251cd6be0a6983d9a04193b773f86d31da1

SHA256
d571ef33b0e707571f10bb37b99a607d6f43afe33f53d15b4395b16ef3fda665

SHA512
b08053050692765f172142bad7afbcd038235275c923f3cd089d556251482b1081e53c4ad7367a1fb11ca927f2ad183dc63d31ccfbf85b0160cf76a31343a6d0

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1513495021\manifest.json

Filesize
72B

MD5
a30b19bb414d78fff00fc7855d6ed5fd

SHA1
2a6408f2829e964c578751bf29ec4f702412c11e

SHA256
9811cd3e1fbf80feb6a52ad2141fc1096165a100c2d5846dd48f9ed612c6fc9f

SHA512
66b6db60e9e6f3059d1a47db14f05d35587aa2019bc06e6cf352dfbb237d9dfe6dce7cb21c9127320a7fdca5b9d3eb21e799abe6a926ae51b5f62cf646c30490

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1569120020\manifest.json

Filesize
584B

MD5
bf3f6b8447312c7ed331b69286962e3a

SHA1
6ece39667b3fb11b783ac592a0b139efaed7bc30

SHA256
ad3d6a89a503bbade5f857cf05f40e4bbf55fe1b52e9f4ae41d976cf9801f87d

SHA512
f5f8077053cbe8ad7076281358a029ff3231b90011c550d236d0d3c4824c8cdbd7397ec1c96663e83c158060168ce908bb52e9d3be50dfda3c711dface1406e4

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1857848803\manifest.json

Filesize
564B

MD5
2efa37b5105fbed3014a7be8963dc2ed

SHA1
a03fd940871c3a99836f8f1c3bb2edb5e5a32339

SHA256
9961547296bbc34112d1c852fb61ada201f87230e56848c17af3df54ef8921b2

SHA512
9b0b86e7c110b5d076d67eca5848e1847a8f04de3feb4a4c71e1d00724fad701b0b0cc3f7dba7450ab3392da4ea5e2353ac9f263b81a5a186b694b5a162db69b

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_1869237679\manifest.json

Filesize
558B

MD5
f2ea88c3713fadc1cb2f57ffc5f763e5

SHA1
203adbd539223c4ea2c2f0a549dd198d46bda233

SHA256
3ecf70ef4593b2d7ff9955f6f62f656b1a3957b743972f1b615c91ad8b4acd62

SHA512
32b8508cdb2b650abf06c6e1507769cca8cbaa99bc654d6ad528872aa1606bb66773142029f78353798c1ea73a4e2ade7c76582340b85206cda0a3de857dc212

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_2018242389\manifest.json

Filesize
595B

MD5
3dcef8e61cafd6e859449be00cf9a679

SHA1
a00fbf9025d2a6b34e3886e3ebe0b2044967a162

SHA256
b222a80e10939d8171639109dfe5dd6b25f8f240b26162b245123da436eb7709

SHA512
798cc1732217f001701f799f340b2028a6d1061767f21e97dba08ee5ccff450482233a8488595f333705536be053e195c4e65ccdb9306ec2ce2fddff9110eeff

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_2127964034\manifest.json

Filesize
592B

MD5
5e2fa1a458fb3f9c53f3a2b5cffc11c4

SHA1
25294f8ebfb3863e9e77eb206e0c72290866e60f

SHA256
2ece3f61264cc9bef1a7a8afa10af1950ee178732904e0b198eb040fb4bcbe96

SHA512
643ec636df61083d3f700bd3133d8055c91764ef16fb2610d6d9b5a33ef3b716636ae2f6297c8b3306fbf25c88421a58837e06158c1d6dc2dce2469a0a1369b6

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_2131560901\manifest.json

Filesize
546B

MD5
2d8d7c0b44ea9204f9fad304dd48bdc0

SHA1
266660126f7bffc9e0edd5c59d1b1577e8e18204

SHA256
388c7db0e2dfa85a4f24945d24019e649309ccd45edc49debdae63614c2d74f0

SHA512
5c7ef04bcc566fdec1c29d72796ce5aa949cc5b725bd7581d6200e65669a5bfa221e4694dfb24eec3a49626baf0631d6d078ef4ff415d08908ffe98c1bb7e883

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_342686802\manifest.json

Filesize
578B

MD5
9dd9c1855fddc251bf2be4b307139566

SHA1
e676f12e3e4c7e5daeef53a1b92caa484fb68d7f

SHA256
04c4b17d2d9b11987c75e32d834bf4fd9e46991906352a31d016541ab4ccd15a

SHA512
6969c91c9f914f4162a6aeb7465f13a9745658bf644cca1037a808eb843abb1e37a892811b4ad558968d360085cac424a9891bc04c9d6b5a12452da198928a02

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_378329542\manifest.json

Filesize
533B

MD5
42009b4dd959e3bc13f18be4df9274fd

SHA1
587ae3aa747b57ee96f44ff231efec1cc594dc97

SHA256
c9e3cf0c31a16a1a4737fd30b166c6da0a74925590c75026af334c224c022f92

SHA512
6a667409d99bfd69b9096fe322eac756e24a96d5a1cff2ff0ef30cbdb66b3355fb00e6914aebbd2fec35107a4e89a5b9981a030e505b8d88cc4a28a6feabc3a8

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_391414349\manifest.json

Filesize
108B

MD5
fb6521a0e3b52cad6213ef6d5dc3a900

SHA1
a3b7211213d878d7c22ac5d22facef2d03b59ac6

SHA256
d4ff4a748749846a1f8c0dbac7acca99ed9f43c3f150a43063d9eb0e576278d6

SHA512
a2bdb1a78bb59c4f2db8f0386b74783ae2dccfcb6292ef5ead599af99adee97f6fdead80ed599be36f566d96c27e9777d40002f2663fa95bfe2993bf2cc99a5e

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_41467584\manifest.json

Filesize
107B

MD5
4e5b381164b4730aff89497118760770

SHA1
d0f4b8228061a1948e73b22d541eaa5c652083f6

SHA256
533b6335274240eb43d664bc9d5fafed3598abd32102c4ff85a2d3aae0d87f44

SHA512
eae88552e228ade6bd07468c1b25086f2309365a818e25d82d52e040a2ceeded4f983f3f6a1495cbe47aaf9fb56cd1134412befdef5d2f1ddef9268cbbf8a805

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_601381073\manifest.json

Filesize
111B

MD5
fecba6c3128a97f09a1173779924be7c

SHA1
41645675ff089fc6059bbe1ed4b049502241e7fa

SHA256
7ef57c6645a8d144047d276b5d41b153c4dc63cf3627c32db018ae64b4e6d92b

SHA512
c1193abe0bb4a9359e8e73332475995bd042149f62a67e67d37549993c7130589db809c53657abb7a0f9c518f975f270debeaf7fa70327a81b8bbee233035aad

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_620232946\manifest.json

Filesize
73B

MD5
5b0983e526b21ed543aafdbb4d81f6d3

SHA1
d11c1e5db6deafc214d3cf4c28ff8e967c9f54b8

SHA256
eb62a78785f12a5cd685f1e0596f21bbd3dc8ec896f6aa95998adcb4e83f71fa

SHA512
4b370580c09811d21a1f9248a0e150247c8ccec1627e6870ae7cf5a9aef580d66ef9a7a752af18aa804dcddf4cc13263c93c74945d591647f30b809ed53aff4e

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_894493519\manifest.json

Filesize
555B

MD5
32c91bf9b8f95b4b2330a1b7d8b6c359

SHA1
32589e12e041bbc42fb3a66c489b39ef380fc1fd

SHA256
cf65a918306fa7763350fd8464fd2f3a049468424b6b89b15b15d824f0796df1

SHA512
2f6582a63caf1d18298b6ff9ac65172609c3444d676c5d1988d329e2dfcca5293b6cf2838dd9a6eaa655cbff403989f47fc4811b41e9a2b4c10e7478b92f384a

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2456_971462912\manifest.json

Filesize
76B

MD5
4aaa0ed8099ecc1da778a9bc39393808

SHA1
0e4a733a5af337f101cfa6bea5ebc153380f7b05

SHA256
20b91160e2611d3159ad82857323febc906457756678ab73f305c3a1e399d18d

SHA512
dfa942c35e1e5f62dd8840c97693cdbfd6d71a1fd2f42e26cb75b98bb6a1818395ecdf552d46f07dff1e9c74f1493a39e05b14e3409963eff1ada88897152879

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2253712635-4068079004-3870069674-1000\DDDDDDDDDDD

Filesize
129B

MD5
3ce917df9f6002171f368bad39c5f456

SHA1
6ed0feb303ae9f2fd437994b9399ac06f0786f41

SHA256
0d6aff0e012f852a8974c24210175c6c5f7765116f363b524947fc3a262f00a2

SHA512
9890f243b2628cca7ad37b04086ee73a633887259c528c4e686a79c43ee2928be72c7971a040fbd4f850653e9de9bd45ce200f33138efb8b1e4a6796cc9e95ed

Download Submit
memory/236-1025-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download
memory/236-1024-0x0000000005710000-0x0000000005786000-memory.dmp

Filesize
472KB

Download
memory/236-1023-0x0000000005670000-0x0000000005702000-memory.dmp

Filesize
584KB

Download
memory/236-1022-0x0000000005B80000-0x0000000006126000-memory.dmp

Filesize
5.6MB

Download
memory/236-1021-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download
memory/476-1115-0x000000001BC20000-0x000000001BC8F000-memory.dmp

Filesize
444KB

Download
memory/476-1130-0x000000001BC20000-0x000000001BC8F000-memory.dmp

Filesize
444KB

Download
memory/800-1185-0x000000001C200000-0x000000001C36A000-memory.dmp

Filesize
1.4MB

Download
memory/800-1171-0x000000001BA40000-0x000000001BAAF000-memory.dmp

Filesize
444KB

Download
memory/800-1184-0x000000001BA40000-0x000000001BAAF000-memory.dmp

Filesize
444KB

Download
memory/1008-1019-0x0000000000900000-0x0000000000978000-memory.dmp

Filesize
480KB

Download
memory/1156-1104-0x0000000007370000-0x0000000007381000-memory.dmp

Filesize
68KB

Download
memory/1156-1081-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/1156-1110-0x00000000074A0000-0x00000000074A8000-memory.dmp

Filesize
32KB

Download
memory/1156-1087-0x0000000005EB0000-0x0000000005EFC000-memory.dmp

Filesize
304KB

Download
memory/1156-1086-0x0000000005E10000-0x0000000005E2E000-memory.dmp

Filesize
120KB

Download
memory/1156-1106-0x00000000073A0000-0x00000000073AE000-memory.dmp

Filesize
56KB

Download
memory/1156-1085-0x0000000005930000-0x0000000005C87000-memory.dmp

Filesize
3.3MB

Download
memory/1156-1088-0x00000000063D0000-0x0000000006404000-memory.dmp

Filesize
208KB

Download
memory/1156-1107-0x00000000073B0000-0x00000000073C5000-memory.dmp

Filesize
84KB

Download
memory/1156-1108-0x00000000074B0000-0x00000000074CA000-memory.dmp

Filesize
104KB

Download
memory/1156-1080-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/1156-1089-0x0000000070330000-0x000000007037C000-memory.dmp

Filesize
304KB

Download
memory/1156-1074-0x0000000005080000-0x00000000050A2000-memory.dmp

Filesize
136KB

Download
memory/1156-1103-0x00000000073F0000-0x0000000007486000-memory.dmp

Filesize
600KB

Download
memory/1156-1073-0x0000000005170000-0x000000000579A000-memory.dmp

Filesize
6.2MB

Download
memory/1156-1102-0x00000000071E0000-0x00000000071EA000-memory.dmp

Filesize
40KB

Download
memory/1156-1101-0x0000000007160000-0x000000000717A000-memory.dmp

Filesize
104KB

Download
memory/1156-1072-0x0000000002610000-0x0000000002646000-memory.dmp

Filesize
216KB

Download
memory/1156-1100-0x00000000077A0000-0x0000000007E1A000-memory.dmp

Filesize
6.5MB

Download
memory/1156-1099-0x0000000007020000-0x00000000070C4000-memory.dmp

Filesize
656KB

Download
memory/1156-1098-0x0000000006E00000-0x0000000006E1E000-memory.dmp

Filesize
120KB

Download
memory/2108-1145-0x00000000009D0000-0x00000000009D8000-memory.dmp

Filesize
32KB

Download
memory/2212-1170-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1188-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1187-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1186-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1182-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1177-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1176-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1175-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1174-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1173-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1172-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1169-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1168-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1167-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1166-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1165-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1161-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1160-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1159-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1158-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1151-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1150-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1149-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1148-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1147-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1146-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1143-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1142-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1141-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1140-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1138-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1137-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1133-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1132-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1131-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1124-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1122-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1121-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1120-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1119-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1118-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1117-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1116-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1114-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1113-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1109-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1105-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1069-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1071-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1070-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1067-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-1065-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2492-1157-0x000000001B700000-0x000000001B76F000-memory.dmp

Filesize
444KB

Download
memory/2492-1144-0x000000001B700000-0x000000001B76F000-memory.dmp

Filesize
444KB

Download
memory/3080-1064-0x000000000A060000-0x000000000A122000-memory.dmp

Filesize
776KB

Download
memory/3080-1063-0x00000000078B0000-0x00000000078C6000-memory.dmp

Filesize
88KB

Download
memory/3080-1062-0x0000000005DF0000-0x0000000005DFE000-memory.dmp

Filesize
56KB

Download
memory/3080-1057-0x0000000007890000-0x00000000078A8000-memory.dmp

Filesize
96KB

Download
memory/3080-1054-0x0000000004E90000-0x0000000004F2C000-memory.dmp

Filesize
624KB

Download
memory/3080-1038-0x0000000000100000-0x00000000001F2000-memory.dmp

Filesize
968KB

Download
memory/4632-1034-0x000000001AF90000-0x000000001AFA8000-memory.dmp

Filesize
96KB

Download
memory/4632-1032-0x000000001B110000-0x000000001B160000-memory.dmp

Filesize
320KB

Download
memory/4632-1031-0x0000000002460000-0x000000000247C000-memory.dmp

Filesize
112KB

Download
memory/4632-1030-0x0000000002410000-0x000000000242C000-memory.dmp

Filesize
112KB

Download
memory/4632-1028-0x0000000000C20000-0x0000000000C2E000-memory.dmp

Filesize
56KB

Download
memory/4632-1026-0x0000000000070000-0x0000000000246000-memory.dmp

Filesize
1.8MB

Download