darkcloud | hxxps://gofile[.]io/d/YHZWCx

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\ = "Brave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\StubPath = "\"C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\131.1.73.105\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\Localized Name = "Brave"	setup.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2736	powershell.exe
1620	powershell.exe

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe	BraveUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe\DisableExceptionChainValidation = "0"	BraveUpdate.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
4252	Ninite Brave WinRAR Installer.exe
2756	Ninite.exe
4928	BraveBrowserStandaloneSetup.exe
2560	BraveUpdate.exe
3020	BraveUpdate.exe
764	BraveUpdate.exe
2432	BraveUpdateComRegisterShell64.exe
1532	BraveUpdateComRegisterShell64.exe
1512	BraveUpdateComRegisterShell64.exe
1620	BraveUpdate.exe
3268	BraveUpdate.exe
456	BraveUpdate.exe
2804	brave_installer.exe
1956	setup.exe
3780	setup.exe
4996	setup.exe
5040	setup.exe
3216	BraveUpdate.exe
4608	target.exe
3060	uninstall.exe
3096	RarExtInstaller.exe
4872	WinRAR.exe
3976	RarExtInstaller.exe
2740	systeminformer-3.2.25011-release-setup.exe
1020	SystemInformer.exe
1540	RarExtInstaller.exe
788	00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d.exe
5224	00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d.exe
2928	brave.exe
4752	brave.exe
4532	brave.exe
5744	brave.exe
5108	brave.exe
1624	brave.exe
3740	elevation_service.exe
5820	brave.exe
4692	brave.exe
5212	brave.exe
5232	brave.exe
1556	brave.exe
1900	brave.exe
4944	chrmstp.exe
4416	brave.exe
2328	chrmstp.exe
764	chrmstp.exe
5416	chrmstp.exe
5288	brave.exe
5192	brave.exe
3108	brave.exe
3260	brave.exe
5996	brave.exe
5356	brave.exe
5672	brave.exe
572	brave.exe
3336	brave.exe
3704	brave.exe
5684	brave.exe
5604	brave.exe
1032	elevation_service.exe
5288	brave.exe
5172	brave.exe
2512	brave.exe
5412	brave.exe
4440	brave.exe

Loads dropped DLL 64 IoCs

pid	Process
2560	BraveUpdate.exe
3020	BraveUpdate.exe
764	BraveUpdate.exe
2432	BraveUpdateComRegisterShell64.exe
764	BraveUpdate.exe
1532	BraveUpdateComRegisterShell64.exe
764	BraveUpdate.exe
1512	BraveUpdateComRegisterShell64.exe
764	BraveUpdate.exe
1620	BraveUpdate.exe
3268	BraveUpdate.exe
456	BraveUpdate.exe
456	BraveUpdate.exe
3268	BraveUpdate.exe
3216	BraveUpdate.exe
3080	Process not Found
3300	Process not Found
2620	Process not Found
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
3020	Process not Found
2928	brave.exe
4752	brave.exe
2928	brave.exe
4532	brave.exe
5744	brave.exe
4532	brave.exe
5108	brave.exe
5744	brave.exe
5108	brave.exe
4532	brave.exe
4532	brave.exe
4532	brave.exe
1624	brave.exe
1624	brave.exe
4532	brave.exe
4532	brave.exe
4532	brave.exe
5820	brave.exe
5820	brave.exe
4692	brave.exe
4692	brave.exe
5212	brave.exe
5212	brave.exe
5232	brave.exe
5232	brave.exe
1556	brave.exe
1556	brave.exe
1900	brave.exe
1900	brave.exe
4416	brave.exe
4416	brave.exe
5288	brave.exe
5288	brave.exe
5192	brave.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	brave.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	brave.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	brave.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	brave.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 788 set thread context of 5224	788	00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d.exe	185

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\lt\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\ms\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\sr\messages.json	setup.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	target.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_iw.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\brave_100_percent.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\gu\messages.json	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_en.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\BraveVpnWireguardService\tunnel.dll	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\Locales\ar.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\Locales\tr.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\es\messages.json	setup.exe
File opened for modification	C:\Program Files\BraveSoftware\Brave-Browser\Application\debug.log	brave.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_cs.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\psmachine_64.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\ru\messages.json	setup.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	target.exe
File created	C:\Program Files\SystemInformer\peview.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_ja.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateBroker.exe	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\chrome_elf.dll	setup.exe
File created	C:\Program Files\WinRAR\RarExt.dll	target.exe
File created	C:\Program Files\SystemInformer\plugins\Updater.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\UserNotes.dll	systeminformer-3.2.25011-release-setup.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	target.exe
File created	C:\Program Files\SystemInformer\SystemInformer.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\psuser_arm64.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\chrome.7z	setup.exe
File created	C:\Program Files\SystemInformer\plugins\OnlineChecks.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_lt.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_pt-PT.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\MEIPreload\manifest.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\am\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\resources.pak	setup.exe
File created	C:\Program Files\WinRAR\Default32.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	target.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_et.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\Locales\pl.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\Locales\fil.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\Locales\kn.pak	setup.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	target.exe
File created	C:\Program Files\WinRAR\Rar.txt	target.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveCrashHandlerArm64.exe	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\Offline\{49AA5901-A6D2-48AE-8A00-1960F539E018}\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\brave_installer.exe	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_am.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\ko\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\chrome_100_percent.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\Locales\de.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\Locales\fi.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\ar\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\es_419\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\pl\messages.json	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_ar.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\chrome.dll.sig	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\Locales\af.pak	setup.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	target.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_pt-BR.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_tr.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1956_1913032907\Chrome-bin\131.1.73.105\resources\brave_extension\_locales\nb\messages.json	setup.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	target.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	target.exe
File created	C:\Program Files\SystemInformer\plugins\ExtendedServices.dll	systeminformer-3.2.25011-release-setup.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_1302286547\StudentNTP_Erin-Gottschalk_v2_x1295.jpg	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5684_2068636554\ct_config.pb	brave.exe
File created	C:\Windows\SystemTemp\GUM823C.tmp\psmachine_arm64.dll	BraveBrowserStandaloneSetup.exe
File created	C:\Windows\SystemTemp\GUM823C.tmp\goopdateres_vi.dll	BraveBrowserStandaloneSetup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_655150253\list.txt	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_1302286547\mohammad-usaid-abbasi.jpg	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_1302286547\spencer-moore-4.jpg	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5684_262769780\hyph-hr.hyb	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5684_262769780\manifest.fingerprint	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_1159198894\1\scripts\brave_rewards\publisher\youtube\youtubeAutoContribution.bundle.js	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_282781726\manifest.fingerprint	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5684_262769780\hyph-bn.hyb	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5684_822017438\manifest.json	brave.exe
File created	C:\Windows\SystemTemp\GUM823C.tmp\psmachine.dll	BraveBrowserStandaloneSetup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_332535682\list.txt	brave.exe
File opened for modification	C:\Windows\SystemTemp	chrmstp.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_1302286547\manifest.json	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_1302286547\spencer-moore-2.jpg	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5684_262769780\hyph-gl.hyb	brave.exe
File created	C:\Windows\SystemTemp\GUM823C.tmp\psmachine_64.dll	BraveBrowserStandaloneSetup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_1159198894\1\request-otr.json	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_1159198894\1\clean-urls.json	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5684_1870566170\manifest.json	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5684_1870566170\_metadata\verified_contents.json	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5684_262769780\hyph-sq.hyb	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5684_262769780\hyph-cs.hyb	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5684_389819420\manifest.fingerprint	brave.exe
File created	C:\Windows\SystemTemp\GUM823C.tmp\goopdateres_hi.dll	BraveBrowserStandaloneSetup.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_2928_333294514\extension_1_0_69.crx	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_1302286547\minkyeong-shin.jpg	brave.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	chrmstp.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_2928_1257162095\extension_1_0_10676.crx	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_1707891130\photo.json	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_1468106105\manifest.json	brave.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_5684_1860710999\jamhcnnkihinmdlkakkaopbjbbcngflc_120.0.6050.0_all_dgzfpknn7v3zslsbhrwu6bt44e.crx3	brave.exe
File created	C:\Windows\SystemTemp\GUM823C.tmp\goopdateres_sr.dll	BraveBrowserStandaloneSetup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_1302286547\StudentNTP_Sam-Richter_x0825_WINNER.jpg	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5684_262769780\hyph-eu.hyb	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5684_262769780\hyph-en-us.hyb	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5684_262769780\hyph-cu.hyb	brave.exe
File created	C:\Windows\SystemTemp\GUM823C.tmp\goopdateres_ml.dll	BraveBrowserStandaloneSetup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_1159198894\1\debounce.json	brave.exe
File created	C:\Windows\SystemTemp\GUM823C.tmp\goopdateres_it.dll	BraveBrowserStandaloneSetup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_1159198894\manifest.json	brave.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_5684_1738565598\7_all_sslErrorAssistant.crx3	brave.exe
File created	C:\Windows\SystemTemp\GUM823C.tmp\goopdateres_el.dll	BraveBrowserStandaloneSetup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_1302286547\gordon-ross-1.jpg	brave.exe
File created	C:\Windows\SystemTemp\GUM823C.tmp\goopdateres_sv.dll	BraveBrowserStandaloneSetup.exe
File created	C:\Windows\SystemTemp\GUM823C.tmp\goopdateres_zh-CN.dll	BraveBrowserStandaloneSetup.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_2928_1411759748\extension_1_0_15.crx	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_1159198894\1\scripts\brave_rewards\publisher\twitter\twitterBase.bundle.js	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_1159198894\manifest.fingerprint	brave.exe
File opened for modification	C:\Windows\SystemTemp\chromium_installer.log	chrmstp.exe
File created	C:\Windows\SystemTemp\GUM823C.tmp\BraveUpdateCore.exe	BraveBrowserStandaloneSetup.exe
File created	C:\Windows\SystemTemp\GUM823C.tmp\goopdateres_sk.dll	BraveBrowserStandaloneSetup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5684_262769780\hyph-es.hyb	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5684_1710041916\dnryisldmaqljgwaxeqbuuhuvrbboqlf	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_1159198894\1\scripts\brave_rewards\publisher\twitch\twitchAutoContribution.bundle.js	brave.exe
File opened for modification	C:\Windows\SystemTemp	brave.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5684_262769780\hyph-mn-cyrl.hyb	brave.exe
File created	C:\Windows\SystemTemp\GUM823C.tmp\psuser_64.dll	BraveBrowserStandaloneSetup.exe
File created	C:\Windows\SystemTemp\GUM823C.tmp\goopdateres_tr.dll	BraveBrowserStandaloneSetup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2928_655150253\manifest.json	brave.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Ninite Brave WinRAR Installer.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\systeminformer-3.2.25011-release-setup.exe:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$DRb4872.38412.rartemp\00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d.exe:Zone.Identifier	WinRAR.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminformer-3.2.25011-release-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ninite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveBrowserStandaloneSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveCrashHandler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ninite Brave WinRAR Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1620	BraveUpdate.exe
3216	BraveUpdate.exe
1972	msedgewebview2.exe
3216	msedgewebview2.exe
2784	msedgewebview2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SystemInformer.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SystemInformer.exe

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	brave.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	brave.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	brave.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	brave.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	brave.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	brave.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	Ninite.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\WinRAR	Ninite.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\WinRAR\Interface	Ninite.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\WinRAR\Interface\Misc\RemShown = "1"	Ninite.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	brave.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	brave.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\WinRAR\Interface\Misc	Ninite.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133814235690632775"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT	Ninite.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ThreadingModel = "Both"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAE4AD28-500D-43BA-9F54-730CA146C190}\NumMethods	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19F4616B-B7DD-4B3F-8084-C81C5C77AAA4}\NumMethods	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{598BBE98-5919-4392-B62A-50D7115F10A3}\VersionIndependentProgID	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A9D7221-2278-41DD-930B-C2356B7D3725}	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8504FB26-FC3E-4C1C-9C94-46EC93E6BA63}\NumMethods	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19F4616B-B7DD-4B3F-8084-C81C5C77AAA4}\NumMethods\ = "11"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9190589-ECEC-43F8-8AEC-62496BB87B26}\ = "IGoogleUpdate3Web"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5D1924F-CB80-47AA-8DEC-5E0854A42A73}\ProgID\ = "BraveSoftwareUpdate.CredentialDialogMachine.1.0"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD84E356-3D21-44C8-83DD-6BEEC22FA427}\NumMethods	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.PolicyStatusMachine.1.0	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35A4470F-5EEC-4715-A2DC-6AA9F8E21183}	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\NumMethods\ = "24"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAE4AD28-500D-43BA-9F54-730CA146C190}	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C11C073F-E6D0-4EF7-897B-AAF52498CD2F}\ = "IAppCommand2"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D5627FC9-E2F0-484B-89A4-5DACFE7FAAD3}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A24060E-533F-4962-9E15-34BD82555FA7}\ProxyStubClsid32	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.OnDemandCOMClassSvc	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.ProcessLauncher\CLSID\ = "{4C3BA8F3-1264-4BDB-BB2D-CA44734AD00D}"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66CE3D6C-0B35-4F78-AC77-39728A75CB75}\ProgID	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10479D64-2C5F-46CD-9BC8-FD04FF4D02D8}\NumMethods\ = "4"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10479D64-2C5F-46CD-9BC8-FD04FF4D02D8}\NumMethods\ = "4"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6836CFF-5949-44BC-B6BE-9C8C48DD8D97}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveHTML\DefaultIcon\ = "C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\brave.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A9D7221-2278-41DD-930B-C2356B7D3725}\ = "BraveUpdate Update3Web"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}\NumMethods	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3AD2D487-D166-4160-8E36-1AE505233A55}	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\ProxyStubClsid32\ = "{F1EDC3F5-36CA-4251-A6ED-42DC6006AFC1}"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DB7BD5-BD0B-4886-9705-174203FE0ADA}\NumMethods\ = "16"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.webp	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext32.dll"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F234546B-DACD-4374-97CF-7BADFAB76766}\NumMethods	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4C3BA8F3-1264-4BDB-BB2D-CA44734AD00D}\ProgID	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{576B31AF-6369-4B6B-8560-E4B203A97A8B}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C929BFE-4FA4-488D-B1E2-82ECD6F076C8}\ProxyStubClsid32\ = "{F1EDC3F5-36CA-4251-A6ED-42DC6006AFC1}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{660130E8-74E4-4821-A6FD-4E9A86E06470}\ProxyStubClsid32\ = "{F1EDC3F5-36CA-4251-A6ED-42DC6006AFC1}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\BraveFile	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EFF9CA12-4CD3-474B-B881-CDE1D92F1996}	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FB43AAD0-DDBA-4D01-A3E0-FAB100E7926B}\ProxyStubClsid32\ = "{F1EDC3F5-36CA-4251-A6ED-42DC6006AFC1}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}\InprocServer32\ThreadingModel = "Both"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4842EC21-0860-45B5-99F0-A1E6E7C11561}\ProxyStubClsid32\ = "{F1EDC3F5-36CA-4251-A6ED-42DC6006AFC1}"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F396861E-0C8E-4C71-8256-2FAE6D759CE9}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	WinRAR.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A147722A-5568-4B84-B401-86D744470CBF}\NumMethods\ = "43"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.OnDemandCOMClassMachineFallback\ = "Google Update Legacy On Demand"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	WinRAR.exe
Key created	\REGISTRY\MACHINE\Software\Classes\BraveHTML\shell\open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BravePDF\Application\ApplicationIcon = "C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\brave.exe,0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	WinRAR.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Ninite Brave WinRAR Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1	Ninite Brave WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	Ninite Brave WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 5c000000010000000400000000100000190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd10400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	Ninite Brave WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Ninite Brave WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae0300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd17e00000001000000080000000080c82b6886d7017a000000010000000c000000300a06082b060105050703091d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a07f0000000100000016000000301406082b0601050507030306082b060105050703096200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf690b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520036000000090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff1190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	Ninite Brave WinRAR Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Ninite Brave WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Ninite Brave WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	Ninite Brave WinRAR Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	Ninite Brave WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Ninite Brave WinRAR Installer.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Ninite Brave WinRAR Installer.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\DarkCloud.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\systeminformer-3.2.25011-release-setup.exe:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$DRb4872.38412.rartemp\00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Roaming\OdoiXyuXnaQN.exe\:Zone.Identifier:$DATA	00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d.exe
File opened for modification	C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.zip:Zone.Identifier	brave.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4828	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5824	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2948	chrome.exe
2948	chrome.exe
2756	Ninite.exe
2756	Ninite.exe
2560	BraveUpdate.exe
2560	BraveUpdate.exe
2560	BraveUpdate.exe
2560	BraveUpdate.exe
2560	BraveUpdate.exe
2560	BraveUpdate.exe
2560	BraveUpdate.exe
2560	BraveUpdate.exe
2560	BraveUpdate.exe
2560	BraveUpdate.exe
2560	BraveUpdate.exe
2560	BraveUpdate.exe
3216	BraveUpdate.exe
3216	BraveUpdate.exe
992	msedgewebview2.exe
992	msedgewebview2.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe
1020	SystemInformer.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
4872	WinRAR.exe
5824	explorer.exe
1760	WinRAR.exe
5936	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 43 IoCs

pid	Process
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
880	msedgewebview2.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
2928	brave.exe
2928	brave.exe
2928	brave.exe
2928	brave.exe
2928	brave.exe
5684	brave.exe
5684	brave.exe
5684	brave.exe
5684	brave.exe
5684	brave.exe
5684	brave.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeTcbPrivilege	2756	Ninite.exe
Token: SeCreateTokenPrivilege	2756	Ninite.exe
Token: SeAssignPrimaryTokenPrivilege	2756	Ninite.exe
Token: SeLoadDriverPrivilege	2756	Ninite.exe
Token: SeBackupPrivilege	2756	Ninite.exe
Token: SeRestorePrivilege	2756	Ninite.exe
Token: SeDebugPrivilege	2756	Ninite.exe
Token: SeTakeOwnershipPrivilege	2756	Ninite.exe
Token: SeLockMemoryPrivilege	2756	Ninite.exe
Token: SeIncreaseQuotaPrivilege	2756	Ninite.exe
Token: SeMachineAccountPrivilege	2756	Ninite.exe
Token: SeTcbPrivilege	2756	Ninite.exe
Token: SeSecurityPrivilege	2756	Ninite.exe
Token: SeSystemProfilePrivilege	2756	Ninite.exe
Token: SeSystemtimePrivilege	2756	Ninite.exe
Token: SeProfSingleProcessPrivilege	2756	Ninite.exe
Token: SeIncBasePriorityPrivilege	2756	Ninite.exe
Token: SeCreatePagefilePrivilege	2756	Ninite.exe
Token: SeCreatePermanentPrivilege	2756	Ninite.exe
Token: SeShutdownPrivilege	2756	Ninite.exe
Token: SeAuditPrivilege	2756	Ninite.exe
Token: SeSystemEnvironmentPrivilege	2756	Ninite.exe
Token: SeChangeNotifyPrivilege	2756	Ninite.exe
Token: SeRemoteShutdownPrivilege	2756	Ninite.exe
Token: SeUndockPrivilege	2756	Ninite.exe
Token: SeSyncAgentPrivilege	2756	Ninite.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe

Suspicious use of SendNotifyMessage 46 IoCs

pid	Process
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
5824	explorer.exe
5824	explorer.exe
5824	explorer.exe
5824	explorer.exe
2928	brave.exe
2928	brave.exe
5684	brave.exe
5684	brave.exe
5684	brave.exe
5684	brave.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
3060	uninstall.exe
3096	RarExtInstaller.exe
5224	00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d.exe
5824	explorer.exe
5824	explorer.exe
5824	explorer.exe
5824	explorer.exe
5824	explorer.exe
5824	explorer.exe
5784	MiniSearchHost.exe
3692	brave.exe
5936	OpenWith.exe
5936	OpenWith.exe
5936	OpenWith.exe
5936	OpenWith.exe
5936	OpenWith.exe
5936	OpenWith.exe
5936	OpenWith.exe
5936	OpenWith.exe
5936	OpenWith.exe
5936	OpenWith.exe
5936	OpenWith.exe
5936	OpenWith.exe
5936	OpenWith.exe
5936	OpenWith.exe
5936	OpenWith.exe
5936	OpenWith.exe
5936	OpenWith.exe
5936	OpenWith.exe
5936	OpenWith.exe
5936	OpenWith.exe
5936	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2404	2948	chrome.exe	77
PID 2948 wrote to memory of 2404	2948	chrome.exe	77
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 2788	2948	chrome.exe	78
PID 2948 wrote to memory of 3832	2948	chrome.exe	79
PID 2948 wrote to memory of 3832	2948	chrome.exe	79
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80
PID 2948 wrote to memory of 3552	2948	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/YHZWCx
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa626dcc40,0x7ffa626dcc4c,0x7ffa626dcc58
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1796,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  PID:3832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2000,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3564,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4416 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4636,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4656,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4760,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4916,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4300 /prefetch:8
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4292,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5440,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4372,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5700,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5708,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5580,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1308
- C:\Users\Admin\Downloads\Ninite Brave WinRAR Installer.exe
  "C:\Users\Admin\Downloads\Ninite Brave WinRAR Installer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:4252
- - C:\Users\Admin\AppData\Local\Temp\e5cb0797-d349-11ef-9a5e-f26cf61fc21a\Ninite.exe
    Ninite.exe "3e840ab11af62713c011f1b1eee2252b26ffca1c" /fullpath "C:\Users\Admin\Downloads\Ninite Brave WinRAR Installer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\E7AC5B~1\BraveBrowserStandaloneSetup.exe
      BraveBrowserStandaloneSetup.exe /silent /install
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4928
    - - C:\Windows\SystemTemp\GUM823C.tmp\BraveUpdate.exe
        
        C:\Windows\SystemTemp\GUM823C.tmp\BraveUpdate.exe /silent /install "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=release&referral=none"
        5⤵
        Event Triggered Execution: Image File Execution Options Injection
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
      - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regsvc
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
      - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regserver
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2432
        
        C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1532
        
        C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1512
      - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNjEuMTUxIiBzaGVsbF92ZXJzaW9uPSIxLjMuMzYxLjE1MSIgaXNtYWNoaW5lPSIxIiBzZXNzaW9uaWQ9IntERjcyQzQwRi1DMzQyLTQwNzgtOUVFRS1EQ0FCRjhBNEVDMzR9IiBpbnN0YWxsc291cmNlPSJvdGhlcmluc3RhbGxjbWQiIHRlc3Rzb3VyY2U9ImF1dG8iIHJlcXVlc3RpZD0iezAwMTc2QzgyLTcyREUtNDcyNi1BNkRDLTEyN0Y2REM0RjdFMn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9IntCMTMxQzkzNS05QkU2LTQxREEtOTU5OS0xRjc3NkJFQjgwMTl9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMzYxLjE1MSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSI1OTkiLz48L2FwcD48L3JlcXVlc3Q-
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1620
      - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /handoff "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=release&referral=none" /installsource offline /sessionid "{DF72C40F-C342-4078-9EEE-DCABF8A4EC34}" /silent /offlinedir "{49AA5901-A6D2-48AE-8A00-1960F539E018}"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3268
  - - C:\Users\Admin\AppData\Local\Temp\FA2248~1\target.exe
      "C:\Users\Admin\AppData\Local\Temp\FA2248~1\target.exe" /S
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:4608
    - - C:\Program Files\WinRAR\uninstall.exe
        
        "C:\Program Files\WinRAR\uninstall.exe" /setup
        5⤵
        Executes dropped EXE
        Modifies system executable filetype association
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3060
      - C:\Program Files\WinRAR\RarExtInstaller.exe
        
        "C:\Program Files\WinRAR\RarExtInstaller.exe" -install
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4720,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4996,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3776 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4492,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6836,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6796,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4416 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6788,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6784 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5352,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=740,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=3480,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=3516,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=4752,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4300 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6620,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7076,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7084 /prefetch:1
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6724,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:1884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7132,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=6464,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=6532,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=7216,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6592 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7412 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=7396,i,16995951070926414166,3470864428709726980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:3968

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5048

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2684

C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:456
- C:\Program Files (x86)\BraveSoftware\Update\Install\{E4094915-7A85-4728-97C2-9D7E3F173D9A}\brave_installer.exe
  "C:\Program Files (x86)\BraveSoftware\Update\Install\{E4094915-7A85-4728-97C2-9D7E3F173D9A}\brave_installer.exe" --do-not-launch-chrome
  2⤵
  - Executes dropped EXE
  PID:2804
- - C:\Program Files (x86)\BraveSoftware\Update\Install\{E4094915-7A85-4728-97C2-9D7E3F173D9A}\CR_F67D5.tmp\setup.exe
    "C:\Program Files (x86)\BraveSoftware\Update\Install\{E4094915-7A85-4728-97C2-9D7E3F173D9A}\CR_F67D5.tmp\setup.exe" --install-archive="C:\Program Files (x86)\BraveSoftware\Update\Install\{E4094915-7A85-4728-97C2-9D7E3F173D9A}\CR_F67D5.tmp\CHROME.PACKED.7Z" --do-not-launch-chrome
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    PID:1956
  - - C:\Program Files (x86)\BraveSoftware\Update\Install\{E4094915-7A85-4728-97C2-9D7E3F173D9A}\CR_F67D5.tmp\setup.exe
      "C:\Program Files (x86)\BraveSoftware\Update\Install\{E4094915-7A85-4728-97C2-9D7E3F173D9A}\CR_F67D5.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=131.1.73.105 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x7ff7050e9498,0x7ff7050e94a4,0x7ff7050e94b0
      4⤵
      Executes dropped EXE
      PID:3780
  - - C:\Program Files (x86)\BraveSoftware\Update\Install\{E4094915-7A85-4728-97C2-9D7E3F173D9A}\CR_F67D5.tmp\setup.exe
      "C:\Program Files (x86)\BraveSoftware\Update\Install\{E4094915-7A85-4728-97C2-9D7E3F173D9A}\CR_F67D5.tmp\setup.exe" --system-level --verbose-logging --create-shortcuts=0 --install-level=1
      4⤵
      Executes dropped EXE
      PID:4996
    - - C:\Program Files (x86)\BraveSoftware\Update\Install\{E4094915-7A85-4728-97C2-9D7E3F173D9A}\CR_F67D5.tmp\setup.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\Install\{E4094915-7A85-4728-97C2-9D7E3F173D9A}\CR_F67D5.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=131.1.73.105 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff7050e9498,0x7ff7050e94a4,0x7ff7050e94b0
        5⤵
        Executes dropped EXE
        
        PID:5040
- C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
  "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNjEuMTUxIiBzaGVsbF92ZXJzaW9uPSIxLjMuMzYxLjE1MSIgaXNtYWNoaW5lPSIxIiBzZXNzaW9uaWQ9IntERjcyQzQwRi1DMzQyLTQwNzgtOUVFRS1EQ0FCRjhBNEVDMzR9IiBpbnN0YWxsc291cmNlPSJvZmZsaW5lIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9Ins1ODBEOEZCQi1GNDAzLTQzODgtQTkwQy0xMkQ2NTY5MDNFQkN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuNDkzIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7QUZFNkE0NjItQzU3NC00QjhBLUFGNDMtNENDNjBERjQ1NjNCfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTMxLjEuNzMuMTA1IiBhcD0icmVsZWFzZSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5NjcwNyIgdG90YWw9IjEzMDk5MjY1NiIgaW5zdGFsbF90aW1lX21zPSIzMTMxNiIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3216

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\DarkCloud.zip"
1⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Modifies registry class
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
PID:4872
- C:\Program Files\WinRAR\RarExtInstaller.exe
  "C:\Program Files\WinRAR\RarExtInstaller.exe" -install
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=WinRAR.exe --webview-exe-version=7.1.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\WinRAR.exe.WebView2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=4872.4972.12329872948398849066
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:880
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\WinRAR.exe.WebView2\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\WinRAR.exe.WebView2\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\WinRAR.exe.WebView2\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x12c,0x130,0x134,0xfc,0x1c4,0x7ffa4f733cb8,0x7ffa4f733cc8,0x7ffa4f733cd8
    3⤵
    PID:3340
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1352,15601108084612350245,3361035937168696275,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\WinRAR.exe.WebView2\EBWebView" --webview-exe-name=WinRAR.exe --webview-exe-version=7.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1976 /prefetch:2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1972
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1352,15601108084612350245,3361035937168696275,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\WinRAR.exe.WebView2\EBWebView" --webview-exe-name=WinRAR.exe --webview-exe-version=7.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2104 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:992
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1352,15601108084612350245,3361035937168696275,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\WinRAR.exe.WebView2\EBWebView" --webview-exe-name=WinRAR.exe --webview-exe-version=7.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2496 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3216
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1352,15601108084612350245,3361035937168696275,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\WinRAR.exe.WebView2\EBWebView" --webview-exe-name=WinRAR.exe --webview-exe-version=7.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2784
- C:\Program Files\WinRAR\RarExtInstaller.exe
  "C:\Program Files\WinRAR\RarExtInstaller.exe" -install
  2⤵
  - Executes dropped EXE
  PID:1540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3924

C:\Users\Admin\Downloads\systeminformer-3.2.25011-release-setup.exe
"C:\Users\Admin\Downloads\systeminformer-3.2.25011-release-setup.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2740
- C:\Program Files\SystemInformer\SystemInformer.exe
  "C:\Program Files\SystemInformer\SystemInformer.exe" -channel release
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1020
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" /select,"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"
    3⤵
    PID:5796

C:\Users\Admin\Downloads\00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d.exe
"C:\Users\Admin\Downloads\00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:788
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads\00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID:2736
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OdoiXyuXnaQN.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID:1620
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5EBB.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4828
- C:\Users\Admin\Downloads\00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d.exe
  "C:\Users\Admin\Downloads\00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa626dcc40,0x7ffa626dcc4c,0x7ffa626dcc58
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1772,i,11004476810724683810,3063354666770264784,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1764 /prefetch:2
  2⤵
  PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1816,i,11004476810724683810,3063354666770264784,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1936 /prefetch:3
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,11004476810724683810,3063354666770264784,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:8
  2⤵
  PID:252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,11004476810724683810,3063354666770264784,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,11004476810724683810,3063354666770264784,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4472,i,11004476810724683810,3063354666770264784,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:4020

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2848

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:6044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xd8,0x110,0x7ffa626dcc40,0x7ffa626dcc4c,0x7ffa626dcc58
  2⤵
  PID:6060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,8173598586965918784,9052319170812420096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:5196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2052,i,8173598586965918784,9052319170812420096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:5172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,8173598586965918784,9052319170812420096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,8173598586965918784,9052319170812420096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,8173598586965918784,9052319170812420096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,8173598586965918784,9052319170812420096,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:328

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5424

C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:2928
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=131.1.73.105 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa61ca1d18,0x7ffa61ca1d24,0x7ffa61ca1d30
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4752
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2080,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4532
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --start-stack-profiler --field-trial-handle=1964,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=2088 /prefetch:11
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5744
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2412,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=2576 /prefetch:13
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5108
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=14768783063066929045 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3508,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5820
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=14768783063066929045 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3532,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=3872 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1624
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4948,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=4676 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4692
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4780,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=5020 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5212
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4120,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=5172 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5232
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4728,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=5132 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1556
- C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\Installer\chrmstp.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4944
- - C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\Installer\chrmstp.exe
    "C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=131.1.73.105 --initial-client-data=0x26c,0x270,0x274,0x268,0x278,0x7ff78d989498,0x7ff78d9894a4,0x7ff78d9894b0
    3⤵
    - Executes dropped EXE
    PID:2328
- - C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\Installer\chrmstp.exe
    "C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\BraveSoftware\Brave-Browser\Application\master_preferences" --create-shortcuts=1 --install-level=0
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:764
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\Installer\chrmstp.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=131.1.73.105 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff78d989498,0x7ff78d9894a4,0x7ff78d9894b0
      4⤵
      Executes dropped EXE
      PID:5416
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5068,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=4856 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1900
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4916,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4416
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4912,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=5340 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5288
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5260,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=5220 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5192
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5748,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=5756 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5752,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=5780 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5128,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=5080 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:5996
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4864,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=4768 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:5356
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5728,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=5648 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:5672
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --start-stack-profiler --brave_session_token=14768783063066929045 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5684,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=14768783063066929045 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5564,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=14768783063066929045 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=3540,i,8970425293485910818,12509477359653316453,262144 --variations-seed-version --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:3704

C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\elevation_service.exe
"C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5220

C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe"
1⤵
- Executes dropped EXE
- Checks system information in the registry
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:5684
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=131.1.73.105 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa61ca1d18,0x7ffa61ca1d24,0x7ffa61ca1d30
  2⤵
  - Executes dropped EXE
  PID:5604
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=3440,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=3436 /prefetch:2
  2⤵
  - Executes dropped EXE
  PID:5288
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --start-stack-profiler --field-trial-handle=1836,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=3572 /prefetch:11
  2⤵
  - Executes dropped EXE
  PID:5412
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2084,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=3576 /prefetch:13
  2⤵
  - Executes dropped EXE
  PID:5172
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=5151477753393177795 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3328,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=3744 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --start-stack-profiler --brave_session_token=5151477753393177795 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3336,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=4112 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4652,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=4684 /prefetch:14
  2⤵
  PID:5708
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5060,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=5068 /prefetch:14
  2⤵
  PID:1508
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5300,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=5324 /prefetch:14
  2⤵
  PID:560
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=5151477753393177795 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5432,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=5151477753393177795 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4676,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:440
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=928,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=4724 /prefetch:14
  2⤵
  PID:1760
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=2456,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=4164 /prefetch:14
  2⤵
  PID:2620
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5472,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=4208 /prefetch:14
  2⤵
  PID:6008
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=5151477753393177795 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=2508,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4180,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=5572 /prefetch:14
  2⤵
  PID:4900
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5764,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=5692 /prefetch:14
  2⤵
  PID:1288
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5576,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=4900 /prefetch:14
  2⤵
  PID:2076
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5796,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=5784 /prefetch:14
  2⤵
  PID:5460
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=5151477753393177795 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5824,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations=is-enterprise-managed=no --start-stack-profiler --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5516,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=4160 /prefetch:10
  2⤵
  PID:2956
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5740,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=5476 /prefetch:14
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3692
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5980,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=5868 /prefetch:14
  2⤵
  PID:2836
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5832,i,17407493790743248398,14654264409891520215,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=3852 /prefetch:14
  2⤵
  - NTFS ADS
  PID:5560
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.zip"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1760
- - C:\Program Files\WinRAR\RarExtInstaller.exe
    "C:\Program Files\WinRAR\RarExtInstaller.exe" -install
    3⤵
    PID:384

C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\elevation_service.exe
"C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1032

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5784

C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /c
1⤵
- System Location Discovery: System Language Discovery
PID:2784
- C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
  "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /cr
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1892
- C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveCrashHandler.exe
  "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveCrashHandler.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5720
- C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveCrashHandler64.exe
  "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveCrashHandler64.exe"
  2⤵
  PID:6120
- C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
  "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ua /installsource core
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5516

C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ua /installsource scheduler
1⤵
- System Location Discovery: System Language Discovery
PID:4304

C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /svc
1⤵
- System Location Discovery: System Language Discovery
PID:4880

C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
"C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2608

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ver -imon1 -- "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.zip" C:\Users\Admin\Desktop\
1⤵
PID:5052

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5936
- C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
  "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
  2⤵
  PID:4132

C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe"
1⤵
PID:532
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=131.1.73.105 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa61ca1d18,0x7ffa61ca1d24,0x7ffa61ca1d30
  2⤵
  PID:5496
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1988,i,14219569597906376400,16649176601566114123,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=1984 /prefetch:2
  2⤵
  PID:2132
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --start-stack-profiler --field-trial-handle=1844,i,14219569597906376400,16649176601566114123,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=2100 /prefetch:11
  2⤵
  PID:5364
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2364,i,14219569597906376400,16649176601566114123,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=2376 /prefetch:13
  2⤵
  PID:3700
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=13260805317228309666 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3932,i,14219569597906376400,16649176601566114123,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=3980 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --start-stack-profiler --brave_session_token=13260805317228309666 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3936,i,14219569597906376400,16649176601566114123,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=4172 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=13260805317228309666 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4712,i,14219569597906376400,16649176601566114123,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=3928 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5168,i,14219569597906376400,16649176601566114123,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=5224 /prefetch:14
  2⤵
  PID:5576
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5296,i,14219569597906376400,16649176601566114123,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=5276 /prefetch:14
  2⤵
  PID:3688
- C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
  "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --start-stack-profiler --brave_session_token=13260805317228309666 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5564,i,14219569597906376400,16649176601566114123,262144 --variations-seed-version=main@8f14ef729bcc8d7433969588d077bea52bd6b546 --mojo-platform-channel-handle=4240 /prefetch:1
  2⤵
  PID:704

C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\elevation_service.exe
"C:\Program Files\BraveSoftware\Brave-Browser\Application\131.1.73.105\elevation_service.exe"
1⤵
PID:5720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5508

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4872
- C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
  "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
  2⤵
  PID:4920
- - C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
    "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
    3⤵
    PID:6024
  - - C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
      "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
      4⤵
      PID:6104
    - - C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        5⤵
        
        PID:3124
      - C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        6⤵
        
        PID:384
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        7⤵
        
        PID:4264
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        8⤵
        
        PID:3684
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        9⤵
        
        PID:572
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        10⤵
        
        PID:3248
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        11⤵
        
        PID:5124
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        12⤵
        
        PID:1156
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        13⤵
        
        PID:1004
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        14⤵
        
        PID:3556
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        15⤵
        
        PID:1396
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        16⤵
        
        PID:5532
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        17⤵
        
        PID:684
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        18⤵
        
        PID:5552
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        19⤵
        
        PID:3004
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        20⤵
        
        PID:1760
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        21⤵
        
        PID:5240
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        22⤵
        
        PID:1572
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        23⤵
        
        PID:5944
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        24⤵
        
        PID:5336
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        25⤵
        
        PID:5212
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        26⤵
        
        PID:2220
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        27⤵
        
        PID:5296
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        28⤵
        
        PID:3592
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        29⤵
        
        PID:4264
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        30⤵
        
        PID:5552
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        31⤵
        
        PID:5340
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        32⤵
        
        PID:6036
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        33⤵
        
        PID:3824
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        34⤵
        
        PID:5248
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        35⤵
        
        PID:5180
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        36⤵
        
        PID:788
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        37⤵
        
        PID:1228
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        38⤵
        
        PID:6104
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        39⤵
        
        PID:5732
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        40⤵
        
        PID:3032
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        41⤵
        
        PID:6132
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        42⤵
        
        PID:2892
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        43⤵
        
        PID:4312
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        44⤵
        
        PID:5392
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        45⤵
        
        PID:5184
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        46⤵
        
        PID:2000
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        47⤵
        
        PID:3048
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        48⤵
        
        PID:5652
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        49⤵
        
        PID:1512
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        50⤵
        
        PID:2280
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        51⤵
        
        PID:5236
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        52⤵
        
        PID:1680
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        53⤵
        
        PID:712
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        54⤵
        
        PID:5872
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        55⤵
        
        PID:5344
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        56⤵
        
        PID:5312
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        57⤵
        
        PID:4920
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        58⤵
        
        PID:2788
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        59⤵
        
        PID:5184
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        60⤵
        
        PID:2000
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        61⤵
        
        PID:5732
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        62⤵
        
        PID:3592
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        63⤵
        
        PID:1984
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        64⤵
        
        PID:1936
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        65⤵
        
        PID:5460
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        66⤵
        
        PID:1336
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        67⤵
        
        PID:2668
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        68⤵
        
        PID:1572
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        69⤵
        
        PID:4400
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        70⤵
        
        PID:1900
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        71⤵
        
        PID:1624
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        72⤵
        
        PID:6008
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        73⤵
        
        PID:3684
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        74⤵
        
        PID:2728
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        75⤵
        
        PID:4264
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        76⤵
        
        PID:2672
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        77⤵
        
        PID:2908
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        78⤵
        
        PID:1564
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        79⤵
        
        PID:2180
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        80⤵
        
        PID:2820
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        81⤵
        
        PID:1092
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        82⤵
        
        PID:4200
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        83⤵
        
        PID:5376
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        84⤵
        
        PID:6120
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        85⤵
        
        PID:5296
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        86⤵
        
        PID:6032
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        87⤵
        
        PID:3620
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        88⤵
        
        PID:2788
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        89⤵
        
        PID:5292
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        90⤵
        
        PID:2712
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        91⤵
        
        PID:5232
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        92⤵
        
        PID:4136
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        93⤵
        
        PID:4312
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        94⤵
        
        PID:3556
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        95⤵
        
        PID:408
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        96⤵
        
        PID:4204
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        97⤵
        
        PID:6116
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        98⤵
        
        PID:1860
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        99⤵
        
        PID:2488
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        100⤵
        
        PID:5732
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        101⤵
        
        PID:5480
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        102⤵
        
        PID:3796
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        103⤵
        
        PID:2788
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        104⤵
        
        PID:5716
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        105⤵
        
        PID:5928
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        106⤵
        
        PID:892
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        107⤵
        
        PID:2940
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        108⤵
        
        PID:384
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        109⤵
        
        PID:4868
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        110⤵
        
        PID:5388
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        111⤵
        
        PID:1284
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        112⤵
        
        PID:5296
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        113⤵
        
        PID:3356
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        114⤵
        
        PID:5712
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        115⤵
        
        PID:2840
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        116⤵
        
        PID:1656
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        117⤵
        
        PID:4688
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        118⤵
        
        PID:6040
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        119⤵
        
        PID:2676
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        120⤵
        
        PID:5272
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        121⤵
        
        PID:2292
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        122⤵
        
        PID:6108
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        123⤵
        
        PID:1128
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        124⤵
        
        PID:992
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        125⤵
        
        PID:6036
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        126⤵
        
        PID:6020
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        127⤵
        
        PID:5816
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        128⤵
        
        PID:2788
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        129⤵
        
        PID:728
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        130⤵
        
        PID:3088
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        131⤵
        
        PID:2992
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        132⤵
        
        PID:2516
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        133⤵
        
        PID:1004
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        134⤵
        
        PID:3408
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        135⤵
        
        PID:5780
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        136⤵
        
        PID:5108
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        137⤵
        
        PID:4952
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        138⤵
        
        PID:5384
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        139⤵
        
        PID:820
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        140⤵
        
        PID:376
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        141⤵
        
        PID:5404
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        142⤵
        
        PID:3452
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        143⤵
        
        PID:2180
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        144⤵
        
        PID:5632
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        145⤵
        
        PID:3080
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        146⤵
        
        PID:3132
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        147⤵
        
        PID:5676
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        148⤵
        
        PID:1628
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        149⤵
        
        PID:1400
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        150⤵
        
        PID:5144
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        151⤵
        
        PID:3076
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        152⤵
        
        PID:5024
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        153⤵
        
        PID:1848
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        154⤵
        
        PID:5760
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        155⤵
        
        PID:2512
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        156⤵
        
        PID:6040
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        157⤵
        
        PID:5216
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        158⤵
        
        PID:5140
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        159⤵
        
        PID:1624
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        160⤵
        
        PID:4740
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        161⤵
        
        PID:972
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        162⤵
        
        PID:6128
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        163⤵
        
        PID:712
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        164⤵
        
        PID:5828
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        165⤵
        
        PID:3476
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        166⤵
        
        PID:5428
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        167⤵
        
        PID:1316
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        168⤵
        
        PID:1208
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        169⤵
        
        PID:5600
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        170⤵
        
        PID:4480
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        171⤵
        
        PID:3224
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        172⤵
        
        PID:384
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        173⤵
        
        PID:5288
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        174⤵
        
        PID:4528
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        175⤵
        
        PID:2224
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        176⤵
        
        PID:5276
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        177⤵
        
        PID:2892
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        178⤵
        
        PID:2840
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        179⤵
        
        PID:3712
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        180⤵
        
        PID:5696
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        181⤵
        
        PID:4844
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        182⤵
        
        PID:1092
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        183⤵
        
        PID:6024
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        184⤵
        
        PID:5140
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        185⤵
        
        PID:5328
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        186⤵
        
        PID:5644
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        187⤵
        
        PID:2132
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        188⤵
        
        PID:1284
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        189⤵
        
        PID:704
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        190⤵
        
        PID:2908
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        191⤵
        
        PID:5640
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        192⤵
        
        PID:2924
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        193⤵
        
        PID:5948
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        194⤵
        
        PID:3100
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        195⤵
        
        PID:3020
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        196⤵
        
        PID:5724
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        197⤵
        
        PID:5036
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        198⤵
        
        PID:3392
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        199⤵
        
        PID:2504
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        200⤵
        
        PID:3492
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        201⤵
        
        PID:992
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        202⤵
        
        PID:2076
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        203⤵
        
        PID:5288
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        204⤵
        
        PID:5716
        
        C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe
        
        "C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe" "C:\Users\Admin\Desktop\aed69695fb4b2c8572e24c36daabaf9154b3d5c4efd4a71efeb2e3cb64e2e93d.sh"
        205⤵
        
        PID:3832

C:\Program Files\SystemInformer\SystemInformer.exe
"C:\Program Files\SystemInformer\SystemInformer.exe"
1⤵
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

System Information Discovery