zloader | f1dc920869794df3e258f42f9b99157104cd3f8c14394c1b9d043d6fcda14c0a

Analysis

max time kernel
660s
max time network
660s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
04/03/2025, 09:20

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

zblg.zip
Size

9.4MB
MD5

207b597f03033b2e0644bbbc29f04053
SHA1

0ad88c964f6f7eebafa7156080a7bcd90ab32a16
SHA256

f1dc920869794df3e258f42f9b99157104cd3f8c14394c1b9d043d6fcda14c0a
SHA512

f50cdf77557160a7294406e1f2d57ca789ec42834881069281e88ac334fbaad901229da0e460b26a1b69724a4adbf9d0e92adba9c3ac86aa1603b857789c1db6
SSDEEP

49152:h7dI9o//FRKZYIH4Lqq2iPYaTSQjBO5bDhWBw5iDx+HdHg:h7dI9o//FXIH4WiPYaeyQ5bD8Dx+Hi

Score

10^/10

zloader botnet defense_evasion discovery persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Zloader family
zloader
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\ = "Brave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\StubPath = "\"C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\133.1.75.181\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\Localized Name = "Brave"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\Version = "43,0,0,0"	setup.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
137	4656	chrome.exe
347	1000	SSCapUp.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe	BraveUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe\DisableExceptionChainValidation = "0"	BraveUpdate.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
1068	BraveBrowserSetup-BRV010.exe
2568	BraveUpdate.exe
4968	BraveUpdate.exe
2068	BraveUpdate.exe
3268	BraveUpdateComRegisterShell64.exe
3276	BraveUpdateComRegisterShell64.exe
1012	BraveUpdateComRegisterShell64.exe
1320	BraveUpdate.exe
876	BraveUpdate.exe
4984	BraveUpdate.exe
1760	brave_installer-x64.exe
1424	setup.exe
4408	setup.exe
328	setup.exe
4280	setup.exe
1880	BraveUpdate.exe
3096	BraveUpdateOnDemand.exe
2752	BraveUpdate.exe
480	brave.exe
3284	brave.exe
2172	brave.exe
4316	brave.exe
4480	brave.exe
836	brave.exe
4360	brave.exe
832	elevation_service.exe
2932	brave.exe
1412	brave.exe
2868	brave.exe
104	brave.exe
1032	brave.exe
492	brave.exe
3716	brave.exe
260	brave.exe
1672	chrmstp.exe
3464	chrmstp.exe
4732	chrmstp.exe
232	chrmstp.exe
780	brave.exe
3660	brave.exe
4464	brave.exe
8	brave.exe
4040	brave.exe
3688	brave.exe
1228	brave.exe
2288	brave.exe
4968	brave.exe
5032	brave.exe
4752	brave.exe
1408	brave.exe
1928	brave.exe
4424	brave.exe
2256	brave.exe
3800	brave.exe
3084	brave.exe
1372	brave.exe
496	brave.exe
1952	brave.exe
2020	brave.exe
4252	brave.exe
3924	brave.exe
1908	brave.exe
3840	brave.exe
2408	brave.exe

Loads dropped DLL 64 IoCs

pid	Process
2568	BraveUpdate.exe
4968	BraveUpdate.exe
2068	BraveUpdate.exe
3268	BraveUpdateComRegisterShell64.exe
2068	BraveUpdate.exe
3276	BraveUpdateComRegisterShell64.exe
2068	BraveUpdate.exe
1012	BraveUpdateComRegisterShell64.exe
2068	BraveUpdate.exe
1320	BraveUpdate.exe
876	BraveUpdate.exe
4984	BraveUpdate.exe
4984	BraveUpdate.exe
876	BraveUpdate.exe
1880	BraveUpdate.exe
2752	BraveUpdate.exe
2752	BraveUpdate.exe
480	brave.exe
3284	brave.exe
480	brave.exe
2172	brave.exe
4316	brave.exe
2172	brave.exe
4316	brave.exe
4480	brave.exe
4316	brave.exe
4316	brave.exe
4316	brave.exe
4480	brave.exe
836	brave.exe
4360	brave.exe
4360	brave.exe
4316	brave.exe
4316	brave.exe
4316	brave.exe
836	brave.exe
2932	brave.exe
1412	brave.exe
1412	brave.exe
2932	brave.exe
2868	brave.exe
2868	brave.exe
104	brave.exe
104	brave.exe
1032	brave.exe
1032	brave.exe
492	brave.exe
492	brave.exe
3716	brave.exe
3716	brave.exe
260	brave.exe
260	brave.exe
780	brave.exe
780	brave.exe
3660	brave.exe
3660	brave.exe
4464	brave.exe
4464	brave.exe
8	brave.exe
8	brave.exe
4040	brave.exe
4040	brave.exe
3688	brave.exe
3688	brave.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	brave.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	brave.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\Locales\bg.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\Locales\en-US.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\resources\brave_extension\_locales\am\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\resources\brave_extension\_locales\ar\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\resources\brave_extension\_locales\cs\messages.json	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShellArm64.exe	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_ja.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_lv.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\psmachine_64.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\Locales\ta.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\resources\brave_extension\_locales\bn\messages.json	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_nl.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\Locales\mr.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\Locales\sw.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\Locales\uk.pak	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_bn.dll	BraveUpdate.exe
File opened for modification	C:\Program Files (x86)\BraveSoftware\Update\Download\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\133.1.75.181\brave_installer-x64.exe	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\Locales\ru.pak	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_hr.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\resources\brave_extension\_locales\ta\messages.json	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_cs.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\brave_100_percent.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\brave_resources.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\chrome_pwa_launcher.exe	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\Locales\ja.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\Locales\pl.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\Locales\zh-TW.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Application\SetupMetrics\a4208683-34b4-40e2-a6b7-9f419817bd11.tmp	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_zh-TW.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\resources\brave_extension\_locales\en_US\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Application\SetupMetrics\834e7acc-1de4-48da-90e1-cedc992de186.tmp	setup.exe
File opened for modification	C:\Program Files\BraveSoftware\Brave-Browser\Application\SetupMetrics\1424_13385553948281392.pma	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_ca.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\Locales\ro.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\Locales\te.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\resources\brave_extension\_locales\ja\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\Locales\bn.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\Locales\sl.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\vk_swiftshader_icd.json	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_da.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\Locales\en-GB.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\Locales\fr.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\resources\brave_extension\_locales\ru\messages.json	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdate.exe	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_zh-CN.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\chrome_100_percent.pak	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_gu.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\Install\{5D4E34B1-DA9E-4035-9A95-AA88B9808AC8}\CR_96A7F.tmp\setup.exe	brave_installer-x64.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\BraveVpnWireguardService\tunnel.dll	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\resources\brave_extension\_locales\da\messages.json	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\Install\{5D4E34B1-DA9E-4035-9A95-AA88B9808AC8}\brave_installer-x64.exe	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\Locales\fa.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\resources\brave_extension\_locales\es\messages.json	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_mr.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\resources\brave_extension\_locales\ms\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Application\133.1.75.181\Installer\setup.exe	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\chrome.dll	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\Locales\it.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\Locales\vi.pak	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_iw.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_sl.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\resources\brave_extension\_locales\hr\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source1424_1531458913\Chrome-bin\133.1.75.181\VisualElements\Logo.png	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\goopdateres_fr.dll	BraveUpdate.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File created	C:\Windows\SystemTemp\~DF89E2CF12BC2883AE.TMP	msiexec.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\BraveCrashHandler.exe	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_en.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_ml.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\BraveUpdateSetup.exe\:Zone.Identifier:$DATA	BraveBrowserSetup-BRV010.exe
File opened for modification	C:\Windows\SystemTemp\chromium_installer.log	chrmstp.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\BraveUpdateOnDemand.exe	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_es.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_it.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_ko.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\BraveUpdateSetup.exe	BraveBrowserSetup-BRV010.exe
File opened for modification	C:\Windows\SystemTemp\chromium_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\BraveUpdate.exe	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdate.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\psuser_64.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_ar.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_en-GB.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\Installer\e602186.msi	msiexec.exe
File opened for modification	C:\Windows\SystemTemp\GUT8A1E.tmp	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\BraveUpdateBroker.exe	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\psuser_arm64.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_el.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_fr.dll	BraveBrowserSetup-BRV010.exe
File opened for modification	C:\Windows\SystemTemp	chrmstp.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	chrmstp.exe
File created	C:\Windows\SystemTemp\~DFE92EE066DACC7AD8.TMP	msiexec.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_et.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_is.dll	BraveBrowserSetup-BRV010.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	chrmstp.exe
File created	C:\Windows\Installer\SourceHash{24263341-DDFF-4DF8-A62A-B85C639BE64D}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF625FDFFC382D22DB.TMP	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_bn.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_ca.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_fa.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_hi.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_hr.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_ja.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_kn.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_lt.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_lv.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_ms.dll	BraveBrowserSetup-BRV010.exe
File opened for modification	C:\Windows\SystemTemp\GUM8A1D.tmp\BraveUpdateSetup.exe	BraveBrowserSetup-BRV010.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\Installer\MSI22BF.tmp	msiexec.exe
File created	C:\Windows\Installer\e602188.msi	msiexec.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_bg.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\BraveUpdateComRegisterShell64.exe	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\psmachine_64.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_pl.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_th.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_zh-TW.dll	BraveBrowserSetup-BRV010.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\Installer\e602186.msi	msiexec.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\psuser.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_id.dll	BraveBrowserSetup-BRV010.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\goopdateres_no.dll	BraveBrowserSetup-BRV010.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\BraveBrowserSetup-BRV010.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveBrowserSetup-BRV010.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveCrashHandler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdateOnDemand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SSCap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SSCapUp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SSCap.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1320	BraveUpdate.exe
1880	BraveUpdate.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000745509500620e41d0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000745509500000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090074550950000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d74550950000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007455095000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	brave.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	brave.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	brave.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133855536796454901"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	brave.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "73"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7CB305B1-4D45-4668-AD91-677F87BED305}\ProxyStubClsid32\ = "{D6B69C35-7959-4D65-8BA4-10954460CD13}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C929BFE-4FA4-488D-B1E2-82ECD6F076C8}\NumMethods	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.OnDemandCOMClassMachine\CurVer\ = "BraveSoftwareUpdate.OnDemandCOMClassMachine.1.0"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28C83F57-E4C0-4B54-B187-585C51EE8F9C}\ProgID	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28C83F57-E4C0-4B54-B187-585C51EE8F9C}\VersionIndependentProgID	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.CoCreateAsync.1.0\CLSID\ = "{8F6D9FE5-6ED3-43A3-80D2-EA8766D65352}"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{931E73FD-D487-4458-AA08-1FF41413377B}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA1FA03C-B629-4C5D-BF95-FC7C56AACE2A}\InprocHandler32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.361.151\\psmachine.dll"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4842EC21-0860-45B5-99F0-A1E6E7C11561}\NumMethods	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FB43AAD0-DDBA-4D01-A3E0-FAB100E7926B}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.CoCreateAsync\CLSID	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C11C073F-E6D0-4EF7-897B-AAF52498CD2F}	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FB43AAD0-DDBA-4D01-A3E0-FAB100E7926B}\ProxyStubClsid32\ = "{D6B69C35-7959-4D65-8BA4-10954460CD13}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{931E73FD-D487-4458-AA08-1FF41413377B}\ = "IPolicyStatusValue"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}\InprocServer32\ThreadingModel = "Both"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{660130E8-74E4-4821-A6FD-4E9A86E06470}	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BravePDF\Application\ApplicationIcon = "C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\brave.exe,0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}\ProxyStubClsid32\ = "{D6B69C35-7959-4D65-8BA4-10954460CD13}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10479D64-2C5F-46CD-9BC8-FD04FF4D02D8}	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C974F2DD-CFB8-4466-8E6D-96ED901DAACA}\ = "IPolicyStatus3"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10479D64-2C5F-46CD-9BC8-FD04FF4D02D8}\NumMethods\ = "4"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{660130E8-74E4-4821-A6FD-4E9A86E06470}\NumMethods\ = "4"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4C3BA8F3-1264-4BDB-BB2D-CA44734AD00D}\LocalServer32	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F396861E-0C8E-4C71-8256-2FAE6D759CE9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\BraveFile\Application	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\NumMethods	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7CFC4E00-1C9D-443D-B5BE-CEEEAC1443AF}\NumMethods\ = "13"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28C83F57-E4C0-4B54-B187-585C51EE8F9C}\Elevation	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5D1924F-CB80-47AA-8DEC-5E0854A42A73}\VersionIndependentProgID	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F396861E-0C8E-4C71-8256-2FAE6D759CE9}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\BraveHTML	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA1FA03C-B629-4C5D-BF95-FC7C56AACE2A}\InprocHandler32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C663DEBB-F082-4971-9F6E-35DE45C96F4E}\NumMethods	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C974F2DD-CFB8-4466-8E6D-96ED901DAACA}\NumMethods\ = "24"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{931E73FD-D487-4458-AA08-1FF41413377B}\ProxyStubClsid32\ = "{D6B69C35-7959-4D65-8BA4-10954460CD13}"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{598BBE98-5919-4392-B62A-50D7115F10A3}\Elevation	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAE4AD28-500D-43BA-9F54-730CA146C190}\ = "IBrowserHttpRequest2"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}\InprocServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.361.151\\psmachine.dll"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4BCDF52-2179-4C77-8C5F-B8095712B563}\NumMethods\ = "41"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C974F2DD-CFB8-4466-8E6D-96ED901DAACA}\ProxyStubClsid32\ = "{D6B69C35-7959-4D65-8BA4-10954460CD13}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.CredentialDialogMachine.1.0\CLSID	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	brave.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3AD2D487-D166-4160-8E36-1AE505233A55}\ProgID\ = "BraveSoftwareUpdate.CoreClass.1"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8504FB26-FC3E-4C1C-9C94-46EC93E6BA63}\NumMethods	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4BCDF52-2179-4C77-8C5F-B8095712B563}\NumMethods\ = "41"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48B5E6B2-9383-4B1E-AAE7-720C4779ABA6}\NumMethods	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7CFC4E00-1C9D-443D-B5BE-CEEEAC1443AF}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24D704AD-AC42-49F2-BB4F-68BA77C98E91}\NumMethods\ = "4"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DB7BD5-BD0B-4886-9705-174203FE0ADA}\NumMethods	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3282EB12-D954-4FD2-A2E1-C942C8745C65}\VersionIndependentProgID	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24D704AD-AC42-49F2-BB4F-68BA77C98E91}	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}\NumMethods\ = "6"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FB43AAD0-DDBA-4D01-A3E0-FAB100E7926B}\ProxyStubClsid32	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\NumMethods\ = "24"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.Update3WebMachine\CurVer\ = "BraveSoftwareUpdate.Update3WebMachine.1.0"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.PolicyStatusMachine\CLSID	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EFF9CA12-4CD3-474B-B881-CDE1D92F1996}\ProxyStubClsid32\ = "{D6B69C35-7959-4D65-8BA4-10954460CD13}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48B5E6B2-9383-4B1E-AAE7-720C4779ABA6}\ProxyStubClsid32\ = "{D6B69C35-7959-4D65-8BA4-10954460CD13}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4842EC21-0860-45B5-99F0-A1E6E7C11561}\ProxyStubClsid32\ = "{D6B69C35-7959-4D65-8BA4-10954460CD13}"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\ProxyStubClsid32\ = "{D6B69C35-7959-4D65-8BA4-10954460CD13}"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48B5E6B2-9383-4B1E-AAE7-720C4779ABA6}\ProxyStubClsid32	BraveUpdate.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\zblg.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\BraveBrowserSetup-BRV010.exe:Zone.Identifier	chrome.exe
File created	C:\Windows\SystemTemp\GUM8A1D.tmp\BraveUpdateSetup.exe\:Zone.Identifier:$DATA	BraveBrowserSetup-BRV010.exe
File opened for modification	C:\Users\Admin\Downloads\gamennow201.zip:Zone.Identifier	brave.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
2516	vlc.exe
1044	WINWORD.EXE
1044	WINWORD.EXE
5096	vlc.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
2832	chrome.exe
2832	chrome.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
876	BraveUpdate.exe
876	BraveUpdate.exe
1880	BraveUpdate.exe
1880	BraveUpdate.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
2568	BraveUpdate.exe
1908	brave.exe
1908	brave.exe
1100	msiexec.exe
1100	msiexec.exe
4548	BraveUpdate.exe
4548	BraveUpdate.exe
996	BraveUpdate.exe
996	BraveUpdate.exe
3084	BraveUpdate.exe
3084	BraveUpdate.exe
496	msedge.exe
496	msedge.exe
2216	msedge.exe
2216	msedge.exe
5528	msedge.exe
5528	msedge.exe
6040	identity_helper.exe
6040	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2516	vlc.exe
5096	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
2516	vlc.exe
2516	vlc.exe
2516	vlc.exe
2516	vlc.exe
5096	vlc.exe
5096	vlc.exe
5096	vlc.exe
5096	vlc.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
2516	vlc.exe
2516	vlc.exe
2516	vlc.exe
5096	vlc.exe
5096	vlc.exe
5096	vlc.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
1268	SSCap.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
1268	SSCap.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1032	OpenWith.exe
2516	vlc.exe
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
5096	vlc.exe
788	brave.exe
3460	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 1204	4868	chrome.exe	88
PID 4868 wrote to memory of 1204	4868	chrome.exe	88
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 3932	4868	chrome.exe	89
PID 4868 wrote to memory of 1688	4868	chrome.exe	90
PID 4868 wrote to memory of 1688	4868	chrome.exe	90
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91
PID 4868 wrote to memory of 4344	4868	chrome.exe	91

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\zblg.zip
1⤵
PID:1092

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa8e0fcc40,0x7ffa8e0fcc4c,0x7ffa8e0fcc58
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1972,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2404 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3660,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3648,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4968,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5008,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4816,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4984,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5068 /prefetch:2
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4788,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4876,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5260,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5212,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5004,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3320,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  - NTFS ADS
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5688,i,12747590776555851069,8301944693729770036,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:588

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1032

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RegisterRevoke.mp4v"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2516

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\SetWrite.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1044

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RegisterUndo.mp4"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffa8e0fcc40,0x7ffa8e0fcc4c,0x7ffa8e0fcc58
  2⤵
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1888,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=2008 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=2228 /prefetch:8
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4484,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=4472 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4668,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4632,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4644,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=4308 /prefetch:8
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:476
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:2572
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6f8824698,0x7ff6f88246a4,0x7ff6f88246b0
    3⤵
    PID:3372
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:1512
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6f8824698,0x7ff6f88246a4,0x7ff6f88246b0
    3⤵
    - Drops file in Windows directory
    PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5048,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3740,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5284,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5156,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5100,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4112
- C:\Users\Admin\Downloads\BraveBrowserSetup-BRV010.exe
  "C:\Users\Admin\Downloads\BraveBrowserSetup-BRV010.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:1068
- - C:\Windows\SystemTemp\GUM8A1D.tmp\BraveUpdate.exe
    C:\Windows\SystemTemp\GUM8A1D.tmp\BraveUpdate.exe /installsource taggedmi /install "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=release&installdataindex=default&referral=none"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2568
  - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
      "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4968
  - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
      "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2068
    - - C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3268
    - - C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3276
    - - C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1012
  - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
      "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNjEuMTUxIiBzaGVsbF92ZXJzaW9uPSIxLjMuMzYxLjE1MSIgaXNtYWNoaW5lPSIxIiBzZXNzaW9uaWQ9IntGNDk2QjIxNi1GRjczLTREQkEtQTAzMi05RjdGOUM0NzA2ODV9IiBpbnN0YWxsc291cmNlPSJ0YWdnZWRtaSIgdGVzdHNvdXJjZT0iYXV0byIgcmVxdWVzdGlkPSJ7NjkzMUJGRTgtRTc2NS00ODhBLUFFN0QtOTkwOEJEMDMzRjJCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSI4IiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0ie0IxMzFDOTM1LTlCRTYtNDFEQS05NTk5LTFGNzc2QkVCODAxOX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuMy4zNjEuMTUxIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBpbnN0YWxsX3RpbWVfbXM9IjYyNSIvPjwvYXBwPjwvcmVxdWVzdD4
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:1320
  - - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
      "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /handoff "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=release&installdataindex=default&referral=none" /installsource taggedmi /sessionid "{F496B216-FF73-4DBA-A032-9F7F9C470685}"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5580,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=6276,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6412,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=6420 /prefetch:8
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6444,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=6544 /prefetch:8
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5016,i,15955752560258623232,4238880145472722995,262144 --variations-seed-version=20250303-180020.638000 --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:2520

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4228

C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4984
- C:\Program Files (x86)\BraveSoftware\Update\Install\{5D4E34B1-DA9E-4035-9A95-AA88B9808AC8}\brave_installer-x64.exe
  "C:\Program Files (x86)\BraveSoftware\Update\Install\{5D4E34B1-DA9E-4035-9A95-AA88B9808AC8}\brave_installer-x64.exe" --do-not-launch-chrome /installerdata="C:\Program Files (x86)\BraveSoftware\Update\Install\{5D4E34B1-DA9E-4035-9A95-AA88B9808AC8}\guiE2BD.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1760
- - C:\Program Files (x86)\BraveSoftware\Update\Install\{5D4E34B1-DA9E-4035-9A95-AA88B9808AC8}\CR_96A7F.tmp\setup.exe
    "C:\Program Files (x86)\BraveSoftware\Update\Install\{5D4E34B1-DA9E-4035-9A95-AA88B9808AC8}\CR_96A7F.tmp\setup.exe" --install-archive="C:\Program Files (x86)\BraveSoftware\Update\Install\{5D4E34B1-DA9E-4035-9A95-AA88B9808AC8}\CR_96A7F.tmp\CHROME.PACKED.7Z" --do-not-launch-chrome /installerdata="C:\Program Files (x86)\BraveSoftware\Update\Install\{5D4E34B1-DA9E-4035-9A95-AA88B9808AC8}\guiE2BD.tmp" --brave-referral-code="BRV010"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    PID:1424
  - - C:\Program Files (x86)\BraveSoftware\Update\Install\{5D4E34B1-DA9E-4035-9A95-AA88B9808AC8}\CR_96A7F.tmp\setup.exe
      "C:\Program Files (x86)\BraveSoftware\Update\Install\{5D4E34B1-DA9E-4035-9A95-AA88B9808AC8}\CR_96A7F.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=133.1.75.181 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x7ff6eb3c1618,0x7ff6eb3c1624,0x7ff6eb3c1630
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4408
  - - C:\Program Files (x86)\BraveSoftware\Update\Install\{5D4E34B1-DA9E-4035-9A95-AA88B9808AC8}\CR_96A7F.tmp\setup.exe
      "C:\Program Files (x86)\BraveSoftware\Update\Install\{5D4E34B1-DA9E-4035-9A95-AA88B9808AC8}\CR_96A7F.tmp\setup.exe" --system-level --verbose-logging --installerdata="C:\Program Files (x86)\BraveSoftware\Update\Install\{5D4E34B1-DA9E-4035-9A95-AA88B9808AC8}\guiE2BD.tmp" --create-shortcuts=0 --install-level=1
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      PID:328
    - - C:\Program Files (x86)\BraveSoftware\Update\Install\{5D4E34B1-DA9E-4035-9A95-AA88B9808AC8}\CR_96A7F.tmp\setup.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\Install\{5D4E34B1-DA9E-4035-9A95-AA88B9808AC8}\CR_96A7F.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=133.1.75.181 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff6eb3c1618,0x7ff6eb3c1624,0x7ff6eb3c1630
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4280
- C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
  "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNjEuMTUxIiBzaGVsbF92ZXJzaW9uPSIxLjMuMzYxLjE1MSIgaXNtYWNoaW5lPSIxIiBzZXNzaW9uaWQ9IntGNDk2QjIxNi1GRjczLTREQkEtQTAzMi05RjdGOUM0NzA2ODV9IiBpbnN0YWxsc291cmNlPSJ0YWdnZWRtaSIgdGVzdHNvdXJjZT0iYXV0byIgcmVxdWVzdGlkPSJ7OTQ4QzIwRkEtNzFBNi00RjdBLTlGNTktMTg0MzMxNkUxOENFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSI4IiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0ie0FGRTZBNDYyLUM1NzQtNEI4QS1BRjQzLTRDQzYwREY0NTYzQn0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEzMy4xLjc1LjE4MSIgYXA9InJlbGVhc2UiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwczovL3VwZGF0ZXMtY2RuLmJyYXZlc29mdHdhcmUuY29tL2J1aWxkL0JyYXZlLVJlbGVhc2UvcmVsZWFzZS93aW4vMTMzLjEuNzUuMTgxL3g2NC9icmF2ZV9pbnN0YWxsZXIteDY0LmV4ZSIgZG93bmxvYWRlZD0iMTI4NzE4ODY0IiB0b3RhbD0iMTI4NzE4ODY0IiBkb3dubG9hZF90aW1lX21zPSIxMjMzNiIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzA3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iMzQ5IiBkb3dubG9hZF90aW1lX21zPSIxNDMyNSIgZG93bmxvYWRlZD0iMTI4NzE4ODY0IiB0b3RhbD0iMTI4NzE4ODY0IiBpbnN0YWxsX3RpbWVfbXM9IjMzOTE2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1880

C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateOnDemand.exe
"C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateOnDemand.exe" -Embedding
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3096
- C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
  "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ondemand
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2752
- - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
    "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --from-installer
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    PID:480
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=133.1.75.181 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa9c34ed08,0x7ffa9c34ed14,0x7ffa9c34ed20
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3284
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --start-stack-profiler --field-trial-handle=1908,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=2088 /prefetch:11
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2172
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=gpu-process --string-annotations --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2060,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=2056 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4316
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2380,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=2632 /prefetch:13
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4480
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --field-trial-handle=3296,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=3340 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:836
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --field-trial-handle=3304,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4360
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5152,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=5160 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2932
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5260,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=5268 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1412
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5156,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=5420 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2868
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5412,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=5280 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:104
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5444,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=4728 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1032
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4664,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=5712 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:492
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\133.1.75.181\Installer\chrmstp.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\133.1.75.181\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:1672
    - - C:\Program Files\BraveSoftware\Brave-Browser\Application\133.1.75.181\Installer\chrmstp.exe
        
        "C:\Program Files\BraveSoftware\Brave-Browser\Application\133.1.75.181\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=133.1.75.181 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff756ed1618,0x7ff756ed1624,0x7ff756ed1630
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3464
    - - C:\Program Files\BraveSoftware\Brave-Browser\Application\133.1.75.181\Installer\chrmstp.exe
        
        "C:\Program Files\BraveSoftware\Brave-Browser\Application\133.1.75.181\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\BraveSoftware\Brave-Browser\Application\initial_preferences" --create-shortcuts=1 --install-level=0
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4732
      - C:\Program Files\BraveSoftware\Brave-Browser\Application\133.1.75.181\Installer\chrmstp.exe
        
        "C:\Program Files\BraveSoftware\Brave-Browser\Application\133.1.75.181\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=133.1.75.181 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff756ed1618,0x7ff756ed1624,0x7ff756ed1630
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:232
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5060,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=5868 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3716
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5076,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=6016 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:260
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5864,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=5884 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:780
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5820,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=5740 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3660
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6068,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=6072 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4464
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5848,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=5388 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:8
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5648,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=5644 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4040
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4652,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=5900 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3688
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5700,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=5888 /prefetch:1
      4⤵
      Executes dropped EXE
      PID:1228
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3360,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=3552 /prefetch:14
      4⤵
      Executes dropped EXE
      PID:2288
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=3632,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=3568 /prefetch:1
      4⤵
      Executes dropped EXE
      PID:4968
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=3524,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=6192 /prefetch:1
      4⤵
      Executes dropped EXE
      PID:5032
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=3364,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=3472 /prefetch:1
      4⤵
      Executes dropped EXE
      PID:4752
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=5352,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=5304 /prefetch:1
      4⤵
      Executes dropped EXE
      PID:1408
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=5840,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=5684 /prefetch:1
      4⤵
      Executes dropped EXE
      PID:1928
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=3824,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=5812 /prefetch:1
      4⤵
      Executes dropped EXE
      PID:4424
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3340,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=6088 /prefetch:14
      4⤵
      Executes dropped EXE
      PID:2256
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=1284,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=5892 /prefetch:14
      4⤵
      Executes dropped EXE
      PID:3800
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6236,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=3408 /prefetch:14
      4⤵
      Executes dropped EXE
      PID:3084
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5464,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=6148 /prefetch:14
      4⤵
      Executes dropped EXE
      PID:1372
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3348,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=6176 /prefetch:14
      4⤵
      Executes dropped EXE
      PID:496
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5748,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=5928 /prefetch:14
      4⤵
      Executes dropped EXE
      PID:1952
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5908,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=6316 /prefetch:14
      4⤵
      Executes dropped EXE
      PID:2020
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6232,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=6216 /prefetch:14
      4⤵
      Executes dropped EXE
      PID:4252
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6060,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=3520 /prefetch:14
      4⤵
      Executes dropped EXE
      PID:3924
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --start-stack-profiler --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=6100,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=6320 /prefetch:10
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1908
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --field-trial-handle=5268,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=4348 /prefetch:1
      4⤵
      Executes dropped EXE
      PID:3840
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --field-trial-handle=6508,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=6524 /prefetch:1
      4⤵
      Executes dropped EXE
      PID:2408
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --field-trial-handle=6512,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=3352 /prefetch:1
      4⤵
      PID:3608
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --field-trial-handle=5652,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=6256 /prefetch:1
      4⤵
      PID:4648
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --string-annotations --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --field-trial-handle=6632,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=5476 /prefetch:1
      4⤵
      PID:2664
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6504,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=6660 /prefetch:14
      4⤵
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:788
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3520,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=6688 /prefetch:14
      4⤵
      PID:1140
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6688,i,13502751685590572662,11332201815051573728,262144 --variations-seed-version=main@a8723b3b0b4ce43e3f2a414843d68e4d8190eabb --mojo-platform-channel-handle=6148 /prefetch:14
      4⤵
      NTFS ADS
      PID:988

C:\Program Files\BraveSoftware\Brave-Browser\Application\133.1.75.181\elevation_service.exe
"C:\Program Files\BraveSoftware\Brave-Browser\Application\133.1.75.181\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:832

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
PID:2548

C:\Users\Admin\Downloads\gamennow201\setup.exe
"C:\Users\Admin\Downloads\gamennow201\setup.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1536
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{249B0777-F0D9-4E5A-85A2-DE6D67ACD3D0}\‚ª‚ß‚ñ‚È‚¤.msi" SETUPEXEDIR="C:\Users\Admin\Downloads\gamennow201"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:2968

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1100
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4052

C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /c
1⤵
- System Location Discovery: System Language Discovery
PID:4424
- C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
  "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /cr
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4548
- C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveCrashHandler.exe
  "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveCrashHandler.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3924
- C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveCrashHandler64.exe
  "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveCrashHandler64.exe"
  2⤵
  PID:3376
- C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
  "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ua /installsource core
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1652

C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ua /installsource scheduler
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:996

C:\Users\Admin\AppData\Roaming\GamenNow\SSCap.exe
"C:\Users\Admin\AppData\Roaming\GamenNow\SSCap.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3268
- C:\Users\Admin\AppData\Roaming\GamenNow\SSCapUp.exe
  SSCapUp.exe
  2⤵
  - Downloads MZ/PE file
  - System Location Discovery: System Language Discovery
  PID:1000
- - C:\Users\Admin\AppData\Roaming\GamenNow\SSCap.exe
    "C:\Users\Admin\AppData\Roaming\GamenNow\SSCap.exe" update
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:1268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://live.erinn.biz/login.gamennow.php?login_request_token=120b1105ff0d93f968f974d5d54a835f
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of SendNotifyMessage
      PID:2216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa9c143cb8,0x7ffa9c143cc8,0x7ffa9c143cd8
        5⤵
        
        PID:1544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
        5⤵
        
        PID:1000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
        5⤵
        
        PID:1652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        
        PID:2100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        5⤵
        
        PID:3656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
        5⤵
        
        PID:5264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
        5⤵
        
        PID:6004
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6040
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
        5⤵
        
        PID:5132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
        5⤵
        
        PID:5396
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
        5⤵
        
        PID:5956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
        5⤵
        
        PID:5236
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
        5⤵
        
        PID:500
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3460 /prefetch:8
        5⤵
        
        PID:5824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
        5⤵
        
        PID:5144
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
        5⤵
        
        PID:5416
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
        5⤵
        
        PID:5464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
        5⤵
        
        PID:5852
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14191337548508970412,3778242269600313204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
        5⤵
        
        PID:1068

C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /svc
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3472

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004D8
1⤵
PID:4416

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3951055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e602187.rbs

Filesize
13KB

MD5
7305d13f5b691cd9eeed4ad7eb79cc59

SHA1
059f4fe11330e650e2ec7745b625fd24c0203bde

SHA256
8bb1c27e66633cba9eb93644d8b86f93dd8252e3d38ef66fe9334754212db72e

SHA512
1c4204201262cee5920dacc87c5cecafbe673893718684cf5bcf903b5af669aeed0a28225aabb8bb175d9cfab02ae4ccfe702545f4a2e1e3250d653bc95efbbc

Download Submit
C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe

Filesize
163KB

MD5
cc952910623edaec05efb9b4da0126d3

SHA1
5c0c59e23e4a471823a042ee93bbe9d059e4ccdb

SHA256
9e58f43bdf203cfed65c4281b0dd451065c1d5a90fa5b8b29c288b9667c0ea6c

SHA512
89361975fab0647169ce2be797eedd631696a5070abd2a94a4744f9e292a39d68da92da1a5ca47a919868578be9d3ee69c47d56cfe332a6e47e80f3fe142378d

Download Submit
C:\Program Files\BraveSoftware\Brave-Browser\Application\133.1.75.181\Installer\setup.exe

Filesize
4.7MB

MD5
d4c6bae7f14c4681d64d612020c442a7

SHA1
960442700428853424d5a90fd1c6628a8142e4d2

SHA256
f88c3feb61c5a9ef101172eb460afdc9fb965c9ca14810263bf76ecad4f8a852

SHA512
6205b607553db6c076a68797d4cd8ada5823db3fec2826f5f665f6a2efb575adf1d739d4821868c00ab5f00ba107b8c78abbb1b269cb5b3d1e96e4ed4fc1f70b

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Cache\Cache_Data\f_000002

Filesize
21KB

MD5
bdc2e6d29677bb5e1ce989d8f582ecb1

SHA1
4124717e97e4d0d5ad5800bc3ec6da17cb487b7c

SHA256
8f1faf5a15eee35476f473f2f430d9261ba58690450638c437e2d7d2874b5163

SHA512
08d5e4ba186863faa288304531dc8ef335aa648562c4939528cf1606f0a9c565901406bc90ff4d81edaa9ebc556539e2e5c980a5820c870fb1ab0a241f83035a

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
eecd8eb8798ec9c2ad851a3502a7ec65

SHA1
58b3084542f6e249a748c76c8803f63d7c08082b

SHA256
93e8149f8332c7501a43a5b1884e919ea4794219d5ce4013c1dc5076be81d577

SHA512
37e981ea66941a0d1943940073fde79924d91d4a3c0a58abee239b7e03af44290f0887a36190693123703a6371c6ac924040d867842155d1fc82a221f03008a0

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
17ff9471ae1ed30c2da75005af070333

SHA1
21452a5573b5c72656fd56bd835f8ca15da4832f

SHA256
fe6658e31ffad356686a4c1a06dba5e76ceea4e20fae579f11614527045a20d6

SHA512
37579f393a01eb3558c9a546541d8f93d814cbeb2cad5bb5fb4072e40d838390b873abab5347ff6d1b2f8558d9f3d3659c28b166f60a7bb7c79328d9c2f9215a

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
68a282d66eaa449d659b719f7123479d

SHA1
b91e2c870ec0e7c02409ea14a7a7cf5de4f316d4

SHA256
4c09e3116f136a864b2f6a35caf4d2ced22b76d15923475ef327d64b40750aaa

SHA512
9cfe9eda5d5ddc7a05780cb444a79a1b59f166d0dabb816dedca30161f663e818d2e8af5d60f55ea76106ccc892dad4f1e2e52edd5248869e35213ad2cf42c83

Download Submit
C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\Network Persistent State~RFe5cbde9.TMP

Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a8b611bf10e7fb1e85c2e95d4fd7f350

SHA1
0011938eb4ce1e39af443a5241d5189eddb772d9

SHA256
d5ef4c50a7e20c30f15d19834225512a1ddf039de10c460f87f52a25a11595f1

SHA512
cfabda18ff187c2985a9d46fb5cd788dd65a7bb33f2068ab7a8dd70b0a6fe40c51127a9288f6174ac6f497b12615a71ebcd549c39a98ce45d5c8d37878169b83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7185124f-4f5d-4ea2-8574-9c9282c9a51b.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
27b7dfd7bc57659889de970107d4aef9

SHA1
d24bf22cb40aa22605abc1c15535ce9c22e79fae

SHA256
986248b75c79cf9e769842546c6e6e31ccf2e005f50217710327b1720d316fb1

SHA512
40b49c094f975b0ae98c2fb8334c78243a9e88ff1d0c39cd7005ef84bfa40b1f6c6c6c38e425560cf1f77d8d5584fa64cf7160a9278c8ffe5bc5308d22a8195d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002c

Filesize
411KB

MD5
f6f6e62ceef2eb8875f87adbbc6cfe7c

SHA1
762cbf671a571b6e33d29675bfdf41087612d17d

SHA256
4211a7f0336e5b8625e5dcf1fab58a7ce054fa4ca7b10f06d0ae6e1cefe55dda

SHA512
a87e3fc698c52adfd05096d114f22629b9661e568ef76a20f934926a67c88c9ea40e770f99adb508e887ceefba3e59fdfb3703ab21d5e66a1f681f807e5cea00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002d

Filesize
83KB

MD5
a6239987c3770e77a9d85c890a4e93aa

SHA1
ceaf3e20db2e20cb52001b2e1838165a1d1683ef

SHA256
b5cc2fda0ebc7a1955a2ed178ec9f881f22b8154c6b9d5cacf5968e6a1cfbbd1

SHA512
41eda81934b9213760fd547ee91508351ca0b53662000a3ad7379f51ddfff5dddb98f97f0c3c12799c6259194bb069853704c53730d869a6879297c136477531

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000057

Filesize
107KB

MD5
9a969ff454b5cabfe76cca417ef46348

SHA1
bc18794d9d6db605989be897debdfa046ed6beb5

SHA256
d0d5083022005b8865f81fa82078c70251ceeb65e5f75c1480956be4b38424a0

SHA512
b8075e4e479daa6adc7a643d3a9b6deac3d72f9e3ec5357eb9dfae0f389282e0fa7a731d94bb8473b6ac8740bd725adf5fe10b1d1f1b74a5fe218f541d3950ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
54abc87d6932e477e98f9c9eea9ddf49

SHA1
de3dd24387c3aa286313ccf388c5635b88f79c8a

SHA256
4ffe38c8c89113b3f08efe0cf47eb6720205c4b69a0f707d57f7baf6acfa889b

SHA512
dda9783af212dda9eb3d73cd325d0760ddaae8122b53a73a7f75899aedddef8aa3dd503a59febf0f5c08b846e3fca3ba1d6b5e8a14e22521fbc49a5ddd84b4a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
4311621da21977ffd6f6d17ecbf742ae

SHA1
01186154465067f01fe6f9163a86275920c6008c

SHA256
951d413a94a9f5122e209c4dac607836c7db3f7470d008d54be7beb1623fd99e

SHA512
0084dcbd96ef567c5d4f2df9a3c432c693570cd4a84493f15cae25cde456c5a00b1f70e01b9a0d7e4e9f4ce1b1659cd2731ce6bec26ff36f672ac3f97e7db504

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e19684ae28eed1ef7defe88f68692dbc

SHA1
02b8cc57d1a06d252e0c4098ca816e392744712b

SHA256
e456007de841cdbc34db843c3a5ed1696202c2bf95fb2adcebaa033edc59c644

SHA512
52d94c0f15208c2a2cfbe2acb0414653aac4e6250262ad93d4ba75bc4698efbfab546996add4208cb6857bc8a0e50eac44ccae427281a1d86f1a0672d09b6b6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
93fe0a6430be8bdd71971bb68e84453b

SHA1
669cdaecf12242d2a57cdc21f5dcddaeb158df7a

SHA256
521f882708df6d146e751abc45898a06884e88774e36f0e8d971878a01f8bc2a

SHA512
a69aca1614d009f3628f5dd23af00111f268f1ba83383f2be9c130078479ab3eac80cf0e2c572690483c1645256f20836139903b4c9a002f44ccca9ccd44768c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ef602b11c2660739d2a2bcb87a94126e

SHA1
a85fedc34f6726dbbd6ebc7032a0c16bf2bb2bc1

SHA256
c0ac6ca01339ab111f64612fd95df8a8534a67e43cabe4b12f4015e398c45783

SHA512
163055c73fb14074099d85dca82ffa8a2f43bef7fc455e52f9ad21bb51b4a84180676d717f44f40f378aa66046d7739f79a1a99b4216f9e94b721268d3d4156a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
118c21e59188a9f80cbd7d354b9d5886

SHA1
d68d4fa6368f668a41a901f4f09be95fab59685a

SHA256
8c17e0cc6edf98775f735a06f7c000c96663b9a16bce4bf6c2e7dee58f316fd0

SHA512
b0a286ee840714620486294628a2657cb9add4a08c6ec89b2a581a8cd917eff4abc5751974eff9a4973e604de3e4413d8f0be08227742ba63e36e9d24ef05993

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
eae68ed9ec49fd26a417d500238cd832

SHA1
fe00c586d89282dffd94b4c70c66dbf960f9f75f

SHA256
2891877ffa748b12b9898c53907655aaa0182ac6691f28acf46d221c69276682

SHA512
093d47c8482d93e47d42c1499b9efff75b8e45d9efb9c572fe036c21c16b74f1ecdad7422b0be61e0896e992f009487cb6631cc12f1715d12744e15e44277fcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
290bb1150728cbfa55fe93c8f982e79d

SHA1
e29de8e23f3a28790558284047bd2218d67a22aa

SHA256
a661d1e13b9d6855069e8145022d1235ff46d14e19778de939afbabf1de4d9fe

SHA512
4e5aef1e33dfcc62abbae1072b03620d00bdb7c4b2cf7ac30d818754ca3ebf67c3394fa85f7fcf38d036af260597693c7c567af51b028210718f5cfc153eb7cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
30f1792de7c4646ed35f725e4695298a

SHA1
bfddc36a564f8044a304a4e3c9be9dfac7ac28d4

SHA256
c3e98bd81c3854b9a8d2dd4d2f8850f2bc31b9fe8a300f42a83066fff1465ee2

SHA512
8c376cdfff1178a05e571493a2cd297282505fdd267e125ca7883ee22f677f4ffdc415639bb1d8bbf54c283597d4a12c30053e4f4205a53e97666a89c8d80e76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
981293215508674cfbe7fb34163ecc35

SHA1
6a9d7f344fdbe0f4a3710d42fe466964a7f6af57

SHA256
80a1a907846454bfb5ead1b13cc91978da0dbee376c694fa4c47521e847a52ab

SHA512
62a930d56e05e497e6f49efa92460f983da6ad8a77c0511c972e147153d223ed12c82c4ed70b02f1e2d037d1715436e279caa590238c320203e705163185c533

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a3b201b1bacc86183f94a6dad232a396

SHA1
ef081837db7c1a7ae10fe1e07e05e79b6760c53e

SHA256
82138ee32749408779d71d04e779496412299014fce7105994d6f279b164d65c

SHA512
56e2c3b40b21a3587bc7805cf34b6e6a5dce16f4c8fd1b5992f078ee2911f6315b97993674b36cd6256184442e9c366d359ac1b5d70e4679cc6d04cec6797f04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5f284fdf542582a9e93bb6183d14be15

SHA1
219b8d3ef19ed941825886456a5e53828d27e98d

SHA256
78078ac210db80ae3e165dfed7fbff4bb7372323689603a81770242fb604659f

SHA512
5a3422f9e354bc94e465ee575d3002b0374212c0d4b57bc4ec55d461e7ae14cf4374560cbe0083b6cb0320ec0e1b76f65b7165c8f2c7b026263ff7449b6b20f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
eec7ab25fbf5b01f79b7bcdafb6b720e

SHA1
f29255dfcf628152d8c0d9b1731e0cb586a901b5

SHA256
c03078412f759bf0dfb0a4c4e6c16e0a41923013d7e7e023b79ec7e5f9844e12

SHA512
4a6f45d1982558f2a5c025d1eae2d41a1137ba0e8db044d3d3432d9ec4611c8a91b039ec224f1b1d1d3899987a859248643d431f4f01573a7543bd71065096bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f401d98fafac32e063f62cdab695c1e4

SHA1
0d249e174325b5d63492237b540f471dac9e2450

SHA256
26016b208cf2f3136a98d3237e5984ed8173ac4eb1608b258c8ab1964972fb5b

SHA512
258f5ac751c23d4f1e96abede866ae70b7866f187f70b6e6d80f2ebc41f8cda2426b18f2a384d7891bd307d9951228a308c14f0be6c9c39b56e64fdfd795d53f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e4b902966e72c31ec591461186b1c6ae

SHA1
887dc650165c663cb892bf621d2069042c7f5791

SHA256
c13d2ccd35a604b10637ecc5ad54a6917ac4df69fbc0a06ea039db1abdac7311

SHA512
47f10cfa36ddeb7cc05321990db98356b0ab374596144bda4f9451a3133540a75ddee09865453a0074e6932db9e4acdaeaa81c729ac7049fb38ecc85e6a2d92f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b3e581e3a09414c7a94d042c8244ea78

SHA1
202fd249a798bde962f6c3f437e6ed115b026d55

SHA256
834a20a6c4e2c49749f31f1c7fc208a10a78702473d60b152a940e7424c43225

SHA512
5f33350a671c407c1fe6190a5d5b50eefc290eac01dd3618bfc47cbcc29b4dbc6da74614278c21ce57c8929f58b67a28433cc78f0f7e6252eb385f4c71e787bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b0ad20e8ea4784bc3b289f4acd60bc36

SHA1
95a7d348aa1d33eaa05ac1ea36cc161a51e8a5a9

SHA256
577e808fe6a28be2e7f6f9a79f541d11ed275bc6a3d4165eab59399092367893

SHA512
a05b6b9019d2cd36fcf4f8e9bd5ffa0f469f013377b8afd6d790ff67b85a069c8a5fae7ae1b0fa8ae0d9b038865c2799f44f6c3b953991b04cd58a1dd01f654b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f4a8b1a5714a98458dd39567ac525fc6

SHA1
4cf423da20efd2eeed2d6a0c4ca12876e84d1855

SHA256
fc3ce46e1be45efbd43bfbcb63a11748538c7ad48f444928feb27e9e4caa5676

SHA512
745e55226fd1db62139b9000843b29038d2244d3d5ae57d9388640c4bfbfdf5f51c6b237a646fbb536d7f4eb1c9c9beb9890c40f481f8034c482b81353ff1c34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bb8daf09b00e1eeb75c79141d41d65c4

SHA1
69c45c5c04472aa3df56d5aef42944eb68fd9110

SHA256
6d2096f7e3fe50e56b6e41793b8340eab8394fa6defc520afcf6e1643e685eb9

SHA512
9d3e127f1b7df459b673bcb510183b60270420c7903f15f8512493b1652fc4244c3f9eb119fe41021f39026b5b183699e89eab53b6eb0c3723b525e34e7344d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a95600489f4442edfa6158daf07b3985

SHA1
318d72555a6251760a15e2d56f6fb0a68a6e7964

SHA256
0efb512944f87ca3ce3e7030d9705c7783f310161a6a235e5c6c8bff074c8efd

SHA512
1def40be8dcb76547003080f9a7b5b1f6d803ffffe7ec4fd2a9663fe8a71e48f39878a00fcfc6bef1604020e013d15c36899296f0fdd6a19c604a304fae40838

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f694b08dddbc6a9d35e2479f2df6aa1f

SHA1
9b3b63a18624f3026028fa5732af5a901d03996c

SHA256
e114a3c4182bbeda4fbcff6e09f2fa01d73e6957026ab2dc17361982e6576630

SHA512
adc57e7a81663c8f78fdd62a542c5820d853648e0121fe73524bf397150bcf252318e2e598719a29a4322de21066f07a05145ff594e83a3f9f7ba577a94d6596

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1244f4d7cd9f559ccd3742fe150b4a7c

SHA1
c289b60605475e5d0bf42c652c0a9afc36c27945

SHA256
cd097157ce7e2718b27af59bd17a9c4cdfb552d7c303d406b8d9ca859bfa308c

SHA512
9ed3034cdc830fc8cfe5fe04d9070b4dca2b0ba2c70589e508d5bf177b4221cbc99db651c082d7e8f24e3c2177591422f37f25a569e4e9144037ddf476bf8dd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
11ad8e8b69c7b30df203ea5e3723bab3

SHA1
fa5bc55edeef55f6f1ae6d603bf13e8a06dcbf46

SHA256
73a0cb655b1e6f5d6541ee764d925b33e6b087e4031845044fb77e4b26abc8f2

SHA512
2916399dbdc56ea33ca71392b231de9e8ad6f543664c228927157f939ee7cd0b51e35386d06586cc7ebaee100d6422f8ba8188395067e579cfbba0989b459c5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b7f39b8502d0e166fe2f8b9a6e753a8f

SHA1
1852379a45b7015bb7c5514d79538c0e47963e19

SHA256
9876a89c8b4bba6f4016b6c33bcb9124373c6d9c462faa8a122ab9f9fa64421f

SHA512
6e74ae71c18e2df9bc1586870d9c5856bf8de92b90eaf3f981746a081308e37ec8de7ddd103bc60a950b84bdc07482a4ed36fd34b763f125c680ff5dbd6f195a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3dffe91a0a0e5fbdc1f544580e22fece

SHA1
6750a9e932d0739ebf8906fcf32fe65b4860f540

SHA256
c4f573db0f52fd9c97890179ee603a62e80003ee7c16bc4650946a8ea2a67b7d

SHA512
0f6f3fb6c257d0247d56943797abd205e24a47986e30e03344da27ff45bb028ef6a2c0060080d6628a089361983317521cb94065772bf64b87e15f465b4288fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b048640ee6f9574573d2fdb66d8ee24c

SHA1
47e0030a10b86cd5cbe81adbae94353a261aa4f4

SHA256
84d63ed2a20847969d738f81c66b18f8fdb3dfc1cbe0a737badb9be3ba157304

SHA512
b3795af9b86b3e83dc40e1634601289f1464c6a870e043267c98601b68284039c56f96ecddfa241a0e3a77ff69de2567c765920441f36e4ce9ffdb7be1588d3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b810694e2029d6bd8bb2349b4f7c89c8

SHA1
83fff685ee5e8e5f5c31fc47fa342b4322f4b6fc

SHA256
470bcbfd585dcf1f5cfd029ac6af96f38d308f193888d8b6a20de36fbab81d50

SHA512
50dc0d537676563d3257ef25f7b5014ecd445b7471839bf2418612fa3329a427e3a6a10af5381359a6f1752f299c1fc10f86c2900fe29ccedd14337833934af5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
afd0c2f3f4d34c2b59a3e74c0f32069e

SHA1
f0baa5fdf45b98d1abb9a24e76dc968173583a93

SHA256
120d80be3e0bd90a720b5a681c18c73b7a53c679c08527b1bbfb8000176a22c9

SHA512
f3730cb8b575cb7d03f46c8083d66085ce27c781f2b16c1091451db5aeddb1950fa492ce94b1f6487cceb01cf64a2c513f019a3236e8cf3dcaf7e188bf0040bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
86055703c256efc6fc92beadd207d028

SHA1
bf1866cbf3fb91b6a8352d039e17ddd7498a734d

SHA256
ea7bc859a5f47bc5ee637f1f184e3d68e14d69eb70540a451052059b3a5cd149

SHA512
e01a42bc116690171df89971b233c6f70d2c0c7b80a2367ca3dae28d26d1ea153761b433c83845dd2221024371633cae20212e74bc75eb82ecac4cb8df739958

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2dfc6ce1dc8ce39b5bc5bdcd53abc9c6

SHA1
a29bf1c60f8dc7427605a8f063f967c22ea5f76e

SHA256
635dd4c52789942733ba8a9c5cdf2d25b43b8c9ece528e2e2b17582ef0157150

SHA512
6e783a506748f89172dab1b84b29f137cddd4668c7184ec1b6fcff789d87579685c771cb18c1d9d48ad6ad6aafbfba90771672e09645eb7b2bcfaec759326573

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e438b0fe76c7890562f7dc9e9477b03a

SHA1
809ab88dd8b21b2ee2f0357c00035ef4c11ccce6

SHA256
affde17b03cf45f79fe10dcf57c870895165f8ff03f49b8990eca03c2bf52439

SHA512
5a796e3c3a5dda97ed74006be5f8efdb33cf70d5d2b479ffe3666dec77418215611764a939db3571a7f7d9c7348e620e7603a9af4ed2eae93446b89b67a9a78b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f47705b20d90bdfe8d3b9e6dcd6b0a1f

SHA1
d50dd374f96b2db74c1502fea666b8f7b9f9adde

SHA256
bfd0ece9b8439ffaaa9ee75321bf3fb953e819dbf3a8d631ce927e3e6cd53ba7

SHA512
81b668e3d06fa6038296a9c2d26123d7f21f0db09f39a521ce6ab1007963da7b5211928cb53d311b900ab471cffe740e3e1e38c6920c5f0778166b71952e3438

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
99d016a9e4a1ac48ac9c76cd4cd3a51a

SHA1
e778dbb8db9175b2952495213582c2669c88caea

SHA256
3cbe269b67ccab8cf0c25ba184a41632cfd4e7fdc7338196fafe6d6277fe28ff

SHA512
b49ad80818002e72ca158aa4acc182f66ba82f377b251c9b81a68a44d4f409f7990fa83c5ea68207573488093117312f7ff0f79a5548a2abe0989f8f236841c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fa5e567088385deaa96a2787a25f7019

SHA1
0d4a8127e23c3936e73a9be360de47821a55ff77

SHA256
620042418420e8f9ced1b00488f29bd53e5490cef21542103ecf592adcfcd2a6

SHA512
923b96931636c536cd5ef4dd4fb7ff3cce3fcabd4a5eb1fd2ab5bd3d8be90b280045742a8e73d0dcb87c41f520973b4dd7818a83f880b4bf8bf5bfc272b0c417

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0fa8792fad82b39bc8a340713636d07a

SHA1
0e2d6a75c2b409dfd9ea109c0f3f14aa39533c20

SHA256
fa5b3a8b99943c83c725f736e7e96c71ff79295e1f5d1f4f6c170232711e2adb

SHA512
f3a3794edcca810195fdded8173d86cd5a15b52a38d81986b05e9426aba2ac73d7192091a4d1873dc99639733b314694fe4f30efacbb5ffe0ab918c47224b186

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d01c089cf9ec8df7ad5670568ccfd773

SHA1
270202263f7902f6b5946d623cdfa097e8c54499

SHA256
6d47e64305580bf118d54b6c6a2eb785c12cbb6ac01a99c8d98762aa17e7ee8f

SHA512
214a31ddc783650ec16023e12839a9b0140d0ba74756084ed77c37ee19121e5a799bf1847c4b747c1e8d7d9002ea17679f0d6b6dc3db2cb649b6fffbcb8b0dab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
94c75494292159d70840afd9fe000987

SHA1
b0107412cabc6bf032cc4860614d25d5bdbb546e

SHA256
e4fa4765bf7a012aa89b9e9dd77c65faa0f18e2da53327b4a778683a5eee0564

SHA512
9ba85e6197c40d53da52b0d384e066b8f6b5797545771bdd4b815d9bdc7d5ca9ae5ddcd4d92b53992ccd0cf1e8d01dd4a35014051bcf30a6b0e273bcce93c072

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9abc3ed8029ded8d72b2bded126a6af9

SHA1
e8b9197d92308151c86a28b394d26acc7511e048

SHA256
0ff14c7571630756bd9ddad91359a76a3248b51147a4f12ac552bb814aba0924

SHA512
929c92c79bf8fd96719e9d9aa28a89540b64ab60c2b912aa2e4881c392d14dd66bdd4a18f73e6eb36b85cc82f888f2cdb97b06123585da9684c62677cda2b2ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
8eb5eab27473e2872497f1a17b7f165a

SHA1
fdbb2c94a3ca388a7e6a7833856fa42a2481d59d

SHA256
d626d641286ba62362b8fc7290bcd70e4c2691c6d49e2ca5ec5ce3670d9737e5

SHA512
36afdc1d699deebc3a3a03d5871ccd2b1b92265e4a76bdb58c06120634d77a1ec670a84e3b584234dc0938a09b5ea664c6a104f1d6252837aa6bb3bed0ea08cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
f7f4afa433b7beb13d1ed113511f4d6b

SHA1
eb11b0c0fdd0313b3ef1fbae66edcd3f1a154913

SHA256
828f639ae2e5ae53d7fd5a46cc95878ec99317dcdf56f5cd4266eacad8001e85

SHA512
30b17e755d977b89da42b09fcfe2fe75ef756a20d61cb1fd7812d2431abd579aacba682121561e66bf11ea80bff2f5d2ad69b3a49bde0066645be8bd0ad21099

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
9546fcfdbd52a0554f34ede7df764cca

SHA1
f8d10fa1690a9d348ce67eff3c3b607d2ab6b2fa

SHA256
44730774a507e624861d10966230607848d763c4eaa382c9d66ac9dd0d4824b5

SHA512
d1d05f85c50202ed8fbc05af01713b1b6b5998dc44365d86118df90db6e82a8d857ca6415448c42c194f1ba675468ea1337db98a3bce5c7462a589bdf0641289

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
125KB

MD5
8a22354e6dc8ce2d02a12212a76ec2e4

SHA1
14fabcf4bf4690ea5a184af0a963a29877cab98d

SHA256
9401680447ede9ddd2d389dd7732d4b3f9ca0d288aa9c732388c67524172bd56

SHA512
6c1e05cb5540b9893b116bd889112955a50055c5124b9762f105d41f8cee49fbc6fd84028943cbaf77ef743afeb76b501aea8a52654cb1c3654fc750046b30fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
125KB

MD5
edf0672f95d3c0b39bbda2d8ac0b9195

SHA1
3e311c01ad1d71ad9d4978ca2adedb89f0e5935f

SHA256
d2b55b7a5a692a283a824f40c0b2204816a80fca0e721ee3c0d19c75dc1073b2

SHA512
9cd255ba3fa838e80231c23f78b9501dc77236a159dca8fdf4654aa6eb9c4b1d3caffd6a4f7470132bf57446682dbf742da6aeb4b395d544c415144535d9b984

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
125KB

MD5
5221eec3208dbb1b8d5327bbba5f48aa

SHA1
81949c6b4db7cf6c9067255ec79fa5a3fb86e179

SHA256
9d05e8bbcc3a4cbac6f1c16fd2dace972c4af720fb94072a165175414801f4b3

SHA512
a068f9c94189fb8c3be0e281358128401c7f3440f4b7796529d6c8b7bc960990933e6a07e91759eb941e55f138192c0505230b2fdb1a1643923f61eb1365c15b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
4964d48672520fe7ab79535cac81b755

SHA1
3a30e820cbc6df51f2be44908d424bb5d22bffc4

SHA256
a50ec71c4398c140ae0da3e3f90293f91f4f30432855b28b0f8886a580e25585

SHA512
1764e43a38b42a881ecef7a6ff32e298b2b05d56cbe71835f0925e1a4ace950870ebf92ecb0e50fd5fd2092897d82f96b3bcfe542afe9f1d0996e327ddbd2aed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\segmentation_platform\ukm_db

Filesize
28KB

MD5
e30be7bb4f934c2ce021bfcd7ccc83dc

SHA1
9ab33c38fc40dc2a730a90a8b461bb462063fbbc

SHA256
489e565941bf4f5621a6d7de1c0de6f7f16e8b1fa7d38d38c8dceeefb521dbb4

SHA512
47684adf821260fcb770e5e5f4fa11eb816d5440540dc7e23e3aecd1904f4f0f0b843a73b949ea6c1fe8cb137fd24d38bc3de6ba5c207bb46bd98563310d8a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\segmentation_platform\ukm_db-journal

Filesize
20KB

MD5
f7d1f64ce92818fcf026bf7388495e8d

SHA1
c7dea21700f5ac79c75ffadca3e8b77037766f1c

SHA256
e84d907934e61b57734405e074f68daec216bae35575037e7b856047520a8d76

SHA512
8996851563f20d55683fc41dd4c0f0d212b166d2442d79e5dd7d9acb57356f770b7d1b1233b4130e8888fd3cee22f832138ba0a0506cfa0dba8dfd1f06cdbb89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
65e4ec4ac6e46cd0089677aa7d21b6ac

SHA1
3a4a960c8c4124adf7d4ae172dbcfc6bea04e9f8

SHA256
642f9feb6154979ad1d820c4f06528a68f22beb3d68e7f6d9f6effeeeca9d373

SHA512
de864963da030d132b366a466c71ac9a6349c505ff6323698309d31bcc85a378cf9a1e3f0252dd99f52ca1bfb45b58755905d7bd991ff540055a406d00905589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6b9ce6bc1a88163282c78707a8b925d6

SHA1
fda0231f975424726b6cddf7352f61bf4b8b1545

SHA256
b6cb26b9adc42bf4160b174c05ed54f0e313973644470651a45de470ad87814b

SHA512
31aac5ee39b3f443f4adc6b1b9d5f846124b521c80aaf31ac1ddf881c9a551649ef6244bdb8554a39d364420634b6044b3cf27df7bcbdd4f889ef7f870a51564

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
29KB

MD5
fc3fc31e5e7c0933dc18e562c1c071bf

SHA1
a44c31323f6bd29e583cc585036e6eb39f7014a6

SHA256
ddad766fb94b23efeb5574cdedc5e8446d496fb91bd0b08cd80be212e001055d

SHA512
e54f561241404a5fee5b5a87044c28d9fed16bdc7904324cd968d80456be465ac3e6235fe1c82f2181c2da1ba773c89a13b2fa333de73c1e7f693983c330882f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
26KB

MD5
f88b7516d48931c6c5e1eb106552a722

SHA1
2e4216515a3ee4e1e655beb78ab5ae6bc3004d6b

SHA256
f2077ee3064c809a510b1ab40c9df0bb97701c6c65c3574f6aae641735577d60

SHA512
4833298d268708de38f9b748fe0db0befcda7d94eb28183ce782a604fceb97fa5d60da71c07bb5d4951d695f14327962f8cec2e8e4e58395668b7cf77bd53811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
85KB

MD5
64bbc7cc794455aa7116d7ddb58da7f5

SHA1
aa9a03f4fa02ef2ad631759cb8ec7442f4e69990

SHA256
8de0f350739f230ce649adcac3d474dedc83a2fe90d48711407ba7ba2c049595

SHA512
69f02628d10806d488d89d75ea860a174843789e3fb4cb1982dcfcff4b0ee90c743315ae9117dd8140ae9d45d0424ea5276f91e1e2696fafa3d8004250229049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
66KB

MD5
ee07c7f28de9e54613bd22b5b4e0b6a6

SHA1
a9383e8e03840325c239a94612e90fe36c6b45fe

SHA256
860956e659664f8f72b7dc852a0dcc5f72619a25eea7ffe742ea1b6382da3151

SHA512
cb591fd682cb40e599386e131f70fead6b7e70074cd2229f2c30fa718bd115a20996ad8b1c857ebaac1858c5cf007ba5c3e78536036d42d137d18a76eb192d6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
20KB

MD5
167f07d35c1fbbb38741738cacf98726

SHA1
75e6f019d9c1a16a511b84ee44b64b341746d734

SHA256
27b7438871605e40969c225602d71db7d244ccb4124febe33950b5aa6b6bbbde

SHA512
f5289fa5bdb085d15983c8659e9ba91941ae3374233573f6e1f911cc4b7e5ba60460b4b13b321d059741ca9280bd81cad149c9b139c3d908516b387fa4aff782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e929f62e4bceb93bc7a3211de403b880

SHA1
cbadc530069d2f303fd5cd4690adf1a312174820

SHA256
092f371b483b332c9091691de74c71507087d85654770622ab12522de38c2d38

SHA512
fb2900d473b65eadd3c466f2793513e873482f434895301cc76776e2d1f33a765e390835a1f894eaf7b16aa92944fa7a2e93854d3e604d984d20b2002ff1b055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
59dfd3230926d3be89be6119118e3386

SHA1
5ccec7b10d4cbbd7de6c25ab3e0620a612c68da1

SHA256
cc43722484c74eb0fd4f86ab5dd49b472d2c9b7b1641bdd324becec3bd3fcf93

SHA512
bb43cd5d3093e80334d23cf3c786954aaf5b3f9497174273f69381e59549a1a66ec7dd96c97e461a1e4550599d982f4aeaad89709591afcc9440218d719184bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
81a334a60f5f57b1a6c13d986fbb23f8

SHA1
e004b1da440d8a81102d447444fe728ba6154de1

SHA256
261510772f845735cc61f129943046f25218d844069e9a95f3ef879c442aa82b

SHA512
d77fff01b62f1d1e3cb213d6d32a32369389c34eb565e8d7c8c63d09a291424f59252ab843d64277dd417809b9a1227c2441ed58fea2bc132dc6e55be3b9d807

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
86b71cc36fa9added27416e267421ae0

SHA1
d13f93f09ab18e43a4c97f422a25c495c30329ac

SHA256
b5bd0fd9d5d3b79093193fe71195e9fcb6ef831951498edfd04363ce7a8e4761

SHA512
63fd156d33494de131190f330a76b91374de5ce61e6a1904a5980876d761da680255369b1bfa4ca20a43721cf19a71ad01c49c26e4c0e45e4cce87d2605ecc44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eb597b4a000f2beba98dca7dd268cb80

SHA1
f2d567f4082717189f668ecd9b266cb15914a4b3

SHA256
93597d20f9167a0f9315d4f2caf479aa2f6b82167bee448611d7c504cd072393

SHA512
dc757a01f1acd8b32fb23b4f1a77ec92dee068c97f9db313ac2e056ac0df377187b81a4407f96ee92216f24cfaa48516d0717d1bfe85baf61d36cf6fddbb2e95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d031d0084fb904d2f6e6d173c1348bc6

SHA1
63405ef679fb5f80c71654c3db647177407e1afc

SHA256
e72fc9d40c590118a817c5ae3e7f6aff53388986444bd766890b219c698431e2

SHA512
d3dde8ea0c79a0e7155b9881dba0287357c78ea07e8d1d617f4858f397c90aa3bd7ea3bff9e33be92cd8ac02e7d1e1e8495bdb9a97e2ce3af132c6b948d008d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
cfa3768a76f0138d028899eb92436779

SHA1
408a70b937812ae4d6a93ac25e59c47c8988fa5b

SHA256
d7d245d62308e8ac3a8bdde7f526394ca7ddad85e81dc627c8459ba1841a2e28

SHA512
ee9d99fe30cdf3c9ca3ee2fa05e80ae86ef6d16bab4e882e60eb0445f23012c3bbb651b52d59f7296f19f52e147c6f288b87a18aa4705e1c075daabc743f98c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe61690a.TMP

Filesize
48B

MD5
e9a08f02dc5db05c52dcf5484358ff2c

SHA1
6f3fb3d96b8fec28c826f862002e3ef25e83daaa

SHA256
f1e08ed2601f990ab47fd96dac30a720a6df62a537b4a4210c22a3c238cf7c52

SHA512
6b831963c148f19763072c53c83cc8e8e04581936df15fc57c516efd61af82ae5fcaf80bc53afd6d9bb9aaf2593493dd08378c9484a69ec9aa0d3c356d18637d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
46d4dea452b4e93e6045139891b477d6

SHA1
0106f5d5a004931f5002bffab4deaf2100f8a80d

SHA256
96fe056eb08b33d94632e9ef6cc4ea4479ce2217ba8153ebb3984a713c4a3931

SHA512
abfc3c9a087bc18dc193eddfc3a02f22d6bfe70212ea3b110ba31440d282b87c1329315dfbaee457e3445518b426ddf243d395e34b8141933902e01d52ef998d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
adb5f2740c3100eaad7b82ae20501608

SHA1
08c4de8baa58917f4bf5376d297fd6a3a1b2f426

SHA256
1545747c992d3815b109ce8995a0840771473d9b02f2875aa52a095dcbeb703f

SHA512
fd7e678c35ad30b0ca728dce7659deddea5f4b9b3742bd51e8955f77ae1e15dab42a8a26a070b3c339fbcbcf43c35f62d3909e9b552e9645fc8180a1d049b583

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe6146eb.TMP

Filesize
538B

MD5
3540de7fdaf31fe9c8e4c415bee6420d

SHA1
bd0b523b43eb951881e929579db0df2b38538d42

SHA256
6f686fa3905d9f59d259fbc2c9ffbf1df107ebf99dd7a5eaacbb98af9aae3dff

SHA512
801efdee86d31763b5a0bf2e077f47ad3ec5d6cc9f88449e85af57fbde4aa7505bd71bc1f43169b399546632815302244564e9052a0dd41b1dc9600db3cb26f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d67709af8e2f7f384ef33800f9671c0d

SHA1
2f0cf34637273ca7615efedee7e017d9fdef9438

SHA256
173932a7976c4786a7c96285cc40fcb4c6b1dd3e1e3ea3294ab45b67fc2843f1

SHA512
876a6138956d81635a6939149514ad4dc5fb63429729e45cf984812a55d9d6eedc30d7a2a6638508d8dbcce5eca031ee7527203786283f6689845ca532a1913b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
557235c46544ec669c92d18738447ce0

SHA1
a3f5ff3dc9b1bed3a964d02f74f6dfb58a0a2ea5

SHA256
c19e4d684128c91e9406e521740d15d7f2a737eca7ed4b198f65800236a95f20

SHA512
b0f27b52d30bc1a41657c63182769f9fe9ed61581f0eb231e797c0f3709e62972dac022ce84326c41e7fc1c4bed833eb9a4e308989d93b2ffbee9a2f431aa924

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6176f8c14e879eb1ac4d950d612b1383

SHA1
2b347134b063139dd126593b82c5ab2e9e43ec90

SHA256
b6a9b919a1a95a57de1ef650f101a5dcc48ed91838ced475bd9c499ce710c3ed

SHA512
96a19dc1aefcf4e54f12a71e586f3c8a709811fbd2e363fb26124088eb4966628413eea3cbb6c7606c4ed3466bd2bf1d6e1612a1bfa05421f9f6c83f0701f04b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\858e1d37-9c72-4fe7-973c-f9d038a22974.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4868_346736614\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4868_346736614\f772c7a2-dcb8-47bb-bc59-c26fefea975c.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{249B0777-F0D9-4E5A-85A2-DE6D67ACD3D0}\0x0411.ini

Filesize
6KB

MD5
b78f07373d168465f0aa26d5ea33fad0

SHA1
8d4d8e51a3ebba5c9f8c4b6f3e97365c1b977915

SHA256
bfad93ba3d071fb85c774510a3932fdde7bd4368a7e9eab23a1eafe156907e05

SHA512
51d7094f1c933016f723216abe76d3286fa75c543bb8c3530d52c666475ddce286e93bdb7ee04fa2dcd0bcd0b9337c7e81f7df8d3b01bd9afef1f9b52c0ee94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{249B0777-F0D9-4E5A-85A2-DE6D67ACD3D0}\Setup.INI

Filesize
1KB

MD5
4bb5271289b22735b95ac8545ce4386c

SHA1
9d4790f878a4902d326276822694997c7da2005e

SHA256
6c2512aca15b2f536270e8f368d4b360b66aa042d885fc5bd8962fd7627d77f1

SHA512
ed63a848fac7ae8feda71e1a4dbbb923e562be64b2dc75534c92c894a57e2f654e41730c51be57611e8f3a9bec4ca47856bde3b020b4b5321e735a73241f9236

Download Submit
C:\Users\Admin\AppData\Local\Temp\{249B0777-F0D9-4E5A-85A2-DE6D67ACD3D0}\_ISMSIDEL.INI

Filesize
11B

MD5
3fdd2635aa94921522af8186f3c3d736

SHA1
0fe63553e9f993c0cb2cb36b8cdcfba4f4a2650d

SHA256
17ad78845c9c6a8e97a5bd14be56700a51ee85867c979ed6cf538e1fed82cf7c

SHA512
ebdbeefbdc777937fce516a1cbd9af7c305fc242091d695ad919a27c98fac5b6b16b44130bdf97dbfd10561cce701180b1fbb303d848944c3b33b8a3c058653a

Download Submit
C:\Users\Admin\AppData\Roaming\GamenNow\SSCap.exe

Filesize
790KB

MD5
9f8d7d3b160d8dac6828814c666d96be

SHA1
3765125075f401f98ee97cf7064350463595383e

SHA256
39e287eabcf6158385ae88276eeb6b0f1443e6b37b3a5aa840ff85617ae475c3

SHA512
a9c09e3ec6016a13cc5d82eeebb38b111f2732f29de0bf7c9296a277dfdf2953fc40e7ed027953c7048145841eb63c307196a94a081fd972c34b068dd120078b

Download Submit
C:\Users\Admin\AppData\Roaming\GamenNow\_server_response.tmp

Filesize
100B

MD5
f08a12a90635deb821750ee278703f5e

SHA1
47a9ee295c653bafc79b3e0190ec81e1cd29f05f

SHA256
dacdefd67ef43357c294a50185de1e40c9908f8d1d1925b675884c51c963895f

SHA512
202e3e2cec5a905e64cf6a5de3235f644aad152a5b63fd2064ff25a3b49226ac97f1c8243fed16d9d85fdd1b26da8c97a9678dc36c292b09b008e25bf7b8d790

Download Submit
C:\Users\Admin\AppData\Roaming\GamenNow\download.tmp

Filesize
848KB

MD5
cb76eeca0202d90bcded31544fbb74dd

SHA1
163cd2a79699f5e8f6a665dc8a4afd1726e8f0e9

SHA256
48930be9c17fb37fdaeeadb7afb7211ec0f9cdba0a796dfbb7bbd850e7ce9d34

SHA512
5150df49d43d826d5fa890b8f76fea0b8d446704801b809b396646f36405718964cb068cc4b652ae2334316534b37db17f9587fb20e2283e2f6e0bdd22b65b07

Download Submit
C:\Users\Admin\AppData\Roaming\GamenNow\kukuluID.ini

Filesize
84B

MD5
4ba3b9a9eb7967bac32a4f5f691c2926

SHA1
d3dc5f52aa185dc8e437cc06b92d3f4fb0f4da18

SHA256
d212dcc0e22057d1a93e551402642265828cd95f41ceea1959ce2432a9602732

SHA512
626b43fefdf00f276f5a2e76ba49531d97b8503bd718d6ecddf60645cc75c950608900e3f2868f33f5ce6a9e4541ae5d8977ce11f42c96e6b36a3b3995560b43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Installer\{24263341-DDFF-4DF8-A62A-B85C639BE64D}\ARPPRODUCTICON.exe

Filesize
344KB

MD5
c12bfaefbba6b990c814f697414af8be

SHA1
8cc34390878e991574604420af2ba11c3ab21b07

SHA256
21ef8bfa666ce769b7db6763b2aeaaf1ae7cdf3a2b4cc9c17c9f7a9137be456c

SHA512
711401b6ffbe8b8fe2dfa729b93bb8f4ced9aabd43df07317051d74e3496f4a10dbed35a26a7a23fc649ef1a2721d21e632064bc5bf2798b528b433df687b946

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Brave.lnk

Filesize
2KB

MD5
9eb3793505cf1db718b17bb446beff6d

SHA1
ee847157c58b54ca7e7b1c102c94e2549075304a

SHA256
c067b0afc8e935a7a383599b3a209d96dcdaf5a2a63b2901380b49ab7ae17020

SHA512
75080050d227af8acf518586ceab72615f30d470fbf78566d7e82ae8360cc5ff21f54e64eda763245b0c6137ed9e0f93a31f01c4a3665dac491a419e2f7ab613

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
347B

MD5
7ec2fde39b3a0ab4369bd39060c97c1e

SHA1
0f68bde183afbc4a7c93e7eafcdfdd72353a7fff

SHA256
c903e5d14b74dbedc77a6cb6c2e2e3cd04945e0fcf64e2f8f6ac72e36fe62862

SHA512
205a76aadbd4bbd3d0dbb55c68e5d73d425b5109285c304f4f4e5a82e69dca179cc73b01a5387f38a72ea36aab311a0aa6087beba7e24b72680254d4170ffafb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf

Filesize
304B

MD5
781602441469750c3219c8c38b515ed4

SHA1
e885acd1cbd0b897ebcedbb145bef1c330f80595

SHA256
81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

SHA512
2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
498B

MD5
6dad9362c473438326f37814160d657a

SHA1
3c137404bc2263d0eb0cbd6f7893952490d76b35

SHA256
95ae84e8b1cb583852152a96c84922f53d701c9fa070e6da15db5ec54b01ecfe

SHA512
d2d4ed8649ee4f59d4b0d336e6650629dcdb8f1e3e07d6cf3cafc9a52700e1bfd0a3961030d03fc6e200289e8fb75b94b1b8e48f2bfca2378b759e549b3fbc0b

Download Submit
C:\Users\Admin\Desktop\AddMount.edrwx

Filesize
364KB

MD5
cd5b9a3b5248b2ee88f9be2c4a446410

SHA1
37efabe50a52f1871b6c68cb35492438cdc752ea

SHA256
e2f776fb56de9d7faade7dde0e4d9265c32a064b48ce50c5b3b1860c12260831

SHA512
6f3a7691d9ee9d6d23ae12737c2f3addd1bfc308eee8832da9bcb0c180a73acd71253d2684a2ace29fbfdf8484ab3c25c45e449c5bde8bf968f212a0163164ca

Download Submit
C:\Users\Admin\Desktop\AddUnlock.MTS

Filesize
692KB

MD5
d3b4e2f811b705f79aa4918fe47406e3

SHA1
432a65ab7e629c464ea82154c06b4c976c397b9a

SHA256
855c88a135f530b9cb1f1808bfd25e7d214dfbebec45510dfa28286f74c9ab5a

SHA512
17c40556af867b7b49ba102b89cc7b1721651461e5b7e2c5a6c5d040e38d0440433db1806596de6b4c4989178de5c717baf8cae457c77c44c54aa45c117b66f1

Download Submit
C:\Users\Admin\Desktop\BlockPing.xlsx

Filesize
10KB

MD5
878e6391a91ae200b76e510c22ef0e91

SHA1
86973d6ae11c340fdc97e3852055082bec047855

SHA256
f00646f28b9b450561baf35a76382dc3df9654d1c4c5434ee2158ea69da25580

SHA512
a6b37d1d5a69f17a6122c8c1602dd4d480dfc228e95181d02624955bbc9e24c07f1139dc300c79dea585a4ff25a183034b90b6e635cd31662e070aba1aaf4d30

Download Submit
C:\Users\Admin\Desktop\CompressSave.xlsx

Filesize
10KB

MD5
d18d42db4b912ef62d5bb1b16425ec40

SHA1
59a37affd61b859abb5060f67afa5a2b8f495b1b

SHA256
982e06fa831ef75ccbb992d23f888c5be9735afc5a45eb23d79cf98a31f904a1

SHA512
779a24fa9fc7066d34b86f5ebcd5b1c278321fa68285b5c4f67ece63734e9695f44562a3aacdb8e710c58027ad04729a83291e402d815727d25b923d775d0ac6

Download Submit
C:\Users\Admin\Desktop\DebugGroup.ini

Filesize
742KB

MD5
5d8d2521f96efca3abb0e06818979478

SHA1
44d1d9d0627b5faa5610489b497021a8fed6bf41

SHA256
f3411f4d3be7e9da7f83a0c96bd9593889788689aec1471ec004241ed2cc47b6

SHA512
b9c3e6b2bcbed81d5aae0a9956d83280e47513a51caddeecd55a791826704ca6aa66fe9d9a21e4d18ccca7b59c439702707c4915b4c8aeb0cd0bc1c7af862ba7

Download Submit
C:\Users\Admin\Desktop\EditAdd.js

Filesize
591KB

MD5
afdb8148b0333c2a4e805d91a410e23a

SHA1
af83612059db9b174961cf066613b59dc30d82cc

SHA256
156bb1287bd4a0ac1f91dd5e2bb14116700fd8cb9d867dde63229617dc61e26e

SHA512
a53a9af731eaee07fc428034422a50f2ecf2a64c7607e133c9d18615dbfc618c7e53efb2293310db408caec80760d886bd53711d22f770e4e093394a692aef40

Download Submit
C:\Users\Admin\Desktop\ExitResolve.tmp

Filesize
314KB

MD5
38976cde311ebf0f66b6056095f02cd0

SHA1
2bc6199437c900253841a7384af150e03e1db3d4

SHA256
9fc9b9deb9d7a51a189a6d5ffe3afd935598c032d13c0033139629d39d239b99

SHA512
c4e1e1c15411a24c2bf89c3fe49b753b9faa543229659a37fcdd16af3e287c3bea1a2206694b143646a4b77b7a1548f2341f085e5d0c67009205b61c61640943

Download Submit
C:\Users\Admin\Desktop\ExpandUnpublish.pdf

Filesize
767KB

MD5
578a62ebb5e95373aabdc5507070961d

SHA1
0445f7476c99d98c876a202fee9b0775d31680df

SHA256
53e884be74fece9989a7de5966ba2d404fd8713f9e4d71fcc75314ba77db6a9b

SHA512
a88f7b2237d2d1f75bcf165f67bfa9521cff9b6d72e997874be4e3e134e6cc57b4cce17531d392dd1308a95e8f57ac022eaf05418dbb83e928c3d91e23c05442

Download Submit
C:\Users\Admin\Desktop\GetDisconnect.xsl

Filesize
289KB

MD5
c14ae14f4c2406a802d6c6134a8f6621

SHA1
a917f187fab626a9a33b467a8397c408700c6962

SHA256
f3efdf90a31906c8d5b1f8359c78a1777de48bd70adcdd1253f9da78040fd47e

SHA512
76d23757f94ddc05653d345cb5e28c7ade35f03e1a101c31dd86aea6fe5555f52c346b117f6ca6ce93e81b95ea3dc3fe9665d86d4bce879d0ee2d728c1f4fe3d

Download Submit
C:\Users\Admin\Desktop\GrantRead.xlsx

Filesize
10KB

MD5
c0e382b9b3f1781d10e7c96750b693a8

SHA1
1fb2fd252a415725c87c31c48c1361427492ad78

SHA256
444c6b01fc30285796455c432ca40efd211c8028de53d1bbf0fcf976c9865f6d

SHA512
4c41d4fcccbac9605cca8d33db98b3c7f1a8796fdf0ab1533c8134fe1ea6036d48b2ab3190e8f92f30af63bf5ccdb94a4a3739be0a2cd7a0afde3ed4d684dc58

Download Submit
C:\Users\Admin\Desktop\OptimizeHide.txt

Filesize
792KB

MD5
4df6651826b3a1ddde1f9d7d5a663562

SHA1
dd0cf7f5340f56bae30c99ffbdfb75361b553004

SHA256
5df45eee0843546d975a01f5087fcd3ae404635b189ee93484344c34481a0ec7

SHA512
4e6697d526102dacbab8a3dc3a9d5b77216d47535f2b37a80cf00970a184f7d0b22cc1fd4042aeb69477133f81b520ae0bfc7a2eeb5f1fa550a2782000db8984

Download Submit
C:\Users\Admin\Desktop\PopUnregister.pps

Filesize
490KB

MD5
417d9789e50489a8c051d1cad2be5cae

SHA1
087d28636cf11f2bfdc817f6770885c67a806372

SHA256
cc3ab69da3f1da4e5f38cf0b00b9f1a0f084fab8d033411e7b70f99282473de9

SHA512
424c8853dff3da5ceef79e7f1b3ee4f03e2a1afacb2cbc2d2da64a10ded856a69abb79d971b6f2fa3e3360fef554691891e8ee5ea404d6f68a7d465f36c1dca5

Download Submit
C:\Users\Admin\Desktop\ProtectRestart.wmv

Filesize
641KB

MD5
50aaf252c1c18a65ab2f5d5672011cd5

SHA1
8bb31f1ad299d26a86deb95fe5c4eabfd62a3650

SHA256
5174e379ee4231612a897be5ded211b13f9b94bf6a176a49f334ab7c7c4daf3f

SHA512
f2ac23bffabe9318d5295437ff592a36c8f944acaba69ed38353a9ad2f58418ddac4d9ff08abcd842baa30cab5e374b04c9da1ab3ff4ef7f7227502690b4f0be

Download Submit
C:\Users\Admin\Desktop\ReadImport.xlsx

Filesize
11KB

MD5
e93fc0da7faa4e682ef5d8c195787714

SHA1
ff367d70eb0eff94394731f610a8f0f9c8020dd7

SHA256
93b5d50803098085045ad7f2d3a9364bc03a8b9648f5fffc67115cc34165808c

SHA512
51a72e038bd10c4da83c064979559af5c803cd5e9fcea71a2a29cd5ce6e68876ac176273d5a33b2fc0610b08884704fba6549f5d3cf4bf3dc5a392a38955864d

Download Submit
C:\Users\Admin\Desktop\ReadTest.dib

Filesize
616KB

MD5
54febd9cc7e4830dcf9566455a6b0877

SHA1
07e44c6de1a03e8d35d2fd9a14ad3a5cdf3e63f4

SHA256
04e5b9165075a02cc53696dbc0ebb28ecd18b91cb441f719239b040a782eb794

SHA512
71db1f2a268dfe4b439654ed1ccbb738788a1a75709657b62efc712425858c2aad324d0fbf646b1dbe9179c059a21147546171cc69326fb2632a4fa57578eb75

Download Submit
C:\Users\Admin\Desktop\RegisterRevoke.mp4v

Filesize
339KB

MD5
9ebeae046c299e69088b6fdd456c6f44

SHA1
3f23f11e7cde08d03256e15d89ec38786727e7a1

SHA256
3ea0d5b76483c0993461a14a7e2359a81e3b91b8e6588bef0e1133789a63e7f0

SHA512
b36646cda152b81ed6f177e11340af8ccea1d351050da316bd6d8165688e42d621e92d24bf5001007a919b0100e7d6aa92256fe621ed6caca7a2e59de0b3b53f

Download Submit
C:\Users\Admin\Desktop\RegisterTest.xlsx

Filesize
10KB

MD5
15fa2ea26ac4c8f1c72241b153aa5efd

SHA1
1973b5a325afbe91af202aca8b2065e16e7c7613

SHA256
a6ad6458909872e0fb0d53faf53953026a7a62180538a179a8badbbaac0852ae

SHA512
1d37d3da79e4765cbfec6bf9f0f5c3d8279a5d991e7896c4a385343edb020cd5a4290614ad33d3fbab56a0a5387ed66c8f85962b75bfe0ebd03566242aac6a2c

Download Submit
C:\Users\Admin\Desktop\RegisterUndo.mp4

Filesize
817KB

MD5
a9e639ef8fc4396513c790d39b898524

SHA1
1be64919b89961d3ffdcc75cccf34852bf377ffc

SHA256
a0e788dc4b298ac5a99cd7e5edf3e8ff873b0942400413080db7815d720e96cd

SHA512
64f5abe0d7f7d6c39d6282c81b5d4c5c84bae8f8edd3636a006d41464ad8a9e683fb5f1f59a8eb5ba393a87893e9f0442fdff935a660b0d9bd0bda8ef9e93826

Download Submit
C:\Users\Admin\Desktop\RestartExport.txt

Filesize
566KB

MD5
b33de0eb1276abc15a5f6fc0a401b249

SHA1
cc54eabdcbb61bd2869bb86262ba68b4d537df5d

SHA256
ec2f62e5a98d52f153c7dbd9ca94ccb1f005b69494077cec975a4da05a27364a

SHA512
abf083906b25fed2437e84a22a7c2e7c35981cd4fdddd4c10f2f77bd721b93080a8ea7e2bfcdb3a2fe6e5458ef49f8fc98fb816f78cc0b6628e60851c7d4ca87

Download Submit
C:\Users\Admin\Desktop\RestartMove.exe

Filesize
666KB

MD5
90687e3fe4e6094432d662c46237884b

SHA1
49e8a148a6b4823fc081e5139101f6d339908fb9

SHA256
b469c2f0a2b35d8494495a01c2f63e8e011c58ae574aa1ae0589b0de212b920a

SHA512
0de58b5357a9f1945472c2128c66aacf179981d0200cfb98076305e5bfbc5392c328b98d1a8dc9e6300a3402172dc2e4bd56b62988d943388e2ace90c0906391

Download Submit
C:\Users\Admin\Desktop\SelectImport.wps

Filesize
390KB

MD5
921f20630f606519ac7dfe745d72c0ce

SHA1
628a4505640ba3429e99b65a5e06ff7f4aebcbaa

SHA256
8066305506aa34f2216c6740fc0f361005cec1788810103c575d5539178c6558

SHA512
2e581d63fa12a78ab62fa5ed9dd963b2ce8a3ccf81855f157e40f3d8714ba550ec48caba44496830c7e4f462bf841294da5dedb7d0c92c44624c6142fadb56ee

Download Submit
C:\Users\Admin\Desktop\SelectRename.ex_

Filesize
541KB

MD5
aff073c4d69171fb14ecd772ba99e8cf

SHA1
e44d5e0b4953e594dff12ea09f4712f4c5470c82

SHA256
69fa9e264f81472c3ba4efc5d671a3a6778627e966088fd7ed47fb332192ad51

SHA512
80b2274dc3a2f93f247b0d8c84760c0aa0f45b3bd8a7e0cd5849f0d15fc62a7e7c61f404f35740e837d292bd7c10efc7dc6ba79d9ae2424e3ea7b5a7112a4f87

Download Submit
C:\Users\Admin\Desktop\SetWrite.docx

Filesize
14KB

MD5
0ed9abfc4a292dd8acc3e7f3fe75d466

SHA1
c247587b67baa8e01eceb8a81da22e3520528524

SHA256
d3d1ac90afa1ef1fb1e398e23c9c6ef56ef95051a9d5e30d4a40a7ab58335384

SHA512
b432fa574ca8d1d07bf754b8718a3a93b67005802bbe380d34b1e0cd71ed678e3d8dabbc10bf36eef946fb49758cf47f30f8adc3d2218e7a7da21cd5268387f7

Download Submit
C:\Users\Admin\Desktop\SplitWatch.rtf

Filesize
1.1MB

MD5
75b91d6dc1cf839b69d4def7b053df7a

SHA1
35d1f625b77bc04c5227c704ed4bcf239f9dacb4

SHA256
5b459c5cd9ab488849d254273aeb616f93e3f804301670cdc66bfa11b0cc3091

SHA512
7bce1ceec82be86037755b1648d72747ccec0e4c6ad9609d4bbeb6945019d7294cdfb379f05340a73f7e2b0834a12ab55050eb4cc62d0a9ce775fb8016cf0c50

Download Submit
C:\Users\Admin\Desktop\SwitchSkip.tiff

Filesize
415KB

MD5
6f15f396385948be81ac64d3ff1130c2

SHA1
1b7a363afbe668f798be4494bcbf69b99a2b724a

SHA256
c5eee65e28adf0da59028120e5f3767b352f6352c05bbf3faeda359f91745a83

SHA512
55d0373e83d6a6211dbcc34eff1266d678a355b9a6bad56a453864bac2280c669d1b3e1e890e6a2d013f8914cb85178553c1b99c46d70d4d974ff42244913f8f

Download Submit
C:\Users\Admin\Desktop\TestUndo.xsl

Filesize
717KB

MD5
3e90e16655bb66215e1165fe680f19a8

SHA1
98522d4befad4bb1e63714bafaa6912da59f0f6d

SHA256
45aac8e0b2bcb5304c822363dc1c1665ea9abf13f0dd250ac594fe06b8fafe75

SHA512
665dd43a266dd8a5ab206fdd1d8182440b0b3e21e4af9fe51b935a08e6c2079a19a60587b842fd5cad53dc72c66f7fb946d1d79118b03d1aefbb47d47abf84d8

Download Submit
C:\Users\Admin\Desktop\TraceCompress.ods

Filesize
515KB

MD5
2a945165081a015a1e139b6f6091eda0

SHA1
85c1a30c967e38f76a10aa041bfc1be4e1abee11

SHA256
6c5f596f284146b3cec4fa4c95a543790b71dc4d7ef6427433f625eee4186653

SHA512
c9bb19382bd4242b1534707a4ca5c4029d97e7801b8047ca4240cb23dc7c25d432c47d57e35da1ebdb91434049e881a8f85fe35b2b87e6d94b758942c7fad521

Download Submit
C:\Users\Admin\Desktop\UninstallClear.xlsx

Filesize
10KB

MD5
9f7b2c1746fa36e9d81d20bc80aba6b6

SHA1
81a9c19c630ac335fc15ebd404246fc280f470c3

SHA256
69713e04499941e9c28b9a4887a826c94582a7bdc7dbe96c3099c74943214c87

SHA512
2fc5d03f3473e11a2339a22009e2f9774f449d4ffb0ae738ac06400b0370f426b701f7a7f4ca4662b48023ed189a8203b3e730e20e0b03fab0154c2452db6f57

Download Submit
C:\Users\Admin\Desktop\UpdateExport.xml

Filesize
465KB

MD5
dcb593e7b55b7bde600f52981480e2d1

SHA1
c9ab6d46a3abe6860b0e56db69ded546cd23294e

SHA256
43e1984239cab6e3c4adc12212e73268a6779f1315bd16b6818fb10c981efc3f

SHA512
8452858638d4f33262bdce093bd451fd6aa2b519980f2b4bb79919d5dc50ddcd69243e9bd2e08f044b6215f24f70452fa05db6584548f0ea78ad5c9463e779d8

Download Submit
C:\Users\Admin\Desktop\UseOptimize.htm

Filesize
440KB

MD5
3f69265591499d0b25d514202cc31555

SHA1
c32b380e75d6e84f562d52a8aeff91aa4fdb63c0

SHA256
1b8b3186fdfbdb0576735fd92e70757f50957df0d41cef281496853561618d1f

SHA512
8b421aa160706f21721c71ba03ac95ca8b9fb7ad5fc969eb9527534705cc2bf1ecd81501eb6d141eb97b649d8ee9e4a006757437a05d2d4ce96cb711dd74555e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 315677.crdownload

Filesize
1.2MB

MD5
af001314ddeca9ea4a2895357942af6f

SHA1
f6c8ce26bca8ebfa05dcef5eadda31d9510b72b9

SHA256
49253949b9ea09a9d7e7143c71c2107a315d5cba8f463cd6cf67ae74e6c44bdc

SHA512
aa2f81a2c3f722f4484bcc4b1b7113d76d3c05be34b406003574ba51e6babf10dfd1a0b9e7496320cefd6b128a0a82443fcf7f644f77006e790fe7b6c27d6c52

Download Submit
C:\Users\Admin\Downloads\zblg.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Public\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
d2b0c71862ee2fa4a6c40b92c34f839e

SHA1
03cd15cd6eddcfe22a0403e617f34c1cfb758645

SHA256
711249a50e44ac9abeea67a0f14cd05caede977ec8441c5d5be43d27a4c27329

SHA512
40c2989de60cbeffc605a44f9ef4fd112ee0939b4fa4ecf5fc8332c1a1176f0a4e56e32f7150ed53d4f5749199e36e315aefd4a51d742044916cb8c05bdca745

Download Submit
C:\Windows\Installer\e602186.msi

Filesize
3.5MB

MD5
3e1a2132fb05cdb315f0e9205fff5d77

SHA1
97f64df3e5a2de551cb5b2cfb502a88b43ee8f17

SHA256
068a1ec913be6e3412156a8bd019a38607a51b149c13b303f144f117e6c34a47

SHA512
f950e05e2e7ff08237c7fbec1106a6e9777032f500c55a5dad523607b8aaa2df1c882c0d2db423d058c2610570e850501dd9a8d0854026b9588e23a7d896effb

Download Submit
C:\Windows\SystemTemp\Crashpad\settings.dat

Filesize
40B

MD5
412f0f1d3cc88c2a9408a7cdfee5fc1d

SHA1
1d252c45f220e65113ab8fec2222c749a85b27b8

SHA256
a4c84569bbc01e488e54e95731a77373e473349da87143218a30e50461e8d430

SHA512
e87bab6d80c4dbf357e36207533adcf288a68e6ac7a68dae25ccc3d5c37821b4450a73fd9e0b7fa3971d9b64ffcf0e9fa55770cbf28291c9fc25ef1545ed8fa4

Download Submit
memory/1044-855-0x00007FFA6C370000-0x00007FFA6C380000-memory.dmp

Filesize
64KB

Download
memory/1044-910-0x00007FFA6EE50000-0x00007FFA6EE60000-memory.dmp

Filesize
64KB

Download
memory/1044-850-0x00007FFA6EE50000-0x00007FFA6EE60000-memory.dmp

Filesize
64KB

Download
memory/1044-852-0x00007FFA6EE50000-0x00007FFA6EE60000-memory.dmp

Filesize
64KB

Download
memory/1044-856-0x00007FFA6C370000-0x00007FFA6C380000-memory.dmp

Filesize
64KB

Download
memory/1044-854-0x00007FFA6EE50000-0x00007FFA6EE60000-memory.dmp

Filesize
64KB

Download
memory/1044-853-0x00007FFA6EE50000-0x00007FFA6EE60000-memory.dmp

Filesize
64KB

Download
memory/1044-911-0x00007FFA6EE50000-0x00007FFA6EE60000-memory.dmp

Filesize
64KB

Download
memory/1044-912-0x00007FFA6EE50000-0x00007FFA6EE60000-memory.dmp

Filesize
64KB

Download
memory/1044-913-0x00007FFA6EE50000-0x00007FFA6EE60000-memory.dmp

Filesize
64KB

Download
memory/1044-851-0x00007FFA6EE50000-0x00007FFA6EE60000-memory.dmp

Filesize
64KB

Download
memory/1908-1984-0x0000024BE4030000-0x0000024BE4031000-memory.dmp

Filesize
4KB

Download
memory/1908-1976-0x0000024BE4030000-0x0000024BE4031000-memory.dmp

Filesize
4KB

Download
memory/1908-1975-0x0000024BE4030000-0x0000024BE4031000-memory.dmp

Filesize
4KB

Download
memory/1908-1974-0x0000024BE4030000-0x0000024BE4031000-memory.dmp

Filesize
4KB

Download
memory/1908-1980-0x0000024BE4030000-0x0000024BE4031000-memory.dmp

Filesize
4KB

Download
memory/1908-1986-0x0000024BE4030000-0x0000024BE4031000-memory.dmp

Filesize
4KB

Download
memory/1908-1985-0x0000024BE4030000-0x0000024BE4031000-memory.dmp

Filesize
4KB

Download
memory/1908-1981-0x0000024BE4030000-0x0000024BE4031000-memory.dmp

Filesize
4KB

Download
memory/1908-1982-0x0000024BE4030000-0x0000024BE4031000-memory.dmp

Filesize
4KB

Download
memory/1908-1983-0x0000024BE4030000-0x0000024BE4031000-memory.dmp

Filesize
4KB

Download
memory/2516-849-0x00007FFA8C820000-0x00007FFA8D8D0000-memory.dmp

Filesize
16.7MB

Download
memory/2516-848-0x00007FFA8DD10000-0x00007FFA8DFC6000-memory.dmp

Filesize
2.7MB

Download
memory/2516-847-0x00007FFAA80D0000-0x00007FFAA8104000-memory.dmp

Filesize
208KB

Download
memory/2516-846-0x00007FF678680000-0x00007FF678778000-memory.dmp

Filesize
992KB

Download
memory/3268-2256-0x0000000002480000-0x00000000024D8000-memory.dmp

Filesize
352KB

Download
memory/3268-2257-0x00000000024E0000-0x0000000002500000-memory.dmp

Filesize
128KB

Download
memory/5096-924-0x00007FF678680000-0x00007FF678778000-memory.dmp

Filesize
992KB

Download
memory/5096-925-0x00007FFAA80D0000-0x00007FFAA8104000-memory.dmp

Filesize
208KB

Download
memory/5096-926-0x00007FFA8DD10000-0x00007FFA8DFC6000-memory.dmp

Filesize
2.7MB

Download
memory/5096-927-0x00007FFA8D640000-0x00007FFA8D74E000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads