File name:

Brave.exe

Full analysis: https://app.any.run/tasks/7f7e49f2-c417-4c71-bfb0-45af5ee78690
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: March 22, 2025, 00:05:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 8 sections
MD5:

4E4C82586D5463D298CF16CDA5978BBE

SHA1:

4E42352AC32834B53346B47F7206C7B52CBD2E34

SHA256:

0ED2B6C373446E31C3AB8E424BE0783B7DC397B67DB6DBE29173271321C3F426

SSDEEP:

98304:Q5SWISjW2svVyxboNUeCv8j7F6ptO+p2fyke/N5:a

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • Brave.exe (PID: 7316)
      • setup.exe (PID: 8232)
      • setup.exe (PID: 5988)
      • csrss.exe (PID: 5824)
      • BraveUpdate.exe (PID: 8468)
      • brave.exe (PID: 8484)
      • brave.exe (PID: 8120)
      • services.exe (PID: 748)
      • brave.exe (PID: 4068)
      • brave.exe (PID: 2268)
      • brave.exe (PID: 5216)
      • brave.exe (PID: 5376)
      • elevation_service.exe (PID: 7784)
      • brave.exe (PID: 6184)
      • csrss.exe (PID: 532)
      • brave.exe (PID: 7824)
      • brave.exe (PID: 7344)
      • brave.exe (PID: 7648)
      • CompatTelRunner.exe (PID: 2092)
      • brave.exe (PID: 7184)
      • brave.exe (PID: 8000)
      • brave.exe (PID: 7720)
      • chrmstp.exe (PID: 7332)
      • chrmstp.exe (PID: 8068)
      • chrmstp.exe (PID: 7972)
      • brave.exe (PID: 720)
      • brave.exe (PID: 1676)
      • chrmstp.exe (PID: 7964)
      • brave.exe (PID: 7308)
      • brave.exe (PID: 5972)
      • brave.exe (PID: 2852)
      • brave.exe (PID: 7748)
      • brave.exe (PID: 9176)
      • brave.exe (PID: 2316)
      • Brave.exe (PID: 1056)
      • brave.exe (PID: 8188)
      • Brave.exe (PID: 456)
      • Brave.exe (PID: 4000)
      • Brave.exe (PID: 7104)
      • brave.exe (PID: 8400)
      • brave.exe (PID: 8584)
      • brave.exe (PID: 8676)
      • brave.exe (PID: 8404)
      • brave.exe (PID: 8944)
      • brave.exe (PID: 8220)
      • brave.exe (PID: 8336)
      • brave.exe (PID: 8496)
      • brave.exe (PID: 8784)
      • Brave.exe (PID: 5044)
      • brave.exe (PID: 8128)
      • Taskmgr.exe (PID: 4424)
      • Brave.exe (PID: 8040)

    • Changes the autorun value in the registry

      • setup.exe (PID: 8232)

    • Steals credentials from Web Browsers

      • brave.exe (PID: 8484)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • BraveUpdateSetup.exe (PID: 8944)
      • BraveUpdate.exe (PID: 8348)
      • brave_installer-x64.exe (PID: 8228)
      • setup.exe (PID: 8232)

    • Reads security settings of Internet Explorer

      • BraveUpdate.exe (PID: 8896)
      • BraveUpdate.exe (PID: 8348)
      • BraveUpdate.exe (PID: 8676)
      • chrmstp.exe (PID: 7972)
      • Brave.exe (PID: 1056)
      • Brave.exe (PID: 456)
      • Brave.exe (PID: 4000)
      • Brave.exe (PID: 7104)
      • Brave.exe (PID: 5044)
      • Brave.exe (PID: 8040)

    • Disables SEHOP

      • BraveUpdate.exe (PID: 8348)

    • Starts itself from another location

      • BraveUpdate.exe (PID: 8348)

    • Creates/Modifies COM task schedule object

      • BraveUpdateComRegisterShell64.exe (PID: 5408)
      • BraveUpdateComRegisterShell64.exe (PID: 8488)
      • BraveUpdateComRegisterShell64.exe (PID: 8564)
      • BraveUpdate.exe (PID: 8456)

    • Executes as Windows Service

      • BraveUpdate.exe (PID: 8748)
      • elevation_service.exe (PID: 7784)

    • There is functionality for taking screenshot (YARA)

      • BraveUpdate.exe (PID: 8748)
      • BraveUpdate.exe (PID: 8348)
      • BraveUpdate.exe (PID: 8896)
      • BraveUpdate.exe (PID: 8676)

    • Application launched itself

      • setup.exe (PID: 8232)
      • setup.exe (PID: 5988)
      • BraveUpdate.exe (PID: 8748)
      • brave.exe (PID: 8484)
      • chrmstp.exe (PID: 7332)
      • chrmstp.exe (PID: 7972)

    • Searches for installed software

      • setup.exe (PID: 8232)
      • setup.exe (PID: 5988)
      • CompatTelRunner.exe (PID: 2092)
      • chrmstp.exe (PID: 7332)
      • chrmstp.exe (PID: 7972)

    • Creates a software uninstall entry

      • setup.exe (PID: 8232)

    • Reads Mozilla Firefox installation path

      • brave.exe (PID: 8484)

    • The process checks if it is being run in the virtual environment

      • brave.exe (PID: 8484)

    • Reads the date of Windows installation

      • chrmstp.exe (PID: 7972)

  • INFO

    • Checks supported languages

      • Brave.exe (PID: 7316)
      • BraveUpdate.exe (PID: 8896)
      • BraveUpdateSetup.exe (PID: 8944)
      • BraveUpdate.exe (PID: 8348)
      • BraveUpdate.exe (PID: 8428)
      • BraveUpdate.exe (PID: 8456)
      • BraveUpdate.exe (PID: 8544)
      • BraveUpdateComRegisterShell64.exe (PID: 8488)
      • BraveUpdateComRegisterShell64.exe (PID: 5408)
      • BraveUpdateComRegisterShell64.exe (PID: 8564)
      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • BraveUpdate.exe (PID: 8676)
      • BraveUpdate.exe (PID: 8748)
      • brave_installer-x64.exe (PID: 8228)
      • setup.exe (PID: 8232)
      • setup.exe (PID: 8372)
      • setup.exe (PID: 5988)
      • setup.exe (PID: 5164)
      • BraveUpdate.exe (PID: 7560)
      • brave.exe (PID: 8484)
      • BraveUpdate.exe (PID: 8468)
      • brave.exe (PID: 8120)
      • BraveUpdateOnDemand.exe (PID: 8516)
      • brave.exe (PID: 2268)
      • brave.exe (PID: 4068)
      • brave.exe (PID: 6184)
      • elevation_service.exe (PID: 7784)
      • brave.exe (PID: 5376)
      • brave.exe (PID: 7824)
      • brave.exe (PID: 7344)
      • brave.exe (PID: 7648)
      • brave.exe (PID: 7184)
      • brave.exe (PID: 720)
      • brave.exe (PID: 7720)
      • chrmstp.exe (PID: 7332)
      • chrmstp.exe (PID: 8068)
      • brave.exe (PID: 1676)
      • brave.exe (PID: 8000)
      • chrmstp.exe (PID: 7964)
      • brave.exe (PID: 7748)
      • brave.exe (PID: 5972)
      • chrmstp.exe (PID: 7972)
      • brave.exe (PID: 7308)
      • brave.exe (PID: 2316)
      • Brave.exe (PID: 1056)
      • brave.exe (PID: 9176)
      • Brave.exe (PID: 456)
      • brave.exe (PID: 2852)
      • brave.exe (PID: 8188)
      • Brave.exe (PID: 7104)
      • brave.exe (PID: 8400)
      • Brave.exe (PID: 4000)
      • brave.exe (PID: 8496)
      • brave.exe (PID: 8404)
      • brave.exe (PID: 8584)
      • brave.exe (PID: 8944)
      • brave.exe (PID: 8676)
      • brave.exe (PID: 8220)
      • brave.exe (PID: 8336)
      • brave.exe (PID: 8784)
      • Brave.exe (PID: 5044)
      • brave.exe (PID: 8128)
      • Brave.exe (PID: 8040)
      • brave.exe (PID: 5216)

    • The sample compiled with bulgarian language support

      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • BraveUpdateSetup.exe (PID: 8944)
      • BraveUpdate.exe (PID: 8348)

    • The sample compiled with english language support

      • firefox.exe (PID: 7656)
      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • BraveUpdateSetup.exe (PID: 8944)
      • BraveUpdate.exe (PID: 8348)
      • brave_installer-x64.exe (PID: 8228)
      • setup.exe (PID: 8232)

    • The sample compiled with czech language support

      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • BraveUpdateSetup.exe (PID: 8944)
      • BraveUpdate.exe (PID: 8348)

    • The sample compiled with arabic language support

      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • BraveUpdateSetup.exe (PID: 8944)
      • BraveUpdate.exe (PID: 8348)

    • Application launched itself

      • firefox.exe (PID: 7656)
      • firefox.exe (PID: 7636)

    • The sample compiled with Indonesian language support

      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • BraveUpdateSetup.exe (PID: 8944)
      • BraveUpdate.exe (PID: 8348)

    • Create files in a temporary directory

      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • brave.exe (PID: 8484)

    • The sample compiled with french language support

      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • BraveUpdateSetup.exe (PID: 8944)
      • BraveUpdate.exe (PID: 8348)

    • The sample compiled with german language support

      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • BraveUpdateSetup.exe (PID: 8944)
      • BraveUpdate.exe (PID: 8348)

    • The sample compiled with Italian language support

      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • BraveUpdateSetup.exe (PID: 8944)
      • BraveUpdate.exe (PID: 8348)

    • The sample compiled with japanese language support

      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • BraveUpdateSetup.exe (PID: 8944)
      • BraveUpdate.exe (PID: 8348)

    • The sample compiled with polish language support

      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • BraveUpdateSetup.exe (PID: 8944)
      • BraveUpdate.exe (PID: 8348)

    • The sample compiled with korean language support

      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • BraveUpdateSetup.exe (PID: 8944)
      • BraveUpdate.exe (PID: 8348)

    • The sample compiled with portuguese language support

      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • BraveUpdateSetup.exe (PID: 8944)
      • BraveUpdate.exe (PID: 8348)

    • The sample compiled with slovak language support

      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • BraveUpdateSetup.exe (PID: 8944)
      • BraveUpdate.exe (PID: 8348)

    • The sample compiled with russian language support

      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • BraveUpdateSetup.exe (PID: 8944)
      • BraveUpdate.exe (PID: 8348)

    • The sample compiled with swedish language support

      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • BraveUpdateSetup.exe (PID: 8944)
      • BraveUpdate.exe (PID: 8348)

    • The sample compiled with turkish language support

      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • BraveUpdateSetup.exe (PID: 8944)
      • BraveUpdate.exe (PID: 8348)

    • The sample compiled with chinese language support

      • BraveBrowserSetup-BRV010.exe (PID: 7564)
      • BraveUpdateSetup.exe (PID: 8944)
      • BraveUpdate.exe (PID: 8348)

    • Brave updater related mutex has been found

      • BraveUpdate.exe (PID: 8896)
      • BraveUpdate.exe (PID: 8348)
      • BraveUpdate.exe (PID: 8428)
      • BraveUpdate.exe (PID: 8544)
      • BraveUpdate.exe (PID: 8456)
      • BraveUpdate.exe (PID: 8676)
      • BraveUpdate.exe (PID: 8748)
      • BraveUpdate.exe (PID: 7560)
      • BraveUpdate.exe (PID: 8468)

    • Reads the computer name

      • BraveUpdate.exe (PID: 8896)
      • BraveUpdate.exe (PID: 8348)
      • BraveUpdate.exe (PID: 8428)
      • BraveUpdate.exe (PID: 8456)
      • BraveUpdateComRegisterShell64.exe (PID: 8488)
      • BraveUpdateComRegisterShell64.exe (PID: 5408)
      • BraveUpdate.exe (PID: 8544)
      • BraveUpdateComRegisterShell64.exe (PID: 8564)
      • BraveUpdate.exe (PID: 8676)
      • BraveUpdate.exe (PID: 8748)
      • brave_installer-x64.exe (PID: 8228)
      • setup.exe (PID: 8232)
      • setup.exe (PID: 5988)
      • BraveUpdate.exe (PID: 7560)
      • BraveUpdate.exe (PID: 8468)
      • brave.exe (PID: 8484)
      • brave.exe (PID: 2268)
      • brave.exe (PID: 4068)
      • elevation_service.exe (PID: 7784)
      • brave.exe (PID: 7824)
      • chrmstp.exe (PID: 7332)
      • chrmstp.exe (PID: 7972)
      • Brave.exe (PID: 1056)
      • Brave.exe (PID: 456)
      • Brave.exe (PID: 4000)
      • Brave.exe (PID: 7104)
      • Brave.exe (PID: 5044)
      • brave.exe (PID: 8128)
      • Brave.exe (PID: 8040)

    • Process checks computer location settings

      • BraveUpdate.exe (PID: 8896)
      • BraveUpdate.exe (PID: 8348)
      • brave.exe (PID: 8484)
      • brave.exe (PID: 5216)
      • brave.exe (PID: 5376)
      • brave.exe (PID: 9176)

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 7656)

    • Manual execution by a user

      • firefox.exe (PID: 7636)
      • Brave.exe (PID: 456)
      • Brave.exe (PID: 1056)
      • Brave.exe (PID: 7104)
      • Brave.exe (PID: 4000)
      • Taskmgr.exe (PID: 6900)
      • Brave.exe (PID: 5044)
      • Brave.exe (PID: 8040)
      • Taskmgr.exe (PID: 4424)

    • Creates files in the program directory

      • BraveUpdate.exe (PID: 8348)
      • BraveUpdate.exe (PID: 8748)
      • brave_installer-x64.exe (PID: 8228)
      • setup.exe (PID: 8232)
      • setup.exe (PID: 5988)

    • Checks proxy server information

      • BraveUpdate.exe (PID: 8544)
      • BraveUpdate.exe (PID: 8676)
      • brave.exe (PID: 8484)
      • Brave.exe (PID: 1056)
      • Brave.exe (PID: 456)
      • Brave.exe (PID: 4000)
      • Brave.exe (PID: 7104)
      • slui.exe (PID: 8820)
      • Brave.exe (PID: 5044)
      • Brave.exe (PID: 8040)

    • Reads the software policy settings

      • BraveUpdate.exe (PID: 8544)
      • BraveUpdate.exe (PID: 8748)
      • BraveUpdate.exe (PID: 8676)
      • slui.exe (PID: 7444)
      • BraveUpdate.exe (PID: 7560)
      • CompatTelRunner.exe (PID: 2092)
      • slui.exe (PID: 8820)

    • Reads the machine GUID from the registry

      • BraveUpdate.exe (PID: 8676)
      • brave.exe (PID: 8484)
      • brave.exe (PID: 8128)

    • Creates files or folders in the user directory

      • BraveUpdate.exe (PID: 8676)
      • setup.exe (PID: 5988)
      • setup.exe (PID: 8232)
      • brave.exe (PID: 8484)
      • brave.exe (PID: 8120)
      • brave.exe (PID: 4068)
      • chrmstp.exe (PID: 7972)
      • brave.exe (PID: 8128)

    • Disables trace logs

      • brave.exe (PID: 8484)

    • Reads CPU info

      • brave.exe (PID: 8484)

    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 4424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:01:03 02:09:49+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 1560064
InitializedDataSize: 1151488
UninitializedDataSize: 543232
EntryPoint: 0x615d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Brave
FileDescription: Brave
FileVersion: 1.0.0.0
InternalName: Brave.dll
LegalCopyright:
OriginalFileName: Brave.dll
ProductName: Brave
ProductVersion: 1.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
276
Monitored processes
93
Malicious processes
57
Suspicious processes
3

Behavior graph

Click at the process to see the details
start brave.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs bravebrowsersetup-brv010.exe braveupdate.exe no specs braveupdatesetup.exe braveupdate.exe braveupdate.exe no specs braveupdate.exe no specs braveupdatecomregistershell64.exe no specs braveupdatecomregistershell64.exe no specs braveupdatecomregistershell64.exe no specs braveupdate.exe braveupdate.exe braveupdate.exe slui.exe brave_installer-x64.exe setup.exe setup.exe no specs setup.exe setup.exe no specs braveupdate.exe braveupdateondemand.exe no specs braveupdate.exe brave.exe brave.exe compattelrunner.exe brave.exe brave.exe elevation_service.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe chrmstp.exe chrmstp.exe chrmstp.exe chrmstp.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe conhost.exe no specs brave.exe brave.exe conhost.exe no specs brave.exe conhost.exe no specs brave.exe conhost.exe no specs brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe taskmgr.exe no specs taskmgr.exe brave.exe conhost.exe no specs brave.exe brave.exe conhost.exe no specs csrss.exe services.exe csrss.exe

Process information

PID
CMD
Path
Indicators
Parent process
300\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeBrave.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
456"C:\Users\admin\Desktop\Brave.exe" C:\Users\admin\Desktop\Brave.exe
explorer.exe
User:
admin
Company:
Brave
Integrity Level:
MEDIUM
Description:
Brave
Exit code:
4294967295
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\brave.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
532%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\System32\csrss.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Client Server Runtime Process
Version:
10.0.19041.1 (WinBuild.160101.0800)
720"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=2016,i,13873048309656950195,1132086336256106801,262144 --variations-seed-version=main@533f1f2dd75e8be37bc43f03ace8b2228d90641e --mojo-platform-channel-handle=5580 /prefetch:8C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
brave.exe
User:
admin
Company:
Brave Software, Inc.
Integrity Level:
LOW
Description:
Brave Browser
Exit code:
0
Version:
134.1.76.80
Modules
Images
c:\program files\bravesoftware\brave-browser\application\brave.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\bravesoftware\brave-browser\application\134.1.76.80\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
728"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5260 -childID 4 -isForBrowser -prefsHandle 5252 -prefMapHandle 5248 -prefsLen 31144 -prefMapSize 244583 -jsInitHandle 1388 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8292f74e-197c-4804-be2d-05b44bc13f1d} 7656 "\\.\pipe\gecko-crash-server-pipe.7656" 1a17204ef50 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
748C:\WINDOWS\system32\services.exeC:\Windows\System32\services.exe
wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Services and Controller app
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\apphelp.dll
1056"C:\Users\admin\Desktop\Brave.exe" C:\Users\admin\Desktop\Brave.exe
explorer.exe
User:
admin
Company:
Brave
Integrity Level:
MEDIUM
Description:
Brave
Exit code:
4294967295
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\brave.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
1180"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4832 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 4920 -prefMapHandle 4916 -prefsLen 36588 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {569cdd18-c529-4ecc-8780-db8306348574} 7656 "\\.\pipe\gecko-crash-server-pipe.7656" 1a171d06b10 utilityC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
1
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
1676"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=2016,i,13873048309656950195,1132086336256106801,262144 --variations-seed-version=main@533f1f2dd75e8be37bc43f03ace8b2228d90641e --mojo-platform-channel-handle=5260 /prefetch:8C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
brave.exe
User:
admin
Company:
Brave Software, Inc.
Integrity Level:
LOW
Description:
Brave Browser
Exit code:
0
Version:
134.1.76.80
Modules
Images
c:\program files\bravesoftware\brave-browser\application\brave.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\bravesoftware\brave-browser\application\134.1.76.80\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
2092C:\WINDOWS\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryWC:\Windows\System32\CompatTelRunner.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Compatibility Telemetry
Exit code:
0
Version:
10.0.19645.1102 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\compattelrunner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
91 413
Read events
89 299
Write events
1 990
Delete events
124

Modification events

(PID) Process:(7656) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(7656) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(7564) BraveBrowserSetup-BRV010.exeKey:HKEY_CURRENT_USER\SOFTWARE\BraveSoftware\Promo
Operation:writeName:StubInstallerPath
Value:
C:\Users\admin\Downloads\BraveBrowserSetup-BRV010.exe
(PID) Process:(8348) BraveUpdate.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update
Operation:writeName:path
Value:
C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
(PID) Process:(8348) BraveUpdate.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update
Operation:writeName:UninstallCmdLine
Value:
"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /uninstall
(PID) Process:(8348) BraveUpdate.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update\Clients\{B131C935-9BE6-41DA-9599-1F776BEB8019}
Operation:writeName:pv
Value:
1.3.361.151
(PID) Process:(8348) BraveUpdate.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update\Clients\{B131C935-9BE6-41DA-9599-1F776BEB8019}
Operation:writeName:name
Value:
Brave Update
(PID) Process:(8348) BraveUpdate.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update\ClientState\{B131C935-9BE6-41DA-9599-1F776BEB8019}
Operation:writeName:pv
Value:
1.3.361.151
(PID) Process:(8348) BraveUpdate.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe
Operation:writeName:DisableExceptionChainValidation
Value:
0
(PID) Process:(8428) BraveUpdate.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update
Operation:delete valueName:uid
Value:
Executable files
252
Suspicious files
461
Text files
115
Unknown types
4

Dropped files

PID
Process
Filename
Type
7656firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:
7656firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
7656firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.jstext
MD5:2C99A16AED3906D92FFE3EF1808E2753
SHA256:08412578CC3BB4922388F8FF8C23962F616B69A1588DA720ADE429129C73C452
7656firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
7656firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.binbinary
MD5:297E88D7CEB26E549254EC875649F4EB
SHA256:8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
7656firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:
7656firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
7656firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
7656firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-child-current.binbinary
MD5:C95DDC2B1A525D1A243E4C294DA2F326
SHA256:3A5919E086BFB31E36110CF636D2D5109EB51F2C410B107F126126AB25D67363
7656firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
55
TCP/UDP connections
208
DNS requests
232
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.168.199:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7656
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
7656
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
7656
firefox.exe
POST
200
172.217.16.131:80
http://o.pki.goog/s/wr3/cgo
unknown
whitelisted
7656
firefox.exe
POST
200
95.101.54.131:80
http://r11.o.lencr.org/
unknown
whitelisted
7656
firefox.exe
POST
200
95.101.54.114:80
http://r10.o.lencr.org/
unknown
whitelisted
7656
firefox.exe
POST
200
95.101.54.114:80
http://r10.o.lencr.org/
unknown
whitelisted
7656
firefox.exe
POST
200
95.101.54.131:80
http://r11.o.lencr.org/
unknown
whitelisted
7656
firefox.exe
POST
200
172.217.16.131:80
http://o.pki.goog/we2
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
2.16.168.199:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
4
System
192.168.100.255:138
whitelisted
6544
svchost.exe
20.190.159.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7656
firefox.exe
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 2.16.168.199
  • 2.16.168.200
whitelisted
login.live.com
  • 20.190.159.64
  • 20.190.159.129
  • 20.190.159.2
  • 40.126.31.71
  • 40.126.31.130
  • 20.190.159.0
  • 40.126.31.2
  • 20.190.159.4
  • 40.126.32.138
  • 40.126.32.136
  • 40.126.32.140
  • 20.190.160.131
  • 20.190.160.65
  • 20.190.160.64
  • 40.126.32.133
  • 20.190.160.130
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 184.30.131.245
whitelisted
client.wns.windows.com
  • 40.113.110.67
  • 40.113.103.199
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
example.org
  • 96.7.128.186
  • 23.215.0.133
  • 96.7.128.192
  • 23.215.0.132
whitelisted
ipv4only.arpa
  • 192.0.0.170
  • 192.0.0.171
whitelisted

Threats

PID
Process
Class
Message
4068
brave.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
4068
brave.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
4068
brave.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
4068
brave.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
4068
brave.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
4068
brave.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
4068
brave.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
4068
brave.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
4068
brave.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Brave.exe