File name:

BraveBrowserSetup-BRV011.exe

Full analysis: https://app.any.run/tasks/d9b99b6b-0776-42bf-be68-485e68aa4531
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software designed to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various programs, each focused on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: February 21, 2026, 21:14:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

ED985DD5807036EA6F245E7176093975

SHA1:

1EC495B23C533FDCA3192E5D939E74F5BA7D5DEE

SHA256:

2512598718FB4E27CFF5E5B67483DAD16E1613E83E74B9E7BD8C5BE2EFA6C7B1

SSDEEP:

49152:ftG/wwHVgu3eBBzIgw++M6EiWHowDxjRZ6W2oclXqvbF47A34NaXWHm8h+sSVzca:fUwwHVOI9LbWHnxkavb+45e8LogExcP4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • setup.exe (PID: 3388)
      • csrss.exe (PID: 652)
      • brave.exe (PID: 1868)
      • brave.exe (PID: 6332)
      • setup.exe (PID: 4968)
      • brave.exe (PID: 7432)
      • brave.exe (PID: 8720)
      • csrss.exe (PID: 564)
      • elevation_service.exe (PID: 4856)
      • brave.exe (PID: 6400)
      • brave.exe (PID: 752)
      • brave.exe (PID: 3404)
      • brave.exe (PID: 7932)
      • brave.exe (PID: 6640)
      • brave.exe (PID: 5872)
      • brave.exe (PID: 6784)
      • brave.exe (PID: 8552)
      • brave.exe (PID: 8976)
      • brave.exe (PID: 9260)
      • brave.exe (PID: 9276)
      • chrmstp.exe (PID: 9508)
      • chrmstp.exe (PID: 9436)
      • chrmstp.exe (PID: 9596)
      • brave.exe (PID: 9284)
      • brave.exe (PID: 9444)
      • brave.exe (PID: 9624)
      • brave.exe (PID: 9676)
      • brave.exe (PID: 9668)
      • brave.exe (PID: 9652)
      • brave.exe (PID: 9696)
      • chrmstp.exe (PID: 9548)
      • brave.exe (PID: 9948)
      • brave.exe (PID: 10032)
    • Changes the autorun value in the registry

      • setup.exe (PID: 3388)
    • Steals credentials from Web Browsers

      • brave.exe (PID: 6332)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • BraveBrowserSetup-BRV011.exe (PID: 8412)
      • BraveUpdateSetup.exe (PID: 6828)
    • Disables SEHOP

      • BraveUpdate.exe (PID: 1612)
    • Starts itself from another location

      • BraveUpdate.exe (PID: 1612)
    • Creates/Modifies COM task schedule object

      • BraveUpdate.exe (PID: 6152)
      • BraveUpdateComRegisterShell64.exe (PID: 2376)
      • BraveUpdateComRegisterShell64.exe (PID: 2212)
      • BraveUpdateComRegisterShell64.exe (PID: 7680)
    • Executes as Windows Service

      • BraveUpdate.exe (PID: 6784)
      • elevation_service.exe (PID: 4856)
    • Application launched itself

      • setup.exe (PID: 3388)
      • setup.exe (PID: 4968)
      • BraveUpdate.exe (PID: 6784)
      • brave.exe (PID: 6332)
      • chrmstp.exe (PID: 9436)
      • chrmstp.exe (PID: 9548)
    • Searches for installed software

      • setup.exe (PID: 3388)
      • setup.exe (PID: 4968)
      • chrmstp.exe (PID: 9436)
      • chrmstp.exe (PID: 9548)
    • Reads Mozilla Firefox installation path

      • brave.exe (PID: 6332)
    • Possible stealing from browsers

      • brave.exe (PID: 6332)
    • Reads the date of Windows installation

      • chrmstp.exe (PID: 9548)
  • INFO

    • Checks supported languages

      • BraveBrowserSetup-BRV011.exe (PID: 8412)
      • BraveUpdate.exe (PID: 3716)
      • BraveUpdateSetup.exe (PID: 6828)
      • BraveUpdate.exe (PID: 1612)
      • BraveUpdate.exe (PID: 5464)
      • BraveUpdate.exe (PID: 6152)
      • BraveUpdateComRegisterShell64.exe (PID: 2376)
      • BraveUpdateComRegisterShell64.exe (PID: 2212)
      • BraveUpdateComRegisterShell64.exe (PID: 7680)
      • BraveUpdate.exe (PID: 2428)
      • BraveUpdate.exe (PID: 6784)
      • BraveUpdate.exe (PID: 4212)
      • brave_installer-x64.exe (PID: 2376)
      • setup.exe (PID: 3388)
      • setup.exe (PID: 6432)
      • setup.exe (PID: 4968)
      • setup.exe (PID: 8256)
      • BraveUpdate.exe (PID: 8120)
      • BraveUpdate.exe (PID: 8052)
      • brave.exe (PID: 6332)
      • brave.exe (PID: 1868)
      • BraveUpdateOnDemand.exe (PID: 6272)
      • brave.exe (PID: 8720)
      • brave.exe (PID: 7432)
      • brave.exe (PID: 6400)
      • elevation_service.exe (PID: 4856)
      • brave.exe (PID: 3404)
      • brave.exe (PID: 752)
      • brave.exe (PID: 5872)
      • brave.exe (PID: 6784)
      • brave.exe (PID: 7932)
      • brave.exe (PID: 8976)
      • brave.exe (PID: 6640)
      • brave.exe (PID: 8552)
      • brave.exe (PID: 9260)
      • brave.exe (PID: 9444)
      • brave.exe (PID: 9276)
      • brave.exe (PID: 9284)
      • chrmstp.exe (PID: 9548)
      • chrmstp.exe (PID: 9436)
      • chrmstp.exe (PID: 9508)
      • chrmstp.exe (PID: 9596)
      • brave.exe (PID: 9624)
      • brave.exe (PID: 9652)
      • brave.exe (PID: 9676)
      • brave.exe (PID: 9668)
      • brave.exe (PID: 9696)
      • brave.exe (PID: 9948)
      • brave.exe (PID: 10032)
    • The sample compiled with english language support

      • BraveBrowserSetup-BRV011.exe (PID: 8412)
      • BraveUpdateSetup.exe (PID: 6828)
    • Create files in a temporary directory

      • BraveBrowserSetup-BRV011.exe (PID: 8412)
      • svchost.exe (PID: 6956)
      • brave.exe (PID: 6332)
    • Reads the computer name

      • BraveUpdate.exe (PID: 3716)
      • BraveUpdate.exe (PID: 1612)
      • BraveUpdate.exe (PID: 5464)
      • BraveUpdate.exe (PID: 6152)
      • BraveUpdateComRegisterShell64.exe (PID: 2212)
      • BraveUpdateComRegisterShell64.exe (PID: 2376)
      • BraveUpdateComRegisterShell64.exe (PID: 7680)
      • BraveUpdate.exe (PID: 2428)
      • BraveUpdate.exe (PID: 4212)
      • BraveUpdate.exe (PID: 6784)
      • brave_installer-x64.exe (PID: 2376)
      • setup.exe (PID: 3388)
      • setup.exe (PID: 4968)
      • BraveUpdate.exe (PID: 8052)
      • BraveUpdate.exe (PID: 8120)
      • brave.exe (PID: 6332)
      • brave.exe (PID: 8720)
      • brave.exe (PID: 7432)
      • elevation_service.exe (PID: 4856)
      • brave.exe (PID: 7932)
      • chrmstp.exe (PID: 9436)
      • chrmstp.exe (PID: 9548)
    • Reads security settings of Internet Explorer

      • BraveUpdate.exe (PID: 3716)
      • BraveUpdate.exe (PID: 1612)
      • BraveUpdate.exe (PID: 4212)
      • brave.exe (PID: 6332)
      • chrmstp.exe (PID: 9548)
    • Brave updater related mutex has been found

      • BraveUpdate.exe (PID: 3716)
      • BraveUpdate.exe (PID: 1612)
      • BraveUpdate.exe (PID: 5464)
      • BraveUpdate.exe (PID: 6152)
      • BraveUpdate.exe (PID: 2428)
      • BraveUpdate.exe (PID: 4212)
      • BraveUpdate.exe (PID: 6784)
      • BraveUpdate.exe (PID: 8052)
      • BraveUpdate.exe (PID: 8120)
    • Process checks computer location settings

      • BraveUpdate.exe (PID: 3716)
      • BraveUpdate.exe (PID: 1612)
      • brave.exe (PID: 6332)
      • brave.exe (PID: 3404)
      • brave.exe (PID: 752)
    • Creates files in the program directory

      • BraveUpdate.exe (PID: 1612)
      • BraveUpdate.exe (PID: 6784)
      • setup.exe (PID: 3388)
      • brave_installer-x64.exe (PID: 2376)
      • setup.exe (PID: 4968)
    • Manual execution by a user

      • firefox.exe (PID: 7972)
    • Checks proxy server information

      • BraveUpdate.exe (PID: 2428)
      • BraveUpdate.exe (PID: 4212)
      • brave.exe (PID: 6332)
    • Application launched itself

      • firefox.exe (PID: 7972)
      • firefox.exe (PID: 3276)
    • Reads the machine GUID from the registry

      • BraveUpdate.exe (PID: 4212)
      • brave.exe (PID: 6332)
    • Creates files or folders in the user directory

      • BraveUpdate.exe (PID: 4212)
      • setup.exe (PID: 4968)
      • setup.exe (PID: 3388)
      • brave.exe (PID: 1868)
      • brave.exe (PID: 6332)
      • brave.exe (PID: 7432)
      • chrmstp.exe (PID: 9548)
    • Drops script file

      • firefox.exe (PID: 3276)
      • brave.exe (PID: 6332)
    • There is functionality for taking screenshot (YARA)

      • BraveUpdate.exe (PID: 3716)
    • Creates a software uninstall entry

      • setup.exe (PID: 3388)
    • Launching a file from a Registry key

      • setup.exe (PID: 3388)
    • Disables trace logs

      • brave.exe (PID: 6332)
    • Reads CPU info

      • brave.exe (PID: 6332)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2026:02:19 10:09:07+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.41
CodeSize: 105984
InitializedDataSize: 1150464
UninitializedDataSize: -
EntryPoint: 0x6f24
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.3.361.151
ProductVersionNumber: 1.3.361.151
FileFlagsMask: 0x003f
FileFlags: Private build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: BraveSoftware Inc.
FileDescription: BraveSoftware Update Setup
FileVersion: 1.3.361.151
InternalName: BraveSoftware Update Setup
OriginalFileName: BraveUpdateSetup.exe
ProductName: BraveSoftware Update
ProductVersion: 1.3.361.151
LanguageId: en
PrivateBuild: -
No data.
All screenshots are available in the full report
Total processes
212
Monitored processes
63
Malicious processes
37
Suspicious processes
3

Behavior graph

start bravebrowsersetup-brv011.exe braveupdate.exe no specs braveupdatesetup.exe braveupdate.exe no specs braveupdate.exe no specs braveupdate.exe no specs braveupdatecomregistershell64.exe no specs braveupdatecomregistershell64.exe no specs braveupdatecomregistershell64.exe no specs braveupdate.exe firefox.exe no specs firefox.exe braveupdate.exe braveupdate.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs svchost.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs brave_installer-x64.exe no specs setup.exe setup.exe no specs setup.exe setup.exe no specs braveupdate.exe braveupdateondemand.exe no specs braveupdate.exe no specs brave.exe brave.exe brave.exe brave.exe elevation_service.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe chrmstp.exe brave.exe chrmstp.exe chrmstp.exe chrmstp.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe brave.exe csrss.exe csrss.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
564
CMD:
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Path:
C:\Windows\System32\csrss.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Client Server Runtime Process
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\csrss.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\csrsrv.dll
c:\windows\system32\basesrv.dll
c:\windows\system32\winsrv.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\winsrvext.dll
c:\windows\system32\user32.dll
c:\windows\system32\cfgmgr32.dll
PID:
652
CMD:
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Path:
C:\Windows\System32\csrss.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Client Server Runtime Process
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\csrss.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\csrsrv.dll
c:\windows\system32\basesrv.dll
c:\windows\system32\winsrv.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winsrvext.dll
c:\windows\system32\combase.dll
c:\windows\system32\cfgmgr32.dll
PID:
752
CMD:
"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --force-high-res-timeticks=disabled --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --metrics-shmem-handle=3504,i,4913089203019206184,8303700965487984126,2097152 --field-trial-handle=2024,i,13491504459691932255,14264176421707662381,262144 --variations-seed-version=main@fccbb0196038a300df04f2994cd146d2dabefd66 --trace-process-track-uuid=3190708990997080739 --mojo-platform-channel-handle=3524 /prefetch:1
Path:
C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
Parent process:
brave.exe
User:
admin
Company:
Brave Software, Inc.
Integrity Level:
LOW
Description:
Brave Browser
Version:
145.1.87.190
Modules
Images
c:\program files\bravesoftware\brave-browser\application\brave.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\bravesoftware\brave-browser\application\145.1.87.190\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
848
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -sandboxingKind 0 -prefsHandle 4680 -prefsLen 45267 -prefMapHandle 4676 -prefMapSize 272981 -ipcHandle 4776 -initialChannelId {02afd51a-b712-4ba1-a6a1-634ae751014c} -parentPid 3276 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3276" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
PID:
1584
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4944 -prefsLen 39330 -prefMapHandle 4948 -prefMapSize 272981 -jsInitHandle 4952 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 3284 -initialChannelId {06884d65-e6f0-47db-aedf-6a8c127fde33} -parentPid 3276 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3276" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\crypt32.dll
PID:
1612
CMD:
C:\WINDOWS\SystemTemp\GUM55A1.tmp\BraveUpdate.exe /installsource taggedmi /install "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=release&installdataindex=default&referral=none" /installelevated
Path:
C:\Windows\SystemTemp\GUM55A1.tmp\BraveUpdate.exe
Parent process:
BraveUpdateSetup.exe
User:
admin
Company:
BraveSoftware Inc.
Integrity Level:
HIGH
Description:
BraveSoftware Update
Exit code:
0
Version:
1.3.361.151
Modules
Images
c:\windows\systemtemp\gum55a1.tmp\braveupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
1672
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5172 -prefsLen 39330 -prefMapHandle 5176 -prefMapSize 272981 -jsInitHandle 5180 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 5188 -initialChannelId {817d161c-96ef-41ab-ab04-0fc16e4911dd} -parentPid 3276 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3276" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1.dll
PID:
1868
CMD:
"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\BraveSoftware\Brave-Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=145.1.87.190 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd6fc63128,0x7ffd6fc63134,0x7ffd6fc63140
Path:
C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
Parent process:
brave.exe
User:
admin
Company:
Brave Software, Inc.
Integrity Level:
MEDIUM
Description:
Brave Browser
Version:
145.1.87.190
Modules
Images
c:\program files\bravesoftware\brave-browser\application\brave.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\bravesoftware\brave-browser\application\145.1.87.190\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll
PID:
2212
CMD:
"C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe"
Path:
C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe
Parent process:
BraveUpdate.exe
User:
admin
Company:
BraveSoftware Inc.
Integrity Level:
HIGH
Description:
BraveSoftware Update
Exit code:
0
Version:
1.3.361.151
Modules
Images
c:\program files (x86)\bravesoftware\update\1.3.361.151\braveupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
2376
CMD:
"C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe"
Path:
C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe
Parent process:
BraveUpdate.exe
User:
admin
Company:
BraveSoftware Inc.
Integrity Level:
HIGH
Description:
BraveSoftware Update
Exit code:
0
Version:
1.3.361.151
Modules
Images
c:\program files (x86)\bravesoftware\update\1.3.361.151\braveupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
9 958
Read events
8 835
Write events
1 004
Delete events
119

Modification events

(PID) Process:
(8412) BraveBrowserSetup-BRV011.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\BraveSoftware\Promo
Operation:
write
Name:
StubInstallerPath
Value:
C:\Users\admin\AppData\Local\Temp\BraveBrowserSetup-BRV011.exe

(PID) Process:
(5464) BraveUpdate.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update
Operation:
delete value
Name:
uid
Value:

(PID) Process:
(5464) BraveUpdate.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update
Operation:
delete value
Name:
old-uid
Value:

(PID) Process:
(1612) BraveUpdate.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update
Operation:
write
Name:
brave_task_name_c
Value:
BraveSoftwareUpdateTaskMachineCore{ACCB27D8-B0BA-409E-993A-2BA8DE62A1E6}

(PID) Process:
(1612) BraveUpdate.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update
Operation:
write
Name:
brave_task_name_ua
Value:
BraveSoftwareUpdateTaskMachineUA{70FA5A3A-875B-4ACE-815F-3E210FEBE0AC}

(PID) Process:
(6152) BraveUpdate.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update
Operation:
delete value
Name:
uid
Value:

(PID) Process:
(6152) BraveUpdate.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update
Operation:
delete value
Name:
old-uid
Value:

(PID) Process:
(2376) BraveUpdateComRegisterShell64.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}\InprocServer32
Operation:
write
Name:
ThreadingModel
Value:
Both

(PID) Process:
(2376) BraveUpdateComRegisterShell64.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32
Operation:
write
Name:
ThreadingModel
Value:
Both

(PID) Process:
(2376) BraveUpdateComRegisterShell64.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07A9016F-6F57-4DD7-8654-81CCF0EC2A97}\InprocHandler32
Operation:
write
Name:
ThreadingModel
Value:
Both
Executable files
2
Suspicious files
0
Text files
0
Unknown types
844

Dropped files

PID | Process | Filename | Type

8412 | BraveBrowserSetup-BRV011.exe | C:\Users\admin\AppData\Local\Temp\GUM5254.tmp\BraveUpdateCore.exe | binary
MD5: FD6B3A26F9B0F07CE485198D91823D5D
SHA256: F150EC3C01C377164ABBFC6898B66E803863B026C0E38F0057C8854704807405

8412 | BraveBrowserSetup-BRV011.exe | C:\Users\admin\AppData\Local\Temp\GUM5254.tmp\BraveUpdateComRegisterShellArm64.exe | binary
MD5: 1C28AE0A59D2890A551A1A49EA1A83B3
SHA256: ACABCC54F6BFA172B792DBA97D49C26B01B16305D19521223541759455CC8D7F

8412 | BraveBrowserSetup-BRV011.exe | C:\Users\admin\AppData\Local\Temp\GUM5254.tmp\BraveCrashHandlerArm64.exe | binary
MD5: 9C798CF3015CD05930E328058EA2C66E
SHA256: A6EBB59B17685E963FAA1F4CAB79D979314255BEF3DFE64A88A1487DAFCE39D2

8412 | BraveBrowserSetup-BRV011.exe | C:\Users\admin\AppData\Local\Temp\GUM5254.tmp\goopdateres_bg.dll | binary
MD5: BD6D27BE3C928A3797B5246EB4E2550D
SHA256: BE5EE69D918CAF361B94780C793CD62C484C72A4B085032287B59197ACD6EE9A

8412 | BraveBrowserSetup-BRV011.exe | C:\Users\admin\AppData\Local\Temp\GUM5254.tmp\BraveUpdateComRegisterShell64.exe | binary
MD5: E552CEDB64A3DFBE9A08548E55AE4CCD
SHA256: 6E291B85A0FEAF921A86685C83600D93388BB7B72EA3E7CB3F7EE1D461116740

8412 | BraveBrowserSetup-BRV011.exe | C:\Users\admin\AppData\Local\Temp\GUM5254.tmp\psuser_arm64.dll | binary
MD5: EA49430F2239F25AD0EEF209F55893DA
SHA256: 7A5A82B15705C0167B31E2970DBA1736CC101D595F1691735DD35CAE5CBDFE35

8412 | BraveBrowserSetup-BRV011.exe | C:\Users\admin\AppData\Local\Temp\GUM5254.tmp\psmachine_arm64.dll | binary
MD5: 81085C4F95CAF49BA7EAA2388DE7658D
SHA256: 500F702EEE6161A7C7A8D0E41E19B0B5E0C11ACA8AB8D9EEE04952D5B9E9E3BD

8412 | BraveBrowserSetup-BRV011.exe | C:\Users\admin\AppData\Local\Temp\GUM5254.tmp\psmachine.dll | binary
MD5: 94332024C4C50B2CDEDFBCBA7A5CAF6E
SHA256: 65D8C8007A7AF9E3A6DD2E18693585A421583E9F17F2ECE63C9224572E3D0101

8412 | BraveBrowserSetup-BRV011.exe | C:\Users\admin\AppData\Local\Temp\GUM5254.tmp\BraveCrashHandler64.exe | binary
MD5: 564A0802CB0B0935141E4390A9FE0180
SHA256: 269842CAA020F8B7626FCF19AEC4BE5C2C47ADDDDF1490EDD05DD0BA7E717181

8412 | BraveBrowserSetup-BRV011.exe | C:\Users\admin\AppData\Local\Temp\GUM5254.tmp\goopdateres_am.dll | binary
MD5: 414B721C14258DAE96C2C86C2CD636CB
SHA256: 05F6CA272A4765DF41F6A2A09251010ADD9232DBD9E26E8D164DC7B80BD2C1E5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
39
TCP/UDP connections
104
DNS requests
99
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4212
BraveUpdate.exe
GET
404
13.32.99.14:443
https://dl.brave.com/update2/installers/icons/%7BAFE6A462-C574-4B8A-AF43-4CC60DF4563B%7D.bmp
unknown
unknown
6956
svchost.exe
HEAD
200
65.8.131.81:443
https://updates-cdn.bravesoftware.com/build/Brave-Release/release/win/145.1.87.190/x64/brave_installer-x64.exe
unknown
unknown
6956
svchost.exe
GET
200
65.8.131.81:443
https://updates-cdn.bravesoftware.com/build/Brave-Release/release/win/145.1.87.190/x64/brave_installer-x64.exe
unknown
unknown
GET
200
23.63.118.230:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D
unknown
whitelisted
GET
200
204.79.197.203:80
http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D
unknown
whitelisted
2428
BraveUpdate.exe
POST
200
3.171.214.3:443
https://updates.bravesoftware.com/service/update2
unknown
250 b
unknown
6784
BraveUpdate.exe
POST
200
3.171.214.3:443
https://updates.bravesoftware.com/service/update2?cup2key=2:OUiPUM0K45Z-LwMBPY_KY4kSHq_5kiSY2GzO3s6GlxQ&cup2hreq=df58a8317229b30a2453798fa1ec789f7c11a95cf8eb2064c28aba84daf3a57d
unknown
binary
8.96 Kb
unknown
4212
BraveUpdate.exe
GET
200
18.245.38.235:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEjgLnWaIozse2b%2BczaaODg8%3D
unknown
unknown
3276
firefox.exe
GET
200
151.101.65.91:443
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/newtab-wallpapers-v2/e94b1e49-c518-40d6-98e3-dffab6cc370d.avif
unknown
unknown
3276
firefox.exe
GET
200
151.101.65.91:443
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/newtab-wallpapers-v2/18c7861f-0c9d-48d4-a98c-fb8999e331bd.avif
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
1488
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
8176
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5568
SearchApp.exe
2.16.204.142:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
23.63.118.230:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
204.79.197.203:80
oneocsp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
3140
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 51.124.78.146
whitelisted
self.events.data.microsoft.com
  • 104.46.162.225
whitelisted
google.com
  • 142.251.127.138
  • 142.251.127.100
  • 142.251.127.102
  • 142.251.127.113
  • 142.251.127.101
  • 142.251.127.139
whitelisted
www.bing.com
  • 2.16.204.142
  • 2.16.204.141
  • 2.16.204.138
  • 2.16.204.146
  • 2.16.204.143
  • 2.16.204.147
  • 2.16.204.152
  • 2.16.204.134
  • 2.16.204.135
whitelisted
ocsp.digicert.com
  • 23.63.118.230
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
updates.bravesoftware.com
  • 3.171.214.3
  • 3.171.214.82
  • 3.171.214.112
  • 3.171.214.65
whitelisted
dl.brave.com
  • 13.32.99.14
  • 13.32.99.78
  • 13.32.99.23
  • 13.32.99.123
whitelisted
ocsp.rootca1.amazontrust.com
  • 18.245.38.235
whitelisted

Threats

PID
Process
Class
Message
6956
svchost.exe
Potentially Bad Traffic
ET INFO PE EXE or DLL Windows file download HTTP
6956
svchost.exe
Potentially Bad Traffic
ET INFO Executable served from Amazon S3
6956
svchost.exe
Misc activity
ET INFO Packed Executable Download
No debug info