| File name: | BraveBrowserSetup.exe |
| Full analysis: | https://app.any.run/tasks/5292a631-61cb-44d1-bb67-2958b7744171 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | March 25, 2025, 06:55:06 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | CA4371125A3B496DFCE765632956881E |
| SHA1: | CAE6C3AA50EE92D9868D6D472B2288C8CFCC820D |
| SHA256: | 4D5A72854074D87E12BFD195CDEC921D2DD81C519F5C455F5D69A8009C635CA3 |
| SSDEEP: | 49152:OtGeZp7uC6XOFU2Ihs9BIxgXOz0u8QMWV4RS3uo3S1rb31n640w19b9UfEI3qRwF:OrqCsOFU2KKmgXOwu8Q/V4RS3n3S1rb+ |
MALICIOUS
Changes the autorun value in the registry
- setup.exe (PID: 7256)
Actions looks like stealing of personal data
- csrss.exe (PID: 5824)
- setup.exe (PID: 7256)
- BraveUpdate.exe (PID: 6268)
- brave.exe (PID: 2980)
- brave.exe (PID: 7156)
- setup.exe (PID: 856)
- services.exe (PID: 748)
- brave.exe (PID: 7384)
- elevation_service.exe (PID: 872)
- brave.exe (PID: 5776)
- csrss.exe (PID: 532)
- brave.exe (PID: 6248)
- CompatTelRunner.exe (PID: 5892)
- brave.exe (PID: 5132)
- brave.exe (PID: 1052)
- brave.exe (PID: 6752)
- brave.exe (PID: 8016)
- brave.exe (PID: 8040)
- brave.exe (PID: 7976)
- brave.exe (PID: 4188)
- chrmstp.exe (PID: 4740)
- brave.exe (PID: 8036)
- brave.exe (PID: 4000)
- chrmstp.exe (PID: 2980)
- brave.exe (PID: 8096)
- chrmstp.exe (PID: 2908)
- brave.exe (PID: 3760)
- brave.exe (PID: 8108)
- chrmstp.exe (PID: 8012)
- brave.exe (PID: 7892)
- brave.exe (PID: 7552)
- brave.exe (PID: 7680)
- brave.exe (PID: 2980)
- brave.exe (PID: 6708)
- brave.exe (PID: 8044)
- brave.exe (PID: 6184)
- brave.exe (PID: 776)
- brave.exe (PID: 1812)
- brave.exe (PID: 6620)
- brave.exe (PID: 7272)
- brave.exe (PID: 3976)
- brave.exe (PID: 7584)
- brave.exe (PID: 8068)
- brave.exe (PID: 5436)
Steals credentials from Web Browsers
- brave.exe (PID: 7156)
SUSPICIOUS
Executable content was dropped or overwritten
- BraveBrowserSetup.exe (PID: 7400)
- BraveUpdateSetup.exe (PID: 7552)
- BraveUpdate.exe (PID: 7624)
- brave_installer-x64.exe (PID: 7528)
- setup.exe (PID: 7256)
Reads security settings of Internet Explorer
- BraveUpdate.exe (PID: 7420)
- BraveUpdate.exe (PID: 8020)
- BraveUpdate.exe (PID: 7624)
- ShellExperienceHost.exe (PID: 7180)
Disables SEHOP
- BraveUpdate.exe (PID: 7624)
Starts itself from another location
- BraveUpdate.exe (PID: 7624)
Creates/Modifies COM task schedule object
- BraveUpdateComRegisterShell64.exe (PID: 7768)
- BraveUpdateComRegisterShell64.exe (PID: 7888)
- BraveUpdate.exe (PID: 7732)
- BraveUpdateComRegisterShell64.exe (PID: 7916)
Executes as Windows Service
- BraveUpdate.exe (PID: 8068)
- elevation_service.exe (PID: 872)
There is functionality for taking screenshot (YARA)
- BraveUpdate.exe (PID: 7420)
- BraveUpdate.exe (PID: 7624)
- BraveUpdate.exe (PID: 8020)
- BraveUpdate.exe (PID: 8068)
Application launched itself
- setup.exe (PID: 7256)
- setup.exe (PID: 856)
- brave.exe (PID: 7156)
- BraveUpdate.exe (PID: 8068)
- chrmstp.exe (PID: 8012)
- chrmstp.exe (PID: 2908)
Searches for installed software
- setup.exe (PID: 856)
- setup.exe (PID: 7256)
- CompatTelRunner.exe (PID: 5892)
Creates a software uninstall entry
- setup.exe (PID: 7256)
Reads Mozilla Firefox installation path
- brave.exe (PID: 7156)
The process checks if it is being run in the virtual environment
- brave.exe (PID: 7156)
Reads the date of Windows installation
- chrmstp.exe (PID: 2908)
Checks for external IP
- brave.exe (PID: 7384)
INFO
The sample compiled with german language support
- BraveBrowserSetup.exe (PID: 7400)
- BraveUpdateSetup.exe (PID: 7552)
- BraveUpdate.exe (PID: 7624)
Create files in a temporary directory
- BraveBrowserSetup.exe (PID: 7400)
- brave.exe (PID: 7156)
The sample compiled with english language support
- BraveBrowserSetup.exe (PID: 7400)
- BraveUpdateSetup.exe (PID: 7552)
- BraveUpdate.exe (PID: 7624)
- brave_installer-x64.exe (PID: 7528)
- setup.exe (PID: 7256)
The sample compiled with bulgarian language support
- BraveBrowserSetup.exe (PID: 7400)
- BraveUpdateSetup.exe (PID: 7552)
- BraveUpdate.exe (PID: 7624)
The sample compiled with arabic language support
- BraveBrowserSetup.exe (PID: 7400)
- BraveUpdateSetup.exe (PID: 7552)
- BraveUpdate.exe (PID: 7624)
The sample compiled with japanese language support
- BraveBrowserSetup.exe (PID: 7400)
- BraveUpdateSetup.exe (PID: 7552)
- BraveUpdate.exe (PID: 7624)
The sample compiled with Italian language support
- BraveBrowserSetup.exe (PID: 7400)
- BraveUpdateSetup.exe (PID: 7552)
- BraveUpdate.exe (PID: 7624)
The sample compiled with czech language support
- BraveBrowserSetup.exe (PID: 7400)
- BraveUpdateSetup.exe (PID: 7552)
- BraveUpdate.exe (PID: 7624)
The sample compiled with polish language support
- BraveBrowserSetup.exe (PID: 7400)
- BraveUpdateSetup.exe (PID: 7552)
- BraveUpdate.exe (PID: 7624)
The sample compiled with portuguese language support
- BraveBrowserSetup.exe (PID: 7400)
- BraveUpdateSetup.exe (PID: 7552)
- BraveUpdate.exe (PID: 7624)
The sample compiled with korean language support
- BraveBrowserSetup.exe (PID: 7400)
- BraveUpdateSetup.exe (PID: 7552)
- BraveUpdate.exe (PID: 7624)
The sample compiled with russian language support
- BraveBrowserSetup.exe (PID: 7400)
- BraveUpdateSetup.exe (PID: 7552)
- BraveUpdate.exe (PID: 7624)
The sample compiled with swedish language support
- BraveBrowserSetup.exe (PID: 7400)
- BraveUpdateSetup.exe (PID: 7552)
- BraveUpdate.exe (PID: 7624)
The sample compiled with slovak language support
- BraveBrowserSetup.exe (PID: 7400)
- BraveUpdateSetup.exe (PID: 7552)
- BraveUpdate.exe (PID: 7624)
Checks supported languages
- BraveBrowserSetup.exe (PID: 7400)
- BraveUpdate.exe (PID: 7420)
- BraveUpdateSetup.exe (PID: 7552)
- BraveUpdate.exe (PID: 7624)
- BraveUpdate.exe (PID: 7696)
- BraveUpdate.exe (PID: 7732)
- BraveUpdateComRegisterShell64.exe (PID: 7888)
- BraveUpdateComRegisterShell64.exe (PID: 7768)
- BraveUpdateComRegisterShell64.exe (PID: 7916)
- BraveUpdate.exe (PID: 7960)
- BraveUpdate.exe (PID: 8020)
- BraveUpdate.exe (PID: 8068)
- brave_installer-x64.exe (PID: 7528)
- setup.exe (PID: 7256)
- setup.exe (PID: 8004)
- ShellExperienceHost.exe (PID: 7180)
- setup.exe (PID: 856)
- setup.exe (PID: 7520)
- BraveUpdateOnDemand.exe (PID: 1388)
- BraveUpdate.exe (PID: 6268)
- brave.exe (PID: 7156)
- brave.exe (PID: 2980)
- BraveUpdate.exe (PID: 7888)
- brave.exe (PID: 7384)
- brave.exe (PID: 5776)
- brave.exe (PID: 5132)
- brave.exe (PID: 1052)
- brave.exe (PID: 6248)
- elevation_service.exe (PID: 872)
- brave.exe (PID: 4000)
- brave.exe (PID: 8016)
- brave.exe (PID: 6752)
- brave.exe (PID: 7976)
- brave.exe (PID: 8040)
- brave.exe (PID: 4188)
- brave.exe (PID: 8036)
- chrmstp.exe (PID: 2908)
- chrmstp.exe (PID: 2980)
- brave.exe (PID: 8108)
- brave.exe (PID: 3760)
- brave.exe (PID: 8096)
- chrmstp.exe (PID: 4740)
- brave.exe (PID: 1812)
- brave.exe (PID: 7892)
- brave.exe (PID: 7552)
- brave.exe (PID: 2980)
- brave.exe (PID: 8044)
- brave.exe (PID: 6184)
- brave.exe (PID: 7584)
- brave.exe (PID: 7680)
- brave.exe (PID: 8068)
- brave.exe (PID: 6620)
- brave.exe (PID: 7272)
- brave.exe (PID: 5436)
- brave.exe (PID: 3976)
The sample compiled with chinese language support
- BraveBrowserSetup.exe (PID: 7400)
- BraveUpdateSetup.exe (PID: 7552)
- BraveUpdate.exe (PID: 7624)
The sample compiled with turkish language support
- BraveBrowserSetup.exe (PID: 7400)
- BraveUpdateSetup.exe (PID: 7552)
- BraveUpdate.exe (PID: 7624)
Brave updater related mutex has been found
- BraveUpdate.exe (PID: 7420)
- BraveUpdate.exe (PID: 7624)
- BraveUpdate.exe (PID: 7696)
- BraveUpdate.exe (PID: 7732)
- BraveUpdate.exe (PID: 8020)
- BraveUpdate.exe (PID: 8068)
- BraveUpdate.exe (PID: 7960)
- BraveUpdate.exe (PID: 6268)
- BraveUpdate.exe (PID: 7888)
Reads the computer name
- BraveUpdate.exe (PID: 7420)
- BraveUpdate.exe (PID: 7624)
- BraveUpdate.exe (PID: 7696)
- BraveUpdate.exe (PID: 7732)
- BraveUpdateComRegisterShell64.exe (PID: 7916)
- BraveUpdateComRegisterShell64.exe (PID: 7768)
- BraveUpdateComRegisterShell64.exe (PID: 7888)
- BraveUpdate.exe (PID: 8020)
- BraveUpdate.exe (PID: 8068)
- BraveUpdate.exe (PID: 7960)
- brave_installer-x64.exe (PID: 7528)
- setup.exe (PID: 7256)
- ShellExperienceHost.exe (PID: 7180)
- BraveUpdate.exe (PID: 7888)
- BraveUpdate.exe (PID: 6268)
- brave.exe (PID: 7156)
- brave.exe (PID: 5776)
- elevation_service.exe (PID: 872)
- brave.exe (PID: 7384)
- chrmstp.exe (PID: 8012)
- chrmstp.exe (PID: 2908)
- brave.exe (PID: 3976)
Process checks computer location settings
- BraveUpdate.exe (PID: 7420)
- BraveUpdate.exe (PID: 7624)
- brave.exe (PID: 7156)
- brave.exe (PID: 1052)
- brave.exe (PID: 6248)
- brave.exe (PID: 5436)
Creates files in the program directory
- BraveUpdate.exe (PID: 7624)
- BraveUpdate.exe (PID: 8068)
- setup.exe (PID: 7256)
- brave_installer-x64.exe (PID: 7528)
- setup.exe (PID: 856)
Checks proxy server information
- BraveUpdate.exe (PID: 7960)
- BraveUpdate.exe (PID: 8020)
- BackgroundTransferHost.exe (PID: 8104)
- brave.exe (PID: 7156)
Reads the software policy settings
- BraveUpdate.exe (PID: 7960)
- BraveUpdate.exe (PID: 8068)
- BraveUpdate.exe (PID: 8020)
- BackgroundTransferHost.exe (PID: 8104)
- slui.exe (PID: 7836)
- BraveUpdate.exe (PID: 7888)
- slui.exe (PID: 6576)
- CompatTelRunner.exe (PID: 5892)
Creates files or folders in the user directory
- BackgroundTransferHost.exe (PID: 8104)
- BraveUpdate.exe (PID: 8020)
- setup.exe (PID: 856)
- brave.exe (PID: 7156)
- brave.exe (PID: 7384)
- chrmstp.exe (PID: 2908)
- brave.exe (PID: 3976)
Reads the machine GUID from the registry
- BraveUpdate.exe (PID: 8020)
- brave.exe (PID: 7156)
Reads security settings of Internet Explorer
- BackgroundTransferHost.exe (PID: 7468)
- BackgroundTransferHost.exe (PID: 2108)
- BackgroundTransferHost.exe (PID: 8104)
- BackgroundTransferHost.exe (PID: 1388)
- BackgroundTransferHost.exe (PID: 4220)
Disables trace logs
- brave.exe (PID: 7156)
Reads CPU info
- brave.exe (PID: 7156)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (76.4) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.4) |
| .exe | | | Generic Win/DOS Executable (5.5) |
| .exe | | | DOS Executable Generic (5.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:03:20 06:15:06+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.41 |
| CodeSize: | 105984 |
| InitializedDataSize: | 1150976 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x6f24 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.3.361.151 |
| ProductVersionNumber: | 1.3.361.151 |
| FileFlagsMask: | 0x003f |
| FileFlags: | Private build |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | BraveSoftware Inc. |
| FileDescription: | BraveSoftware Update Setup |
| FileVersion: | 1.3.361.151 |
| InternalName: | BraveSoftware Update Setup |
| OriginalFileName: | BraveUpdateSetup.exe |
| ProductName: | BraveSoftware Update |
| ProductVersion: | 1.3.361.151 |
| LanguageId: | en |
| PrivateBuild: | - |
Total processes
209
Monitored processes
70
Malicious processes
50
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 532 | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | C:\Windows\System32\csrss.exe | — | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Client Server Runtime Process Version: 10.0.19041.1 (WinBuild.160101.0800) | |||||||||||||||
| 748 | C:\WINDOWS\system32\services.exe | C:\Windows\System32\services.exe | wininit.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Services and Controller app Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 776 | "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=1984,i,18197061148260411694,8159757016541739494,262144 --variations-seed-version=main@533f1f2dd75e8be37bc43f03ace8b2228d90641e --mojo-platform-channel-handle=6024 /prefetch:8 | C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe | brave.exe | ||||||||||||
User: admin Company: Brave Software, Inc. Integrity Level: LOW Description: Brave Browser Exit code: 0 Version: 134.1.76.81 Modules
| |||||||||||||||
| 856 | "C:\Program Files (x86)\BraveSoftware\Update\Install\{5691FF84-EA77-492A-86A9-1E300BB21DA4}\CR_ABD1A.tmp\setup.exe" --system-level --verbose-logging --installerdata="C:\Program Files (x86)\BraveSoftware\Update\Install\{5691FF84-EA77-492A-86A9-1E300BB21DA4}\gui419C.tmp" --create-shortcuts=0 --install-level=1 | C:\Program Files (x86)\BraveSoftware\Update\Install\{5691FF84-EA77-492A-86A9-1E300BB21DA4}\CR_ABD1A.tmp\setup.exe | setup.exe | ||||||||||||
User: admin Company: Brave Software, Inc. Integrity Level: HIGH Description: Brave Installer Exit code: 73 Version: 134.1.76.81 Modules
| |||||||||||||||
| 872 | "C:\Program Files\BraveSoftware\Brave-Browser\Application\134.1.76.81\elevation_service.exe" | C:\Program Files\BraveSoftware\Brave-Browser\Application\134.1.76.81\elevation_service.exe | services.exe | ||||||||||||
User: SYSTEM Company: Brave Software, Inc. Integrity Level: SYSTEM Description: Brave Browser Exit code: 0 Version: 134.1.76.81 Modules
| |||||||||||||||
| 1052 | "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=1984,i,18197061148260411694,8159757016541739494,262144 --variations-seed-version=main@533f1f2dd75e8be37bc43f03ace8b2228d90641e --mojo-platform-channel-handle=3512 /prefetch:1 | C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe | brave.exe | ||||||||||||
User: admin Company: Brave Software, Inc. Integrity Level: LOW Description: Brave Browser Exit code: 0 Version: 134.1.76.81 Modules
| |||||||||||||||
| 1388 | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | C:\Windows\System32\BackgroundTransferHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Download/Upload Host Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1388 | "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateOnDemand.exe" -Embedding | C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateOnDemand.exe | — | svchost.exe | |||||||||||
User: admin Company: BraveSoftware Inc. Integrity Level: MEDIUM Description: BraveSoftware Update Exit code: 0 Version: 1.3.361.151 Modules
| |||||||||||||||
| 1812 | "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=1984,i,18197061148260411694,8159757016541739494,262144 --variations-seed-version=main@533f1f2dd75e8be37bc43f03ace8b2228d90641e --mojo-platform-channel-handle=5440 /prefetch:8 | C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe | brave.exe | ||||||||||||
User: admin Company: Brave Software, Inc. Integrity Level: LOW Description: Brave Browser Exit code: 0 Version: 134.1.76.81 Modules
| |||||||||||||||
| 2108 | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | C:\Windows\System32\BackgroundTransferHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Download/Upload Host Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
69 128
Read events
66 802
Write events
2 201
Delete events
125
Modification events
| (PID) Process: | (7400) BraveBrowserSetup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\BraveSoftware\Promo |
| Operation: | write | Name: | StubInstallerPath |
Value: C:\Users\admin\AppData\Local\Temp\BraveBrowserSetup.exe | |||
| (PID) Process: | (748) services.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\brave |
| Operation: | write | Name: | Type |
Value: 16 | |||
| (PID) Process: | (748) services.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\brave |
| Operation: | write | Name: | Start |
Value: 2 | |||
| (PID) Process: | (748) services.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\brave |
| Operation: | write | Name: | ErrorControl |
Value: 1 | |||
| (PID) Process: | (748) services.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\brave |
| Operation: | write | Name: | ImagePath |
Value: "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /svc | |||
| (PID) Process: | (748) services.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\brave |
| Operation: | write | Name: | DisplayName |
Value: Brave Update Service (brave) | |||
| (PID) Process: | (748) services.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\brave |
| Operation: | write | Name: | DependOnService |
Value: RPCSS | |||
| (PID) Process: | (748) services.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\brave |
| Operation: | delete value | Name: | DependOnGroup |
Value: | |||
| (PID) Process: | (748) services.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\brave |
| Operation: | write | Name: | WOW64 |
Value: 332 | |||
| (PID) Process: | (748) services.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\brave |
| Operation: | write | Name: | ObjectName |
Value: LocalSystem | |||
Executable files
248
Suspicious files
336
Text files
102
Unknown types
8
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7400 | BraveBrowserSetup.exe | C:\Users\admin\AppData\Local\Temp\GUMB23B.tmp\BraveUpdateCore.exe | executable | |
MD5:0DBC2D6B4ED1D89EE8C03B80F7332394 | SHA256:B6E26DECDBEA2C40B5E1420E40363E6467D8B3660328A92FC0138B1CBC699BAB | |||
| 7400 | BraveBrowserSetup.exe | C:\Users\admin\AppData\Local\Temp\GUMB23B.tmp\psuser_64.dll | executable | |
MD5:6A43D0B6700FEBCDB7917E3570336F31 | SHA256:36438C7379D01BB982232D183ECB82D45A1B819A916F4B693124FB6E3B8A067B | |||
| 7400 | BraveBrowserSetup.exe | C:\Users\admin\AppData\Local\Temp\GUMB23B.tmp\BraveUpdateBroker.exe | executable | |
MD5:17313001F96CCC653CA2D3DD4FBF61BE | SHA256:A2552AD6127B7FF9D47DD17F677A3F66ADBEA9530F40C82C16CE1D723B096A45 | |||
| 7400 | BraveBrowserSetup.exe | C:\Users\admin\AppData\Local\Temp\GUMB23B.tmp\psuser.dll | executable | |
MD5:77B1C38D733F0D72DAC760D22B300CAD | SHA256:A0156F9F39005F9B0EC4EA531ABDCB443E94C62AC6031883AA357D945041AB65 | |||
| 7400 | BraveBrowserSetup.exe | C:\Users\admin\AppData\Local\Temp\GUMB23B.tmp\BraveUpdateComRegisterShell64.exe | executable | |
MD5:3502A248F302855CCDE8B98F54A7FC14 | SHA256:4DD3DB1AD373634743AC220D4B2F1737D8A3AD2692F401B22A050854F569CF2D | |||
| 7400 | BraveBrowserSetup.exe | C:\Users\admin\AppData\Local\Temp\GUMB23B.tmp\goopdate.dll | executable | |
MD5:F6B05EC0F3930B636F67237DCFA80510 | SHA256:B370517D5375779BDCBE754DBC301C14AF0F4550B41137557B92F47CAF7208FE | |||
| 7400 | BraveBrowserSetup.exe | C:\Users\admin\AppData\Local\Temp\GUMB23B.tmp\psmachine_64.dll | executable | |
MD5:DC42A30076DC723EF9D21483850A3107 | SHA256:917D7871938D8A724A2B3A286244EF55078AC78B1F683D5C798808B21508B33A | |||
| 7400 | BraveBrowserSetup.exe | C:\Users\admin\AppData\Local\Temp\GUMB23B.tmp\BraveUpdateOnDemand.exe | executable | |
MD5:AE90F47A848B9D2C41EE022F28D51BC5 | SHA256:1F027A32B93D34DC092C15F0112A628C53099691A34B4BE5C28323165FA1A02C | |||
| 7400 | BraveBrowserSetup.exe | C:\Users\admin\AppData\Local\Temp\GUMB23B.tmp\psmachine.dll | executable | |
MD5:218FA8CBE6ED91AD7ED717905BA2B369 | SHA256:8D180D8D8396630B276E8248F75B5D9318C67E56AD395350AAACCAA427F07C12 | |||
| 7400 | BraveBrowserSetup.exe | C:\Users\admin\AppData\Local\Temp\GUMB23B.tmp\psuser_arm64.dll | executable | |
MD5:791C99BB51883A427403EFF2312F1D62 | SHA256:6F620E377114C2881CF2E6E324433237CA5041FF0D85756E3F95E68E957D78FB | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
86
DNS requests
55
Threats
19
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
8020 | BraveUpdate.exe | GET | 200 | 18.245.38.41:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
7220 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
— | — | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
7712 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
7712 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
7960 | BraveUpdate.exe | 13.32.121.70:443 | updates.bravesoftware.com | AMAZON-02 | US | shared |
8068 | BraveUpdate.exe | 13.32.121.70:443 | updates.bravesoftware.com | AMAZON-02 | US | shared |
8020 | BraveUpdate.exe | 13.32.99.14:443 | dl.brave.com | AMAZON-02 | US | whitelisted |
2112 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3812 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
updates.bravesoftware.com |
| shared |
dl.brave.com |
| whitelisted |
ocsp.rootca1.amazontrust.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
updates-cdn.bravesoftware.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
7384 | brave.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt |
7384 | brave.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt |
7384 | brave.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt |
7384 | brave.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt |
7384 | brave.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt |
7384 | brave.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt |
7384 | brave.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt |
7384 | brave.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt |
7384 | brave.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt |
7384 | brave.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt |