File name: 2025-07-18_37739593849e91c3118beb48acb41923_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe

Full analysis: https://app.any.run/tasks/27c0305b-0dac-437e-be2b-f672ce076be0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates a device in order to deliver further payloads. It can infect the victim's computer, collect system information, and install other threats such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable. Loaders employ evasion and persistence techniques to avoid detection.

Analysis date: July 18, 2025, 15:47:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
jeefo
auto-reg
stealer
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 37739593849E91C3118BEB48ACB41923
SHA1: 3DF3A70838B6D98921FBFF1EBA61B16090C0C3AB
SHA256: 5BFFF4F8A42141C67CCF8C5FCBE5AA137AFE47841671F6494D107105C2A8C71A
SSDEEP: 49152:5cztG5s6YAVEAeUQsnoZUougDTotSe2UEnlAc/rJZBbyUhFOZD2QG4tENa9thXuy:5czfDAVEpGoZUwC92FrjJZByUhaD2QVx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • JEEFO has been detected

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe (PID: 504)
      • csrss.exe (PID: 608)
      • icsys.icn.exe (PID: 2192)
      • explorer.exe (PID: 1160)
      • svchost.exe (PID: 2400)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 1160)
      • svchost.exe (PID: 2400)
      • setup.exe (PID: 4692)
    • Actions look like stealing of personal data

      • setup.exe (PID: 4692)
      • csrss.exe (PID: 608)
      • brave.exe (PID: 856)
      • setup.exe (PID: 2108)
      • chrmstp.exe (PID: 6304)
      • chrmstp.exe (PID: 3872)
      • chrmstp.exe (PID: 4888)
      • chrmstp.exe (PID: 3148)
      • brave.exe (PID: 2704)
      • brave.exe (PID: 2532)
      • brave.exe (PID: 432)
      • brave.exe (PID: 440)
      • brave.exe (PID: 6220)
      • elevation_service.exe (PID: 2432)
      • csrss.exe (PID: 524)
      • brave.exe (PID: 4116)
      • brave.exe (PID: 4228)
      • chrmstp.exe (PID: 5460)
      • chrmstp.exe (PID: 7116)
      • chrmstp.exe (PID: 6452)
      • chrmstp.exe (PID: 6680)
      • brave.exe (PID: 1524)
      • brave.exe (PID: 1128)
      • brave.exe (PID: 1388)
      • brave.exe (PID: 5600)
      • brave.exe (PID: 6820)
      • brave.exe (PID: 7080)
      • brave.exe (PID: 3048)
      • brave.exe (PID: 6776)
      • brave.exe (PID: 6796)
      • brave.exe (PID: 4400)
      • brave.exe (PID: 7124)
      • brave.exe (PID: 4512)
    • Steals credentials from Web Browsers

      • brave.exe (PID: 856)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe (PID: 504)
    • Executable content was dropped or overwritten

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe (PID: 504)
      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe  (PID: 3704)
      • BraveUpdate.exe (PID: 3504)
      • icsys.icn.exe (PID: 2192)
      • explorer.exe (PID: 1160)
      • spoolsv.exe (PID: 1800)
      • setup.exe (PID: 4692)
      • brave_installer-x64.exe (PID: 1468)
    • Creates/Modifies COM task schedule object

      • BraveUpdateComRegisterShell64.exe (PID: 6900)
      • BraveUpdate.exe (PID: 1560)
      • BraveUpdateComRegisterShell64.exe (PID: 6540)
      • BraveUpdateComRegisterShell64.exe (PID: 4528)
    • Starts itself from another location

      • BraveUpdate.exe (PID: 3504)
      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe (PID: 504)
      • icsys.icn.exe (PID: 2192)
      • explorer.exe (PID: 1160)
      • spoolsv.exe (PID: 1800)
      • svchost.exe (PID: 2400)
    • Reads security settings of Internet Explorer

      • BraveUpdate.exe (PID: 3504)
      • BraveUpdate.exe (PID: 6748)
      • chrmstp.exe (PID: 6304)
      • brave.exe (PID: 856)
      • chrmstp.exe (PID: 6452)
    • Executes as Windows Service

      • BraveUpdate.exe (PID: 1132)
      • elevation_service.exe (PID: 2432)
    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 2192)
      • spoolsv.exe (PID: 1800)
    • There is functionality for taking screenshot (YARA)

      • BraveUpdate.exe (PID: 6748)
      • BraveUpdate.exe (PID: 3504)
      • BraveUpdate.exe (PID: 1132)
    • Application launched itself

      • setup.exe (PID: 4692)
      • BraveUpdate.exe (PID: 1132)
      • brave.exe (PID: 856)
      • setup.exe (PID: 2108)
      • chrmstp.exe (PID: 3872)
      • chrmstp.exe (PID: 6304)
      • chrmstp.exe (PID: 5460)
      • chrmstp.exe (PID: 6452)
    • Creates or modifies Windows services

      • svchost.exe (PID: 2400)
    • Creates a software uninstall entry

      • setup.exe (PID: 4692)
    • Searches for installed software

      • setup.exe (PID: 4692)
      • setup.exe (PID: 2108)
      • chrmstp.exe (PID: 3872)
      • chrmstp.exe (PID: 6304)
      • chrmstp.exe (PID: 5460)
      • chrmstp.exe (PID: 6452)
    • Reads the date of Windows installation

      • chrmstp.exe (PID: 6304)
      • chrmstp.exe (PID: 6452)
    • Reads Mozilla Firefox installation path

      • brave.exe (PID: 856)
    • The process checks if it is being run in the virtual environment

      • brave.exe (PID: 856)
  • INFO

    • The sample compiled with english language support

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe (PID: 504)
      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe  (PID: 3704)
      • BraveUpdate.exe (PID: 3504)
      • explorer.exe (PID: 1160)
      • spoolsv.exe (PID: 1800)
      • icsys.icn.exe (PID: 2192)
      • brave_installer-x64.exe (PID: 1468)
      • setup.exe (PID: 4692)
    • Checks supported languages

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe (PID: 504)
      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe  (PID: 3704)
      • BraveUpdateComRegisterShell64.exe (PID: 4528)
      • BraveUpdateComRegisterShell64.exe (PID: 6540)
      • BraveUpdate.exe (PID: 2400)
      • BraveUpdate.exe (PID: 3504)
      • BraveUpdate.exe (PID: 1132)
      • BraveUpdate.exe (PID: 6748)
      • explorer.exe (PID: 1160)
      • spoolsv.exe (PID: 1800)
      • icsys.icn.exe (PID: 2192)
      • svchost.exe (PID: 2400)
      • spoolsv.exe (PID: 7140)
      • brave_installer-x64.exe (PID: 1468)
      • setup.exe (PID: 4692)
      • setup.exe (PID: 5684)
      • setup.exe (PID: 2108)
      • BraveUpdateOnDemand.exe (PID: 5548)
      • BraveUpdate.exe (PID: 3392)
      • BraveUpdate.exe (PID: 7032)
      • brave.exe (PID: 856)
      • setup.exe (PID: 5532)
      • brave.exe (PID: 2704)
      • chrmstp.exe (PID: 3872)
      • chrmstp.exe (PID: 4888)
      • chrmstp.exe (PID: 6304)
      • chrmstp.exe (PID: 3148)
      • brave.exe (PID: 432)
      • brave.exe (PID: 440)
      • brave.exe (PID: 6220)
      • elevation_service.exe (PID: 2432)
      • brave.exe (PID: 2532)
      • brave.exe (PID: 4116)
      • brave.exe (PID: 4228)
      • chrmstp.exe (PID: 5460)
      • chrmstp.exe (PID: 7116)
      • chrmstp.exe (PID: 6452)
      • chrmstp.exe (PID: 6680)
      • brave.exe (PID: 1524)
      • brave.exe (PID: 1128)
      • brave.exe (PID: 4512)
      • brave.exe (PID: 3048)
      • brave.exe (PID: 6776)
      • brave.exe (PID: 7080)
      • brave.exe (PID: 6820)
      • brave.exe (PID: 5600)
      • brave.exe (PID: 6796)
      • brave.exe (PID: 4400)
      • brave.exe (PID: 1388)
      • brave.exe (PID: 7124)
    • Creates files in a temporary directory

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe (PID: 504)
      • explorer.exe (PID: 1160)
      • icsys.icn.exe (PID: 2192)
      • spoolsv.exe (PID: 1800)
      • svchost.exe (PID: 2400)
      • spoolsv.exe (PID: 7140)
      • brave.exe (PID: 856)
    • The sample compiled with bulgarian language support

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe  (PID: 3704)
      • BraveUpdate.exe (PID: 3504)
    • The sample compiled with german language support

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe  (PID: 3704)
      • BraveUpdate.exe (PID: 3504)
    • The sample compiled with arabic language support

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe  (PID: 3704)
      • BraveUpdate.exe (PID: 3504)
    • The sample compiled with Indonesian language support

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe  (PID: 3704)
      • BraveUpdate.exe (PID: 3504)
    • The sample compiled with czech language support

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe  (PID: 3704)
      • BraveUpdate.exe (PID: 3504)
    • The sample compiled with Italian language support

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe  (PID: 3704)
      • BraveUpdate.exe (PID: 3504)
    • The sample compiled with french language support

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe  (PID: 3704)
      • BraveUpdate.exe (PID: 3504)
    • The sample compiled with japanese language support

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe  (PID: 3704)
      • BraveUpdate.exe (PID: 3504)
    • The sample compiled with korean language support

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe  (PID: 3704)
      • BraveUpdate.exe (PID: 3504)
    • The sample compiled with polish language support

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe  (PID: 3704)
      • BraveUpdate.exe (PID: 3504)
    • The sample compiled with swedish language support

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe  (PID: 3704)
      • BraveUpdate.exe (PID: 3504)
    • The sample compiled with portuguese language support

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe  (PID: 3704)
      • BraveUpdate.exe (PID: 3504)
    • The sample compiled with slovak language support

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe  (PID: 3704)
      • BraveUpdate.exe (PID: 3504)
    • The sample compiled with chinese language support

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe  (PID: 3704)
      • BraveUpdate.exe (PID: 3504)
    • The sample compiled with russian language support

      • BraveUpdate.exe (PID: 3504)
      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe  (PID: 3704)
    • The sample compiled with turkish language support

      • 27c0305b-0dac-437e-be2b-f672ce076be0.exe  (PID: 3704)
      • BraveUpdate.exe (PID: 3504)
    • Brave updater related mutex has been found

      • BraveUpdate.exe (PID: 3504)
      • BraveUpdate.exe (PID: 2400)
      • BraveUpdate.exe (PID: 1132)
      • BraveUpdate.exe (PID: 6748)
      • BraveUpdate.exe (PID: 3392)
      • BraveUpdate.exe (PID: 7032)
    • Reads the computer name

      • BraveUpdateComRegisterShell64.exe (PID: 6900)
      • BraveUpdateComRegisterShell64.exe (PID: 4528)
      • BraveUpdateComRegisterShell64.exe (PID: 6540)
      • BraveUpdate.exe (PID: 2400)
      • BraveUpdate.exe (PID: 6748)
      • BraveUpdate.exe (PID: 1132)
      • svchost.exe (PID: 2400)
      • brave_installer-x64.exe (PID: 1468)
      • setup.exe (PID: 4692)
      • setup.exe (PID: 2108)
      • BraveUpdate.exe (PID: 3392)
      • BraveUpdate.exe (PID: 7032)
      • brave.exe (PID: 856)
      • chrmstp.exe (PID: 3872)
      • chrmstp.exe (PID: 6304)
      • brave.exe (PID: 432)
      • brave.exe (PID: 440)
      • elevation_service.exe (PID: 2432)
      • chrmstp.exe (PID: 5460)
      • chrmstp.exe (PID: 6452)
      • brave.exe (PID: 4228)
    • Checks proxy server information

      • BraveUpdate.exe (PID: 2400)
      • BraveUpdate.exe (PID: 6748)
      • brave.exe (PID: 856)
      • slui.exe (PID: 5968)
    • Process checks computer location settings

      • BraveUpdate.exe (PID: 3504)
      • brave.exe (PID: 856)
      • brave.exe (PID: 4116)
      • brave.exe (PID: 2532)
    • Reads the machine GUID from the registry

      • BraveUpdate.exe (PID: 2400)
      • BraveUpdate.exe (PID: 1132)
      • BraveUpdate.exe (PID: 6748)
      • BraveUpdate.exe (PID: 3392)
      • brave.exe (PID: 856)
    • Reads the software policy settings

      • BraveUpdate.exe (PID: 2400)
      • BraveUpdate.exe (PID: 1132)
      • BraveUpdate.exe (PID: 6748)
      • BraveUpdate.exe (PID: 3392)
      • slui.exe (PID: 5968)
    • Creates files in the program directory

      • BraveUpdate.exe (PID: 1132)
      • brave_installer-x64.exe (PID: 1468)
      • setup.exe (PID: 4692)
      • setup.exe (PID: 2108)
    • Manual execution by a user

      • explorer.exe (PID: 1944)
      • svchost.exe (PID: 1936)
      • chrmstp.exe (PID: 3872)
    • Launching a file from a Registry key

      • svchost.exe (PID: 2400)
      • setup.exe (PID: 4692)
      • explorer.exe (PID: 1160)
    • Creates files or folders in the user directory

      • setup.exe (PID: 2108)
      • chrmstp.exe (PID: 6304)
      • brave.exe (PID: 856)
      • brave.exe (PID: 440)
      • chrmstp.exe (PID: 6452)
    • Disables trace logs

      • brave.exe (PID: 856)
    • Reads CPU info

      • brave.exe (PID: 856)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
All screenshots are available in the full report
Total processes: 192
Monitored processes: 58
Malicious processes: 42
Suspicious processes: 2

Behavior graph

Flattened process tree as exported from the graph. "start" and "drop and start" are the edge labels; "#JEEFO" marks a process hit by the Jeefo detection; "no specs" marks a process with no recorded indicators. The 58 nodes match the 58 monitored processes above.

27c0305b-0dac-437e-be2b-f672ce076be0.exe (#JEEFO)
27c0305b-0dac-437e-be2b-f672ce076be0.exe  (dropped copy; file name carries a trailing space)
braveupdate.exe
braveupdate.exe (no specs)
braveupdatecomregistershell64.exe (no specs) x3
braveupdate.exe x3
icsys.icn.exe (#JEEFO)
explorer.exe (#JEEFO)
spoolsv.exe
svchost.exe (#JEEFO)
spoolsv.exe (no specs)
explorer.exe (no specs)
svchost.exe (no specs)
slui.exe
brave_installer-x64.exe
setup.exe
setup.exe (no specs)
setup.exe
setup.exe (no specs)
braveupdate.exe
braveupdateondemand.exe (no specs)
braveupdate.exe (no specs)
brave.exe x2
chrmstp.exe x4
brave.exe x2
elevation_service.exe
brave.exe x4
chrmstp.exe x4
brave.exe x12
csrss.exe
csrss.exe (#JEEFO)
27c0305b-0dac-437e-be2b-f672ce076be0.exe (no specs)

Process information

Each entry below gives the PID with its parent process, the command line (CMD), the image path, the recorded process properties and the first loaded modules.
PID 432 (parent: brave.exe)
CMD: "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=gpu-process --no-pre-read-main-dll --force-high-res-timeticks=disabled --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2012,i,9126287562199169495,12146382408267255576,262144 --variations-seed-version=main@4d604d3d277d579b022fec268db522254da37c7d --mojo-platform-channel-handle=2008 /prefetch:2
Path: C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
User: admin
Company: Brave Software, Inc.
Integrity Level: LOW
Description: Brave Browser
Version: 138.1.80.122
Modules (images):
c:\program files\bravesoftware\brave-browser\application\brave.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\bravesoftware\brave-browser\application\138.1.80.122\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll
PID 440 (parent: brave.exe)
CMD: "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --force-high-res-timeticks=disabled --start-stack-profiler --field-trial-handle=2012,i,9126287562199169495,12146382408267255576,262144 --variations-seed-version=main@4d604d3d277d579b022fec268db522254da37c7d --mojo-platform-channel-handle=2288 /prefetch:3
Path: C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
User: admin
Company: Brave Software, Inc.
Integrity Level: MEDIUM
Description: Brave Browser
Version: 138.1.80.122
Modules (images):
c:\program files\bravesoftware\brave-browser\application\brave.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\bravesoftware\brave-browser\application\138.1.80.122\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll
PID 504 (parent: explorer.exe)
CMD: "C:\Users\admin\Desktop\27c0305b-0dac-437e-be2b-f672ce076be0.exe"
Path: C:\Users\admin\Desktop\27c0305b-0dac-437e-be2b-f672ce076be0.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
c:\users\admin\desktop\27c0305b-0dac-437e-be2b-f672ce076be0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
Note: the sample carries no Company or Description resource and loads msvbvm60.dll, the Visual Basic 6 runtime; this is consistent with LinkerVersion 6 and the Project1 / TJprojMain version strings in the EXIF section, and with the HKCU\SOFTWARE\VB and VBA Program Settings key it writes (see Modification events).
PID 524
CMD: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Path: C:\Windows\System32\csrss.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Client Server Runtime Process
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID 608
CMD: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Path: C:\Windows\System32\csrss.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Client Server Runtime Process
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID 856 (parent: BraveUpdate.exe)
CMD: "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --from-installer
Path: C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
User: admin
Company: Brave Software, Inc.
Integrity Level: MEDIUM
Description: Brave Browser
Version: 138.1.80.122
Modules (images):
c:\program files\bravesoftware\brave-browser\application\brave.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\program files\bravesoftware\brave-browser\application\138.1.80.122\chrome_elf.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\advapi32.dll
PID 1128 (parent: brave.exe)
CMD: "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --force-high-res-timeticks=disabled --field-trial-handle=2012,i,9126287562199169495,12146382408267255576,262144 --variations-seed-version=main@4d604d3d277d579b022fec268db522254da37c7d --mojo-platform-channel-handle=4928 /prefetch:8
Path: C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
User: admin
Company: Brave Software, Inc.
Integrity Level: LOW
Description: Brave Browser
Exit code: 0
Version: 138.1.80.122
Modules (images):
c:\program files\bravesoftware\brave-browser\application\brave.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\bravesoftware\brave-browser\application\138.1.80.122\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll
PID 1132 (parent: services.exe)
CMD: "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /svc
Path: C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
User: SYSTEM
Company: BraveSoftware Inc.
Integrity Level: SYSTEM
Description: BraveSoftware Update
Exit code: 0
Version: 1.3.361.151
Modules (images):
c:\program files (x86)\bravesoftware\update\braveupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID 1160 (parent: icsys.icn.exe)
CMD: c:\windows\resources\themes\explorer.exe
Path: C:\Windows\Resources\Themes\explorer.exe
User: admin
Integrity Level: HIGH
Version: 1.00
Modules (images):
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID 1388 (parent: brave.exe)
CMD: "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --force-high-res-timeticks=disabled --field-trial-handle=2012,i,9126287562199169495,12146382408267255576,262144 --variations-seed-version=main@4d604d3d277d579b022fec268db522254da37c7d --mojo-platform-channel-handle=5700 /prefetch:8
Path: C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
User: admin
Company: Brave Software, Inc.
Integrity Level: LOW
Description: Brave Browser
Exit code: 0
Version: 138.1.80.122
Modules (images):
c:\program files\bravesoftware\brave-browser\application\brave.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\bravesoftware\brave-browser\application\138.1.80.122\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll
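The process table above shows the pattern a triage script should catch without a signature: an explorer.exe running from C:\Windows\Resources\Themes with icsys.icn.exe as its parent, at HIGH integrity, next to legitimate Brave and csrss.exe processes. The following is an added example, not ANY.RUN tooling or output. Its sample records are taken from the entries printed above; the report does not print an image path or parent for svchost.exe (PID 2400), so that one record is constructed and marked ASSUMED, and the parent of the two csrss.exe entries is left as None because the report omits it.

```python
"""Process-tree triage over records shaped like the ANY.RUN process table above.

Added example, not ANY.RUN output or tooling. SAMPLE is taken from the process
entries printed in this report; the one record the report does not fully print
(svchost.exe PID 2400) is marked ASSUMED.
"""
from dataclasses import dataclass
from typing import Optional
import ntpath


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str              # full image path as the sandbox reported it
    parent: Optional[str]   # parent image name; None when the report omits it
    user: str
    integrity: str          # LOW / MEDIUM / HIGH / SYSTEM


# Directories where Windows keeps the genuine binaries of these names (lower-case).
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
}
# Parents that legitimately start these images.
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "spoolsv.exe": {"services.exe"},
    "csrss.exe": {"smss.exe"},
}
# Directories that should never host a running executable; this report shows the
# dropper planting icsys.icn.exe and a fake explorer.exe under Resources\Themes.
NO_EXEC_DIRS = (r"c:\windows\resources\themes",)


def _under(directory: str, root: str) -> bool:
    """True when `directory` equals `root` or lies below it (both lower-case)."""
    return directory == root or directory.startswith(root + "\\")


def triage(procs):
    """Return a sorted list of (pid, rule_name) findings for the given records."""
    findings = []
    for p in procs:
        directory, name = ntpath.split(p.image)
        directory, name = directory.lower().rstrip("\\"), name.lower()

        expected = EXPECTED_DIRS.get(name)
        if expected is not None and directory not in expected:
            findings.append((p.pid, "system_name_outside_expected_dir"))

        parents = EXPECTED_PARENTS.get(name)
        # Unknown parent (None) is not evidence either way, so it is skipped.
        if parents is not None and p.parent is not None and p.parent.lower() not in parents:
            findings.append((p.pid, "unexpected_parent"))

        if any(_under(directory, root) for root in NO_EXEC_DIRS):
            findings.append((p.pid, "exec_from_resource_dir"))

        # An elevated process whose image lives in a user profile is worth a look;
        # here it is the sample itself, run as HIGH from the Desktop.
        if p.integrity == "HIGH" and _under(directory, r"c:\users"):
            findings.append((p.pid, "high_integrity_from_user_dir"))
    return sorted(findings)


SAMPLE = [
    Proc(504, r"C:\Users\admin\Desktop\27c0305b-0dac-437e-be2b-f672ce076be0.exe", "explorer.exe", "admin", "HIGH"),
    Proc(1160, r"C:\Windows\Resources\Themes\explorer.exe", "icsys.icn.exe", "admin", "HIGH"),
    Proc(524, r"C:\Windows\System32\csrss.exe", None, "SYSTEM", "SYSTEM"),
    Proc(608, r"C:\Windows\System32\csrss.exe", None, "SYSTEM", "SYSTEM"),
    Proc(1132, r"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe", "services.exe", "SYSTEM", "SYSTEM"),
    Proc(432, r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe", "brave.exe", "admin", "LOW"),
    # ASSUMED: the report lists svchost.exe (PID 2400) under "Starts itself from
    # another location" but prints neither its image path nor its parent; this
    # record is constructed to exercise the parent and location rules.
    Proc(2400, r"C:\Windows\Resources\Themes\svchost.exe", "explorer.exe", "admin", "HIGH"),
]

if __name__ == "__main__":
    for pid, rule in triage(SAMPLE):
        print(pid, rule)
```

Run against the sample it flags only PIDs 504, 1160 and the assumed 2400; the genuine csrss.exe, the Brave service and the sandboxed brave.exe child produce nothing, which is the behaviour you want before pointing the same rules at a real Sysmon or EDR export.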
Total events: 26 077
Read events: 23 457
Write events: 2 510
Delete events: 110

Modification events

PID 504, 27c0305b-0dac-437e-be2b-f672ce076be0.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write | Name: LO | Value: 1
(The "VB and VBA Program Settings" hive is where the Visual Basic 6 SaveSetting call stores its values; "Explorer" is the application name the sample passes, not the Windows shell.)

PID 6900, BraveUpdateComRegisterShell64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}\InprocServer32
Operation: write | Name: ThreadingModel | Value: Both

PID 6900, BraveUpdateComRegisterShell64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32
Operation: write | Name: ThreadingModel | Value: Both

PID 6900, BraveUpdateComRegisterShell64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{574CD5D7-BB52-41CC-933D-426ECCD4481C}\InprocHandler32
Operation: write | Name: ThreadingModel | Value: Both

PID 6900, BraveUpdateComRegisterShell64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F292661-9599-457E-AB6A-9E8DB62FDC72}\InProcServer32
Operation: write | Name: ThreadingModel | Value: Both

PID 4528, BraveUpdateComRegisterShell64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}\InprocServer32
Operation: delete key | Name: (default)

PID 4528, BraveUpdateComRegisterShell64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}
Operation: delete key | Name: (default)

PID 4528, BraveUpdateComRegisterShell64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}\InprocServer32
Operation: write | Name: ThreadingModel | Value: Both

PID 4528, BraveUpdateComRegisterShell64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32
Operation: delete key | Name: (default)

PID 4528, BraveUpdateComRegisterShell64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}
Operation: delete key | Name: (default)
Executable files: 154
Suspicious files: 117
Text files: 95
Unknown types: 53

Dropped files

Each entry: dropping PID and process, dropped file path and type, MD5, SHA256. The process name of PID 3704 is quoted because it ends in a space, exactly as the sandbox recorded it.

PID 3704, "27c0305b-0dac-437e-be2b-f672ce076be0.exe "
C:\Windows\SystemTemp\GUMDA20.tmp\BraveUpdate.exe (executable)
MD5: DD8FB14489BFE64E1C78F4F9670A6262
SHA256: 7BA69E05EC0F2C37511D04C1B5F31D38F23CE2F788CE57ADAE15C5495F414858

PID 3704, "27c0305b-0dac-437e-be2b-f672ce076be0.exe "
C:\Windows\SystemTemp\GUMDA20.tmp\BraveCrashHandler.exe (executable)
MD5: A4266DE745A0110C56DDCF8FEF6EE274
SHA256: 961CC808E9F845EEB4498224CC24BEA911D0AFFBA04BD6FA5B42730B0C320E65

PID 504, 27c0305b-0dac-437e-be2b-f672ce076be0.exe
C:\Windows\Resources\Themes\icsys.icn.exe (executable)
MD5: 2D263E3AA5F3016F959AE825D60C75C8
SHA256: 2E43110CB8666470094E7EF86343D22C14CF3F642D4C93BD3DB036EC0245E186

PID 504, 27c0305b-0dac-437e-be2b-f672ce076be0.exe
"C:\Users\admin\Desktop\27c0305b-0dac-437e-be2b-f672ce076be0.exe " (executable; note the trailing space in the file name)
MD5: 029643459F24C9F383539E29D0EBC63A
SHA256: 491B879CD5FA10E65EEFD5BDFDF3D570BF1ECDCF1B268B90828EE0CE17CD3725

PID 3704, "27c0305b-0dac-437e-be2b-f672ce076be0.exe "
C:\Windows\SystemTemp\GUMDA20.tmp\BraveCrashHandler64.exe (executable)
MD5: 6DE64703572EB688046EB56993F94838
SHA256: 5FB8EC941AEC444F0C1FC2FC3B3CB3DEB41F551F171EE74AF789623B32ADAB24

PID 3704, "27c0305b-0dac-437e-be2b-f672ce076be0.exe "
C:\Windows\SystemTemp\GUMDA20.tmp\psmachine.dll (executable)
MD5: 5FEE50C060A6EFE63D42184B2D180E74
SHA256: 1F56896475A6336BD9437F5B83C8CB57750FB34BF15D95AE5BA13A0E9CB0AC3B

PID 3704, "27c0305b-0dac-437e-be2b-f672ce076be0.exe "
C:\Windows\SystemTemp\GUMDA20.tmp\BraveUpdateCore.exe (executable)
MD5: B54125C21C5F4D06A80970FE84411731
SHA256: A5C65977432D5B84F6002CAFE886A7B2D5B0EECD9114640DD572BA99842A1F35

PID 3704, "27c0305b-0dac-437e-be2b-f672ce076be0.exe "
C:\Windows\SystemTemp\GUMDA20.tmp\psuser_64.dll (executable)
MD5: 5FC903677AC780B8FBA8C947E89C86E5
SHA256: 87FD6AA1ABFC83A5E08824D5056B571695382DD34513EB734B30456EA6C6ECFF

PID 3704, "27c0305b-0dac-437e-be2b-f672ce076be0.exe "
C:\Windows\SystemTemp\GUMDA20.tmp\psmachine_arm64.dll (executable)
MD5: 96279D9D3B8913C7A0427C3DF5ED5E32
SHA256: 3A6C8416508B6CDD8408DE071442A2273722034C3C069B662983BCB0D28F2B4C

PID 3704, "27c0305b-0dac-437e-be2b-f672ce076be0.exe "
C:\Windows\SystemTemp\GUMDA20.tmp\BraveCrashHandlerArm64.exe (executable)
MD5: 37D0A868EC5044E4D153BED1757D6710
SHA256: 866DDEEE5C54E5FCB4397ACC57112A96F82BDA7BF46CF959FAD7C2EAA755852C

Note: the copy that PID 504 writes back to the Desktop carries a trailing space in its name (this is what the "Starts application with an unusual extension" indicator above refers to) and does not hash to the analysed sample (MD5 029643459F24C9F383539E29D0EBC63A versus 37739593849E91C3118BEB48ACB41923). That file is the process recorded as PID 3704, and it is the one that writes the Brave updater components into C:\Windows\SystemTemp\GUMDA20.tmp, so the Brave installer activity that fills the rest of this report originates from that dropped copy. The files the original sample itself plants are the Jeefo-tagged ones under C:\Windows\Resources\Themes (icsys.icn.exe and the explorer.exe it launches).
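Two of the dropped-file entries above are the ones worth hunting for on other hosts: the planted C:\Windows\Resources\Themes\icsys.icn.exe and the Desktop copy whose name ends in a space. That trailing space is the trap for a naive hunt: Win32 path parsing drops trailing spaces and dots, so the same file shows up as "...c076be0.exe" in most tooling and an exact filename comparison misses one side or the other. The following is an added example, not ANY.RUN tooling; REPORT_IOCS is copied from the table above, the tree it hunts is whatever directory is passed in, and demo() builds a throwaway tree of constructed stand-in files (not the malware) so the logic can be exercised offline.

```python
"""Hunt a directory tree for the dropped-file IOCs listed in the table above.

Added example, not ANY.RUN tooling. REPORT_IOCS is copied from the report's
"Dropped files" table. demo() builds a temporary tree of constructed stand-in
files so the hunt can be run without the real sample.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class IOC:
    path: str     # path as the sandbox printed it (Windows form)
    sha256: str   # upper-case hex as printed in the report


REPORT_IOCS = [
    IOC(r"C:\Windows\Resources\Themes\icsys.icn.exe",
        "2E43110CB8666470094E7EF86343D22C14CF3F642D4C93BD3DB036EC0245E186"),
    # Verbatim from the report, trailing space included.
    IOC("C:\\Users\\admin\\Desktop\\27c0305b-0dac-437e-be2b-f672ce076be0.exe ",
        "491B879CD5FA10E65EEFD5BDFDF3D570BF1ECDCF1B268B90828EE0CE17CD3725"),
]


def normalize_name(name: str) -> str:
    """Fold a file name the way Win32 path parsing does: trailing spaces and
    dots are dropped and comparison is case-insensitive. A file created as
    "x.exe " through the extended-length path form is listed as "x.exe"."""
    return name.rstrip(" .").lower()


def base_name(path: str) -> str:
    """Last component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def hunt(root: str, iocs):
    """Walk `root`; return sorted (local_path, match_kind, ioc_path) tuples.
    A hash match is authoritative and suppresses the weaker name match."""
    by_hash = {i.sha256.upper(): i for i in iocs}
    by_name = {}
    for i in iocs:
        by_name.setdefault(normalize_name(base_name(i.path)), []).append(i)
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                digest = sha256_file(full)
            except OSError:
                continue          # unreadable file: skip it, do not abort the hunt
            if digest in by_hash:
                hits.append((full, "sha256", by_hash[digest].path))
                continue
            for i in by_name.get(normalize_name(fn), []):
                hits.append((full, "name", i.path))
    return sorted(hits)


def demo():
    """Build a constructed tree (stand-in content, not the malware) and hunt it.
    Returns the set of (normalized basename, match kind) pairs found."""
    root = tempfile.mkdtemp(prefix="ioc_hunt_")
    try:
        body = b"constructed stand-in content; its hash is registered as an extra IOC"
        extra = IOC(r"C:\tmp\renamed-copy.exe", hashlib.sha256(body).hexdigest().upper())
        with open(os.path.join(root, "renamed-copy.bin"), "wb") as f:
            f.write(body)                                  # wrong name, matching hash
        # Name exactly as the report prints it. On Windows the Win32 layer strips
        # the trailing space at create time; on POSIX it is kept. Either way the
        # normalized name matches the IOC.
        with open(os.path.join(root, "27c0305b-0dac-437e-be2b-f672ce076be0.exe "), "wb") as f:
            f.write(b"different content, so only the name can match")
        with open(os.path.join(root, "ICSYS.ICN.EXE"), "wb") as f:
            f.write(b"case differs, hash differs")
        with open(os.path.join(root, "unrelated.txt"), "wb") as f:
            f.write(b"no match expected")
        hits = hunt(root, REPORT_IOCS + [extra])
        return {(normalize_name(os.path.basename(p)), kind) for p, kind, _ in hits}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for item in sorted(demo()):
        print(*item)
```

On a live host, point hunt() at the roots the report names (C:\Windows\Resources\Themes and the user profiles); treat a "sha256" hit as confirmed and a "name" hit as a lead to verify, since a renamed clean file can share a name but never a hash.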
HTTP(S) requests
88
TCP/UDP connections
82
DNS requests
39
Threats
4

HTTP requests

Columns: PID and process, method and HTTP code, server IP:port, URL, certificate CN, content type and size, reputation. Rows for which the sandbox recorded no PID/process are marked "(no PID)".

(no PID) | GET 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | whitelisted
(no PID) | POST 200 | 52.85.65.61:443 | https://updates.bravesoftware.com/service/update2 | CN: unknown | xml, 250 b
(no PID) | GET 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | whitelisted
5944 MoUsoCoreWorker.exe | GET 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | whitelisted
(no PID) | GET 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | whitelisted
(no PID) | GET 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | whitelisted
5944 MoUsoCoreWorker.exe | GET 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | whitelisted
(no PID) | GET 404 | 18.64.79.23:443 | https://dl.brave.com/update2/installers/icons/%7BAFE6A462-C574-4B8A-AF43-4CC60DF4563B%7D.bmp | CN: unknown
(no PID) | POST 200 | 52.85.65.63:443 | https://updates.bravesoftware.com/service/update2?cup2key=2:W7sH33k-Y0S4G2v7clr5wVOr9ZXJm_ORBK-dBDK3CQI&cup2hreq=8d61acfc4ee9e80f95b0a4951322d721507236cd1ac473007b7669c02980ecbe | CN: unknown | xml, 7.97 Kb
(no PID) | HEAD 200 | 52.85.65.16:443 | https://updates-cdn.bravesoftware.com/build/Brave-Release/release/win/138.1.80.122/x64/brave_installer-x64.exe | CN: unknown

Connections

Columns: PID and process, IP:port, domain, ASN, country, reputation. Rows for which the sandbox recorded no PID/process are marked "(no PID)".

4 System | 192.168.100.255:137 | whitelisted
5944 MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
(no PID) | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 System | 192.168.100.255:138 | whitelisted
(no PID) | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
(no PID) | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2400 BraveUpdate.exe | 52.85.65.61:443 | updates.bravesoftware.com | AMAZON-02 | US | shared
1132 BraveUpdate.exe | 52.85.65.61:443 | updates.bravesoftware.com | AMAZON-02 | US | shared

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
updates.bravesoftware.com
  • 52.85.65.61
  • 52.85.65.48
  • 52.85.65.40
  • 52.85.65.63
  • 3.171.214.65
  • 3.171.214.82
  • 3.171.214.112
  • 3.171.214.3
shared
dl.brave.com
  • 54.230.228.70
  • 54.230.228.61
  • 54.230.228.87
  • 54.230.228.96
whitelisted
updates-cdn.bravesoftware.com
  • 52.85.65.16
  • 52.85.65.111
  • 52.85.65.125
  • 52.85.65.37
whitelisted
login.live.com
  • 20.190.159.128
  • 40.126.31.1
  • 20.190.159.4
  • 20.190.159.129
  • 20.190.159.68
  • 40.126.31.128
  • 20.190.159.2
  • 20.190.159.75
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted

Threats

Columns: PID and process, Suricata class, message.

440 brave.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt (4 alerts; PID 440 is the Brave network service process listed above)
Debug output

brave.exe: [0718/154910.561:ERROR:third_party\crashpad\crashpad\client\crash_report_database_win.cc:613] CreateDirectory C:\Users\admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Crashpad: The system cannot find the path specified. (0x3)