URL:

https://hygreen.qa/index.php?36figa

Full analysis: https://app.any.run/tasks/a4a43c3a-a2b5-4100-bd18-9c17d2279d9d
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: June 21, 2025, 04:43:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-scr
opera
tool
stealer
Indicators:
MD5:

0F9822F2550D1411C82106BA45EC8494

SHA1:

DDBFE89692981A8950CF02A75E8916E584E7BB6F

SHA256:

47C8066AF66C897ABBBD85FC2DC4001CB75D6CDF4A0827670CB9BF96191B37E4

SSDEEP:

3:N8gDMKbH+:2gDMKbH+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • opera.exe (PID: 4456)
    • Actions look like stealing of personal data

      • opera.exe (PID: 4456)
    • Steals credentials from Web Browsers

      • opera.exe (PID: 4456)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • OperaGXSetup(1).exe (PID: 7664)
      • setup.exe (PID: 5904)
      • setup.exe (PID: 6700)
      • setup.exe (PID: 592)
      • setup.exe (PID: 6492)
      • Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe (PID: 2632)
      • installer.exe (PID: 3752)
      • setup.exe (PID: 7632)
      • installer.exe (PID: 6256)
      • installer.exe (PID: 9984)
      • installer.exe (PID: 9260)
      • opera_autoupdate.exe (PID: 6776)
      • installer.exe (PID: 8200)
      • opera.exe (PID: 9740)
    • Application launched itself

      • setup.exe (PID: 6492)
      • setup.exe (PID: 592)
      • assistant_installer.exe (PID: 2320)
      • installer.exe (PID: 3752)
      • opera.exe (PID: 4456)
      • opera_autoupdate.exe (PID: 6492)
      • installer.exe (PID: 9984)
      • opera_autoupdate.exe (PID: 6776)
    • Reads security settings of Internet Explorer

      • setup.exe (PID: 6492)
      • installer.exe (PID: 3752)
      • opera.exe (PID: 11352)
    • Starts itself from another location

      • setup.exe (PID: 6492)
    • There is functionality for taking screenshots (YARA)

      • setup.exe (PID: 6492)
      • setup.exe (PID: 5904)
    • Creates a software uninstall entry

      • installer.exe (PID: 3752)
    • Reads the date of Windows installation

      • installer.exe (PID: 3752)
      • opera.exe (PID: 4456)
    • Searches for installed software

      • installer.exe (PID: 3752)
    • The process checks if it is being run in the virtual environment

      • opera.exe (PID: 4456)
    • The process executes via Task Scheduler

      • opera_autoupdate.exe (PID: 6776)
    • Reads Mozilla Firefox installation path

      • opera.exe (PID: 4456)
  • INFO

    • Reads Microsoft Office registry keys

      • firefox.exe (PID: 1944)
    • Application launched itself

      • firefox.exe (PID: 3884)
      • firefox.exe (PID: 1944)
    • Launching a file from the Downloads directory

      • firefox.exe (PID: 1944)
    • Creates files in a temporary directory

      • OperaGXSetup(1).exe (PID: 7664)
      • setup.exe (PID: 5904)
      • setup.exe (PID: 6492)
      • setup.exe (PID: 6700)
      • setup.exe (PID: 592)
      • setup.exe (PID: 7632)
      • Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe (PID: 2632)
      • installer.exe (PID: 3752)
      • installer.exe (PID: 6256)
      • opera.exe (PID: 4456)
      • installer.exe (PID: 9984)
      • installer.exe (PID: 9260)
      • installer.exe (PID: 8200)
      • opera_autoupdate.exe (PID: 6776)
    • The sample was compiled with English language support

      • setup.exe (PID: 6492)
      • OperaGXSetup(1).exe (PID: 7664)
      • setup.exe (PID: 5904)
      • setup.exe (PID: 6700)
      • setup.exe (PID: 592)
      • Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe (PID: 2632)
      • installer.exe (PID: 3752)
      • setup.exe (PID: 7632)
      • installer.exe (PID: 6256)
      • installer.exe (PID: 9984)
      • installer.exe (PID: 9260)
      • opera_autoupdate.exe (PID: 6776)
      • installer.exe (PID: 8200)
      • firefox.exe (PID: 1944)
      • opera.exe (PID: 9740)
    • Reads the computer name

      • setup.exe (PID: 6492)
      • setup.exe (PID: 592)
      • assistant_installer.exe (PID: 2320)
      • opera.exe (PID: 4456)
      • installer.exe (PID: 3752)
      • opera.exe (PID: 4880)
      • opera.exe (PID: 6672)
      • opera_gx_splash.exe (PID: 8480)
      • opera.exe (PID: 8664)
      • opera_autoupdate.exe (PID: 6492)
      • installer.exe (PID: 9984)
      • opera_autoupdate.exe (PID: 6776)
      • opera.exe (PID: 11352)
    • Executable content was dropped or overwritten

      • firefox.exe (PID: 1944)
    • Checks supported languages

      • setup.exe (PID: 5904)
      • setup.exe (PID: 6492)
      • OperaGXSetup(1).exe (PID: 7664)
      • setup.exe (PID: 6700)
      • setup.exe (PID: 7632)
      • setup.exe (PID: 592)
      • Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe (PID: 2632)
      • installer.exe (PID: 3752)
      • assistant_installer.exe (PID: 2320)
      • assistant_installer.exe (PID: 4576)
      • installer.exe (PID: 6256)
      • opera.exe (PID: 7120)
      • opera_crashreporter.exe (PID: 7276)
      • opera.exe (PID: 4456)
      • opera.exe (PID: 6672)
      • opera.exe (PID: 4880)
      • opera.exe (PID: 2464)
      • opera.exe (PID: 5168)
      • opera.exe (PID: 8196)
      • opera.exe (PID: 7548)
      • opera.exe (PID: 7680)
      • opera.exe (PID: 3652)
      • opera_gx_splash.exe (PID: 8480)
      • opera.exe (PID: 8824)
      • opera.exe (PID: 8864)
      • opera.exe (PID: 8940)
      • opera.exe (PID: 8964)
      • opera.exe (PID: 9032)
      • opera.exe (PID: 6732)
      • opera.exe (PID: 9044)
      • opera.exe (PID: 9056)
      • opera.exe (PID: 8972)
      • opera.exe (PID: 9108)
      • opera.exe (PID: 9124)
      • opera.exe (PID: 9064)
      • opera.exe (PID: 9140)
      • opera.exe (PID: 9132)
      • opera.exe (PID: 8644)
      • opera.exe (PID: 8232)
      • opera.exe (PID: 8324)
      • opera.exe (PID: 7620)
      • opera.exe (PID: 8212)
      • opera.exe (PID: 592)
      • opera.exe (PID: 8664)
      • opera.exe (PID: 8588)
      • opera.exe (PID: 9464)
      • opera.exe (PID: 9212)
      • opera.exe (PID: 9448)
      • opera.exe (PID: 9036)
      • opera.exe (PID: 9456)
      • installer.exe (PID: 9984)
      • opera.exe (PID: 9468)
      • opera.exe (PID: 9440)
      • opera.exe (PID: 9748)
      • opera.exe (PID: 9736)
      • opera.exe (PID: 10056)
      • opera.exe (PID: 10068)
      • opera.exe (PID: 9156)
      • installer.exe (PID: 9260)
      • opera_autoupdate.exe (PID: 9252)
      • opera.exe (PID: 9148)
      • opera.exe (PID: 10236)
      • opera_autoupdate.exe (PID: 6492)
      • opera.exe (PID: 9200)
      • opera_autoupdate.exe (PID: 6776)
      • opera_autoupdate.exe (PID: 10316)
      • opera.exe (PID: 11452)
      • opera.exe (PID: 11840)
      • opera.exe (PID: 11496)
      • opera.exe (PID: 11656)
      • opera.exe (PID: 11924)
      • opera.exe (PID: 11432)
      • opera.exe (PID: 11852)
      • opera.exe (PID: 11932)
      • opera.exe (PID: 12004)
      • opera.exe (PID: 10392)
      • opera.exe (PID: 11352)
      • opera.exe (PID: 11564)
      • opera.exe (PID: 12164)
      • opera.exe (PID: 12128)
      • opera.exe (PID: 12200)
      • opera.exe (PID: 12252)
      • opera.exe (PID: 12244)
      • opera.exe (PID: 4080)
      • opera.exe (PID: 9968)
      • opera.exe (PID: 8296)
      • opera.exe (PID: 7684)
      • opera.exe (PID: 8404)
      • opera.exe (PID: 2620)
      • opera.exe (PID: 11996)
      • opera.exe (PID: 12084)
      • opera.exe (PID: 7992)
      • opera.exe (PID: 8220)
      • installer.exe (PID: 8200)
      • opera.exe (PID: 10612)
      • opera.exe (PID: 6492)
      • opera.exe (PID: 11556)
      • opera.exe (PID: 8548)
      • opera.exe (PID: 10108)
      • opera.exe (PID: 9772)
      • opera.exe (PID: 9740)
      • opera.exe (PID: 9856)
      • opera.exe (PID: 11740)
      • opera.exe (PID: 11432)
      • opera.exe (PID: 9244)
    • Creates files or folders in the user directory

      • setup.exe (PID: 5904)
      • setup.exe (PID: 6492)
      • setup.exe (PID: 592)
      • installer.exe (PID: 3752)
      • opera.exe (PID: 4456)
      • opera.exe (PID: 6672)
      • opera.exe (PID: 11352)
      • opera_autoupdate.exe (PID: 6776)
    • Reads the software policy settings

      • setup.exe (PID: 6492)
      • slui.exe (PID: 8724)
    • Checks proxy server information

      • setup.exe (PID: 6492)
      • opera.exe (PID: 4456)
      • opera.exe (PID: 11352)
      • opera_autoupdate.exe (PID: 6492)
      • opera_autoupdate.exe (PID: 6776)
      • slui.exe (PID: 8724)
    • Reads the machine GUID from the registry

      • setup.exe (PID: 6492)
      • opera.exe (PID: 4456)
      • opera_autoupdate.exe (PID: 6492)
      • opera_autoupdate.exe (PID: 10316)
      • opera_autoupdate.exe (PID: 9252)
      • opera_autoupdate.exe (PID: 6776)
    • Launching a file from a Registry key

      • opera.exe (PID: 4456)
    • Process checks computer location settings

      • opera.exe (PID: 4456)
      • opera.exe (PID: 8196)
      • opera.exe (PID: 8824)
      • opera.exe (PID: 8864)
      • opera.exe (PID: 8940)
      • opera.exe (PID: 8972)
      • opera.exe (PID: 8964)
      • opera.exe (PID: 9140)
      • opera.exe (PID: 9108)
      • opera.exe (PID: 9132)
      • opera.exe (PID: 8644)
      • opera.exe (PID: 9124)
      • opera.exe (PID: 9448)
      • opera.exe (PID: 9156)
      • opera.exe (PID: 9148)
      • opera.exe (PID: 10392)
      • opera.exe (PID: 7992)
      • opera.exe (PID: 2620)
      • opera.exe (PID: 11432)
      • opera.exe (PID: 10612)
      • opera.exe (PID: 11556)
      • opera.exe (PID: 6492)
      • opera.exe (PID: 9856)
      • opera.exe (PID: 11740)
      • opera.exe (PID: 11432)
    • OPERA mutex has been found

      • opera.exe (PID: 4456)
      • opera_autoupdate.exe (PID: 6492)
      • opera_autoupdate.exe (PID: 6776)
    • Reads CPU info

      • opera.exe (PID: 4456)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 265
Monitored processes: 126
Malicious processes: 5
Suspicious processes: 2

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID: 592
CMD: "C:\Users\admin\AppData\Local\Temp\7zS0FD4BB87\setup.exe" --backend --install --import-browser-data=0 --enable-crash-reporting=1 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --vought_browser=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=6492 --package-dir-prefix="C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20250621044406" --session-guid=e3bc6c0b-5131-432d-8a63-82c70917e874 --server-tracking-blob=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 --desktopshortcut=1 --wait-for-package --initial-proc-handle=0C0B000000000000
Path: C:\Users\admin\AppData\Local\Temp\7zS0FD4BB87\setup.exe
Parent process: setup.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera GX Installer
Exit code:
0
Version:
119.0.5497.108
Modules
Images
c:\users\admin\appdata\local\temp\7zs0fd4bb87\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 592
CMD: "C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --no-pre-read-main-dll --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=on --with-feature:address-bar-dropdown-cities=off --with-feature:address-bar-dropdown-keyword-ads=on --with-feature:address-bar-dropdown-unfiltered-full=off --with-feature:ai-writing-mode-in-context-menu=on --with-feature:aria-in-tab-view=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-amazon-us-associates=off --with-feature:continue-shopping-explore=off --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-servers=off --with-feature:gx-april1st=off --with-feature:gx-post-mortem=on --with-feature:gx-reactinator=on --with-feature:gx-spotlight=on --with-feature:gx-video-to-phone=on --with-feature:hide-navigations-from-extensions=on --with-feature:panic-button=on --with-feature:play-again=on --with-feature:realtime-impressions-reporting=on --with-feature:run-at-startup-default=on --with-feature:sd-suggestions-external=on --with-feature:side-profiles=on --with-feature:sitecheck-age=on --with-feature:suggestion-redirect-handler=on --with-feature:tiktok-panel=on --with-feature:ui-compositor-multithreaded=on --with-feature:installer-experiment-test=off --ab_tests=GXCTest25-test:DNA-99214_GXCTest25,GXCTest50-ref:DNA-99214_GXCTest50 --field-trial-handle=2044,i,14529338565873039053,2389309558564742935,262144 --disable-features=CertificateTransparencyAskBeforeEnabling,PlatformSoftwareH264EncoderInGpu,UpdatableKeyPins --variations-seed-version --mojo-platform-channel-handle=9156 /prefetch:8
Path: C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe
Parent process: opera.exe
User:
admin
Company:
Opera Software
Integrity Level:
LOW
Description:
Opera GX Internet Browser
Exit code:
0
Version:
119.0.5497.108
Modules
Images
c:\users\admin\appdata\local\programs\opera gx\opera.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\programs\opera gx\119.0.5497.108\opera_elf.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll
PID: 728
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6704 -prefsLen 39438 -prefMapHandle 5380 -prefMapSize 272997 -jsInitHandle 6988 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 4760 -initialChannelId {f7d4ca33-a243-4025-9f7d-94ec69f5264b} -parentPid 1944 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1944" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 16 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140.dll
PID: 1472
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -sandboxingKind 0 -prefsHandle 4540 -prefsLen 44905 -prefMapHandle 4588 -prefMapSize 272997 -ipcHandle 4596 -initialChannelId {e8073609-9180-4448-8ea3-0d87e7ee47cb} -parentPid 1944 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1944" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 1944
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" https://hygreen.qa/index.php?36figa
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2320
CMD: "C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202506210444061\assistant\assistant_installer.exe" --version
Path: C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202506210444061\assistant\assistant_installer.exe
Parent process: setup.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera GX Browser Assistant Installer
Exit code:
0
Version:
73.0.3856.382
Modules
Images
c:\users\admin\appdata\local\temp\.opera\opera gx installer temp\opera_package_202506210444061\assistant\assistant_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2464
CMD: "C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --enable-quic --no-pre-read-main-dll --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=on --with-feature:address-bar-dropdown-cities=off --with-feature:address-bar-dropdown-keyword-ads=on --with-feature:address-bar-dropdown-unfiltered-full=off --with-feature:ai-writing-mode-in-context-menu=on --with-feature:aria-in-tab-view=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-amazon-us-associates=off --with-feature:continue-shopping-explore=off --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-servers=off --with-feature:gx-april1st=off --with-feature:gx-post-mortem=on --with-feature:gx-reactinator=on --with-feature:gx-spotlight=on --with-feature:gx-video-to-phone=on --with-feature:hide-navigations-from-extensions=on --with-feature:panic-button=on --with-feature:play-again=on --with-feature:realtime-impressions-reporting=on --with-feature:run-at-startup-default=on --with-feature:sd-suggestions-external=on --with-feature:side-profiles=on --with-feature:sitecheck-age=on --with-feature:suggestion-redirect-handler=on --with-feature:tiktok-panel=on --with-feature:ui-compositor-multithreaded=on --with-feature:installer-experiment-test=off --ab_tests=GXCTest25-test:DNA-99214_GXCTest25,GXCTest50-ref:DNA-99214_GXCTest50 --field-trial-handle=2044,i,14529338565873039053,2389309558564742935,262144 --disable-features=CertificateTransparencyAskBeforeEnabling,PlatformSoftwareH264EncoderInGpu,UpdatableKeyPins --variations-seed-version --mojo-platform-channel-handle=2448 /prefetch:8
Path: C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe
Parent process: opera.exe
User:
admin
Company:
Opera Software
Integrity Level:
LOW
Description:
Opera GX Internet Browser
Version:
119.0.5497.108
Modules
Images
c:\users\admin\appdata\local\programs\opera gx\opera.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\programs\opera gx\119.0.5497.108\opera_elf.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll
PID: 2620
CMD: "C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe" --type=renderer --extension-process --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 OPR/119.0.0.0 (Edition std-2)" --no-pre-read-main-dll --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=on --with-feature:address-bar-dropdown-cities=off --with-feature:address-bar-dropdown-keyword-ads=on --with-feature:address-bar-dropdown-unfiltered-full=off --with-feature:ai-writing-mode-in-context-menu=on --with-feature:aria-in-tab-view=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-amazon-us-associates=off --with-feature:continue-shopping-explore=off --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-servers=off --with-feature:gx-april1st=off --with-feature:gx-post-mortem=on --with-feature:gx-reactinator=on --with-feature:gx-spotlight=on --with-feature:gx-video-to-phone=on --with-feature:hide-navigations-from-extensions=on --with-feature:panic-button=on --with-feature:play-again=on --with-feature:realtime-impressions-reporting=on --with-feature:run-at-startup-default=on --with-feature:sd-suggestions-external=on --with-feature:side-profiles=on --with-feature:sitecheck-age=on --with-feature:suggestion-redirect-handler=on --with-feature:tiktok-panel=on --with-feature:ui-compositor-multithreaded=on --with-feature:installer-experiment-test=off --ab_tests=GXCTest25-test:DNA-99214_GXCTest25,GXCTest50-ref:DNA-99214_GXCTest50 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=78 --field-trial-handle=2044,i,14529338565873039053,2389309558564742935,262144 --disable-features=CertificateTransparencyAskBeforeEnabling,PlatformSoftwareH264EncoderInGpu,UpdatableKeyPins --variations-seed-version --mojo-platform-channel-handle=11664 /prefetch:2
Path: C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe
Parent process: opera.exe
User:
admin
Company:
Opera Software
Integrity Level:
LOW
Description:
Opera GX Internet Browser
Version:
119.0.5497.108
Modules
Images
c:\users\admin\appdata\local\programs\opera gx\opera.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\programs\opera gx\119.0.5497.108\opera_elf.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll
PID: 2632
CMD: "C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202506210444061\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
Path: C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202506210444061\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
Parent process: setup.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Opera installer SFX
Exit code:
0
Version:
73.0.3856.382
Modules
Images
c:\users\admin\appdata\local\temp\.opera\opera gx installer temp\opera_package_202506210444061\assistant\opera_gx_assistant_73.0.3856.382_setup.exe_sfx.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
Total events: 39 776
Read events: 39 185
Write events: 578
Delete events: 13

Modification events

(PID) Process: (1944) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0

(PID) Process: (1944) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (6492) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6492) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6492) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (592) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Opera Software
Operation: write
Name: Last Opera GX Stable Install Path
Value: C:\Users\admin\AppData\Local\Programs\Opera GX\

(PID) Process: (3752) installer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Opera Software
Operation: write
Name: Last Opera GX Stable Install Path
Value: C:\Users\admin\AppData\Local\Programs\Opera GX\

(PID) Process: (3752) installer.exe
Key: HKEY_CLASSES_ROOT\Opera GXStable
Operation: write
Name: FriendlyTypeName
Value: Opera GX Web Document

(PID) Process: (3752) installer.exe
Key: HKEY_CLASSES_ROOT\Opera GXStable
Operation: write
Name: URL Protocol
Value:

(PID) Process: (3752) installer.exe
Key: HKEY_CLASSES_ROOT\.gxanimations\OpenWithProgIDs
Operation: write
Name: Opera GXStable
Value:
Executable files: 44
Suspicious files: 1 540
Text files: 779
Unknown types: 3

Dropped files

PID
Process
Filename
Type
PID: 1944 | Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Type:
MD5:
SHA256:

PID: 1944 | Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 1944 | Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.js
Type: text
MD5: 2FD670934FEF0C60E2119BD874AAF470
SHA256: 771A7C83CA015BDBC6AB86A7BD9B1D54E40062E28942D311A9178A0FE6433CF2

PID: 1944 | Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 1944 | Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs.js
Type: text
MD5: 2FD670934FEF0C60E2119BD874AAF470
SHA256: 771A7C83CA015BDBC6AB86A7BD9B1D54E40062E28942D311A9178A0FE6433CF2

PID: 1944 | Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm
Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 1944 | Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 1944 | Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\SiteSecurityServiceState.bin
Type: binary
MD5: 66712B1CC7FA8F6F3D846055CEDD81AD
SHA256: D7AC389EF853C7B01910663ACBDB95C37DAA3F058D4CCC9CBA7AB4EA61822518

PID: 1944 | Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
Type: binary
MD5: 485CF1B75BF40A71787D53FA62F0D533
SHA256: 7410DAA6849175AEE573BD0B3FF44C2E773A1568BBECA7CFF9E410AE62E43A4B

PID: 1944 | Process: firefox.exe
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\activity-stream.contile.json.tmp
Type: binary
MD5: 5051C7888C330D0896BF043ACDC50CF4
SHA256: 3F24AA30C93B827C3E297782A597AD3C76BCFA465DD179D13A0070A07F58BFB9
HTTP(S) requests: 53
TCP/UDP connections: 258
DNS requests: 318
Threats: 69

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(two of the ten columns are empty in every captured row; fields are kept in the order the report lists them)

1944 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | whitelisted
1944 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
1944 | firefox.exe | POST | 200 | 142.250.185.163:80 | http://o.pki.goog/s/wr3/FIY | unknown | whitelisted
1944 | firefox.exe | POST | 200 | 142.250.185.163:80 | http://o.pki.goog/we2 | unknown | whitelisted
1944 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
1944 | firefox.exe | POST | 200 | 142.250.185.163:80 | http://o.pki.goog/s/wr3/azY | unknown | whitelisted
1944 | firefox.exe | POST | 200 | 184.24.77.54:80 | http://r11.o.lencr.org/ | unknown | whitelisted
1944 | firefox.exe | POST | 200 | 142.250.185.163:80 | http://o.pki.goog/s/wr3/azY | unknown | whitelisted
1944 | firefox.exe | POST | 200 | 142.250.185.163:80 | http://o.pki.goog/s/wr3/azY | unknown | whitelisted
1944 | firefox.exe | POST | 200 | 184.24.77.54:80 | http://r11.o.lencr.org/ | unknown | whitelisted

Every plaintext request captured here is Firefox housekeeping: captive-portal detection against detectportal.firefox.com and OCSP POSTs to the Google Trust Services responder (o.pki.goog) and the Let's Encrypt R11 responder (r11.o.lencr.org). No HTTP request to hygreen.qa is listed; the Connections table shows that session on 50.116.92.245:443, so its content is only recoverable from the TLS data in the PCAP.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation (- = empty in the report)

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2228 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1944 | firefox.exe | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | GOOGLE | US | whitelisted
1944 | firefox.exe | 50.116.92.245:443 | hygreen.qa | UNIFIEDLAYER-AS-1 | US | unknown
1944 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted
1944 | firefox.exe | 34.36.137.203:443 | contile.services.mozilla.com | GOOGLE-CLOUD-PLATFORM | US | whitelisted
1944 | firefox.exe | 34.149.100.209:443 | firefox.settings.services.mozilla.com | GOOGLE | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

The only endpoint without a whitelisted reputation is hygreen.qa (50.116.92.245:443, UNIFIEDLAYER-AS-1, a shared-hosting range), reached by the browser that opened the submitted URL. The 192.168.100.255:137/138 rows are NetBIOS broadcasts on the sandbox LAN and the 20.73.194.208:443 rows are Windows Update components; neither is attributable to the sample.

DNS requests

Domain | IP | Reputation

google.com | 142.250.185.238 | whitelisted
content-signature-2.cdn.mozilla.net | 34.160.144.191 | whitelisted
content-signature-chains.prod.autograph.services.mozaws.net | 34.160.144.191, 2600:1901:0:92a9:: | whitelisted
hygreen.qa | 50.116.92.245 | unknown
detectportal.firefox.com | 34.107.221.82 | whitelisted
prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82, 2600:1901:0:38d7:: | whitelisted
contile.services.mozilla.com | 34.36.137.203 | whitelisted
spocs.getpocket.com | 34.36.137.203 | whitelisted
mc.prod.ads.prod.webservices.mozgcp.net | 34.36.137.203 | whitelisted
firefox.settings.services.mozilla.com | 34.149.100.209 | whitelisted
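The Connections and DNS tables above are what an analyst pivots on: drop whitelisted and LAN-local endpoints, keep the rest, and attach every name that resolved to a surviving IP so that a shared CDN address is not mistaken for attacker infrastructure (34.36.137.203 fronts three Mozilla names here, 34.160.144.191 two). The Python below is an added example, not part of the ANY.RUN report; its records are constructed from the two tables, and the Suricata rule text it emits is a generic dns.query rule written for this example, not a signature taken from the report.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed from the report's Connections table:
# (pid, process, "ip:port", domain or "", reputation)
CONNECTIONS = [
    (4, "System", "192.168.100.255:137", "", "whitelisted"),
    (5944, "MoUsoCoreWorker.exe", "20.73.194.208:443", "", "whitelisted"),
    (1944, "firefox.exe", "34.160.144.191:443", "content-signature-2.cdn.mozilla.net", "whitelisted"),
    (1944, "firefox.exe", "50.116.92.245:443", "hygreen.qa", "unknown"),
    (1944, "firefox.exe", "34.107.221.82:80", "detectportal.firefox.com", "whitelisted"),
    (1944, "firefox.exe", "34.36.137.203:443", "contile.services.mozilla.com", "whitelisted"),
]

# Constructed from the report's DNS table: (domain, [resolved ips], reputation)
DNS = [
    ("google.com", ["142.250.185.238"], "whitelisted"),
    ("content-signature-2.cdn.mozilla.net", ["34.160.144.191"], "whitelisted"),
    ("content-signature-chains.prod.autograph.services.mozaws.net",
     ["34.160.144.191", "2600:1901:0:92a9::"], "whitelisted"),
    ("hygreen.qa", ["50.116.92.245"], "unknown"),
    ("detectportal.firefox.com", ["34.107.221.82"], "whitelisted"),
    ("contile.services.mozilla.com", ["34.36.137.203"], "whitelisted"),
    ("spocs.getpocket.com", ["34.36.137.203"], "whitelisted"),
    ("mc.prod.ads.prod.webservices.mozgcp.net", ["34.36.137.203"], "whitelisted"),
]


def split_endpoint(endpoint):
    """'ip:port' -> (ip, port). Bracketed IPv6 ('[2600::1]:443') is handled too."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def is_local(ip):
    """RFC 1918, link-local and loopback: sandbox LAN noise such as NetBIOS broadcast."""
    a = ip_address(ip)
    return a.is_private or a.is_link_local or a.is_loopback


def ip_to_domains(dns):
    """Reverse map ip -> {domains}; entries with several names expose CDN/anycast fronts."""
    rev = defaultdict(set)
    for domain, ips, _rep in dns:
        for ip in ips:
            rev[ip].add(domain)
    return rev


def shared_ips(dns, min_domains=2):
    """IPs that several domains resolve to; blocking such an IP hits all of them."""
    return {ip: sorted(ds) for ip, ds in ip_to_domains(dns).items() if len(ds) >= min_domains}


def triage(connections, dns):
    """IOC candidates: non-whitelisted, non-local endpoints, enriched with every
    name that resolved to the IP and that name's DNS reputation."""
    rev = ip_to_domains(dns)
    dns_rep = {d: rep for d, _ips, rep in dns}
    iocs = []
    for pid, proc, endpoint, domain, rep in connections:
        ip, port = split_endpoint(endpoint)
        if rep == "whitelisted" or is_local(ip):
            continue
        names = set(rev.get(ip, ()))
        if domain:
            names.add(domain)
        iocs.append({
            "pid": pid, "process": proc, "ip": ip, "port": port,
            "domains": sorted(names),
            "dns_reputation": {d: dns_rep.get(d, "n/a") for d in sorted(names)},
            "shared_ip": len(rev.get(ip, ())) > 1,   # True would argue for a domain block, not an IP block
        })
    return iocs


def to_suricata(iocs, sid_base=9000000):
    """One Suricata dns.query rule per IOC domain (generic rule text, sequential sids)."""
    rules, sid = [], sid_base
    for ioc in iocs:
        for d in ioc["domains"]:
            rules.append(
                f'alert dns any any -> any any (msg:"Sandbox IOC domain {d}"; '
                f'dns.query; content:"{d}"; nocase; sid:{sid}; rev:1;)')
            sid += 1
    return rules


if __name__ == "__main__":
    for ioc in triage(CONNECTIONS, DNS):
        print(ioc)
    print(shared_ips(DNS))
    print("\n".join(to_suricata(triage(CONNECTIONS, DNS))))
```

Run against these records the triage keeps exactly one endpoint, hygreen.qa on 50.116.92.245:443 from firefox.exe, with shared_ip False, so an IP-level block would be safe here; the same pass over 34.36.137.203 would have returned three names and argued for blocking by domain instead.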

Threats

PID | Process | Class | Message

2200 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Web apps custom Builder (.my .id)
2200 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Web apps custom Builder (.my .id)
2200 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Web apps custom Builder (.my .id)
6672 | opera.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6672 | opera.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6672 | opera.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
6672 | opera.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
6672 | opera.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
6672 | opera.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
6672 | opera.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)

None of the alerts in this excerpt carries a verdict: the INFO entries are informational classifiers, and the four "SURICATA QUIC failed decrypt" entries are decoder noise produced whenever opera.exe opens a QUIC session, since Suricata cannot decrypt QUIC payloads. The malicious verdict rests on the host-side behaviour recorded for opera.exe, not on these network signatures.
Process: assistant_installer.exe
Message: [0621/044421.368:INFO:assistant_installer_main.cc(169)] Running assistant installer with command line "C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202506210444061\assistant\assistant_installer.exe" --version