URL: whatsapp.softboxdesign.net

Full analysis: https://app.any.run/tasks/15f74dd9-8721-464d-8674-7545b8978041
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: April 29, 2025, 09:06:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: stealer, adware, innosetup, loader, inno, installer, delphi

Indicators:
MD5: 9B169AB1C6345C28795DD5522900F252
SHA1: 39ED3507FA24B9A836F2E558E2B2FBD8370EBB53
SHA256: 9557D18D2981C314605264E1A7575264624BAA79A954C1806A512B01A298166A
SSDEEP: 3:7wiRgAb:7wiRd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Signed with known abused certificate

      • explorer.exe (PID: 5492)
    • INNOSETUP has been detected (SURICATA)

      • whatsapp Soft setup.tmp (PID: 7588)
    • Actions looks like stealing of personal data

      • whatsapp Soft setup.tmp (PID: 7588)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • explorer.exe (PID: 5492)
    • Executable content was dropped or overwritten

      • whatsapp Soft setup.tmp (PID: 7588)
      • whatsapp Soft setup.exe (PID: 812)
      • WhatsAppSetup.exe (PID: 1672)
      • Update.exe (PID: 3300)
      • 928fcb337f4e08c0f47205acc123e567.exe (PID: 6080)
      • setup.exe (PID: 4068)
      • setup.exe (PID: 2780)
      • fe3787827a19a6ec15a0d5efcea6d559.exe (PID: 2332)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 5640)
      • setup.exe (PID: 8120)
      • lite_installer.exe (PID: 232)
      • 360TS_Setup.exe (PID: 5280)
      • Yandex.exe (PID: 1512)
      • 360TS_Setup.exe (PID: 6768)
      • Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe (PID: 7084)
      • yb1168.tmp (PID: 8068)
      • installer.exe (PID: 4268)
      • installer.exe (PID: 672)
      • setup.exe (PID: 3268)
      • installer.exe (PID: 5708)
      • installer.exe (PID: 8684)
    • Access to an unwanted program domain was detected

      • whatsapp Soft setup.tmp (PID: 7588)
    • Process requests binary or script from the Internet

      • whatsapp Soft setup.tmp (PID: 7588)
      • fe3787827a19a6ec15a0d5efcea6d559.exe (PID: 2332)
      • lite_installer.exe (PID: 232)
    • Reads the Windows owner or organization settings

      • whatsapp Soft setup.tmp (PID: 7588)
    • Potential Corporate Privacy Violation

      • whatsapp Soft setup.tmp (PID: 7588)
      • fe3787827a19a6ec15a0d5efcea6d559.exe (PID: 2332)
      • lite_installer.exe (PID: 232)
    • Process drops legitimate windows executable

      • whatsapp Soft setup.tmp (PID: 7588)
      • Update.exe (PID: 3300)
      • 360TS_Setup.exe (PID: 6768)
    • Reads security settings of Internet Explorer

      • whatsapp Soft setup.tmp (PID: 7588)
      • Update.exe (PID: 3300)
    • The process drops C-runtime libraries

      • Update.exe (PID: 3300)
    • Starts a Microsoft application from unusual location

      • YandexPackSetup.exe (PID: 6960)
    • Uses REG/REGEDIT.EXE to modify registry

      • WhatsApp.exe (PID: 1748)
    • Application launched itself

      • WhatsApp.exe (PID: 1748)
      • setup.exe (PID: 4068)
      • setup.exe (PID: 5640)
      • assistant_installer.exe (PID: 1244)
      • setup.exe (PID: 3268)
      • installer.exe (PID: 4268)
      • opera.exe (PID: 3992)
      • opera_autoupdate.exe (PID: 9196)
      • installer.exe (PID: 5708)
      • explorer.exe (PID: 6088)
      • browser.exe (PID: 8996)
      • opera_autoupdate.exe (PID: 4784)
    • Starts itself from another location

      • setup.exe (PID: 4068)
      • Yandex.exe (PID: 1512)
      • 360TS_Setup.exe (PID: 5280)
      • setup.exe (PID: 3268)
    • Drops 7-zip archiver for unpacking

      • 360TS_Setup.exe (PID: 6768)
    • Starts application with an unusual extension

      • {A9229FC1-02B6-4544-BA90-EAFD8FF42F60}.exe (PID: 6256)
    • Drops a system driver (possible attempt to evade defenses)

      • 360TS_Setup.exe (PID: 6768)
    • The process executes via Task Scheduler

      • opera_autoupdate.exe (PID: 9196)
  • INFO

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5492)
    • Application launched itself

      • chrome.exe (PID: 4944)
      • chrome.exe (PID: 4692)
    • Creates files or folders in the user directory

      • explorer.exe (PID: 5492)
      • WhatsAppSetup.exe (PID: 1672)
      • Update.exe (PID: 3300)
      • whatsapp Soft setup.tmp (PID: 7588)
      • squirrel.exe (PID: 2432)
      • WhatsApp.exe (PID: 1748)
    • Reads the software policy settings

      • explorer.exe (PID: 5492)
      • whatsapp Soft setup.tmp (PID: 7588)
      • slui.exe (PID: 7888)
    • Create files in a temporary directory

      • whatsapp Soft setup.exe (PID: 812)
      • whatsapp Soft setup.tmp (PID: 7588)
      • Update.exe (PID: 3300)
      • 928fcb337f4e08c0f47205acc123e567.exe (PID: 6080)
      • YandexPackSetup.exe (PID: 6960)
    • Checks proxy server information

      • whatsapp Soft setup.tmp (PID: 7588)
      • explorer.exe (PID: 5492)
    • Reads the computer name

      • whatsapp Soft setup.tmp (PID: 7588)
      • Update.exe (PID: 3300)
      • squirrel.exe (PID: 2432)
      • fe3787827a19a6ec15a0d5efcea6d559.exe (PID: 2332)
      • YandexPackSetup.exe (PID: 6960)
    • The sample compiled with english language support

      • whatsapp Soft setup.tmp (PID: 7588)
      • chrome.exe (PID: 8172)
      • Update.exe (PID: 3300)
      • 928fcb337f4e08c0f47205acc123e567.exe (PID: 6080)
      • setup.exe (PID: 2780)
      • fe3787827a19a6ec15a0d5efcea6d559.exe (PID: 2332)
      • setup.exe (PID: 4068)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 5640)
      • setup.exe (PID: 8120)
      • lite_installer.exe (PID: 232)
      • 360TS_Setup.exe (PID: 6768)
      • Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe (PID: 7084)
      • installer.exe (PID: 4268)
      • installer.exe (PID: 672)
      • setup.exe (PID: 3268)
      • installer.exe (PID: 5708)
      • installer.exe (PID: 8684)
      • yb1168.tmp (PID: 8068)
    • Compiled with Borland Delphi (YARA)

      • whatsapp Soft setup.exe (PID: 812)
      • whatsapp Soft setup.tmp (PID: 7588)
    • Detects InnoSetup installer (YARA)

      • whatsapp Soft setup.tmp (PID: 7588)
      • whatsapp Soft setup.exe (PID: 812)
    • Executable content was dropped or overwritten

      • chrome.exe (PID: 8172)
      • chrome.exe (PID: 4944)
      • msiexec.exe (PID: 7652)
      • msiexec.exe (PID: 1764)
    • Checks supported languages

      • WhatsAppSetup.exe (PID: 1672)
      • Update.exe (PID: 3300)
      • whatsapp Soft setup.exe (PID: 812)
      • whatsapp Soft setup.tmp (PID: 7588)
      • WhatsApp.exe (PID: 1748)
      • fe3787827a19a6ec15a0d5efcea6d559.exe (PID: 2332)
      • squirrel.exe (PID: 2432)
      • 15dfc63a260a713127b53b2ecf694bc8.exe (PID: 536)
      • 928fcb337f4e08c0f47205acc123e567.exe (PID: 6080)
      • YandexPackSetup.exe (PID: 6960)
    • Process checks computer location settings

      • whatsapp Soft setup.tmp (PID: 7588)
      • Update.exe (PID: 3300)
    • Reads the machine GUID from the registry

      • squirrel.exe (PID: 2432)
      • Update.exe (PID: 3300)
    • Creates a software uninstall entry

      • whatsapp Soft setup.tmp (PID: 7588)
    • Reads product name

      • WhatsApp.exe (PID: 1748)
    • The sample compiled with russian language support

      • msiexec.exe (PID: 1764)
      • 360TS_Setup.exe (PID: 6768)
      • setup.exe (PID: 3268)
    • The sample compiled with chinese language support

      • 360TS_Setup.exe (PID: 5280)
      • 360TS_Setup.exe (PID: 6768)
    • Reads Environment values

      • WhatsApp.exe (PID: 1748)
    • The sample compiled with turkish language support

      • 360TS_Setup.exe (PID: 6768)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
All screenshots are available in the full report
Total processes: 289
Monitored processes: 146
Malicious processes: 8
Suspicious processes: 8

Behavior graph (interactive process tree; rendered only in the full report)

Process information (PID, CMD, Path, Indicators, Parent process)

PID: 132
CMD: C:\Windows\System32\CompPkgSrv.exe -Embedding
Path: C:\Windows\System32\CompPkgSrv.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Component Package Support Server
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\comppkgsrv.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\kernel.appcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\bcryptprimitives.dll

PID: 232
CMD: "C:\Users\admin\AppData\Local\Temp\825E8C88-3B88-45FF-8FA8-AC22ACD14DD4\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER
Path: C:\Users\admin\AppData\Local\Temp\825E8C88-3B88-45FF-8FA8-AC22ACD14DD4\lite_installer.exe
Parent process: msiexec.exe
User: admin
Company: Yandex
Integrity Level: MEDIUM
Description: YandexBrowserDownloader
Exit code: 0
Version: 1.0.1.9
Modules (images):
  • c:\users\admin\appdata\local\temp\825e8c88-3b88-45ff-8fa8-ac22acd14dd4\lite_installer.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\advapi32.dll
  • c:\windows\syswow64\msvcrt.dll

PID: 536
CMD: "C:\Users\admin\AppData\Local\Programs\Whats App\15dfc63a260a713127b53b2ecf694bc8.exe" "C:\Users\admin\AppData\Local\Programs\Whats App\Ìèð Кîðàáëåé.lnk" 5386
Path: C:\Users\admin\AppData\Local\Programs\Whats App\15dfc63a260a713127b53b2ecf694bc8.exe
Parent process: whatsapp Soft setup.tmp
User: admin
Company: Technosys Corporation
Integrity Level: MEDIUM
Description: Pin To Taskbar
Exit code: 0
Version: 0.99.9.1
Modules (images):
  • c:\users\admin\appdata\local\programs\whats app\15dfc63a260a713127b53b2ecf694bc8.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\gdi32full.dll
  • c:\windows\system32\msvcp_win.dll

PID: 644
CMD: "C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --enable-quic --start-stack-profiler --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=off --with-feature:address-bar-dropdown-cities=off --with-feature:address-bar-dropdown-unfiltered-full=off --with-feature:ai-writing-mode-in-context-menu=on --with-feature:aria-in-tab-view=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-amazon-us-associates=off --with-feature:continue-shopping-explore=off --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-servers=off --with-feature:gx-april1st=on --with-feature:gx-post-mortem=on --with-feature:gx-reactinator=on --with-feature:gx-spotlight=on --with-feature:gx-video-to-phone=on --with-feature:hide-navigations-from-extensions=on --with-feature:lucid-mode-hide-text=on --with-feature:panic-button=on --with-feature:password-generator=off --with-feature:play-again=on --with-feature:realtime-impressions-reporting=on --with-feature:run-at-startup-default=on --with-feature:sd-suggestions-external=on --with-feature:session-restore-attribution=on --with-feature:side-profiles=on --with-feature:sitecheck-age=on --with-feature:tiktok-panel=on --with-feature:ui-compositor-multithreaded=on --with-feature:installer-experiment-test=off --field-trial-handle=5536,i,886282805493274995,14900290893773298632,262144 --disable-features=CertificateTransparencyAskBeforeEnabling,PlatformSoftwareH264EncoderInGpu --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:3
Path: C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe
Parent process: opera.exe
User: admin
Company: Opera Software
Integrity Level: MEDIUM
Description: Opera GX Internet Browser
Version: 118.0.5461.76
Modules (images):
  • c:\users\admin\appdata\local\programs\opera gx\opera.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\users\admin\appdata\local\programs\opera gx\118.0.5461.76\opera_elf.dll
  • c:\windows\system32\bcryptprimitives.dll
  • c:\windows\system32\winmm.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shcore.dll

PID: 672
CMD: "C:\Users\admin\AppData\Local\Programs\Opera GX\118.0.5461.76\installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktopGX --annotation=ver=118.0.5461.76 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x7ffc7fe01b08,0x7ffc7fe01b14,0x7ffc7fe01b20
Path: C:\Users\admin\AppData\Local\Programs\Opera GX\118.0.5461.76\installer.exe
Parent process: installer.exe
User: admin
Company: Opera Software
Integrity Level: MEDIUM
Description: Opera GX Installer
Exit code: 0
Version: 118.0.5461.76
Modules (images):
  • c:\users\admin\appdata\local\programs\opera gx\118.0.5461.76\installer.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\gdi32full.dll
  • c:\windows\system32\msvcp_win.dll

PID: 812
CMD: "C:\Users\admin\Downloads\whatsapp Soft setup.exe"
Path: C:\Users\admin\Downloads\whatsapp Soft setup.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: Whats App Setup
Version:
Modules (images):
  • c:\users\admin\downloads\whatsapp soft setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\comctl32.dll

PID: 960
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5652 --field-trial-handle=1848,i,9504927154725214515,13307207467444057899,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 122.0.6261.70
Modules (images):
  • c:\program files\google\chrome\application\chrome.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\aclayers.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll

PID: 968
CMD: "C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=off --with-feature:address-bar-dropdown-cities=off --with-feature:address-bar-dropdown-unfiltered-full=off --with-feature:ai-writing-mode-in-context-menu=on --with-feature:aria-in-tab-view=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-amazon-us-associates=off --with-feature:continue-shopping-explore=off --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-servers=off --with-feature:gx-april1st=on --with-feature:gx-post-mortem=on --with-feature:gx-reactinator=on --with-feature:gx-spotlight=on --with-feature:gx-video-to-phone=on --with-feature:hide-navigations-from-extensions=on --with-feature:lucid-mode-hide-text=on --with-feature:panic-button=on --with-feature:password-generator=off --with-feature:play-again=on --with-feature:realtime-impressions-reporting=on --with-feature:run-at-startup-default=on --with-feature:sd-suggestions-external=on --with-feature:session-restore-attribution=on --with-feature:side-profiles=on --with-feature:sitecheck-age=on --with-feature:tiktok-panel=on --with-feature:ui-compositor-multithreaded=on --with-feature:installer-experiment-test=off --field-trial-handle=3176,i,886282805493274995,14900290893773298632,262144 --disable-features=CertificateTransparencyAskBeforeEnabling,PlatformSoftwareH264EncoderInGpu --variations-seed-version --mojo-platform-channel-handle=3200 /prefetch:8
Path: C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe
Parent process: opera.exe
User: admin
Company: Opera Software
Integrity Level: LOW
Description: Opera GX Internet Browser
Exit code: 0
Version: 118.0.5461.76
Modules (images):
  • c:\users\admin\appdata\local\programs\opera gx\opera.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\users\admin\appdata\local\programs\opera gx\118.0.5461.76\opera_elf.dll
  • c:\windows\system32\bcryptprimitives.dll
  • c:\windows\system32\winmm.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\combase.dll

PID: 1040
CMD: "C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=off --with-feature:address-bar-dropdown-cities=off --with-feature:address-bar-dropdown-unfiltered-full=off --with-feature:ai-writing-mode-in-context-menu=on --with-feature:aria-in-tab-view=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-amazon-us-associates=off --with-feature:continue-shopping-explore=off --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-servers=off --with-feature:gx-april1st=on --with-feature:gx-post-mortem=on --with-feature:gx-reactinator=on --with-feature:gx-spotlight=on --with-feature:gx-video-to-phone=on --with-feature:hide-navigations-from-extensions=on --with-feature:lucid-mode-hide-text=on --with-feature:panic-button=on --with-feature:password-generator=off --with-feature:play-again=on --with-feature:realtime-impressions-reporting=on --with-feature:run-at-startup-default=on --with-feature:sd-suggestions-external=on --with-feature:session-restore-attribution=on --with-feature:side-profiles=on --with-feature:sitecheck-age=on --with-feature:tiktok-panel=on --with-feature:ui-compositor-multithreaded=on --with-feature:installer-experiment-test=off --field-trial-handle=3168,i,886282805493274995,14900290893773298632,262144 --disable-features=CertificateTransparencyAskBeforeEnabling,PlatformSoftwareH264EncoderInGpu --variations-seed-version --mojo-platform-channel-handle=3260 /prefetch:8
Path: C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe
Parent process: opera.exe
User: admin
Company: Opera Software
Integrity Level: LOW
Description: Opera GX Internet Browser
Exit code: 0
Version: 118.0.5461.76
Modules (images):
  • c:\users\admin\appdata\local\programs\opera gx\opera.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\users\admin\appdata\local\programs\opera gx\118.0.5461.76\opera_elf.dll
  • c:\windows\system32\bcryptprimitives.dll
  • c:\windows\system32\winmm.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\combase.dll

PID: 1052
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5684 --field-trial-handle=1848,i,9504927154725214515,13307207467444057899,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 122.0.6261.70
Modules (images):
  • c:\program files\google\chrome\application\chrome.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\aclayers.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll

Total events: 113 482
Read events: 112 597
Write events: 791
Delete events: 94

Modification events

(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value:
23004100430042006C006F0062000000000000000000000001000000740065006D000000
(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:0000000000030244
Operation: write
Name: VirtualDesktop
Value:
1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process: (4944) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value:
0
(PID) Process: (4944) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value:
2
(PID) Process: (4944) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value:
1
(PID) Process: (4944) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process: (4944) chrome.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation: write
Name: usagestats
Value:
0
(PID) Process: (5304) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value:
010000000000000005202E1CE6B8DB01
(PID) Process: (5492) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value:
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process: (5492) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value:
04000000030000000E00000000000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
Executable files: 737
Suspicious files: 1 283
Text files: 653
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4944 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF10dc68.TMP |
4944 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old |
4944 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF10dc68.TMP |
4944 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF10dc68.TMP |
4944 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old |
4944 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF10dc77.TMP |
4944 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old |
4944 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old |
4944 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF10dc77.TMP |
4944 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old |
(MD5 and SHA256 are not listed for these files in this report.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 93
TCP/UDP connections: 189
DNS requests: 127
Threats: 8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
| | GET | 200 | 2.16.164.18:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.18:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5800 | SIHClient.exe | GET | 200 | 72.246.169.155:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 23.52.56.216:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5800 | SIHClient.exe | GET | 200 | 72.246.169.155:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5492 | explorer.exe | GET | 200 | 108.138.36.12:80 | http://ocsps.ssl.com/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBQMDtATfnJO6JAXDQoHl8pAaJdhTQQU3QQJB6L1en1SUxKSle44gCUNplkCCGQzUdPHOJ8I | unknown | whitelisted
8052 | svchost.exe | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3 | unknown | whitelisted
8052 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3 | unknown | whitelisted
8052 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3 | unknown | whitelisted
(Blank PID/Process cells repeat the PID of the row above, as in the rendered table; Type and Size were empty for every row.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 2.16.164.18:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.164.18:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
| | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4944 | chrome.exe | 239.255.255.250:1900 | | | | whitelisted
7328 | chrome.exe | 85.209.70.13:80 | whatsapp.softboxdesign.net | Docker LTD | RU | unknown
(Blank PID/Process cells repeat the PID of the row above, as in the rendered table.)

DNS requests

Domain | IP(s) | Reputation
google.com | 142.250.184.206 | whitelisted
crl.microsoft.com | 2.16.164.18, 2.16.164.42, 2.16.164.74, 2.16.164.72, 2.16.164.24, 2.16.164.32, 2.16.164.25, 2.16.164.114, 2.16.164.58 | whitelisted
www.microsoft.com | 95.101.149.131, 72.246.169.155 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59, 20.73.194.208 | whitelisted
client.wns.windows.com | 172.211.123.249, 172.211.123.250 | whitelisted
whatsapp.softboxdesign.net | 85.209.70.13 | unknown
accounts.google.com | 74.125.206.84 | whitelisted
mc.yandex.ru | 87.250.250.119, 87.250.251.119, 77.88.21.119 | whitelisted
mc.yandex.com | 87.250.251.119, 77.88.21.119, 87.250.250.119 | whitelisted
login.live.com | 40.126.32.68, 40.126.32.76, 20.190.160.4, 20.190.160.5, 20.190.160.66, 20.190.160.131, 20.190.160.3, 20.190.160.14, 40.126.32.138, 20.190.160.20, 40.126.32.74, 20.190.160.128, 20.190.160.17, 20.190.160.132 | whitelisted

Threats

PID | Process | Class | Message
7588 | whatsapp Soft setup.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
7588 | whatsapp Soft setup.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
7588 | whatsapp Soft setup.tmp | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
7588 | whatsapp Soft setup.tmp | Misc activity | ET INFO Packed Executable Download
2332 | fe3787827a19a6ec15a0d5efcea6d559.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
2332 | fe3787827a19a6ec15a0d5efcea6d559.exe | Misc activity | ET INFO Packed Executable Download
232 | lite_installer.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
232 | lite_installer.exe | Misc activity | ET INFO EXE - Served Attached HTTP
No debug info