File name: setup.exe
Full analysis: https://app.any.run/tasks/3a55ade8-bdf8-4ea8-bc42-67095077c04e
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: April 22, 2025, 14:52:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: stealer
Indicators:
MD5: 53966124DB88689E3C0836C5BC5508B6
SHA1: B94EE8E675FA6C917398C78D8E7C89DB833AFD1D
SHA256: 346E414427D9352F6049EFFB479566D6F262372873F1EBB2EF5D6BFD5A8CD052
SSDEEP: 98304:hh8sddVtfX4d/13HmbdbU8KFzK1hpPulgQJC3MioyL/zNWVSW7Na0ZZg10Q5jr4V:hh3oCExik

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • setup.exe (PID: 7388)
      • assistant_installer.exe (PID: 5344)
      • assistant_installer.exe (PID: 2148)
      • setup.exe (PID: 7412)
    • Actions looks like stealing of personal data

      • setup.exe (PID: 7388)
      • assistant_installer.exe (PID: 5344)
      • assistant_installer.exe (PID: 2148)
      • setup.exe (PID: 7412)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • setup.exe (PID: 7388)
      • setup.exe (PID: 7412)
      • Assistant_118.0.5461.41_Setup.exe_sfx.exe (PID: 3240)
      • setup.exe (PID: 7496)
    • Application launched itself

      • setup.exe (PID: 7388)
      • assistant_installer.exe (PID: 5344)
    • Reads security settings of Internet Explorer

      • setup.exe (PID: 7388)
    • There is functionality for taking screenshot (YARA)

      • setup.exe (PID: 7412)
      • setup.exe (PID: 7388)
    • Process drops legitimate windows executable

      • Assistant_118.0.5461.41_Setup.exe_sfx.exe (PID: 3240)
    • Starts itself from another location

      • setup.exe (PID: 7388)
  • INFO

    • The sample compiled with english language support

      • setup.exe (PID: 7388)
      • setup.exe (PID: 7412)
      • Assistant_118.0.5461.41_Setup.exe_sfx.exe (PID: 3240)
      • setup.exe (PID: 7496)
    • Create files in a temporary directory

      • setup.exe (PID: 7388)
      • setup.exe (PID: 7412)
      • setup.exe (PID: 7496)
      • Assistant_118.0.5461.41_Setup.exe_sfx.exe (PID: 3240)
    • Checks supported languages

      • setup.exe (PID: 7412)
      • setup.exe (PID: 7496)
      • Assistant_118.0.5461.41_Setup.exe_sfx.exe (PID: 3240)
      • assistant_installer.exe (PID: 5344)
      • assistant_installer.exe (PID: 2148)
      • setup.exe (PID: 7388)
    • Reads the computer name

      • setup.exe (PID: 7388)
      • assistant_installer.exe (PID: 5344)
    • Creates files or folders in the user directory

      • setup.exe (PID: 7388)
      • setup.exe (PID: 7412)
    • Reads the software policy settings

      • setup.exe (PID: 7388)
      • slui.exe (PID: 7600)
      • slui.exe (PID: 5064)
    • Reads the machine GUID from the registry

      • setup.exe (PID: 7388)
    • Checks proxy server information

      • slui.exe (PID: 5064)
      • setup.exe (PID: 7388)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 146
Monitored processes: 9
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes in the graph, from the start node: setup.exe, setup.exe, setup.exe, sppextcomobj.exe (no specs), slui.exe, assistant_118.0.5461.41_setup.exe_sfx.exe, assistant_installer.exe, assistant_installer.exe, slui.exe

Process information

PID: 2148
CMD: "C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202504221452471\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=118.0.5461.41 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x9c103c,0x9c1048,0x9c1054
Path: C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202504221452471\assistant\assistant_installer.exe
Parent process: assistant_installer.exe
User: admin
Company: Opera Software
Integrity Level: MEDIUM
Description: Opera Browser Assistant Installer
Exit code: 0
Version: 118.0.5461.41
Modules (images):
  • c:\users\admin\appdata\local\temp\.opera\opera installer temp\opera_package_202504221452471\assistant\assistant_installer.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll

PID: 3240
CMD: "C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202504221452471\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe"
Path: C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202504221452471\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe
Parent process: setup.exe
User: admin
Integrity Level: MEDIUM
Description: Opera installer SFX
Exit code: 0
Version: 118.0.5461.41
Modules (images):
  • c:\users\admin\appdata\local\temp\.opera\opera installer temp\opera_package_202504221452471\assistant\assistant_118.0.5461.41_setup.exe_sfx.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\user32.dll

PID: 5064
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 5344
CMD: "C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202504221452471\assistant\assistant_installer.exe" --version
Path: C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202504221452471\assistant\assistant_installer.exe
Parent process: setup.exe
User: admin
Company: Opera Software
Integrity Level: MEDIUM
Description: Opera Browser Assistant Installer
Exit code: 0
Version: 118.0.5461.41
Modules (images):
  • c:\users\admin\appdata\local\temp\.opera\opera installer temp\opera_package_202504221452471\assistant\assistant_installer.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll

PID: 7388
CMD: "C:\Users\admin\AppData\Local\Temp\setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\setup.exe
Parent process: explorer.exe
User: admin
Company: Opera Software
Integrity Level: MEDIUM
Description: Opera Installer
Version: 118.0.5461.41
Modules (images):
  • c:\users\admin\appdata\local\temp\setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\gdi32full.dll
  • c:\windows\system32\msvcp_win.dll

PID: 7412
CMD: C:\Users\admin\AppData\Local\Temp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=118.0.5461.41 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ffc8874d808,0x7ffc8874d814,0x7ffc8874d820
Path: C:\Users\admin\AppData\Local\Temp\setup.exe
Parent process: setup.exe
User: admin
Company: Opera Software
Integrity Level: MEDIUM
Description: Opera Installer
Version: 118.0.5461.41
Modules (images):
  • c:\users\admin\appdata\local\temp\setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\gdi32full.dll
  • c:\windows\system32\msvcp_win.dll

PID: 7496
CMD: "C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
Path: C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
Parent process: setup.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\.opera\opera installer temp\setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\gdi32full.dll
  • c:\windows\system32\msvcp_win.dll

PID: 7560
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\sppextcomobj.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\oleaut32.dll

PID: 7600
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

Total events: 5 200
Read events: 5 197
Write events: 3
Delete events: 0

Modification events

(PID) Process: (7388) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7388) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7388) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Executable files: 11
Suspicious files: 23
Text files: 6
Unknown types: 1

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
7388 | setup.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\Opera_118.0.5461.41_Autoupdate_x64[1].exe | | |
7388 | setup.exe | C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202504221452471\opera_package | | |
7412 | setup.exe | C:\Users\admin\AppData\Local\Temp\Opera_installer_2504221452469907412.dll | executable | 83EB2F48045104FE716F0308EB7AEC4C | 0CABD4D09D54B363C97B27D4DEF1DB5CB184F9B3AC129856DD4B71C17F986F21
7388 | setup.exe | C:\Users\admin\AppData\Local\Temp\Opera_installer_2504221452466157388.dll | executable | 83EB2F48045104FE716F0308EB7AEC4C | 0CABD4D09D54B363C97B27D4DEF1DB5CB184F9B3AC129856DD4B71C17F986F21
7388 | setup.exe | C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe | executable | 53966124DB88689E3C0836C5BC5508B6 | 346E414427D9352F6049EFFB479566D6F262372873F1EBB2EF5D6BFD5A8CD052
7388 | setup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419 | binary | 3DD90DE64D301C6CDC6188141F2A1C12 | D96FA749720D26CEAD40C5209FED7C5BDAE02B529CF4DC67795728B81F0BC11A
7388 | setup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\59D76868C250B3240414CE3EFBB12518_9AD8E6D69BA520C5190A9B86E29789D5 | binary | 66D2F84FF5F81A6D8C7462BE1DD162E0 | 52C25A1C5E96946A1EA25D0E64E9193EC6335A3826775D56A18011A6C6391037
7388 | setup.exe | C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat | binary | A9239BE283DACB8FB055ECDE3840F7E9 | 4A8DC597FC7F71E59D12D055899CBC485CFD4D75715B759FADE034D3F5C80BC0
7388 | setup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\59D76868C250B3240414CE3EFBB12518_9AD8E6D69BA520C5190A9B86E29789D5 | binary | 5B12EF535A620EDF5B194B0BAC41C213 | 5FF48C18D9F5886279298DFD0C993B5D4B31A240CC14C24AD7B1FECA3343622D
7388 | setup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8 | binary | 1FBB37F79B317A9A248E7C4CE4F5BAC5 | 9BF639C595FE335B6F694EE35990BEFD2123F5E07FD1973FF619E3FC88F5F49F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 15
TCP/UDP connections: 38
DNS requests: 29
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4208 | RUXIMICS.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7388 | setup.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnxLiz3Fu1WB6n1%2FE6xWn1b0jXiQQUdIWAwGbH3zfez70pN6oDHb7tzRcCEA17ZgsSl63KHstWnAbUez0%3D | unknown | whitelisted
7388 | setup.exe | GET | 200 | 142.250.184.195:80 | http://c.pki.goog/r/gsr1.crl | unknown | whitelisted
7388 | setup.exe | GET | 200 | 142.250.184.195:80 | http://c.pki.goog/r/r4.crl | unknown | whitelisted
7388 | setup.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAsA6S1NbXMfyjBZx8seGIY%3D | unknown | whitelisted
8188 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4208 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7388 | setup.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | whitelisted
8188 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
5496 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
7388 | setup.exe | 82.145.216.47:443 | autoupdate.opera.com | Opera Software AS | NO | whitelisted
7388 | setup.exe | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | Opera Software AS | NO | whitelisted
7388 | setup.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
4208 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4208 | RUXIMICS.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 51.124.78.146, 4.231.128.59, 40.127.240.158 | whitelisted
google.com | 142.250.184.206 | whitelisted
client.wns.windows.com | 172.211.123.250, 172.211.123.249 | whitelisted
autoupdate.opera.com | 82.145.216.47, 82.145.216.20, 82.145.216.46, 82.145.216.19 | whitelisted
desktop-netinstaller-sub.osp.opera.software | 82.145.217.121 | whitelisted
ocsp.digicert.com | 2.23.77.188 | whitelisted
crl.microsoft.com | 2.19.11.120, 2.19.11.105 | whitelisted
features.opera-api2.com | 82.145.216.58, 82.145.216.16, 82.145.216.59, 82.145.216.15 | malicious
api.config.opr.gg | 104.18.24.17, 104.18.25.17 | unknown
c.pki.goog | 142.250.184.195 | whitelisted

Threats

No threats detected
No debug info