File name:

setup.exe

Full analysis: https://app.any.run/tasks/3a55ade8-bdf8-4ea8-bc42-67095077c04e
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: April 22, 2025, 14:52:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
Indicators:
MD5:

53966124DB88689E3C0836C5BC5508B6

SHA1:

B94EE8E675FA6C917398C78D8E7C89DB833AFD1D

SHA256:

346E414427D9352F6049EFFB479566D6F262372873F1EBB2EF5D6BFD5A8CD052

SSDEEP:

98304:hh8sddVtfX4d/13HmbdbU8KFzK1hpPulgQJC3MioyL/zNWVSW7Na0ZZg10Q5jr4V:hh3oCExik

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • setup.exe (PID: 7388)
      • setup.exe (PID: 7412)
      • assistant_installer.exe (PID: 2148)
      • assistant_installer.exe (PID: 5344)
    • Actions look like stealing of personal data

      • setup.exe (PID: 7388)
      • setup.exe (PID: 7412)
      • assistant_installer.exe (PID: 2148)
      • assistant_installer.exe (PID: 5344)
  • SUSPICIOUS

    • Application launched itself

      • setup.exe (PID: 7388)
      • assistant_installer.exe (PID: 5344)
    • Executable content was dropped or overwritten

      • setup.exe (PID: 7388)
      • setup.exe (PID: 7412)
      • setup.exe (PID: 7496)
      • Assistant_118.0.5461.41_Setup.exe_sfx.exe (PID: 3240)
    • Starts itself from another location

      • setup.exe (PID: 7388)
    • Reads security settings of Internet Explorer

      • setup.exe (PID: 7388)
    • There is functionality for taking screenshots (YARA)

      • setup.exe (PID: 7412)
      • setup.exe (PID: 7388)
    • Process drops legitimate Windows executable

      • Assistant_118.0.5461.41_Setup.exe_sfx.exe (PID: 3240)
  • INFO

    • The sample was compiled with English language support

      • setup.exe (PID: 7388)
      • setup.exe (PID: 7412)
      • setup.exe (PID: 7496)
      • Assistant_118.0.5461.41_Setup.exe_sfx.exe (PID: 3240)
    • Creates files in a temporary directory

      • setup.exe (PID: 7388)
      • setup.exe (PID: 7412)
      • setup.exe (PID: 7496)
      • Assistant_118.0.5461.41_Setup.exe_sfx.exe (PID: 3240)
    • Checks supported languages

      • setup.exe (PID: 7412)
      • setup.exe (PID: 7388)
      • setup.exe (PID: 7496)
      • Assistant_118.0.5461.41_Setup.exe_sfx.exe (PID: 3240)
      • assistant_installer.exe (PID: 5344)
      • assistant_installer.exe (PID: 2148)
    • Reads the computer name

      • setup.exe (PID: 7388)
      • assistant_installer.exe (PID: 5344)
    • Creates files or folders in the user directory

      • setup.exe (PID: 7388)
      • setup.exe (PID: 7412)
    • Checks proxy server information

      • setup.exe (PID: 7388)
      • slui.exe (PID: 5064)
    • Reads the machine GUID from the registry

      • setup.exe (PID: 7388)
    • Reads the software policy settings

      • setup.exe (PID: 7388)
      • slui.exe (PID: 5064)
      • slui.exe (PID: 7600)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
146
Monitored processes
9
Malicious processes
4
Suspicious processes
0

Behavior graph

start setup.exe setup.exe setup.exe sppextcomobj.exe no specs slui.exe assistant_118.0.5461.41_setup.exe_sfx.exe assistant_installer.exe assistant_installer.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
2148
CMD:
"C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202504221452471\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=118.0.5461.41 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x9c103c,0x9c1048,0x9c1054
Path:
C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202504221452471\assistant\assistant_installer.exe
Parent process:
assistant_installer.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera Browser Assistant Installer
Exit code:
0
Version:
118.0.5461.41
Modules
Images
c:\users\admin\appdata\local\temp\.opera\opera installer temp\opera_package_202504221452471\assistant\assistant_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
3240
CMD:
"C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202504221452471\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe"
Path:
C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202504221452471\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe
Parent process:
setup.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Opera installer SFX
Exit code:
0
Version:
118.0.5461.41
Modules
Images
c:\users\admin\appdata\local\temp\.opera\opera installer temp\opera_package_202504221452471\assistant\assistant_118.0.5461.41_setup.exe_sfx.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
5064
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
5344
CMD:
"C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202504221452471\assistant\assistant_installer.exe" --version
Path:
C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202504221452471\assistant\assistant_installer.exe
Parent process:
setup.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera Browser Assistant Installer
Exit code:
0
Version:
118.0.5461.41
Modules
Images
c:\users\admin\appdata\local\temp\.opera\opera installer temp\opera_package_202504221452471\assistant\assistant_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
7388
CMD:
"C:\Users\admin\AppData\Local\Temp\setup.exe"
Path:
C:\Users\admin\AppData\Local\Temp\setup.exe
Parent process:
explorer.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera Installer
Version:
118.0.5461.41
Modules
Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
7412
CMD:
C:\Users\admin\AppData\Local\Temp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=118.0.5461.41 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ffc8874d808,0x7ffc8874d814,0x7ffc8874d820
Path:
C:\Users\admin\AppData\Local\Temp\setup.exe
Parent process:
setup.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera Installer
Version:
118.0.5461.41
Modules
Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
7496
CMD:
"C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
Path:
C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
Parent process:
setup.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\.opera\opera installer temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
7560
CMD:
C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path:
C:\Windows\System32\SppExtComObj.Exe
Parent process:
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID:
7600
CMD:
"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path:
C:\Windows\System32\slui.exe
Parent process:
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
5 200
Read events
5 197
Write events
3
Delete events
0

Modification events

(PID) Process: (7388) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7388) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7388) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files
11
Suspicious files
23
Text files
6
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 7388
Process: setup.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\Opera_118.0.5461.41_Autoupdate_x64[1].exe
Type:
MD5:
SHA256:

PID: 7388
Process: setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202504221452471\opera_package
Type:
MD5:
SHA256:

PID: 7388
Process: setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\Opera_installer_2504221452466157388.dll
Type: executable
MD5: 83EB2F48045104FE716F0308EB7AEC4C
SHA256: 0CABD4D09D54B363C97B27D4DEF1DB5CB184F9B3AC129856DD4B71C17F986F21

PID: 7388
Process: setup.exe
Filename: C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Type: binary
MD5: A9239BE283DACB8FB055ECDE3840F7E9
SHA256: 4A8DC597FC7F71E59D12D055899CBC485CFD4D75715B759FADE034D3F5C80BC0

PID: 7388
Process: setup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
Type: binary
MD5: 1FBB37F79B317A9A248E7C4CE4F5BAC5
SHA256: 9BF639C595FE335B6F694EE35990BEFD2123F5E07FD1973FF619E3FC88F5F49F

PID: 7388
Process: setup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Type: binary
MD5: 50CD84934D48750F1C18DE1CA8E8552D
SHA256: 9DAE7F97833241D149B52851E0F513BBCDACF506DC8D01611ADCDF59DC2D44F7

PID: 7388
Process: setup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Type: binary
MD5: DAF220C59011E8B4C2209785A3CD0DAC
SHA256: 09864A87707660A5920570D6C4B941859C557579AC377DA8FB016AB822D18772

PID: 7388
Process: setup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\59D76868C250B3240414CE3EFBB12518_9AD8E6D69BA520C5190A9B86E29789D5
Type: binary
MD5: 5B12EF535A620EDF5B194B0BAC41C213
SHA256: 5FF48C18D9F5886279298DFD0C993B5D4B31A240CC14C24AD7B1FECA3343622D

PID: 7388
Process: setup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Type: binary
MD5: F41FB8387DFBE148A9DBF9C1435F12C5
SHA256: 078AED6C4C31EF215DC62646E69A8AEA0FF47558A6AE7B76291B4AFC1932C270

PID: 7388
Process: setup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_B7ED31D77D311A56FDCB56A0083B3E0B
Type: binary
MD5: 4E9820DC0F3B8F6CB6709A506D49BC53
SHA256: F53CD618B1F52EEE0B31051E868D4972EAD2A096B0978C0D0373FCB6EA556D00
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
38
DNS requests
29
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7388
setup.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
unknown
whitelisted
7388
setup.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnxLiz3Fu1WB6n1%2FE6xWn1b0jXiQQUdIWAwGbH3zfez70pN6oDHb7tzRcCEA17ZgsSl63KHstWnAbUez0%3D
unknown
whitelisted
4208
RUXIMICS.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7388
setup.exe
GET
200
142.250.184.195:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
7388
setup.exe
GET
200
142.250.184.195:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
7388
setup.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAsA6S1NbXMfyjBZx8seGIY%3D
unknown
whitelisted
4208
RUXIMICS.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
8188
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
8188
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5496
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7388
setup.exe
82.145.216.47:443
autoupdate.opera.com
Opera Software AS
NO
whitelisted
7388
setup.exe
82.145.217.121:443
desktop-netinstaller-sub.osp.opera.software
Opera Software AS
NO
whitelisted
7388
setup.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4208
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4208
RUXIMICS.exe
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.206
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.249
whitelisted
autoupdate.opera.com
  • 82.145.216.47
  • 82.145.216.20
  • 82.145.216.46
  • 82.145.216.19
whitelisted
desktop-netinstaller-sub.osp.opera.software
  • 82.145.217.121
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
features.opera-api2.com
  • 82.145.216.58
  • 82.145.216.16
  • 82.145.216.59
  • 82.145.216.15
malicious
api.config.opr.gg
  • 104.18.24.17
  • 104.18.25.17
unknown
c.pki.goog
  • 142.250.184.195
whitelisted

Threats

No threats detected
No debug info