| File name: | OperaGXSetup.exe |
| Full analysis: | https://app.any.run/tasks/a8d010f0-72bf-4e47-9d4f-c7cdb5d80d49 |
| Verdict: | Malicious activity |
| Analysis date: | June 06, 2025, 16:28:12 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | C4C75E7642963C3C1E7BE11B5B1D92A2 |
| SHA1: | 6E799F42277C8F4C633CA40722615FD860DFAC65 |
| SHA256: | 47DBEA93E8B7CB38F942488544C09ED498645EC952D87D93447499564AA98BD4 |
| SSDEEP: | 98304:SwyWSeMgtUy6Ao1eP9/ZCr93PYca42xSDPpty0DYhVRi3JM92AUfcXW0cfX5ii+d:SyXKaY0PTdT |
MALICIOUS
No malicious indicators.SUSPICIOUS
Executable content was dropped or overwritten
- OperaGXSetup.exe (PID: 6816)
- setup.exe (PID: 6028)
- setup.exe (PID: 2332)
- setup.exe (PID: 1696)
- setup.exe (PID: 3096)
- setup.exe (PID: 7888)
Application launched itself
- setup.exe (PID: 2332)
- setup.exe (PID: 7888)
Starts itself from another location
- setup.exe (PID: 2332)
Reads security settings of Internet Explorer
- setup.exe (PID: 2332)
There is functionality for taking screenshot (YARA)
- setup.exe (PID: 6028)
- setup.exe (PID: 2332)
- setup.exe (PID: 7888)
- setup.exe (PID: 3096)
INFO
Checks supported languages
- OperaGXSetup.exe (PID: 6816)
- setup.exe (PID: 6028)
- setup.exe (PID: 2332)
- setup.exe (PID: 1696)
- setup.exe (PID: 7888)
- setup.exe (PID: 3096)
Reads the computer name
- setup.exe (PID: 2332)
- setup.exe (PID: 7888)
The sample compiled with english language support
- setup.exe (PID: 2332)
- OperaGXSetup.exe (PID: 6816)
- setup.exe (PID: 6028)
- setup.exe (PID: 1696)
- setup.exe (PID: 7888)
- setup.exe (PID: 3096)
Create files in a temporary directory
- OperaGXSetup.exe (PID: 6816)
- setup.exe (PID: 6028)
- setup.exe (PID: 2332)
- setup.exe (PID: 1696)
- setup.exe (PID: 7888)
- setup.exe (PID: 3096)
Creates files or folders in the user directory
- setup.exe (PID: 6028)
- setup.exe (PID: 2332)
Checks proxy server information
- setup.exe (PID: 2332)
- slui.exe (PID: 7928)
Reads the software policy settings
- setup.exe (PID: 2332)
- slui.exe (PID: 7928)
Reads the machine GUID from the registry
- setup.exe (PID: 2332)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:06:12 14:59:19+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.39 |
| CodeSize: | 238080 |
| InitializedDataSize: | 92672 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x213c0 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 119.0.5497.78 |
| ProductVersionNumber: | 119.0.5497.78 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Unknown |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| FileVersion: | 119.0.5497.78 |
| ProductVersion: | 119.0.5497.78 |
| FileDescription: | Opera installer SFX |
| CompanyName: | |
| LegalCopyright: | Opera Software 2025 |
| Productname: | Opera installer |
| Stream: | Stable |
Total processes
132
Monitored processes
8
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1696 | "C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version | C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe | setup.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2332 | C:\Users\admin\AppData\Local\Temp\7zS0AAE0352\setup.exe --server-tracking-blob=ZjkxMjI4NGMzMDg3ODFiNzA5MzBjYmQ2NGIwNGIyZDc4YmNiMDdhMmU1YzZmMWU3ZTM1MGJmOWVhOGJlZWEyMzp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMSIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL251cnNlcnVucm92ZS5zaG9wLyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFHWFNldHVwLmV4ZSIsInByb2R1Y3QiOiJvcGVyYV9neCIsInF1ZXJ5IjoiL29wZXJhX2d4L3N0YWJsZS9lZGl0aW9uL3N0ZC0xP3V0bV9zb3VyY2U9UFdOZ2FtZXMmdXRtX21lZGl1bT1wYSZ1dG1fY2FtcGFpZ249UFdOX0dCX01WUl85MTU4X0REXzM2NjEmdXRtX2lkPTE3ZGFlNDgzNWRmNTRmZDJiZmJkNmNjZjMwMzk2YzViIiwidGltZXN0YW1wIjoiMTc0OTIyNTg2Mi44NDE1IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NDsgcnY6MTM5LjApIEdlY2tvLzIwMTAwMTAxIEZpcmVmb3gvMTM5LjAiLCJ1dG0iOnsiY2FtcGFpZ24iOiJQV05fR0JfTVZSXzkxNThfRERfMzY2MSIsImlkIjoiMTdkYWU0ODM1ZGY1NGZkMmJmYmQ2Y2NmMzAzOTZjNWIiLCJtZWRpdW0iOiJwYSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiJiOGU2NTJmMy1mMTIzLTQxYzUtYmMxNC0zYTljZWE2ZTVmNDUifQ== | C:\Users\admin\AppData\Local\Temp\7zS0AAE0352\setup.exe | OperaGXSetup.exe | ||||||||||||
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera GX Installer Version: 119.0.5497.78 Modules
| |||||||||||||||
| 3096 | C:\Users\admin\AppData\Local\Temp\7zS0AAE0352\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktopGX --annotation=ver=119.0.5497.78 --initial-client-data=0x298,0x29c,0x2ac,0x25c,0x2b0,0x7ffc86a2b188,0x7ffc86a2b194,0x7ffc86a2b1a0 | C:\Users\admin\AppData\Local\Temp\7zS0AAE0352\setup.exe | setup.exe | ||||||||||||
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera GX Installer Version: 119.0.5497.78 Modules
| |||||||||||||||
| 6028 | C:\Users\admin\AppData\Local\Temp\7zS0AAE0352\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktopGX --annotation=ver=119.0.5497.78 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x7ffc88cbb188,0x7ffc88cbb194,0x7ffc88cbb1a0 | C:\Users\admin\AppData\Local\Temp\7zS0AAE0352\setup.exe | setup.exe | ||||||||||||
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera GX Installer Version: 119.0.5497.78 Modules
| |||||||||||||||
| 6816 | "C:\Users\admin\Desktop\OperaGXSetup.exe" | C:\Users\admin\Desktop\OperaGXSetup.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Opera installer SFX Version: 119.0.5497.78 Modules
| |||||||||||||||
| 7888 | "C:\Users\admin\AppData\Local\Temp\7zS0AAE0352\setup.exe" --backend --install --import-browser-data=0 --enable-crash-reporting=1 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --vought_browser=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=2332 --package-dir-prefix="C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20250606162823" --session-guid=45879be4-fd41-451c-8794-3e0fe5aa4647 --server-tracking-blob="MjcwMjQzZTllMTVjOGVlNjc2Mzc2MTkyYjMwMzhkZGEzM2U4ZTgwZjEwMTJlNjliNzk3MjU0NGIwMGFhYWYyNjp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMSIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL251cnNlcnVucm92ZS5zaG9wLyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFHWFNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhX2d4In0sInF1ZXJ5IjoiL29wZXJhX2d4L3N0YWJsZS9lZGl0aW9uL3N0ZC0xP3V0bV9zb3VyY2U9UFdOZ2FtZXMmdXRtX21lZGl1bT1wYSZ1dG1fY2FtcGFpZ249UFdOX0dCX01WUl85MTU4X0REXzM2NjEmdXRtX2lkPTE3ZGFlNDgzNWRmNTRmZDJiZmJkNmNjZjMwMzk2YzViIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzQ5MjI1ODYyLjg0MTUiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0OyBydjoxMzkuMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC8xMzkuMCIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9HQl9NVlJfOTE1OF9ERF8zNjYxIiwiaWQiOiIxN2RhZTQ4MzVkZjU0ZmQyYmZiZDZjY2YzMDM5NmM1YiIsIm1lZGl1bSI6InBhIiwic291cmNlIjoiUFdOZ2FtZXMifSwidXVpZCI6ImI4ZTY1MmYzLWYxMjMtNDFjNS1iYzE0LTNhOWNlYTZlNWY0NSJ9 " --desktopshortcut=1 --wait-for-package --initial-proc-handle=FC09000000000000 | C:\Users\admin\AppData\Local\Temp\7zS0AAE0352\setup.exe | setup.exe | ||||||||||||
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera GX Installer Version: 119.0.5497.78 Modules
| |||||||||||||||
| 7928 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
7 000
Read events
6 996
Write events
4
Delete events
0
Modification events
| (PID) Process: | (2332) setup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (2332) setup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (2332) setup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (7888) setup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Opera Software |
| Operation: | write | Name: | Last Opera GX Stable Install Path |
Value: C:\Users\admin\AppData\Local\Programs\Opera GX\ | |||
Executable files
7
Suspicious files
2
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6816 | OperaGXSetup.exe | C:\Users\admin\AppData\Local\Temp\7zS0AAE0352\setup.exe | executable | |
MD5:122379ACB9FA14FD5A90B321BE840E1D | SHA256:AE0BD7E58F0F5FE4CF1779ACA90110B448841C9515F774CA972AD95D5FBB5131 | |||
| 6028 | setup.exe | C:\Users\admin\AppData\Local\Temp\Opera_installer_2506061628225206028.dll | executable | |
MD5:B42F014712C026FE14F38B604E6521BB | SHA256:54637DA071D4CF6B325CD2F16658BDDB10FA70DEA7201AEF5892EFC06EF3EB55 | |||
| 2332 | setup.exe | C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe | executable | |
MD5:122379ACB9FA14FD5A90B321BE840E1D | SHA256:AE0BD7E58F0F5FE4CF1779ACA90110B448841C9515F774CA972AD95D5FBB5131 | |||
| 2332 | setup.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\features[1].json | binary | |
MD5:49F5B6D1904EE263C09AE2A455B09205 | SHA256:777A4257C30FC52AD0F8DD78D7AA3137C3D951BBBB0985B2937F5F552CFDAFCF | |||
| 2332 | setup.exe | C:\Users\admin\AppData\Local\Temp\Opera_installer_2506061628223642332.dll | executable | |
MD5:B42F014712C026FE14F38B604E6521BB | SHA256:54637DA071D4CF6B325CD2F16658BDDB10FA70DEA7201AEF5892EFC06EF3EB55 | |||
| 1696 | setup.exe | C:\Users\admin\AppData\Local\Temp\Opera_installer_2506061628228481696.dll | executable | |
MD5:B42F014712C026FE14F38B604E6521BB | SHA256:54637DA071D4CF6B325CD2F16658BDDB10FA70DEA7201AEF5892EFC06EF3EB55 | |||
| 7888 | setup.exe | C:\Users\admin\AppData\Local\Temp\Opera_installer_2506061628312547888.dll | executable | |
MD5:B42F014712C026FE14F38B604E6521BB | SHA256:54637DA071D4CF6B325CD2F16658BDDB10FA70DEA7201AEF5892EFC06EF3EB55 | |||
| 3096 | setup.exe | C:\Users\admin\AppData\Local\Temp\Opera_installer_2506061628314113096.dll | executable | |
MD5:B42F014712C026FE14F38B604E6521BB | SHA256:54637DA071D4CF6B325CD2F16658BDDB10FA70DEA7201AEF5892EFC06EF3EB55 | |||
| 2332 | setup.exe | C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat | binary | |
MD5:A27FC9A3AD10F5C41FD9BACB7150177B | SHA256:3A166F63C523CBD79C7F7C3CA8327C6A6C9A80A819FF0427401BDA24ACBDDF56 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
46
TCP/UDP connections
70
DNS requests
20
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 201 | 82.145.217.121:443 | https://desktop-netinstaller-sub.osp.opera.software/v1/binary | unknown | text | 36 b | whitelisted |
6960 | svchost.exe | GET | 200 | 2.16.164.91:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 185.26.182.123:443 | https://autoupdate.opera.com/me/ | unknown | binary | 46 b | whitelisted |
— | — | POST | 200 | 185.26.182.123:443 | https://autoupdate.opera.com/v5/netinstaller/gx/Stable/windows/x64 | unknown | binary | 1.47 Kb | whitelisted |
6960 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
— | — | POST | 200 | 40.126.31.69:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted |
— | — | POST | 200 | 40.126.31.69:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted |
— | — | POST | 200 | 20.190.159.130:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted |
— | — | POST | 200 | 20.190.159.68:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6960 | svchost.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 40.126.31.131:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6960 | svchost.exe | 2.16.164.91:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
6544 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted |
6960 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
2332 | setup.exe | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | Opera Software AS | NO | whitelisted |
2332 | setup.exe | 82.145.216.46:443 | autoupdate.opera.com | Opera Software AS | NO | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
desktop-netinstaller-sub.osp.opera.software |
| whitelisted |
autoupdate.opera.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
features.opera-api2.com |
| malicious |
api.config.opr.gg |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET INFO Outgoing Basic Auth Base64 HTTP Password detected unencrypted |