File name:	ZelyanorSetup1.0.0.exe
Full analysis:	https://app.any.run/tasks/096da8a6-1d28-4bf1-884d-d0b780cd3d63
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 09, 2026, 23:30:01
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	silentstealer stealer python generic nodejs
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	328AF41E6AAC5DF70E9611D4584E8B27
SHA1:	5B99A297DED651F86A29A74404213E85EDE32BE4
SHA256:	B16E6B56B4ADAA070DE1DA74F9C6F16469182397F80D2587C5DBA3229FDF1898
SSDEEP:	786432:eEnaHx5ZPDFIBjkCVbHwycGNsSfwli+WPGQ:eEnS5ZPDFIBjkosycGNsSoli+qGQ

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:12:15 22:26:14+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26624
InitializedDataSize:	473088
UninitializedDataSize:	16384
EntryPoint:	0x338f
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Fallik
FileDescription:	Setup of Velyanor game.
FileVersion:	1.0.0
LegalCopyright:	Copyright © 2026 Fallik
ProductName:	Zelyanor
ProductVersion:	1.0.0


(PID) Process:	(7832) ZelyanorSetup1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\a88536c9-01c5-5bf9-80fd-a719f0683ae1
Operation:	write	Name:	InstallLocation
Value: C:\Users\admin\AppData\Local\Programs\Zelyanor
(PID) Process:	(7832) ZelyanorSetup1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\a88536c9-01c5-5bf9-80fd-a719f0683ae1
Operation:	write	Name:	KeepShortcuts
Value: true
(PID) Process:	(7832) ZelyanorSetup1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\a88536c9-01c5-5bf9-80fd-a719f0683ae1
Operation:	write	Name:	ShortcutName
Value: Zelyanor
(PID) Process:	(7832) ZelyanorSetup1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\a88536c9-01c5-5bf9-80fd-a719f0683ae1
Operation:	write	Name:	DisplayName
Value: Zelyanor 1.0.0
(PID) Process:	(7832) ZelyanorSetup1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\a88536c9-01c5-5bf9-80fd-a719f0683ae1
Operation:	write	Name:	UninstallString
Value: "C:\Users\admin\AppData\Local\Programs\Zelyanor\Uninstall Zelyanor.exe" /currentuser
(PID) Process:	(7832) ZelyanorSetup1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\a88536c9-01c5-5bf9-80fd-a719f0683ae1
Operation:	write	Name:	QuietUninstallString
Value: "C:\Users\admin\AppData\Local\Programs\Zelyanor\Uninstall Zelyanor.exe" /currentuser /S
(PID) Process:	(7832) ZelyanorSetup1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\a88536c9-01c5-5bf9-80fd-a719f0683ae1
Operation:	write	Name:	DisplayVersion
Value: 1.0.0
(PID) Process:	(7832) ZelyanorSetup1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\a88536c9-01c5-5bf9-80fd-a719f0683ae1
Operation:	write	Name:	DisplayIcon
Value: C:\Users\admin\AppData\Local\Programs\Zelyanor\Zelyanor.exe,0
(PID) Process:	(7832) ZelyanorSetup1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\a88536c9-01c5-5bf9-80fd-a719f0683ae1
Operation:	write	Name:	Publisher
Value: Fallik
(PID) Process:	(7832) ZelyanorSetup1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\a88536c9-01c5-5bf9-80fd-a719f0683ae1
Operation:	write	Name:	NoModify
Value: 1

PID	Process	Filename		Type
7832	ZelyanorSetup1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsnC76.tmp\app-64.7z		—
		MD5:—	SHA256:—
7832	ZelyanorSetup1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsnC76.tmp\7z-out\icudtl.dat		—
		MD5:—	SHA256:—
7832	ZelyanorSetup1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsnC76.tmp\7z-out\LICENSES.chromium.html		—
		MD5:—	SHA256:—
7832	ZelyanorSetup1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsnC76.tmp\SpiderBanner.dll		executable
		MD5:17309E33B596BA3A5693B4D3E85CF8D7	SHA256:996A259E53CA18B89EC36D038C40148957C978C0FD600A268497D4C92F882A93
7832	ZelyanorSetup1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsnC76.tmp\nsis7z.dll		executable
		MD5:80E44CE4895304C6A3A831310FBF8CD0	SHA256:B393F05E8FF919EF071181050E1873C9A776E1A0AE8329AEFFF7007D0CADF592
7832	ZelyanorSetup1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsnC76.tmp\StdUtils.dll		executable
		MD5:C6A6E03F77C313B267498515488C5740	SHA256:B72E9013A6204E9F01076DC38DABBF30870D44DFC66962ADBF73619D4331601E
7832	ZelyanorSetup1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsnC76.tmp\System.dll		executable
		MD5:0D7AD4F45DC6F5AA87F606D0331C6901	SHA256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
7832	ZelyanorSetup1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsnC76.tmp\7z-out\LICENSE.electron.txt		text
		MD5:4D42118D35941E0F664DDDBD83F633C5	SHA256:5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
7832	ZelyanorSetup1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsnC76.tmp\7z-out\locales\bg.pak		binary
		MD5:9DC95C3B9B47CC9FE5A34B2AAB2D4D01	SHA256:FC4A59EA60D04B224765BE4916090E97ED8DDDA6B136A92A3827ED0FCC64BB0E
7832	ZelyanorSetup1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsnC76.tmp\7z-out\locales\ar.pak		binary
		MD5:98F8A48892B41E64BEF135B86F3D4A6C	SHA256:E34D5CABAED4634C672591074057C12947BC9E728004228A9E75F87829F4A48A

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2952	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
—	—	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
—	—	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
2952	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
—	—	GET	200	2.16.206.133:443	https://globalcdn.nuget.org/packages/python.3.10.0.nupkg	unknown	binary	13.6 Mb	unknown
7440	slui.exe	POST	500	48.192.1.64:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	whitelisted
7312	slui.exe	POST	500	48.192.1.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	whitelisted
—	—	POST	500	48.192.1.64:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	unknown
—	—	POST	500	48.192.1.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	Not routed	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
2952	svchost.exe	23.216.77.28:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
—	—	23.216.77.28:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
2952	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
—	—	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
8068	Zelyanor.exe	23.2.13.144:443	globalcdn.nuget.org	AKAMAI-ASN1	NL	whitelisted
7440	slui.exe	48.192.1.64:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2432	python.exe	151.101.64.223:443	pypi.org	FASTLY	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	142.250.186.142	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.6	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
globalcdn.nuget.org	23.2.13.144 23.2.13.138	whitelisted
self.events.data.microsoft.com	20.189.173.8	whitelisted
activation-v2.sls.microsoft.com	48.192.1.64 48.192.1.65	whitelisted
pypi.org	151.101.64.223 151.101.192.223 151.101.128.223 151.101.0.223	whitelisted

General Info

ZelyanorSetup1.0.0.exe

328AF41E6AAC5DF70E9611D4584E8B27

5B99A297DED651F86A29A74404213E85EDE32BE4

B16E6B56B4ADAA070DE1DA74F9C6F16469182397F80D2587C5DBA3229FDF1898

786432:eEnaHx5ZPDFIBjkCVbHwycGNsSfwli+WPGQ:eEnS5ZPDFIBjkosycGNsSoli+qGQ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SILENTSTEALER has been detected

Steals credentials from Web Browsers

Changes powershell execution policy (Bypass)

Actions looks like stealing of personal data

Bypass execution policy to execute commands

Steals Discord credentials and data (YARA)

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

Drops 7-zip archiver for unpacking

The process creates files with name similar to system file names

Reads security settings of Internet Explorer

Uses TASKKILL.EXE to kill process

There is functionality for taking screenshot (YARA)

Process drops legitimate windows executable

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Starts NET.EXE to display or manage information about active sessions

Cryptography encrypted command line is found

Application launched itself

Starts POWERSHELL.EXE for commands execution

Obfuscation pattern (POWERSHELL)

The process bypasses the loading of PowerShell profile settings

Uses TASKKILL.EXE to kill Browsers

Possible stealing of messenger data

The process drops C-runtime libraries

Process drops python dynamic module

Loads Python modules

INFO

The sample compiled with english language support

Checks supported languages

Create files in a temporary directory

Reads the computer name

Creates files or folders in the user directory

Creates a software uninstall entry

Manual execution by a user

Reads product name

Reads Environment values

Process checks computer location settings

Checks proxy server information

Node.js compiler has been detected

Python executable

Reads the machine GUID from the registry

Checks operating system version

Drops encrypted JS script (Microsoft Script Encoder)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules