File name: OperaGXSetup.exe

Full analysis: https://app.any.run/tasks/03094109-fb7d-4eda-ae1c-784269d7e34e
Verdict: Malicious activity
Analysis date: September 23, 2024, 09:01:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 89906F184A712E7399A52B7B4A99275B
SHA1: CA971FD481F783549613C6491F94A7AD1CA53C94
SHA256: B80ACEFE3F79EEC30236F57AA2362B4183B7FAAA9F585D3E6DF9279C71ED15F0
SSDEEP: 98304:awyWSeMgtibP1SlLYS5gf3JeeKhIeO/W+v3ESzk8xn7cQUILZHo/ObG8hzS14Prm:a3+p

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • setup.exe (PID: 1164)
      • OperaGXSetup.exe (PID: 6664)
      • setup.exe (PID: 5116)
      • setup.exe (PID: 5220)
    • Application launched itself

      • setup.exe (PID: 1164)
    • Starts itself from another location

      • setup.exe (PID: 1164)
  • INFO

    • Checks supported languages

      • OperaGXSetup.exe (PID: 6664)
    • Creates files in a temporary directory

      • OperaGXSetup.exe (PID: 6664)
      • setup.exe (PID: 1164)
    • Creates files or folders in the user directory

      • setup.exe (PID: 1164)
    • Manual execution by a user

      • Taskmgr.exe (PID: 4044)
      • Taskmgr.exe (PID: 1488)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

Note: TRiD's top guess (Win64) is a byte-pattern heuristic and conflicts with the PE header; the header (PE32, 32-bit, Intel 386) is authoritative, and the module lists below confirm the sample runs under WOW64 (wow64.dll plus SysWOW64 copies of ntdll, kernel32 and kernelbase loaded in every Opera process).

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:12 14:59:19+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.39
CodeSize: 238080
InitializedDataSize: 92672
UninitializedDataSize: -
EntryPoint: 0x213c0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 113.0.5230.108
ProductVersionNumber: 113.0.5230.108
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileVersion: 113.0.5230.108
ProductVersion: 113.0.5230.108
FileDescription: Opera installer SFX
CompanyName:
LegalCopyright: Opera Software 2024
ProductName: Opera installer
Stream: Stable
No data.
Screenshots: available in the full report.
Total processes: 138
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 2

Behavior graph

Process tree, reconstructed from the "Parent process" column of the process listing (the two child setup.exe entries name their parent only as setup.exe; they are shown under PID 1164, the only setup.exe running before them):

explorer.exe
  OperaGXSetup.exe (PID 6664)
    setup.exe (PID 1164, --server-tracking-blob=...)
      setup.exe (PID 5116, --type=crashpad-handler)
      setup.exe (PID 5220, --version, from "Opera GX Installer Temp")
  taskmgr.exe (PID 1488)
  taskmgr.exe (PID 4044)

Process information

PID 1164  setup.exe
  CMD: C:\Users\admin\AppData\Local\Temp\7zS80A74EAF\setup.exe --server-tracking-blob=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
  Path: C:\Users\admin\AppData\Local\Temp\7zS80A74EAF\setup.exe
  Parent process: OperaGXSetup.exe
  User: admin
  Company: Opera Software
  Integrity Level: MEDIUM
  Description: Opera GX Installer
  Exit code: 1
  Version: 113.0.5230.108
  Modules (images):
    c:\users\admin\appdata\local\temp\7zs80a74eaf\setup.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\acgenral.dll

PID 1488  taskmgr.exe
  CMD: "C:\WINDOWS\system32\taskmgr.exe" /7
  Path: C:\Windows\System32\Taskmgr.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Task Manager
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 10.0.19041.3636 (WinBuild.160101.0800)

PID 4044  taskmgr.exe
  CMD: "C:\WINDOWS\system32\taskmgr.exe" /7
  Path: C:\Windows\System32\Taskmgr.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Task Manager
  Exit code: 0
  Version: 10.0.19041.3636 (WinBuild.160101.0800)

  Note: the two Task Manager instances share the same command line and parent; the MEDIUM-integrity one (1488) exited with STATUS_ELEVATION_REQUIRED and the HIGH-integrity one (4044) succeeded, which is consistent with the "Manual execution by a user" indicator (the analyst opened Task Manager, which relaunched itself elevated). Neither belongs to the sample's own activity.

PID 5116  setup.exe
  CMD: C:\Users\admin\AppData\Local\Temp\7zS80A74EAF\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=113.0.5230.108 --initial-client-data=0x2f4,0x33c,0x340,0x31c,0x344,0x74421864,0x74421870,0x7442187c
  Path: C:\Users\admin\AppData\Local\Temp\7zS80A74EAF\setup.exe
  Parent process: setup.exe
  User: admin
  Company: Opera Software
  Integrity Level: MEDIUM
  Description: Opera GX Installer
  Exit code: 1
  Version: 113.0.5230.108
  Modules (images):
    c:\users\admin\appdata\local\temp\7zs80a74eaf\setup.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\acgenral.dll

PID 5220  setup.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
  Path: C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
  Parent process: setup.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
  Modules (images):
    c:\users\admin\appdata\local\temp\.opera\opera gx installer temp\setup.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\acgenral.dll

PID 6664  OperaGXSetup.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\OperaGXSetup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\OperaGXSetup.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Description: Opera installer SFX
  Exit code: 1
  Version: 113.0.5230.108
  Modules (images):
    c:\users\admin\appdata\local\temp\operagxsetup.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll
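The checks a reviewer makes against a listing like the one above can be scripted. The helper below is an added example, not part of the ANY.RUN report and not Opera's code: it rebuilds the parent/child tree, decodes the decimal exit code 3221226540 as an NTSTATUS value, flags processes whose image lives in a 7-Zip SFX extraction directory (%TEMP%\7zS<hex>\), and pairs up processes that run the same SHA256 from two different paths (the "Starts itself from another location" indicator). The process and hash records are transcribed from this report; the parent PID of the two child setup.exe entries is assumed to be 1164 (the report names the parent only as setup.exe), and every function name is this example's own.

```python
"""Triage helpers over a sandbox process listing and dropped-file list.

Added example: records are transcribed from the ANY.RUN report on this page;
helper names are this example's own. The parent of PIDs 5116 and 5220 is
given in the report only as "setup.exe" and is assumed here to be 1164.
"""
import ntpath
import re
from collections import defaultdict

PROCESSES = [
    {"pid": 6664, "parent": "explorer.exe", "integrity": "MEDIUM", "exit": 1,
     "image": r"C:\Users\admin\AppData\Local\Temp\OperaGXSetup.exe"},
    {"pid": 1164, "parent": 6664, "integrity": "MEDIUM", "exit": 1,
     "image": r"C:\Users\admin\AppData\Local\Temp\7zS80A74EAF\setup.exe"},
    {"pid": 5116, "parent": 1164, "integrity": "MEDIUM", "exit": 1,   # parent assumed
     "image": r"C:\Users\admin\AppData\Local\Temp\7zS80A74EAF\setup.exe"},
    {"pid": 5220, "parent": 1164, "integrity": "MEDIUM", "exit": 0,   # parent assumed
     "image": r"C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe"},
    {"pid": 1488, "parent": "explorer.exe", "integrity": "MEDIUM", "exit": 3221226540,
     "image": r"C:\Windows\System32\Taskmgr.exe"},
    {"pid": 4044, "parent": "explorer.exe", "integrity": "HIGH", "exit": 0,
     "image": r"C:\Windows\System32\Taskmgr.exe"},
]

# (dropping PID, path, SHA256) for the executables in the dropped-file list.
DROPPED = [
    (6664, r"C:\Users\admin\AppData\Local\Temp\7zS80A74EAF\setup.exe",
     "2D9B00B5D083E5C0475B174E8911D1FD8697F227714B16646DC9C8DE35FB2D2B"),
    (1164, r"C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe",
     "2D9B00B5D083E5C0475B174E8911D1FD8697F227714B16646DC9C8DE35FB2D2B"),
    (5116, r"C:\Users\admin\AppData\Local\Temp\Opera_installer_2409230901552525116.dll",
     "0F6C713EC354989E9153FCB80A4EF72E21B6C707B68EE2EE6C88C4ED397C8B09"),
]

# NTSTATUS values that show up as large decimal exit codes in sandbox output.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}

# 7-Zip SFX stubs unpack into %TEMP%\7zS<hex>\ before running the payload.
SFX_TEMP_DIR = re.compile(r"\\Temp\\7zS[0-9A-F]+\\", re.IGNORECASE)


def decode_exit_code(code: int) -> str:
    """Plain exit codes stay decimal; values >= 0x80000000 are NTSTATUS."""
    if code < 0x80000000:
        return str(code)
    return f"0x{code:08X} {NTSTATUS_NAMES.get(code, 'unknown NTSTATUS')}"


def launched_from_sfx_temp(procs):
    """PIDs whose image path is inside a 7-Zip SFX extraction directory."""
    return [p["pid"] for p in procs if SFX_TEMP_DIR.search(p["image"])]


def self_relaunch(procs, dropped):
    """(pid_a, pid_b) pairs running the same SHA256 from different paths."""
    sha_by_path = {path.lower(): sha for _, path, sha in dropped}
    pairs = []
    for i, a in enumerate(procs):
        for b in procs[i + 1:]:
            pa, pb = a["image"].lower(), b["image"].lower()
            sa, sb = sha_by_path.get(pa), sha_by_path.get(pb)
            if sa and sa == sb and pa != pb:
                pairs.append((a["pid"], b["pid"]))
    return pairs


def process_tree(procs):
    """Indented lines: '<pid> <image> [<integrity>] exit=<decoded code>'."""
    by_pid = {p["pid"]: p for p in procs}
    kids, roots = defaultdict(list), []
    for p in procs:
        if isinstance(p["parent"], int) and p["parent"] in by_pid:
            kids[p["parent"]].append(p["pid"])
        else:                      # parent is outside the monitored set
            roots.append(p["pid"])
    lines = []

    def walk(pid, depth):
        p = by_pid[pid]
        name = ntpath.basename(p["image"])
        lines.append("  " * depth + f"{pid} {name} [{p['integrity']}] "
                     f"exit={decode_exit_code(p['exit'])}")
        for child in kids[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(process_tree(PROCESSES)))
    print("started from SFX temp dir:", launched_from_sfx_temp(PROCESSES))
    print("same hash, different path:", self_relaunch(PROCESSES, DROPPED))
```

Running it prints the tree with 1488 decoded as STATUS_ELEVATION_REQUIRED, PIDs 1164 and 5116 as the SFX-temp launches, and (1164, 5220) as the self-relaunch pair that the "Starts itself from another location" signature describes.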
Total events: 910
Read events: 907
Write events: 3
Delete events: 0

Modification events

(PID) Process: (1164) setup.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
  Operation: write   Name: CachePrefix   Value: (empty)
(PID) Process: (1164) setup.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  Operation: write   Name: CachePrefix   Value: Cookie:
(PID) Process: (1164) setup.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
  Operation: write   Name: CachePrefix   Value: Visited:

These three CachePrefix values (empty, "Cookie:", "Visited:") are the standard WinINet cache container prefixes, written when a process first initialises the WinINet cache; they match the INetCache download in the dropped-file list and are not a persistence mechanism.
Executable files: 5
Suspicious files: 8
Text files: 2
Unknown types: 5

Dropped files

PID 1164  setup.exe
  C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat  (binary)
  MD5: 77EA3E32D6645D6D8A792A243EF245A6
  SHA256: 46ABC3C8EB9EB3D6B864C46EB125B8C9737287A9844F91900494BAECDC72ED40
PID 1164  setup.exe
  C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409230901571\opera_package
  MD5: (not recorded)
  SHA256: (not recorded)
PID 1164  setup.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\Opera_GX_113.0.5230.118_Autoupdate_x64[1].exe
  MD5: (not recorded)
  SHA256: (not recorded)
PID 5116  setup.exe
  C:\Users\admin\AppData\Local\Temp\Opera_installer_2409230901552525116.dll  (executable)
  MD5: 88F60EFA6204B7AFE492E82AA60A3417
  SHA256: 0F6C713EC354989E9153FCB80A4EF72E21B6C707B68EE2EE6C88C4ED397C8B09
PID 1164  setup.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419  (der)
  MD5: 7C5F25DB28ACEE96CDEE10FBF37E23AA
  SHA256: 95684A668559F58EB45E45F11C6D63C95FCBECB647FFA81CE4D8EA47E30A36C0
PID 1164  setup.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\59D76868C250B3240414CE3EFBB12518_17DD39A60A87A85D0DDEF9FD164BB3E9  (der)
  MD5: 999CAD8637802599DED1BBBD4891E5DF
  SHA256: 522F938BB447E9D855A3B989CF8E69D740D70A4C24766A9F3E1A6CF2CE29CBE6
PID 1164  setup.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12  (binary)
  MD5: 8CA62920367F9B1273923146E48CE406
  SHA256: 43E4DE12D65652C730E8CAE0E10AB646E0343C21E897747C7FEC76145BE22959
PID 6664  OperaGXSetup.exe
  C:\Users\admin\AppData\Local\Temp\7zS80A74EAF\setup.exe  (executable)
  MD5: DA8E25FE4788692A6EB45AEABE53C618
  SHA256: 2D9B00B5D083E5C0475B174E8911D1FD8697F227714B16646DC9C8DE35FB2D2B
PID 1164  setup.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12  (der)
  MD5: 7FB5FA1534DCF77F2125B2403B30A0EE
  SHA256: 33A39E9EC2133230533A686EC43760026E014A3828C703707ACBC150FE40FD6F
PID 1164  setup.exe
  C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe  (executable)
  MD5: DA8E25FE4788692A6EB45AEABE53C618
  SHA256: 2D9B00B5D083E5C0475B174E8911D1FD8697F227714B16646DC9C8DE35FB2D2B

Notes: the setup.exe unpacked by the SFX into 7zS80A74EAF and the setup.exe written to "Opera GX Installer Temp" have the same SHA256 (2D9B00B5...), so the "Starts itself from another location" signature is the installer copying itself, not a second payload. The CryptnetUrlCache entries are the CRL/OCSP responses cached by Windows certificate validation (see the HTTP requests below). The fetched package is version 113.0.5230.118, newer than the installer's own 113.0.5230.108, which is what a net installer is expected to do; its hash was not recorded in this report.
HTTP(S) requests: 13
TCP/UDP connections: 52
DNS requests: 27
Threats: 0

HTTP requests

PID  | Process     | Method | Code | IP:port           | URL | CN | Reputation
     |             | GET    | 200  | 23.35.229.160:80  | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1164 | setup.exe   | GET    | 200  | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | unknown | whitelisted
1164 | setup.exe   | GET    | 200  | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnxLiz3Fu1WB6n1%2FE6xWn1b0jXiQQUdIWAwGbH3zfez70pN6oDHb7tzRcCEAfyOr5A1UWlCmQhXhy%2Bwwk%3D | unknown | whitelisted
904  | svchost.exe | GET    | 200  | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
     |             | GET    | 200  | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
     |             | GET    | 200  | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
     |             | GET    | 200  | 23.35.229.160:80  | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
     |             | GET    | 200  | 23.35.229.160:80  | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
     |             | GET    | 200  | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
1164 | setup.exe   | GET    | 200  | 172.217.18.3:80   | http://c.pki.goog/r/gsr1.crl | unknown | whitelisted

Every listed request is a plain-HTTP CRL or OCSP fetch (Microsoft PKI, DigiCert OCSP, Google PKI) made during certificate chain validation of the signed installer; rows without a PID were not attributed to a monitored process by the sandbox. The Opera endpoints themselves are only reached over TLS (see Connections) and their content is not shown here.

Connections

PID  | Process      | IP:port              | Domain | ASN | CN | Reputation
4    | System       | 192.168.100.255:138  |        |     |    | whitelisted
3888 | svchost.exe  | 239.255.255.250:1900 |        |     |    | whitelisted
6892 | svchost.exe  | 51.124.78.146:443    | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5900 | RUXIMICS.exe | 51.124.78.146:443    | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
     |              | 51.124.78.146:443    | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
     |              | 23.35.229.160:80     | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1164 | setup.exe    | 82.145.217.121:443   | desktop-netinstaller-sub.osp.opera.software | Opera Software AS | NO | whitelisted
1164 | setup.exe    | 192.229.221.95:80    | ocsp.digicert.com | EDGECAST | US | whitelisted
1164 | setup.exe    | 185.26.182.124:443   | autoupdate.geo.opera.com | Opera Software AS |    | whitelisted
1164 | setup.exe    | 185.26.182.118:443   | features.opera-api2.com | Opera Software AS |    | malicious

Note: the only item tagged malicious anywhere in this report is the reputation of features.opera-api2.com, a host in Opera Software AS address space reached by the same installer process (PID 1164) as the other Opera endpoints. The MALICIOUS indicator list is empty, no process is classed malicious and no IDS threat fired, so the "Malicious activity" verdict rests on that domain-reputation tag rather than on observed behaviour. Treat it as a reputation-list hit to verify against the expected installer traffic, not as evidence that the sample is hostile.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
google.com
  • 216.58.206.78
whitelisted
desktop-netinstaller-sub.osp.opera.software
  • 82.145.217.121
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
autoupdate.geo.opera.com
  • 185.26.182.124
  • 185.26.182.123
whitelisted
features.opera-api2.com
  • 185.26.182.118
  • 185.26.182.94
  • 185.26.182.112
  • 185.26.182.106
  • 185.26.182.93
  • 185.26.182.111
malicious
api.config.opr.gg
  • 104.18.24.17
  • 104.18.25.17
unknown
c.pki.goog
  • 172.217.18.3
whitelisted
download.opera.com
  • 82.145.216.24
  • 82.145.216.23
whitelisted

Threats

No threats detected
No debug info