File name: CS2.exe

Full analysis: https://app.any.run/tasks/7cd247af-0f17-4738-9fdc-aa06bd39b2b2
Verdict: Malicious activity
Analysis date: June 08, 2024, 13:42:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: python
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5: 4CAE556E4222002A9C4CE5B276230A17
SHA1: 5921E0471BCD78F0F1729FB9311786C88A601DD4
SHA256: 2128EC4EA2F1ADF1EB7396D63E881F48EC403577DED6C0A85B47F06C34CD7B70
SSDEEP: 98304:hQWOoZkEGcMXnZwhAxcnLgri0GKVYhWnXZLvbN+pl89blvtVlsSihbIa47TUj17m:o5uRuyVq7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • CS2.exe (PID: 6612)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • CS2.exe (PID: 6612)
    • The process drops C-runtime libraries
      • CS2.exe (PID: 6612)
    • Executable content was dropped or overwritten
      • CS2.exe (PID: 6612)
    • Process drops python dynamic module
      • CS2.exe (PID: 6612)
    • Application launched itself
      • CS2.exe (PID: 6612)
      • cmd.exe (PID: 6720)
      • cmd.exe (PID: 6808)
    • Loads Python modules
      • CS2.exe (PID: 6692)
    • Starts CMD.EXE for commands execution
      • CS2.exe (PID: 6692)
      • cmd.exe (PID: 6720)
      • cmd.exe (PID: 6808)
    • Reads security settings of Internet Explorer
      • ShellExperienceHost.exe (PID: 2588)
      • TextInputHost.exe (PID: 5656)
  • INFO
    • Checks supported languages
      • CS2.exe (PID: 6612)
      • CS2.exe (PID: 6692)
      • ShellExperienceHost.exe (PID: 2588)
      • TextInputHost.exe (PID: 5656)
    • Reads the computer name
      • CS2.exe (PID: 6612)
      • TextInputHost.exe (PID: 5656)
      • ShellExperienceHost.exe (PID: 2588)
    • Create files in a temporary directory
      • CS2.exe (PID: 6612)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:06:08 12:43:41+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.38
CodeSize: 176640
InitializedDataSize: 154112
UninitializedDataSize: -
EntryPoint: 0xb9e0
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
No data.
Total processes: 179
Monitored processes: 18
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes in the graph, in the order shown: start, cs2.exe, conhost.exe, cs2.exe, cmd.exe, cmd.exe, conhost.exe, explorer.exe, cmd.exe, cmd.exe, conhost.exe, explorer.exe, explorer.exe, explorer.exe, explorer.exe, explorer.exe, explorer.exe, shellexperiencehost.exe, textinputhost.exe

Process information

Fields per process: PID | CMD | Path | Indicators | Parent process

PID: 624
CMD: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 10.0.19041.3758 (WinBuild.160101.0800)
PID: 1204
CMD: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 10.0.19041.3758 (WinBuild.160101.0800)
PID: 1572
CMD: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 10.0.19041.3758 (WinBuild.160101.0800)
PID: 2588
CMD: "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Shell Experience Host
Exit code: 1
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\dxgi.dll
PID: 4004
CMD: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 10.0.19041.3758 (WinBuild.160101.0800)
PID: 4724
CMD: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 10.0.19041.3758 (WinBuild.160101.0800)
PID: 5656
CMD: "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
Path: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Exit code: 1
Version: 123.26505.0.0
Loaded modules (images):
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 6212
CMD: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 10.0.19041.3758 (WinBuild.160101.0800)
PID: 6612
CMD: "C:\Users\admin\Desktop\CS2.exe"
Path: C:\Users\admin\Desktop\CS2.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Loaded modules (images):
c:\users\admin\desktop\cs2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 6624
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: CS2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 3 938
Read events: 3 937
Write events: 1
Delete events: 0

Modification events

(PID) Process: (2588) ShellExperienceHost.exe
Key: \REGISTRY\A\{7787a22f-00eb-577d-b06b-66909d219b46}\LocalState
Operation: write
Name: LastNetworkingFlyoutHeight
Value: 0000124330B599E2A9B9DA01
Executable files: 10
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6612 | CS2.exe | C:\Users\admin\AppData\Local\Temp\_MEI66122\VCRUNTIME140.dll | executable
MD5:BE8DBE2DC77EBE7F88F910C61AEC691A
SHA256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
6612 | CS2.exe | C:\Users\admin\AppData\Local\Temp\_MEI66122\_bz2.pyd | executable
MD5:223FD6748CAE86E8C2D5618085C768AC
SHA256:F81DC49EAC5ECC528E628175ADD2FF6BDA695A93EA76671D7187155AA6326ABB
6612 | CS2.exe | C:\Users\admin\AppData\Local\Temp\_MEI66122\_hashlib.pyd | executable
MD5:EEDB6D834D96A3DFFFFB1F65B5F7E5BE
SHA256:79C4CDE23397B9A35B54A3C2298B3C7A844454F4387CB0693F15E4FACD227DD2
6612 | CS2.exe | C:\Users\admin\AppData\Local\Temp\_MEI66122\python312.dll | executable
MD5:3C388CE47C0D9117D2A50B3FA5AC981D
SHA256:C98BA3354A7D1F69BDCA42560FEEC933CCBA93AFCC707391049A065E1079CDDB
6612 | CS2.exe | C:\Users\admin\AppData\Local\Temp\_MEI66122\base_library.zip | compressed
MD5:8DAD91ADD129DCA41DD17A332A64D593
SHA256:8DE4F013BFECB9431AABAA97BB084FB7DE127B365B9478D6F7610959BF0D2783
6612 | CS2.exe | C:\Users\admin\AppData\Local\Temp\_MEI66122\unicodedata.pyd | executable
MD5:16BE9A6F941F1A2CB6B5FCA766309B2C
SHA256:10FFD5207EEFF5A836B330B237D766365D746C30E01ABF0FD01F78548D1F1B04
6612 | CS2.exe | C:\Users\admin\AppData\Local\Temp\_MEI66122\_lzma.pyd | executable
MD5:05E8B2C429AFF98B3AE6ADC842FB56A3
SHA256:A6E2A5BB7A33AD9054F178786A031A46EA560FAEEF1FB96259331500AAE9154C
6612 | CS2.exe | C:\Users\admin\AppData\Local\Temp\_MEI66122\_decimal.pyd | executable
MD5:3055EDF761508190B576E9BF904003AA
SHA256:E4104E47399D3F635A14D649F61250E9FD37F7E65C81FFE11F099923F8532577
6612 | CS2.exe | C:\Users\admin\AppData\Local\Temp\_MEI66122\_socket.pyd | executable
MD5:DC06F8D5508BE059EAE9E29D5BA7E9EC
SHA256:7DAFF6AA3851A913ED97995702A5DFB8A27CB7CF00FB496597BE777228D7564A
6612 | CS2.exe | C:\Users\admin\AppData\Local\Temp\_MEI66122\libcrypto-3.dll | executable
MD5:E547CF6D296A88F5B1C352C116DF7C0C
SHA256:05FE080EAB7FC535C51E10C1BD76A2F3E6217F9C91A25034774588881C3F99DE
HTTP(S) requests: 137
TCP/UDP connections: 135
DNS requests: 120
Threats: 32

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(a "-" marks a field the export did not record for that row)
4232 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
5952 | svchost.exe | GET | 200 | 2.16.241.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
4232 | RUXIMICS.exe | GET | 200 | 2.16.241.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
- | - | GET | 304 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
- | - | GET | 200 | 52.58.254.253:443 | https://cant-not-tweet-this.com/ | unknown | html | 2.10 Kb
- | - | GET | 200 | 204.79.197.239:443 | https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0 | unknown | binary | 1.02 Kb
- | - | GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=27&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1 | unknown | binary | 1.15 Kb
- | - | GET | 200 | 151.101.1.195:443 | https://hooooooooo.com/js/jquery.jplayer.min.js | unknown | 32.5 Kb

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(a "-" marks a field the export did not record for that row)
4 | System | 192.168.100.255:138 | - | - | - | unknown
5952 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4364 | svchost.exe | 239.255.255.250:1900 | - | - | - | unknown
4232 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
5140 | MoUsoCoreWorker.exe | 2.16.241.6:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
5952 | svchost.exe | 2.16.241.6:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
4232 | RUXIMICS.exe | 2.16.241.6:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
4232 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
- | - | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 2.16.241.6 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted
cant-not-tweet-this.com | 18.192.231.252, 52.58.254.253 | unknown
edge.microsoft.com | 204.79.197.239, 13.107.21.239 | whitelisted
edge-mobile-static.azureedge.net | 13.107.246.45 | unknown
thatsthefinger.com | 3.72.140.173, 18.192.231.252 | whitelisted
mondrianandme.com | 3.70.101.28, 3.72.140.173 | unknown
google.com | 142.250.181.238 | whitelisted

Threats

PID | Process | Class | Message
(the export recorded no PID or process for these alerts; the same alert appears 10 times)
- | - | Generic Protocol Command Decode | SURICATA HTTP Request abnormal Content-Encoding header (x10)
1 ETPRO signatures available at the full report
No debug info