File name: CS2_Skin_Changer_V3.2.7z

Full analysis: https://app.any.run/tasks/98ccf90b-161b-4354-8d3a-df1ac76852f7
Verdict: Malicious activity
Analysis date: November 11, 2023, 19:39:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)

Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
Note the extension mismatch: the sample is named .7z but is a RAR v5 archive (see also the TRiD result below). The sandbox handed it to WinRAR as CS2_Skin_Changer_V3.2.7z.rar; WinRAR identifies archives by signature rather than by extension, so the lure opens normally for the victim.
MD5: 1D1940ECD5421D7B4C5D7F951AE9A979
SHA1: E03789F8184A4C7C01FA67A37657C5D732953C40
SHA256: 4BC6A1086BFB970C4D4E872CB30D1C5D58E8476BAE664364F9A208857AA86D3E
SSDEEP: 6144:TmbiwD7B8YjrgUSgYNW80ym/sy3tVKxbcF43CzotIgahuLbl50n:QDmYjrgUSgYNFrmkOVKxbK4XZGu6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • CS2 Skin Changer V3.2 (original).exe (PID: 3524)
    • Actions looks like stealing of personal data

      • CS2 Skin Changer V3.2 (original).exe (PID: 3524)
  • SUSPICIOUS

    • Searches for installed software

      • CS2 Skin Changer V3.2 (original).exe (PID: 3524)
    • Reads settings of System Certificates

      • CS2 Skin Changer V3.2 (original).exe (PID: 3524)
    • Reads the Internet Settings

      • CS2 Skin Changer V3.2 (original).exe (PID: 3524)
    • Reads browser cookies

      • CS2 Skin Changer V3.2 (original).exe (PID: 3524)
  • INFO

    • Manual execution by a user

      • CS2 Skin Changer V3.2 (original).exe (PID: 3524)
      • wmpnscfg.exe (PID: 3932)
    • Checks supported languages

      • CS2 Skin Changer V3.2 (original).exe (PID: 3524)
      • wmpnscfg.exe (PID: 3932)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3440)
    • Reads the computer name

      • CS2 Skin Changer V3.2 (original).exe (PID: 3524)
      • wmpnscfg.exe (PID: 3932)
    • Reads Environment values

      • CS2 Skin Changer V3.2 (original).exe (PID: 3524)
    • Reads the machine GUID from the registry

      • CS2 Skin Changer V3.2 (original).exe (PID: 3524)
      • wmpnscfg.exe (PID: 3932)
    • Reads product name

      • CS2 Skin Changer V3.2 (original).exe (PID: 3524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (parent -> child)

explorer.exe -> WinRAR.exe (PID 3440)
explorer.exe -> CS2 Skin Changer V3.2 (original).exe (PID 3524)
explorer.exe -> wmpnscfg.exe (PID 3932)

All three monitored processes are children of the desktop shell: the archive was opened in WinRAR, the extracted executable was started from the Desktop, and there is no further process spawned by the sample itself (compare the "Manual execution by a user" signature above).

Process information

PID 3440
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\CS2_Skin_Changer_V3.2.7z.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID 3524
CMD: "C:\Users\admin\Desktop\CS2 Skin Changer V3.2 (original).exe"
Path: C:\Users\admin\Desktop\CS2 Skin Changer V3.2 (original).exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
The report lists no company, description or version for this binary. Its module list includes mscoree.dll and the .NET Framework 4 loader mscoreei.dll, so the payload is a managed (.NET) executable; it runs at medium integrity, i.e. with no elevation.
Modules (images):
c:\users\admin\desktop\cs2 skin changer v3.2 (original).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID 3932
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Stock Windows component started by the shell; it appears only under INFO-level signatures in this report.
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
Total events: 6 051
Read events: 6 016
Write events: 32
Delete events: 3

Modification events

All listed writes are by (PID 3440) WinRAR.exe; operation is "write" in every case.

Key | Name | Value
HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E | LanguageList | en-US
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\Desktop\phacker.zip
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
HKEY_CURRENT_USER\Software\WinRAR\General | LastFolder | C:\Users\admin\Desktop

These are WinRAR's own UI-state writes (MUI cache, window placement, column widths, last folder). The ArcHistory entries are WinRAR's recent-archive list being rewritten; the three .zip paths are archives previously opened in the sandbox image, and nothing in this report shows the sample creating or touching them. No registry write is attributed to PID 3524, so the sample leaves no registry persistence in this run.
Executable files: 1
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

All four files are written by PID 3440 (WinRAR.exe) into C:\Users\admin\AppData\Local\Temp\Rar$DRb3440.4748\, WinRAR's temporary extraction directory for an archive opened from the viewer. This is what the "Drops the executable file immediately after the start" signature refers to; the payload was then started from the Desktop (PID 3524), so the user copied or extracted it there before running it.

Filename (relative to the Rar$DRb3440.4748 directory) | Type | MD5 | SHA256
core\saved_model.pb | (not listed) | (not listed) | (not listed)
resource\thirdpartylegalnotices.txt | text | BB5BB51FCFB5D96BB3D16B1CB154CC9D | 152A3C34976C1510407A480F8AE09792AA1B7D4C72CC47B94D318D138CCF45C7
CS2 Skin Changer V3.2 (original).exe | executable | 72D386767405852C0DA14B75EEE3F1F5 | E99CC7B4A3C85165071FF93F1DDD0C7A482A47D14D14651CCB851C7080905CA3
README.txt | text | 05D89A82896CC1F74CD35CA1938A720A | B9F0BF17BB2B9C825D4D79EA6ED914864250A7BFD94477C7A584F8DC32C279F8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 2
Threats: 1

HTTP requests

No HTTP requests

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
3524 | CS2 Skin Changer V3.2 (original).exe | 104.20.68.143:443 | pastebin.com | CLOUDFLARENET | | unknown
3524 | CS2 Skin Changer V3.2 (original).exe | 65.109.160.253:443 | db.liquidbbq.pl | Hetzner Online GmbH | FI | unknown

The first four rows are the sandbox's own background traffic (NetBIOS name/datagram broadcasts on 137/138, SSDP multicast on 1900, LLMNR multicast on 5355) and are not attributable to the sample. The only sample-originated connections are the two TLS sessions on 443, to pastebin.com (Cloudflare) and to db.liquidbbq.pl (Hetzner, FI). Because both are encrypted and no plaintext HTTP was observed, what was fetched or sent can only be examined in the PCAP from the full report.

DNS requests

Domain | Resolved IPs | Reputation
pastebin.com | 104.20.68.143, 104.20.67.143, 172.67.34.170 | shared
db.liquidbbq.pl | 65.109.160.253 | unknown

Threats

PID | Process | Class | Message
3524 | CS2 Skin Changer V3.2 (original).exe | Potentially Bad Traffic | ET INFO Microsoft net.tcp Connection Initialization Activity

This is an informational (INFO-class) Emerging Threats rule that matches the initialization preamble of Microsoft's net.tcp binary framing protocol, the transport used by WCF clients. Seen from a .NET sample it is consistent with a WCF channel to one of the two 443 endpoints, but the signature identifies a protocol, not malware; the malicious verdict rests on the credential-theft and data-collection signatures above, not on this alert.
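The values a responder takes away from this report are the file digests (Indicators and Dropped files sections) and the two domains with their addresses (Connections and DNS requests sections). The script below is an added example, not part of the ANY.RUN report or of the sample's own code. The digests, domains and IPs are copied from this page; the hash-inventory and DNS log line formats, the hostnames WS042 and WS017 and the sample lines are constructed. It tiers the network indicators because pastebin.com and its Cloudflare addresses are shared infrastructure (the report itself rates pastebin.com "shared"), so a hit there alone is a lead, whereas db.liquidbbq.pl or 65.109.160.253 justifies escalation on its own.

```python
"""Sweep hash inventories and DNS logs for the indicators in this report.

Added example (not part of the ANY.RUN report or of the sample): digests,
domains and IPs are copied from the report; the log formats, hostnames and
sample lines below are constructed for illustration.
"""
import re

# File indicators from the report, keyed by lower-case hex digest.
FILE_IOCS = {
    # submitted archive (named .7z, actually RAR v5)
    "1d1940ecd5421d7b4c5d7f951ae9a979": "CS2_Skin_Changer_V3.2.7z (MD5)",
    "e03789f8184a4c7c01fa67a37657c5d732953c40": "CS2_Skin_Changer_V3.2.7z (SHA1)",
    "4bc6a1086bfb970c4d4e872cb30d1c5d58e8476bae664364f9a208857aa86d3e": "CS2_Skin_Changer_V3.2.7z (SHA256)",
    # extracted payload
    "72d386767405852c0da14b75eee3f1f5": "CS2 Skin Changer V3.2 (original).exe (MD5)",
    "e99cc7b4a3c85165071ff93f1ddd0c7a482a47d14d14651ccb851c7080905ca3": "CS2 Skin Changer V3.2 (original).exe (SHA256)",
}

# Network indicators from the report, tiered by specificity.
# "shared": pastebin.com and its Cloudflare anycast addresses serve countless
# legitimate clients, so a hit is only a lead.  "strong": db.liquidbbq.pl and
# its single Hetzner address have no benign reason to appear in telemetry.
NETWORK_IOCS = {
    "pastebin.com": "shared",
    "104.20.68.143": "shared",
    "104.20.67.143": "shared",
    "172.67.34.170": "shared",
    "db.liquidbbq.pl": "strong",
    "65.109.160.253": "strong",
}

# '<hex digest>  <path>' as printed by md5sum / sha1sum / sha256sum
# (longest digest first so the alternation does not stop at a 32-char prefix).
DIGEST_LINE = re.compile(r"^([0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\s+\*?(.+)$")
# key=value tokens of the constructed DNS log format
KV_TOKEN = re.compile(r"(\w+)=(\S+)")


def match_hash_inventory(lines):
    """Return [(path, description)] for every inventory line whose digest is an IOC."""
    hits = []
    for line in lines:
        m = DIGEST_LINE.match(line.strip())
        if not m:
            continue  # comment, blank or malformed line
        digest, path = m.group(1).lower(), m.group(2)
        if digest in FILE_IOCS:
            hits.append((path, FILE_IOCS[digest]))
    return hits


def match_dns_log(lines):
    """Match 'ts=... host=... query=... answer=...' lines (constructed format).

    Returns {host: {"strong": set(), "shared": set()}} for hosts with any hit,
    checking both the queried name and the resolved address.
    """
    hits = {}
    for line in lines:
        fields = dict(KV_TOKEN.findall(line))
        host = fields.get("host")
        if not host:
            continue
        candidates = (fields.get("query", "").rstrip(".").lower(), fields.get("answer", ""))
        for value in candidates:
            tier = NETWORK_IOCS.get(value)
            if tier:
                hits.setdefault(host, {"strong": set(), "shared": set()})[tier].add(value)
    return hits


def triage(dns_hits):
    """Rank hosts: 'escalate' on any strong indicator, 'review' on shared-only hits."""
    return [(host, "escalate" if tiers["strong"] else "review")
            for host, tiers in sorted(dns_hits.items())]


# Constructed sample telemetry (not from the report); the README.txt digest is
# the one listed under Dropped files and is deliberately not an IOC.
SAMPLE_HASHES = [
    "# sha256sum output collected from workstation WS042",
    "e99cc7b4a3c85165071ff93f1ddd0c7a482a47d14d14651ccb851c7080905ca3  C:/Users/admin/Desktop/CS2 Skin Changer V3.2 (original).exe",
    "b9f0bf17bb2b9c825d4d79ea6ed914864250a7bfd94477c7a584f8dc32c279f8  C:/Users/admin/Desktop/README.txt",
]
SAMPLE_DNS = [
    "ts=2023-11-11T19:40:02Z host=WS042 query=pastebin.com answer=104.20.68.143",
    "ts=2023-11-11T19:40:03Z host=WS042 query=db.liquidbbq.pl answer=65.109.160.253",
    "ts=2023-11-11T19:41:10Z host=WS017 query=pastebin.com answer=172.67.34.170",
    "ts=2023-11-11T19:41:11Z host=WS017 query=update.example.net answer=198.51.100.7",
]

if __name__ == "__main__":
    for path, what in match_hash_inventory(SAMPLE_HASHES):
        print(f"FILE HIT  {path}  <- {what}")
    for host, level in triage(match_dns_log(SAMPLE_DNS)):
        print(f"{level.upper():8} {host}")
```

Run as-is it reports the payload hash on WS042, escalates WS042 (it resolved db.liquidbbq.pl) and leaves WS017 at "review" because its only match is pastebin.com. Swap SAMPLE_HASHES and SAMPLE_DNS for real sha256sum output and your resolver or Zeek DNS export converted to the same key=value shape, and keep the tiering: a fleet-wide pastebin.com hit list is mostly noise, the Hetzner address is not.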