File name: Vintagestory.exe

Full analysis: https://app.any.run/tasks/9defec70-e59d-42cb-9c25-d76584fd7639
Verdict: Malicious activity
Analysis date: May 02, 2025, 19:14:39
OS: Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 50A79A30A791AAE2069DBB6F71C31838
SHA1: C9E2B620F6A5C0B66DB556B07564029B18211DD8
SHA256: 78196AA73DA7CE686A8121177374E5492B1BFFBD7FFB1BC15E5A0CDDBF21AE58
SSDEEP: 6144:IH9VTPuD3bLDKduBFBEUiug7Qf+2R/OSA:IH9VTPuD3bLDKC6og8m2R/OSA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executing a file with an untrusted certificate
      • Vintagestory.exe (PID: 1076)
  • SUSPICIOUS
    • No suspicious indicators.
  • INFO
    • Checks supported languages
      • Vintagestory.exe (PID: 1076)
    • Reads the computer name
      • Vintagestory.exe (PID: 1076)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:05:17 06:58:08+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.39
CodeSize: 104960
InitializedDataSize: 144384
UninitializedDataSize: -
EntryPoint: 0x140e0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.20.9.0
ProductVersionNumber: 1.20.9.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: www.vintagestory.at
CompanyName: Tyron Madlener (Anego Studios)
FileDescription: Vintage Story Client
FileVersion: 1.20.9
InternalName: Vintagestory.dll
LegalCopyright: Copyright © 2016-2024 Anego Studios
OriginalFileName: Vintagestory.dll
ProductName: Vintage Story
ProductVersion: 1.20.9
AssemblyVersion: 1.0.0.0
No data.
Total processes: 100
Monitored processes: 1
Malicious processes: 0
Suspicious processes: 1

Behavior graph

start -> vintagestory.exe

Process information

PID: 1076
CMD: "C:\Users\admin\Desktop\Vintagestory.exe"
Path: C:\Users\admin\Desktop\Vintagestory.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Tyron Madlener (Anego Studios)
Integrity Level: MEDIUM
Description: Vintage Story Client
Exit code: 2147516570
Version: 1.20.9
Modules
Images
c:\users\admin\desktop\vintagestory.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 32
Read events: 32
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
HTTP(S) requests: 14
TCP/UDP connections: 14
DNS requests: 9
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 2.16.164.42:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | - | - | whitelisted
5336 | MoUsoCoreWorker.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?cbde269901868ed9 | unknown | - | - | whitelisted
2768 | svchost.exe | GET | 200 | 23.50.131.221:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?98835d2fbe5f2dfa | unknown | - | - | whitelisted
2768 | svchost.exe | GET | 200 | 23.50.131.221:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?95ffe5009287b7a1 | unknown | - | - | whitelisted
- | - | HEAD | 200 | 23.197.142.186:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | - | - | -
2768 | svchost.exe | GET | 200 | 23.50.131.221:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?96d7e1e649d02ef8 | unknown | - | - | whitelisted
2768 | svchost.exe | GET | 200 | 23.50.131.221:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?4c1c53e3976db8c9 | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.32.76:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
- | - | POST | 200 | 20.82.9.214:443 | https://checkappexec.microsoft.com/windows/shell/actions | unknown | binary | 182 b | whitelisted
- | - | POST | 200 | 40.126.32.133:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 2.16.164.42:80 | - | Akamai International B.V. | NL | unknown
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5336 | MoUsoCoreWorker.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted
3640 | svchost.exe | 20.190.159.129:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1640 | smartscreen.exe | 172.205.25.163:443 | checkappexec.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | VN | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
5364 | svchost.exe | 23.60.203.209:443 | fs.microsoft.com | AKAMAI-AS | DE | whitelisted
2768 | svchost.exe | 23.50.131.221:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | whitelisted
2988 | OfficeClickToRun.exe | 104.208.16.91:443 | self.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.110 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
ctldl.windowsupdate.com | 199.232.214.172, 199.232.210.172, 23.50.131.221, 23.50.131.216 | whitelisted
login.live.com | 20.190.159.129, 40.126.31.67, 20.190.159.130, 20.190.159.4, 20.190.159.128, 20.190.159.71, 40.126.31.130, 40.126.31.2 | whitelisted
checkappexec.microsoft.com | 172.205.25.163 | whitelisted
fs.microsoft.com | 23.60.203.209 | whitelisted
dns.msftncsi.com | 131.107.255.255 | whitelisted
self.events.data.microsoft.com | 104.208.16.91 | whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO Microsoft Connection Test
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method

Process | Message
Vintagestory.exe | The application to execute does not exist: 'C:\Users\admin\Desktop\Vintagestory.dll'.