File name:

80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe

Full analysis: https://app.any.run/tasks/5ec86d0d-44e0-4388-a80f-5449f82dc531
Verdict: Malicious activity
Analysis date: June 21, 2025, 19:22:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 9 sections
MD5:

9C42F5CCAE30AFC9C70C924D543924F8

SHA1:

4E3C555CFEE82D23ACFDDA4754C0870F455156E8

SHA256:

80B6573208F2179C97CE64FF731269E349A07A3969C1198BF5A9092C5A01555C

SSDEEP:

98304:J+dm8gYux7Ede4oqZSYVgnSoPV7dquc8GV+x7YjvyeSdRYTUhQ5WwwFPc7xqSG6i:PvI2akT6ZJJW6dEQK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe (PID: 7080)

    • Executable content was dropped or overwritten

      • 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe (PID: 7080)

    • Process drops legitimate windows executable

      • 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe (PID: 7080)

    • Uses ICACLS.EXE to modify access control lists

      • 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe (PID: 7080)

    • The process drops C-runtime libraries

      • 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe (PID: 7080)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe (PID: 7080)

    • Creates a software uninstall entry

      • 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe (PID: 7080)

  • INFO

    • Creates files in the program directory

      • 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe (PID: 7080)

    • Reads the computer name

      • 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe (PID: 7080)

    • Checks supported languages

      • 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe (PID: 7080)

    • Create files in a temporary directory

      • 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe (PID: 7080)

    • Creates files or folders in the user directory

      • 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe (PID: 7080)

    • The sample compiled with english language support

      • 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe (PID: 7080)

    • Reads the software policy settings

      • slui.exe (PID: 1028)

    • Checks proxy server information

      • slui.exe (PID: 1028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:02:08 08:30:59+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.38
CodeSize: 36352
InitializedDataSize: 51200
UninitializedDataSize: 246784
EntryPoint: 0x4560
OSVersion: 5.1
ImageVersion: 6
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
141
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs slui.exe 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1028C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3288\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeicacls.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3540"C:\Users\admin\Desktop\80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe" C:\Users\admin\Desktop\80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe
c:\windows\system32\ntdll.dll
4196icacls "C:\Program Files\SteamTools\*.*" /grant:r "*S-1-5-32-545:(OI)(CI)F"C:\Windows\System32\icacls.exe80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
4528icacls "C:\Program Files\SteamTools" /grant:r "*S-1-5-32-545:(OI)(CI)F" /TC:\Windows\System32\icacls.exe80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
5468\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeicacls.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7080"C:\Users\admin\Desktop\80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe" C:\Users\admin\Desktop\80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
3 751
Read events
3 743
Write events
8
Delete events
0

Modification events

(PID) Process:(7080) 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SteamTools
Operation:writeName:DisplayName
Value:
SteamTools
(PID) Process:(7080) 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SteamTools
Operation:writeName:UninstallString
Value:
"C:\Program Files\SteamTools\Uninstall.exe"
(PID) Process:(7080) 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SteamTools
Operation:writeName:QuietUninstallString
Value:
"C:\Program Files\SteamTools\Uninstall.exe" /S
(PID) Process:(7080) 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SteamTools
Operation:writeName:InstallLocation
Value:
C:\Program Files\SteamTools
(PID) Process:(7080) 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SteamTools
Operation:writeName:DisplayIcon
Value:
C:\Program Files\SteamTools\SteamTools.exe,0
(PID) Process:(7080) 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SteamTools
Operation:writeName:NoModify
Value:
1
(PID) Process:(7080) 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SteamTools
Operation:writeName:NoRepair
Value:
1
(PID) Process:(7080) 80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\SteamTools
Operation:writeName:Language
Value:
1033
Executable files
17
Suspicious files
3
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
708080b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exeC:\Users\admin\AppData\Local\Temp\nsi7BBA.tmp\System.dllexecutable
MD5:E74573CE106DD95B148BB8B1EF8E3418
SHA256:D12BC87BF84C51C13F0877949BCD719C5B90D9DF8658A2F8036DDC262CB0D87B
708080b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exeC:\Users\admin\AppData\Local\Temp\nsi7BBA.tmp\nsDialogs.dllexecutable
MD5:9CBB2C67258DF6CFC08E060BD8AB8309
SHA256:4AEC3A5A78295861C8AD96B70B0520C541EA4DF60651615802AD066780CE2296
708080b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exeC:\Program Files\SteamTools\SteamTools.exeexecutable
MD5:E45BFB5EDCC03451A85BC505298FBC16
SHA256:7AFCB8D488F34E284DEEF1559DBC0D46D1BD68E226928E5B583169A1FD275842
708080b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exeC:\Users\admin\AppData\Local\Temp\nsi7BB9.tmp
MD5:
SHA256:
708080b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exeC:\Program Files\SteamTools\Qt5Core.dllexecutable
MD5:817520432A42EFA345B2D97F5C24510E
SHA256:8D2FF4CE9096DDCCC4F4CD62C2E41FC854CFD1B0D6E8D296645A7F5FD4AE565A
708080b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exeC:\Program Files\SteamTools\Qt5Gui.dllexecutable
MD5:47307A1E2E9987AB422F09771D590FF1
SHA256:5E7D2D41B8B92A880E83B8CC0CA173F5DA61218604186196787EE1600956BE1E
708080b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exeC:\Users\admin\AppData\Local\Temp\nsi7BBA.tmp\modern-wizard.bmpimage
MD5:3614A4BE6B610F1DAF6C801574F161FE
SHA256:16E0EDC9F47E6E95A9BCAD15ADBDC46BE774FBCD045DD526FC16FC38FDC8D49B
708080b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exeC:\Users\admin\AppData\Local\Temp\nsi7BBA.tmp\modern-header.bmpimage
MD5:F1928D020EBD3BF2C54FB46B3253F2A9
SHA256:A928EDA70352B4BF7FE85EBEE91B1CA819AD78A4DBA4547B95A1A3FFF51F89DD
708080b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exeC:\Users\admin\Desktop\SteamTools.lnkbinary
MD5:20597137A9C72A4A1B147795F6788837
SHA256:434F638DA280D3C5061D539E74797B07A7655F1B9E7B585B60347993B5858301
708080b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exeC:\Program Files\SteamTools\platforms\qwindows.dllexecutable
MD5:4931FCD0E86C4D4F83128DC74E01EAAD
SHA256:3333BA244C97264E3BD19DB5953EFA80A6E47AACED9D337AC3287EC718162B85
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
22
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
184.24.77.18:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
184.24.77.18:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6172
RUXIMICS.exe
GET
200
184.24.77.18:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6172
RUXIMICS.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6172
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
184.24.77.18:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
184.24.77.18:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6172
RUXIMICS.exe
184.24.77.18:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 184.24.77.18
  • 184.24.77.13
  • 184.24.77.12
  • 184.24.77.9
  • 184.24.77.22
  • 184.24.77.7
  • 184.24.77.10
  • 184.24.77.11
  • 184.24.77.16
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 52.168.117.175
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
80b6573208f2179c97ce64ff731269e349a07a3969c1198bf5a9092c5a01555cst-setup-1.8.16.exe