Malware analysis 7l_csgo_setup.exe Malicious activity

Add for printing

File name:	7l_csgo_setup.exe
Full analysis:	https://app.any.run/tasks/d5a19620-42ec-4301-8ffc-f7672518a765
Verdict:	Malicious activity
Analysis date:	October 07, 2018, 18:21:42
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	BAEAB5B542F393EC21AC59FE324DE4D6
SHA1:	9A5857CDCC33BC19394AB067191AC5E115C2468D
SHA256:	AA60761EA3E570F11EFF22586CC64486317113EE1F1639995318635A59383CB6
SSDEEP:	49152:DIO5n8/fK5CbQ195KIqx2sQRvJxDszuGzZ0dd2:P5n865CskIyTZzuIIo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - Run_CSGO.exe (PID: 2524)
  - Run_CSGO.exe (PID: 2112)
  - Run_CSGO.exe (PID: 2080)
  - steamerrorreporter.exe (PID: 2372)
  - steamcmd.exe (PID: 2244)
  - steamcmd.exe (PID: 3576)
  - steamcmd.exe (PID: 3972)
- Changes settings of System certificates
  - Run_CSGO.exe (PID: 2080)
- Loads dropped or rewritten executable
  - steamerrorreporter.exe (PID: 2372)
  - steamcmd.exe (PID: 2244)
  - steamcmd.exe (PID: 3576)
SUSPICIOUS
- Executable content was dropped or overwritten
  - 7l_csgo_setup.exe (PID: 2456)
  - 7l_csgo_setup.exe (PID: 2528)
  - 7l_csgo_setup.tmp (PID: 1480)
  - Run_CSGO.exe (PID: 2080)
  - steamcmd.exe (PID: 3972)
  - steamcmd.exe (PID: 2244)
- Reads Windows owner settings
  - 7l_csgo_setup.tmp (PID: 1480)
- Reads the Windows organization settings
  - 7l_csgo_setup.tmp (PID: 1480)
- Uses TASKKILL.EXE to kill process
  - 7l_csgo_setup.tmp (PID: 1480)
- Creates files in the program directory
  - Run_CSGO.exe (PID: 2080)
  - steamcmd.exe (PID: 2244)
  - steamcmd.exe (PID: 3972)
  - steamcmd.exe (PID: 3576)
- Modifies the open verb of a shell class
  - Run_CSGO.exe (PID: 2080)
- Reads internet explorer settings
  - Run_CSGO.exe (PID: 2080)
- Adds / modifies Windows certificates
  - Run_CSGO.exe (PID: 2080)
- Creates files in the user directory
  - Run_CSGO.exe (PID: 2080)
- Application launched itself
  - steamcmd.exe (PID: 2244)
INFO
- Application was dropped or rewritten from another process
  - 7l_csgo_setup.tmp (PID: 2724)
  - 7l_csgo_setup.tmp (PID: 1480)
- Creates files in the program directory
  - 7l_csgo_setup.tmp (PID: 1480)
- Creates a software uninstall entry
  - 7l_csgo_setup.tmp (PID: 1480)
- Reads settings of System Certificates
  - steamcmd.exe (PID: 3576)
- Dropped object may contain Bitcoin addresses
  - steamcmd.exe (PID: 3576)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable Delphi generic (57.2)
.exe	\|	Win32 Executable (generic) (18.2)
.exe	\|	Win16/32 Executable Delphi generic (8.3)
.exe	\|	Generic Win/DOS Executable (8)
.exe	\|	DOS Executable Generic (8)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:06:14 15:27:46+02:00
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	66560
InitializedDataSize:	240640
UninitializedDataSize:	-
EntryPoint:	0x1181c
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:	SE7EN Solutions
FileDescription:	7Launcher CSGO Setup
FileVersion:	1.3.2.1
LegalCopyright:	SE7EN Solutions
ProductName:	7Launcher CSGO
ProductVersion:	1.3.2.1

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	14-Jun-2018 13:27:46
Detected languages:	English - United States
Comments:	This installation was built with Inno Setup.
CompanyName:	SE7EN Solutions
FileDescription:	7Launcher CSGO Setup
FileVersion:	1.3.2.1
LegalCopyright:	SE7EN Solutions
ProductName:	7Launcher CSGO
ProductVersion:	1.3.2.1

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0050
Pages in file:	0x0002
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x000F
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x001A
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000100

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	8
Time date stamp:	14-Jun-2018 13:27:46
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_BYTES_REVERSED_HI IMAGE_FILE_BYTES_REVERSED_LO IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LINE_NUMS_STRIPPED IMAGE_FILE_LOCAL_SYMS_STRIPPED IMAGE_FILE_RELOCS_STRIPPED

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x0000F25C	0x0000F400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.37588
.itext	0x00011000	0x00000FA4	0x00001000	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	5.77877
.data	0x00012000	0x00000C8C	0x00000E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	2.30283
.bss	0x00013000	0x000056BC	0x00000000	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0
.idata	0x00019000	0x00000E04	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.59781
.tls	0x0001A000	0x00000008	0x00000000	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0
.rdata	0x0001B000	0x00000018	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	0.204488
.rsrc	0x0001C000	0x00038BA0	0x00038C00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.63241

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.13965	1580	Latin 1 / Western European	English - United States	RT_MANIFEST
2	3.12523	296	Latin 1 / Western European	English - United States	RT_ICON
3	4.62274	3752	Latin 1 / Western European	English - United States	RT_ICON
4	5.20856	2216	Latin 1 / Western European	English - United States	RT_ICON
5	5.15926	1384	Latin 1 / Western European	English - United States	RT_ICON
6	7.96266	34169	Latin 1 / Western European	English - United States	RT_ICON
7	2.84385	67624	Latin 1 / Western European	English - United States	RT_ICON
8	2.99808	38056	Latin 1 / Western European	English - United States	RT_ICON
9	3.32309	16936	Latin 1 / Western European	English - United States	RT_ICON
10	3.55573	9640	Latin 1 / Western European	English - United States	RT_ICON

Imports


advapi32.dll
comctl32.dll
kernel32.dll
oleaut32.dll
user32.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1480

"C:\Users\admin\AppData\Local\Temp\is-HNGS3.tmp\7l_csgo_setup.tmp" /SL5="$2401FC,1589876,308224,C:\Users\admin\AppData\Local\Temp\7l_csgo_setup.exe" /SPAWNWND=$2F0210 /NOTIFYWND=$2D0202

C:\Users\admin\AppData\Local\Temp\is-HNGS3.tmp\7l_csgo_setup.tmp

7l_csgo_setup.exe

User:

admin

Integrity Level:

HIGH

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-hngs3.tmp\7l_csgo_setup.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

1508

"taskkill.exe" /f /im "Run_CSGO.exe"

C:\Windows\system32\taskkill.exe

—

7l_csgo_setup.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Terminates Processes

Exit code:

128

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll

2080

"C:\Program Files\Counter-Strike Global Offensive\Run_CSGO.exe" - forceupdate forcesteamcmd

C:\Program Files\Counter-Strike Global Offensive\Run_CSGO.exe

7l_csgo_setup.tmp

User:

admin

Company:

SE7EN Solutions

Integrity Level:

HIGH

Description:

Run_CSGO

Exit code:

Version:

1.3.2.1

Modules

Images
c:\program files\counter-strike global offensive\run_csgo.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2112

"C:\Program Files\Counter-Strike Global Offensive\Run_CSGO.exe"

C:\Program Files\Counter-Strike Global Offensive\Run_CSGO.exe

explorer.exe

User:

admin

Company:

SE7EN Solutions

Integrity Level:

HIGH

Description:

Run_CSGO

Exit code:

Version:

1.3.2.1

Modules

Images
c:\program files\counter-strike global offensive\run_csgo.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2116

"taskkill.exe" /f /im "Run_CSGO.exe"

C:\Windows\system32\taskkill.exe

—

7l_csgo_setup.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Terminates Processes

Exit code:

128

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll

2244

"C:\Program Files\Counter-Strike Global Offensive\7launcher\tools\steamcmd\steamcmd.exe" "+login" "anonymous" "+force_install_dir" "C:\Program Files\Counter-Strike Global Offensive" "+app_update" "740" "validate" "+quit"

C:\Program Files\Counter-Strike Global Offensive\7launcher\tools\steamcmd\steamcmd.exe

steamcmd.exe

User:

admin

Company:

Valve Corporation

Integrity Level:

HIGH

Description:

Steam Client Bootstrapper

Exit code:

Version:

04.62.99.22

Modules

Images
c:\program files\counter-strike global offensive\7launcher\tools\steamcmd\steamcmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

2372

C:\Program Files\Counter-Strike Global Offensive\7launche

C:\Program Files\Counter-Strike Global Offensive\7launcher\tools\steamcmd\steamerrorreporter.exe

steamcmd.exe

User:

admin

Company:

Valve Corporation

Integrity Level:

HIGH

Description:

steamerrorreporter.exe

Exit code:

Version:

04.62.99.22

Modules

Images
c:\program files\counter-strike global offensive\7launcher\tools\steamcmd\steamerrorreporter.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\counter-strike global offensive\7launcher\tools\steamcmd\tier0_s.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

2456

"C:\Users\admin\AppData\Local\Temp\7l_csgo_setup.exe"

C:\Users\admin\AppData\Local\Temp\7l_csgo_setup.exe

explorer.exe

User:

admin

Company:

SE7EN Solutions

Integrity Level:

MEDIUM

Description:

7Launcher CSGO Setup

Exit code:

Version:

1.3.2.1

Modules

Images
c:\users\admin\appdata\local\temp\7l_csgo_setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

2524

"C:\Program Files\Counter-Strike Global Offensive\Run_CSGO.exe"

C:\Program Files\Counter-Strike Global Offensive\Run_CSGO.exe

—

explorer.exe

User:

admin

Company:

SE7EN Solutions

Integrity Level:

MEDIUM

Description:

Run_CSGO

Exit code:

3221226540

Version:

1.3.2.1

Modules

Images
c:\program files\counter-strike global offensive\run_csgo.exe
c:\systemroot\system32\ntdll.dll

2528

"C:\Users\admin\AppData\Local\Temp\7l_csgo_setup.exe" /SPAWNWND=$2F0210 /NOTIFYWND=$2D0202

C:\Users\admin\AppData\Local\Temp\7l_csgo_setup.exe

7l_csgo_setup.tmp

User:

admin

Company:

SE7EN Solutions

Integrity Level:

HIGH

Description:

7Launcher CSGO Setup

Exit code:

Version:

1.3.2.1

Modules

Images
c:\users\admin\appdata\local\temp\7l_csgo_setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

Add for printing

Total events

812

Read events

715

Write events

Delete events

Modification events


(PID) Process:	(1480) 7l_csgo_setup.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: C80500008A7560B06A5ED401
(PID) Process:	(1480) 7l_csgo_setup.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: BB0AF5C5C1017492CCCE6C6641DCE9928D48EE771A48EAEA471C0BDC5930D0A8
(PID) Process:	(1480) 7l_csgo_setup.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(1480) 7l_csgo_setup.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:	write	Name:	RegFiles0000
Value: C:\Program Files\Counter-Strike Global Offensive\Run_CSGO.exe
(PID) Process:	(1480) 7l_csgo_setup.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:	write	Name:	RegFilesHash
Value: 8FE69520A8C01A8819E62AD6C7567A94C1F3F7DF765AEB4BCB163B3D56C37BC6
(PID) Process:	(1480) 7l_csgo_setup.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\SE7EN\7Launcher CSGO
Operation:	write	Name:	InstallDir
Value: C:\Program Files\Counter-Strike Global Offensive
(PID) Process:	(1480) 7l_csgo_setup.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\SE7EN\7Launcher CSGO
Operation:	write	Name:	GameEXE
Value: C:\Program Files\Counter-Strike Global Offensive\Run_CSGO.exe
(PID) Process:	(1480) 7l_csgo_setup.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7l_csgo_is1
Operation:	write	Name:	Inno Setup: Setup Version
Value: 5.6.1 (u)
(PID) Process:	(1480) 7l_csgo_setup.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7l_csgo_is1
Operation:	write	Name:	Inno Setup: App Path
Value: C:\Program Files\Counter-Strike Global Offensive
(PID) Process:	(1480) 7l_csgo_setup.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7l_csgo_is1
Operation:	write	Name:	InstallLocation
Value: C:\Program Files\Counter-Strike Global Offensive\

Add for printing

Executable files

Suspicious files

Text files

693

Unknown types

247

Dropped files

PID	Process	Filename		Type
1480	7l_csgo_setup.tmp	C:\Program Files\Counter-Strike Global Offensive\is-5OEHB.tmp		—
		MD5:—	SHA256:—
1480	7l_csgo_setup.tmp	C:\Program Files\Counter-Strike Global Offensive\platform\is-SR9PC.tmp		—
		MD5:—	SHA256:—
1480	7l_csgo_setup.tmp	C:\Program Files\Counter-Strike Global Offensive\is-18IKR.tmp		—
		MD5:—	SHA256:—
1480	7l_csgo_setup.tmp	C:\Program Files\Counter-Strike Global Offensive\platform\is-K19UD.tmp		—
		MD5:—	SHA256:—
2080	Run_CSGO.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@se7enkills[1].txt		—
		MD5:—	SHA256:—
2080	Run_CSGO.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@yandex[1].txt		—
		MD5:—	SHA256:—
2528	7l_csgo_setup.exe	C:\Users\admin\AppData\Local\Temp\is-HNGS3.tmp\7l_csgo_setup.tmp		executable
		MD5:—	SHA256:—
1480	7l_csgo_setup.tmp	C:\Program Files\Counter-Strike Global Offensive\unins000.exe		executable
		MD5:—	SHA256:—
1480	7l_csgo_setup.tmp	C:\Program Files\Counter-Strike Global Offensive\Run_CSGO.exe		executable
		MD5:—	SHA256:—
1480	7l_csgo_setup.tmp	C:\Users\admin\Desktop\Counter-Strike Global Offensive.lnk		lnk
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

774

TCP/UDP connections

173

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3972	steamcmd.exe	GET	302	162.254.197.91:80	http://client-download.steampowered.com/client/steam_cmd_win32	DE	—	—	whitelisted
2080	Run_CSGO.exe	GET	200	51.255.119.149:80	http://updater.se7enkills.net//en/	FR	html	3.88 Kb	whitelisted
2080	Run_CSGO.exe	GET	200	51.255.119.149:80	http://updater.se7enkills.net/csgo/inf.ini	FR	text	529 b	whitelisted
2080	Run_CSGO.exe	GET	200	51.255.119.149:80	http://updater.se7enkills.net/csgo/inf.ini	FR	text	529 b	whitelisted
3972	steamcmd.exe	GET	200	205.185.216.10:80	http://media2.steampowered.com/client/steamcmd_bins_win32.zip.16eecf4312b74c5f1df3820a8f4501ad91dfea67	US	binary	6.71 Mb	whitelisted
3972	steamcmd.exe	GET	200	205.185.216.10:80	http://media2.steampowered.com/client/steamcmd_win32.zip.155fa64ee20d61958f49ac0b813d9a6d00f8f82d	US	binary	1.26 Mb	whitelisted
2080	Run_CSGO.exe	GET	200	51.255.119.149:80	http://updater.se7enkills.net/images/telegram-cannel.png	FR	image	22.4 Kb	whitelisted
2080	Run_CSGO.exe	GET	200	51.255.119.149:80	http://updater.se7enkills.net/tools/steamcmd/steamcmd.exe.lzma	FR	lzma	624 Kb	whitelisted
3972	steamcmd.exe	GET	200	205.185.216.10:80	http://media2.steampowered.com/client/steam_cmd_win32?1532464134	US	text	2.18 Kb	whitelisted
2080	Run_CSGO.exe	GET	200	104.109.65.17:80	http://api.steampowered.com/ISteamApps/UpToDateCheck/v1?appid=730&version=1.36.5.5&format=json	NL	text	74 b	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2080	Run_CSGO.exe	51.255.119.149:80	updater.se7enkills.net	OVH SAS	FR	suspicious
2080	Run_CSGO.exe	104.109.65.17:80	api.steampowered.com	Akamai International B.V.	NL	whitelisted
2080	Run_CSGO.exe	77.88.21.119:443	mc.yandex.ru	YANDEX LLC	RU	whitelisted
3972	steamcmd.exe	162.254.197.91:80	client-download.steampowered.com	Valve Corporation	DE	unknown
3972	steamcmd.exe	205.185.216.10:80	media2.steampowered.com	Highwinds Network Group, Inc.	US	whitelisted
2244	steamcmd.exe	162.254.197.91:80	client-download.steampowered.com	Valve Corporation	DE	unknown
2244	steamcmd.exe	2.16.186.59:80	media4.steampowered.com	Akamai International B.V.	—	whitelisted
3576	steamcmd.exe	162.254.197.91:80	client-download.steampowered.com	Valve Corporation	DE	unknown
3576	steamcmd.exe	2.16.186.59:80	media4.steampowered.com	Akamai International B.V.	—	whitelisted
3576	steamcmd.exe	104.109.65.17:443	api.steampowered.com	Akamai International B.V.	NL	whitelisted

DNS requests

Domain	IP	Reputation
updater.se7enkills.net	51.255.119.149	whitelisted
api.steampowered.com	104.109.65.17	suspicious
mc.yandex.ru	77.88.21.119 87.250.251.119 87.250.250.119 93.158.134.119	whitelisted
client-download.steampowered.com	162.254.197.91 162.254.197.82 162.254.197.31 162.254.197.108 162.254.197.17 162.254.197.97 162.254.197.93 162.254.197.107	whitelisted
media2.steampowered.com	205.185.216.10 205.185.216.42	whitelisted
media4.steampowered.com	2.16.186.59 2.16.186.64	whitelisted
ocsp.digicert.com	93.184.220.29	whitelisted
clientconfig.akamai.steamstatic.com	2.16.186.82 2.16.186.83	whitelisted
valve300.steamcontent.com	162.254.192.2	unknown
valve307.steamcontent.com	162.254.192.37	unknown

Threats

PID	Process	Class	Message
2080	Run_CSGO.exe	A Network Trojan was detected	ET POLICY User-Agent (Launcher)
2080	Run_CSGO.exe	A Network Trojan was detected	ET POLICY User-Agent (Launcher)
2080	Run_CSGO.exe	A Network Trojan was detected	ET POLICY User-Agent (Launcher)
2080	Run_CSGO.exe	A Network Trojan was detected	ET POLICY User-Agent (Launcher)
2080	Run_CSGO.exe	A Network Trojan was detected	ET POLICY User-Agent (Launcher)
2080	Run_CSGO.exe	A Network Trojan was detected	ET POLICY User-Agent (Launcher)
2080	Run_CSGO.exe	A Network Trojan was detected	ET POLICY User-Agent (Launcher)

Add for printing

Process	Message
steamcmd.exe	C:\Program Files\Counter-Strike Global Offensive\7launcher\tools\steamcmd\crashhandler.dll
steamcmd.exe
steamcmd.exe	C:\Program Files\Counter-Strike Global Offensive\7launcher\tools\steamcmd\steamerrorreporter.exe
steamcmd.exe
steamcmd.exe	C:\Program Files\Counter-Strike Global Offensive\7launcher\tools\steamcmd\steamerrorreporter.exe
steamcmd.exe
steamcmd.exe	Starting minidump reporter process
steamerrorreporter.exe	SteamErrorReporter process started
steamcmd.exe	C:\Program Files\Counter-Strike Global Offensive\7launcher\tools\steamcmd\crashhandler.dll
steamcmd.exe

General Info

7l_csgo_setup.exe

BAEAB5B542F393EC21AC59FE324DE4D6

9A5857CDCC33BC19394AB067191AC5E115C2468D

AA60761EA3E570F11EFF22586CC64486317113EE1F1639995318635A59383CB6

49152:DIO5n8/fK5CbQ195KIqx2sQRvJxDszuGzZ0dd2:P5n865CskIyTZzuIIo

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Changes settings of System certificates

Loads dropped or rewritten executable

SUSPICIOUS

Executable content was dropped or overwritten

Reads Windows owner settings

Reads the Windows organization settings

Uses TASKKILL.EXE to kill process

Creates files in the program directory

Modifies the open verb of a shell class

Reads internet explorer settings

Adds / modifies Windows certificates

Creates files in the user directory

Application launched itself

INFO

Application was dropped or rewritten from another process

Creates files in the program directory

Creates a software uninstall entry

Reads settings of System Certificates

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings