Malware analysis st-setup-1.8.17r2.exe Malicious activity

Add for printing

File name:	st-setup-1.8.17r2.exe
Full analysis:	https://app.any.run/tasks/265a49a0-df16-421f-98b1-3610f4f7d674
Verdict:	Malicious activity
Analysis date:	August 16, 2025, 17:44:58
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 9 sections
MD5:	2B45350F1CFC20CF110B8D16FBE9CA36
SHA1:	C78813CCC683A684092C3287A4EB84136BB6438B
SHA256:	D3B3171D52BC5FD5A41B3775D24E128F39FD9CE2887A6F8684F63BA61FB522CD
SSDEEP:	98304:L+QpfueC8oj9SZyn59/tZHTDTW+j8F1V8uHPAIQsxsjKMSFCNOuiEsA/Vfng9azQ:JiQtSqdt72hRI0Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executable content was dropped or overwritten
  - st-setup-1.8.17r2.exe (PID: 2148)
- Uses ICACLS.EXE to modify access control lists
  - st-setup-1.8.17r2.exe (PID: 2148)
- Process drops legitimate windows executable
  - st-setup-1.8.17r2.exe (PID: 2148)
- The process drops C-runtime libraries
  - st-setup-1.8.17r2.exe (PID: 2148)
- Malware-specific behavior (creating "System.dll" in Temp)
  - st-setup-1.8.17r2.exe (PID: 2148)
- The process creates files with name similar to system file names
  - st-setup-1.8.17r2.exe (PID: 2148)
- Creates a software uninstall entry
  - st-setup-1.8.17r2.exe (PID: 2148)
- Explorer used for Indirect Command Execution
  - explorer.exe (PID: 5432)
- Starts CMD.EXE for commands execution
  - explorer.exe (PID: 2292)
- Executing commands from a ".bat" file
  - explorer.exe (PID: 2292)
- There is functionality for taking screenshot (YARA)
  - SteamTools.exe (PID: 3964)
INFO
- Create files in a temporary directory
  - st-setup-1.8.17r2.exe (PID: 2148)
- Reads the computer name
  - st-setup-1.8.17r2.exe (PID: 2148)
  - SteamTools.exe (PID: 3964)
- Creates files in the program directory
  - st-setup-1.8.17r2.exe (PID: 2148)
- The sample compiled with english language support
  - st-setup-1.8.17r2.exe (PID: 2148)
- Checks supported languages
  - st-setup-1.8.17r2.exe (PID: 2148)
  - SteamTools.exe (PID: 1212)
  - SteamTools.exe (PID: 3964)
- Creates files or folders in the user directory
  - st-setup-1.8.17r2.exe (PID: 2148)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 2292)
- Manual execution by a user
  - SteamTools.exe (PID: 1212)
- Checks proxy server information
  - SteamTools.exe (PID: 3964)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2025:02:08 08:31:08+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Large address aware, No debug
PEType:	PE32+
LinkerVersion:	2.38
CodeSize:	37376
InitializedDataSize:	51712
UninitializedDataSize:	291328
EntryPoint:	0x43b3
OSVersion:	5.1
ImageVersion:	6
SubsystemVersion:	5.1
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

147

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1148

"C:\Users\admin\AppData\Local\Temp\st-setup-1.8.17r2.exe"

C:\Users\admin\AppData\Local\Temp\st-setup-1.8.17r2.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\appdata\local\temp\st-setup-1.8.17r2.exe
c:\windows\system32\ntdll.dll

1212

"C:\Program Files\SteamTools\SteamTools.exe"

C:\Program Files\SteamTools\SteamTools.exe

—

explorer.exe

User:

admin

Company:

steamtools.net

Integrity Level:

MEDIUM

Description:

Steamtools

Exit code:

Version:

1.8.1.5

Modules

Images
c:\program files\steamtools\steamtools.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

2032

icacls "C:\Program Files\SteamTools" /grant:r "*S-1-5-32-545:(OI)(CI)F" /T

C:\Windows\System32\icacls.exe

—

st-setup-1.8.17r2.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

2040

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

icacls.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2148

"C:\Users\admin\AppData\Local\Temp\st-setup-1.8.17r2.exe"

C:\Users\admin\AppData\Local\Temp\st-setup-1.8.17r2.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\st-setup-1.8.17r2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

2292

C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\explorer.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\aepic.dll

3964

"C:\Program Files\SteamTools\SteamTools.exe"

C:\Program Files\SteamTools\SteamTools.exe

cmd.exe

User:

admin

Company:

steamtools.net

Integrity Level:

MEDIUM

Description:

Steamtools

Exit code:

Version:

1.8.1.5

Modules

Images
c:\program files\steamtools\steamtools.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

5432

"C:\WINDOWS\explorer.exe" "C:\Users\admin\AppData\Local\Temp\SteamTools_launcher.bat"

C:\Windows\explorer.exe

—

st-setup-1.8.17r2.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Explorer

Exit code:

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll

5600

C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\SteamTools_launcher.bat" "

C:\Windows\System32\cmd.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll

6224

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

icacls.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

1 711

Read events

1 695

Write events

Delete events

Modification events


(PID) Process:	(2148) st-setup-1.8.17r2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SteamTools
Operation:	write	Name:	DisplayName
Value: SteamTools
(PID) Process:	(2148) st-setup-1.8.17r2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SteamTools
Operation:	write	Name:	UninstallString
Value: "C:\Program Files\SteamTools\Uninstall.exe"
(PID) Process:	(2148) st-setup-1.8.17r2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SteamTools
Operation:	write	Name:	QuietUninstallString
Value: "C:\Program Files\SteamTools\Uninstall.exe" /S
(PID) Process:	(2148) st-setup-1.8.17r2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SteamTools
Operation:	write	Name:	InstallLocation
Value: C:\Program Files\SteamTools
(PID) Process:	(2148) st-setup-1.8.17r2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SteamTools
Operation:	write	Name:	DisplayIcon
Value: C:\Program Files\SteamTools\SteamTools.exe,0
(PID) Process:	(2148) st-setup-1.8.17r2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SteamTools
Operation:	write	Name:	NoModify
Value: 1
(PID) Process:	(2148) st-setup-1.8.17r2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SteamTools
Operation:	write	Name:	NoRepair
Value: 1
(PID) Process:	(2148) st-setup-1.8.17r2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\SteamTools
Operation:	write	Name:	Language
Value: 1033
(PID) Process:	(3964) SteamTools.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Valve\Steamtools
Operation:	write	Name:	SteamPath
Value: C:/Program Files/SteamTools
(PID) Process:	(3964) SteamTools.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Valve\Steamtools
Operation:	write	Name:	fScreenIndex
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2148	st-setup-1.8.17r2.exe	C:\Users\admin\AppData\Local\Temp\nspCC54.tmp\modern-header.bmp		image
		MD5:F1928D020EBD3BF2C54FB46B3253F2A9	SHA256:A928EDA70352B4BF7FE85EBEE91B1CA819AD78A4DBA4547B95A1A3FFF51F89DD
2148	st-setup-1.8.17r2.exe	C:\Program Files\SteamTools\Core.dll		executable
		MD5:22AEB63890B7BC6CAC78E3C0501BEFF0	SHA256:2C32B0318555915DE7A27F92B8B77CF6730F869968924910734B265C516568E8
2148	st-setup-1.8.17r2.exe	C:\Users\admin\AppData\Local\Temp\nspCC54.tmp\nsDialogs.dll		executable
		MD5:9CBB2C67258DF6CFC08E060BD8AB8309	SHA256:4AEC3A5A78295861C8AD96B70B0520C541EA4DF60651615802AD066780CE2296
2148	st-setup-1.8.17r2.exe	C:\Users\admin\AppData\Local\Temp\nspCC54.tmp\modern-wizard.bmp		image
		MD5:3614A4BE6B610F1DAF6C801574F161FE	SHA256:16E0EDC9F47E6E95A9BCAD15ADBDC46BE774FBCD045DD526FC16FC38FDC8D49B
2148	st-setup-1.8.17r2.exe	C:\Program Files\SteamTools\platforms\qwindows.dll		executable
		MD5:4931FCD0E86C4D4F83128DC74E01EAAD	SHA256:3333BA244C97264E3BD19DB5953EFA80A6E47AACED9D337AC3287EC718162B85
2148	st-setup-1.8.17r2.exe	C:\Users\admin\AppData\Local\Temp\nspCC54.tmp\System.dll		executable
		MD5:E74573CE106DD95B148BB8B1EF8E3418	SHA256:D12BC87BF84C51C13F0877949BCD719C5B90D9DF8658A2F8036DDC262CB0D87B
2148	st-setup-1.8.17r2.exe	C:\Program Files\SteamTools\Qt5Core.dll		executable
		MD5:817520432A42EFA345B2D97F5C24510E	SHA256:8D2FF4CE9096DDCCC4F4CD62C2E41FC854CFD1B0D6E8D296645A7F5FD4AE565A
2148	st-setup-1.8.17r2.exe	C:\Program Files\SteamTools\Qt5Network.dll		executable
		MD5:3569693D5BAE82854DE1D88F86C33184	SHA256:4EF341AE9302E793878020F0740B09B0F31CB380408A697F75C69FDBD20FC7A1
2148	st-setup-1.8.17r2.exe	C:\Program Files\SteamTools\Qt5Svg.dll		executable
		MD5:03761F923E52A7269A6E3A7452F6BE93	SHA256:7348CFC6444438B8845FB3F59381227325D40CA2187D463E82FC7B8E93E38DB5
2148	st-setup-1.8.17r2.exe	C:\Program Files\SteamTools\msvcp140_1.dll		executable
		MD5:18A6C1A3D630DFCBC227082D5B06681A	SHA256:AF589D441CD97638B1A0B9192A4014C52B64B35ECF5437CAA65F27B3583E07AA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3964	SteamTools.exe	GET	302	122.188.45.182:80	http://new-service.biliapi.net/picture/chatres/update/version2.txt	unknown	—	—	unknown
1268	svchost.exe	GET	200	23.216.77.16:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3964	SteamTools.exe	GET	200	8.133.135.83:80	http://stools.oss-cn-shanghai.aliyuncs.com/version2.txt	unknown	—	—	unknown
7032	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7032	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1488	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5348	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.216.77.16:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3964	SteamTools.exe	122.188.45.182:80	new-service.biliapi.net	CHINA UNICOM China169 Backbone	CN	unknown
3964	SteamTools.exe	8.133.135.83:80	stools.oss-cn-shanghai.aliyuncs.com	Hangzhou Alibaba Advertising Co.,Ltd.	CN	unknown
1488	svchost.exe	40.126.31.131:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
google.com	216.58.212.142	whitelisted
crl.microsoft.com	23.216.77.16 23.216.77.18 23.216.77.43 23.216.77.6 23.216.77.12 23.216.77.4 23.216.77.20 23.216.77.13 23.216.77.5	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
steamtools.info	—	unknown
new-service.biliapi.net	122.188.45.182 59.83.212.226 60.221.17.73 122.192.127.62 118.212.139.66 122.188.45.140 122.188.44.51	unknown
stools.oss-cn-shanghai.aliyuncs.com	8.133.135.83	unknown
login.live.com	40.126.31.131 40.126.31.129 20.190.159.73 20.190.159.128 20.190.159.0 40.126.31.128 20.190.159.75 20.190.159.71	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
slscr.update.microsoft.com	20.165.94.63	whitelisted

Threats

PID	Process	Class	Message
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
3964	SteamTools.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
2200	svchost.exe	Misc activity	ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
3964	SteamTools.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)

Add for printing

Process	Message
SteamTools.exe	QCoreApplication::applicationFilePath: Please instantiate the QApplication object first
SteamTools.exe	"steamPath:"
SteamTools.exe	?????????????? "Host steamtools.info not found"
SteamTools.exe	?????????????? "Unknown error"
SteamTools.exe	Left Click - Action: "Launch Steam" ""
SteamTools.exe	Left Click - Action: "Exit" ""

General Info

st-setup-1.8.17r2.exe

2B45350F1CFC20CF110B8D16FBE9CA36

C78813CCC683A684092C3287A4EB84136BB6438B

D3B3171D52BC5FD5A41B3775D24E128F39FD9CE2887A6F8684F63BA61FB522CD

98304:L+QpfueC8oj9SZyn59/tZHTDTW+j8F1V8uHPAIQsxsjKMSFCNOuiEsA/Vfng9azQ:JiQtSqdt72hRI0Q

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executable content was dropped or overwritten

Uses ICACLS.EXE to modify access control lists

Process drops legitimate windows executable

The process drops C-runtime libraries

Malware-specific behavior (creating "System.dll" in Temp)

The process creates files with name similar to system file names

Creates a software uninstall entry

Explorer used for Indirect Command Execution

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

There is functionality for taking screenshot (YARA)

INFO

Create files in a temporary directory

Reads the computer name

Creates files in the program directory

The sample compiled with english language support

Checks supported languages

Creates files or folders in the user directory

Reads security settings of Internet Explorer

Manual execution by a user

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings