VirusTotal behavior question

Question

VirusTotal behavior question

Closed this issue a month ago · 7 comments

Hi there!
First of all, let me thank you for creating this launcher. It's not that common to find such passionate people that fully create a new launcher with fixes, for a 17 years old game.

I'm always a bit suspicious to try any new executables, so I decided to push your release to VirusTotal. You can see the results here.

Can you help me with a couple questions?

the launcher creates the process C:\Windows\System32\7za.exe with the arguments x -pinfected. I'm particularly curious about the -pinfected argument because AFAIK "-p" is for the decryption password and "infected" is usually the password for malicious files.
The file extracted is C:\Users[user]\AppData\Local\Temp\q4x40ebu.tmp, but I don't have access to that file as it's in a virtual machine I can't access.
then it forcefully starts Conhost.exe in a hidden PowerShell (V1) window:
C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

You can find some answers here on why a program might wanna do this.

Could this be caused by something else? Like the compiler, or the .exe builder.

Thanks

Answer 1 · 2024-12-01T07:49:52.000Z

The 7za thing is the sandbox extracting the file to be analyzed. It's not the launcher that created the process.

Answer 2 · 2024-12-01T08:41:23.000Z

Hello,

The mentioned 7za.exe and conhost.exe are not used by the launcher at all. After each release, i also briefly inspect disassembly of each executable to make sure there isn't some unnecessary mess inside. I can confirm that any of the mentioned activity isn't done by the launcher itself. It must be something external.

The 7za thing is the sandbox extracting the file to be analyzed. It's not the launcher that created the process.

Yes, that's probably the case here.

Nevertheless, being suspicious about random executables from the internet is always good. It's one of the reasons why a complete source code is provided here. People can check that the launcher is a legit thing and even build it themselves. 🙂

Answer 3 · 2024-12-01T19:57:27.000Z

Hey guys,
Thank you for responding so quickly.

The reason I'm hesitant to dismiss this as a sandbox behavior is because no other game executable (or any executable at all) I tried does this, and this includes the original Crysis binaries.

The "Processes Created" part isn't part of the sandbox and only displays what the executable itself does.

As an example, here's Assetto Corsa's game executable.
And here's CS2's executable.

Answer 4 · 2024-12-01T20:46:48.000Z

Hmmmm does the suspicious activity disappear if you upload directly one of the executables instead of the whole zip?

Answer 5 · 2024-12-01T22:03:41.000Z

You're right, it does :)

So my guess is that this was in fact a sandbox thing. When I upload it as a compressed archive, the sandbox decompresses it using 7z, and the "infected" password is used exactly for the reason that it's a common password for infected archives.

So the suspicious behavior doesn't happen if I upload the executable directly.

My apologies if I made any hearts race today! hehehe. And thank you for the patience and quick response times.
I'm gonna start using the launcher from now on ;-)

Answer 6 · 2024-12-05T01:22:52.000Z

Just wanted to say that your launcher is amazing! Is there any way I can donate to the project? It's not much (converting from BRL to USD) but it's a small action of appreciation.

Answer 7 · 2024-12-05T19:24:40.000Z

Thank you, i appreciate, but money isn't a problem. Time is. 🙂