File name: SteamtoolsSetup.exe
Full analysis: https://app.any.run/tasks/9648e078-57e2-4f17-b4de-b391bfac9e0b
Verdict: Malicious activity
Analysis date: August 14, 2024, 17:20:39
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5: DD410C316152077EB8A683ED981FC787
SHA1: 360B90CD99DD9EAD20B21E50C73A3D0FE10123C1
SHA256: 036128CA60C543609BF2C6C362E2F909C85F1760D4A8D6B07C55B73D36D9DF0B
SSDEEP: 49152:HTg9BxzlUNtSQm4YU9HvA0OizN+a5niYP3FCB/JIM:HTOBtkI4s0Oica0iCI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • SteamSetup(1).exe (PID: 6500)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • SteamtoolsSetup.exe (PID: 6488)
      • SteamSetup(1).exe (PID: 6500)
      • SteamService.exe (PID: 6328)
    • The process creates files with name similar to system file names

      • SteamSetup(1).exe (PID: 6500)
    • Executable content was dropped or overwritten

      • SteamSetup(1).exe (PID: 6500)
      • SteamService.exe (PID: 6328)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • SteamSetup(1).exe (PID: 6500)
    • Creates a software uninstall entry

      • SteamSetup(1).exe (PID: 6500)
  • INFO

    • Checks supported languages

      • SteamtoolsSetup.exe (PID: 6488)
      • SteamSetup(1).exe (PID: 6500)
      • Steam.exe (PID: 6548)
      • SteamService.exe (PID: 6328)
    • Manual execution by a user

      • SteamSetup(1).exe (PID: 2064)
      • SteamSetup(1).exe (PID: 6500)
      • Steam.exe (PID: 6548)
    • Reads the computer name

      • SteamSetup(1).exe (PID: 6500)
      • SteamService.exe (PID: 6328)
      • Steam.exe (PID: 6548)
    • Creates files in the program directory

      • Steam.exe (PID: 6548)
      • SteamSetup(1).exe (PID: 6500)
      • SteamService.exe (PID: 6328)
    • Create files in a temporary directory

      • SteamSetup(1).exe (PID: 6500)
    • Checks proxy server information

      • Steam.exe (PID: 6548)
    • Reads the software policy settings

      • Steam.exe (PID: 6548)
    • Reads the machine GUID from the registry

      • Steam.exe (PID: 6548)
    • Creates files or folders in the user directory

      • Steam.exe (PID: 6548)
    • Reads CPU info

      • Steam.exe (PID: 6548)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2023:12:19 13:45:21+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.38
CodeSize: 1159168
InitializedDataSize: 626688
UninitializedDataSize: -
EntryPoint: 0x1060ec
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
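
The EXIF block above is what ExifTool reads out of the DOS, COFF and optional headers. The Python below, added here as an example and not code from ANY.RUN or ExifTool, parses those same fields from raw bytes so a report's values can be reproduced against the sample itself, or a suspicious header inspected without trusting a tool's summary. The fixture it parses is a hand-built PE32+ header carrying the values reported above; it has no sections, does not load, and is not the analysed binary.

```python
"""Parse the PE header fields an EXIF/ExifTool block reports, from raw bytes.
Added example (not ANY.RUN or ExifTool code). build_fixture() is a hand-made
PE32+ header carrying the values reported above; it is not the analysed file."""
import struct
from datetime import datetime, timezone

MACHINE = {0x14C: "Intel 386", 0x8664: "AMD AMD64", 0xAA64: "ARM64"}
CHARACTERISTICS = {0x0002: "Executable", 0x0020: "Large address aware",
                   0x0100: "32-bit", 0x2000: "DLL"}
SUBSYSTEM = {1: "Native", 2: "Windows GUI", 3: "Windows command line"}


def parse_pe_headers(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    magic, maj_l, min_l, code, idata, udata, entry = struct.unpack_from(
        "<HBBIIII", data, opt)
    pe_type = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    if pe_type is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # Offsets 40..71 (OS/image/subsystem versions through DllCharacteristics) are
    # identical in PE32 and PE32+; only BaseOfData/ImageBase before them differ.
    (maj_os, min_os, maj_img, min_img, maj_ss, min_ss,
     _w32ver, _size_img, _size_hdr, _csum, subsystem, _dllchars) = struct.unpack_from(
        "<HHHHHHIIIIHH", data, opt + 40)
    return {
        "machine": MACHINE.get(machine, f"{machine:#06x}"),
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "characteristics": [name for bit, name in CHARACTERISTICS.items() if chars & bit],
        "pe_type": pe_type,
        "linker_version": f"{maj_l}.{min_l}",
        "code_size": code,
        "initialized_data_size": idata,
        "uninitialized_data_size": udata,
        "entry_point": entry,
        "os_version": f"{maj_os}.{min_os}",
        "image_version": f"{maj_img}.{min_img}",
        "subsystem_version": f"{maj_ss}.{min_ss}",
        "subsystem": subsystem,
        "subsystem_name": SUBSYSTEM.get(subsystem, str(subsystem)),
        "optional_header_size": opt_size,
    }


def render_exif(fields: dict) -> dict:
    """Present the parsed fields with the names, and the '-' for zero, used in the report."""
    dash = lambda v: "-" if v in (0, "0.0") else v
    return {
        "MachineType": fields["machine"],
        "TimeStamp": fields["timestamp"].strftime("%Y:%m:%d %H:%M:%S") + "+00:00",
        "ImageFileCharacteristics": ", ".join(fields["characteristics"]),
        "PEType": fields["pe_type"],
        "LinkerVersion": fields["linker_version"],
        "CodeSize": dash(fields["code_size"]),
        "InitializedDataSize": dash(fields["initialized_data_size"]),
        "UninitializedDataSize": dash(fields["uninitialized_data_size"]),
        "EntryPoint": f"{fields['entry_point']:#x}",
        "OSVersion": dash(fields["os_version"]),
        "ImageVersion": dash(fields["image_version"]),
        "SubsystemVersion": dash(fields["subsystem_version"]),
        "Subsystem": fields["subsystem_name"],
    }


def build_fixture() -> bytes:
    """Hand-built PE32+ header with the values from the EXIF block above
    (no sections, not loadable; only for exercising the parser)."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    stamp = int(datetime(2023, 12, 19, 13, 45, 21, tzinfo=timezone.utc).timestamp())
    coff = struct.pack("<HHIIIHH", 0x8664, 0, stamp, 0, 0, 240, 0x0002 | 0x0020)
    opt = struct.pack("<HBBIIIIIQII", 0x20B, 14, 38, 1159168, 626688, 0, 0x1060EC,
                      0x1000, 0x140000000, 0x1000, 0x200)
    opt += struct.pack("<HHHHHHIIIIHH", 6, 0, 0, 0, 6, 0, 0, 0x1C0000, 0x400, 0, 3, 0x8160)
    opt += struct.pack("<QQQQII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += bytes(16 * 8)  # sixteen empty data directories
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    for key, value in render_exif(parse_pe_headers(build_fixture())).items():
        print(f"{key}: {value}")
```

Run it against a real file with parse_pe_headers(open(path, "rb").read()); a PE32 (magic 0x10B) parses with the same code because none of the fields read sit at offsets that differ between the two layouts.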
All screenshots are available in the full report
Total processes: 141
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the graph ("no specs" marks a process that raised no indicators): start, steamtoolssetup.exe (no specs), conhost.exe (no specs), steamsetup(1).exe (no specs), steamsetup(1).exe, steamservice.exe, conhost.exe (no specs), steam.exe

Process information

Fields per process: PID, command line (CMD), path, parent process, user, company, integrity level, description, exit code, version, loaded modules (images).

PID: 2064
CMD: "C:\Users\admin\Desktop\SteamSetup(1).exe"
Path: C:\Users\admin\Desktop\SteamSetup(1).exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Steam
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; the same image runs again as PID 6500 at HIGH integrity)
Version: 2.10.91.91
Modules (Images):
c:\users\admin\desktop\steamsetup(1).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 6328
CMD: "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
Path: C:\Program Files (x86)\Steam\bin\SteamService.exe
Parent process: SteamSetup(1).exe
User: admin
Company: Valve Corporation
Integrity Level: HIGH
Description: Steam Client Service
Exit code: 0
Version: 08.90.88.32
Modules (Images):
c:\program files (x86)\steam\bin\steamservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 6396
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SteamService.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6488
CMD: "C:\Users\admin\AppData\Local\Temp\SteamtoolsSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\SteamtoolsSetup.exe (the submitted file)
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225786 (0xC000013A, STATUS_CONTROL_C_EXIT)
Modules (Images):
c:\users\admin\appdata\local\temp\steamtoolssetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 6496
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SteamtoolsSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6500
CMD: "C:\Users\admin\Desktop\SteamSetup(1).exe"
Path: C:\Users\admin\Desktop\SteamSetup(1).exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: Steam
Exit code: 0
Version: 2.10.91.91
Modules (Images):
c:\users\admin\desktop\steamsetup(1).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 6548
CMD: "C:\Program Files (x86)\Steam\steam.exe"
Path: C:\Program Files (x86)\Steam\Steam.exe
Parent process: explorer.exe
User: admin
Company: Valve Corporation
Integrity Level: MEDIUM
Description: Steam
Exit code: (not reported)
Version: 08.90.88.32
Modules (Images):
c:\program files (x86)\steam\steam.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

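
Two details in the process list deserve a second look: the non-zero exit codes are NTSTATUS values printed as unsigned decimals, and SteamSetup(1).exe appears twice, first at MEDIUM integrity with exit code 3221226540 and then at HIGH with exit code 0. The Python below, an added example rather than ANY.RUN code, transcribes the seven processes from the report and pulls out exactly those facts: it decodes the exit codes, pairs the failed run with its elevated re-run, and walks descendants by parent image name (the only parent reference the report gives), which shows that the installer chain hangs off explorer.exe rather than off the submitted SteamtoolsSetup.exe.

```python
"""Triage helpers for a sandbox process list: decode NTSTATUS exit codes, pair an
elevation-required failure with the elevated re-run, and walk descendants by
parent image name. Added example, not ANY.RUN code; PROCESSES is transcribed
from the report above (exit code None = not reported)."""

NTSTATUS = {
    0x00000000: "STATUS_SUCCESS",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}
LEVEL = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}

PROCESSES = [  # (pid, image path, parent image, integrity level, exit code)
    (2064, r"C:\Users\admin\Desktop\SteamSetup(1).exe", "explorer.exe", "MEDIUM", 3221226540),
    (6328, r"C:\Program Files (x86)\Steam\bin\SteamService.exe", "SteamSetup(1).exe", "HIGH", 0),
    (6396, r"C:\Windows\System32\conhost.exe", "SteamService.exe", "HIGH", 0),
    (6488, r"C:\Users\admin\AppData\Local\Temp\SteamtoolsSetup.exe", "explorer.exe", "MEDIUM", 3221225786),
    (6496, r"C:\Windows\System32\conhost.exe", "SteamtoolsSetup.exe", "MEDIUM", 0),
    (6500, r"C:\Users\admin\Desktop\SteamSetup(1).exe", "explorer.exe", "HIGH", 0),
    (6548, r"C:\Program Files (x86)\Steam\Steam.exe", "explorer.exe", "MEDIUM", None),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def decode_exit_code(code) -> str:
    """Sandbox UIs print exit codes as unsigned decimals; values >= 0xC0000000 are NTSTATUS errors."""
    if code is None:
        return "not reported (process still running at end of analysis)"
    return f"{code:#010x} {NTSTATUS.get(code, 'unknown NTSTATUS')}"


def find_elevation_retries(procs):
    """A run that ended with STATUS_ELEVATION_REQUIRED, paired with the same image at a
    higher integrity level. Matched by image path and integrity, not by start time,
    which the report does not give."""
    out = []
    for pid, image, _parent, level, code in procs:
        if code != 0xC000042C:
            continue
        for q_pid, q_image, _p, q_level, q_code in procs:
            if q_pid != pid and q_image.lower() == image.lower() and LEVEL[q_level] > LEVEL[level]:
                out.append({"image": image, "first_pid": pid, "first_level": level,
                            "retry_pid": q_pid, "retry_level": q_level, "retry_exit": q_code})
    return out


def descendants(procs, root_image_name: str) -> set:
    """PIDs reachable from root by following parent image names. Name-based matching
    merges distinct processes that share an image name, which is acceptable for a
    seven-process list but not for a full system trace."""
    names, found, changed = {root_image_name.lower()}, set(), True
    while changed:
        changed = False
        for pid, image, parent, _lvl, _code in procs:
            if parent.lower() in names and pid not in found:
                found.add(pid)
                names.add(basename(image).lower())
                changed = True
    return found


if __name__ == "__main__":
    for pid, image, parent, level, code in PROCESSES:
        print(f"{pid:>5} {level:<6} {basename(image):<22} parent={parent:<20} exit={decode_exit_code(code)}")
    print("elevation retries:", find_elevation_retries(PROCESSES))
    print("spawned by the submitted sample:", descendants(PROCESSES, "SteamtoolsSetup.exe"))
    print("spawned by SteamSetup(1).exe:", descendants(PROCESSES, "SteamSetup(1).exe"))
```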
Total events: 5,322
Read events: 5,291
Write events: 29
Delete events: 2

Modification events

PID 6500 SteamSetup(1).exe, write
  Key: HKEY_CURRENT_USER\SOFTWARE\Valve\Steam
  Name: Language
  Value: english
PID 6500 SteamSetup(1).exe, write
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\Steam
  Name: Language
  Value: english
PID 6500 SteamSetup(1).exe, write
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Name: Steam
  Value: "C:\Program Files (x86)\Steam\steam.exe" -silent
PID 6500 SteamSetup(1).exe, write
  Key: HKEY_CURRENT_USER\SOFTWARE\Valve\Steam
  Name: SteamInstaller
  Value: SteamSetup(1).exe
PID 6328 SteamService.exe, write
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\SteamService
  Name: installpath_default
  Value: C:\Program Files (x86)\Steam
PID 6328 SteamService.exe, write
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\Steam
  Name: InstallPath
  Value: C:\Program Files (x86)\Steam
PID 6328 SteamService.exe, write
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\steam
  Name: URL Protocol
  Value: (empty)
PID 6328 SteamService.exe, write
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\steamlink
  Name: URL Protocol
  Value: (empty)
PID 6328 SteamService.exe, write
  Key: HKEY_CLASSES_ROOT\steam
  Name: URL Protocol
  Value: (empty)
PID 6328 SteamService.exe, write
  Key: HKEY_CLASSES_ROOT\steamlink
  Name: URL Protocol
  Value: (empty)

The HKEY_CLASSES_ROOT\steam and HKEY_CLASSES_ROOT\steamlink writes are the same two keys as the HKEY_LOCAL_MACHINE\SOFTWARE\Classes entries above them, seen through the merged HKCR view; the Run value written by PID 6500 is the event behind the "Changes the autorun value in the registry" indicator.
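
Of the ten writes above, the verdict rests on one: the Steam value under HKCU\...\CurrentVersion\Run. The others are installer settings, and the four URL Protocol writes are two keys seen through two paths. (The "System.dll in Temp" indicator and the ns*.tmp plugin directory in the dropped-files list are what any NSIS-built installer produces, which is why the Run entry rather than the plugin drop carries the weight here.) The Python below, added as an example and not ANY.RUN code, canonicalises key paths so HKCR aliases and WOW6432Node redirection collapse, classifies each write, and scores autoruns by where the target executable lives. The event list is transcribed from the report plus one constructed record (PID 9999, example.exe) that did not occur in this analysis.

```python
"""Classify registry writes from a sandbox report and extract persistence.
Added example, not ANY.RUN code. EVENTS is transcribed from the report; the
last record (PID 9999, example.exe) is constructed and did not occur here."""
import re

EVENTS = [  # (pid, process, key, value name, data)
    (6500, "SteamSetup(1).exe", r"HKEY_CURRENT_USER\SOFTWARE\Valve\Steam", "Language", "english"),
    (6500, "SteamSetup(1).exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\Steam", "Language", "english"),
    (6500, "SteamSetup(1).exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Steam", r'"C:\Program Files (x86)\Steam\steam.exe" -silent'),
    (6500, "SteamSetup(1).exe", r"HKEY_CURRENT_USER\SOFTWARE\Valve\Steam", "SteamInstaller", "SteamSetup(1).exe"),
    (6328, "SteamService.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\SteamService",
     "installpath_default", r"C:\Program Files (x86)\Steam"),
    (6328, "SteamService.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\Steam",
     "InstallPath", r"C:\Program Files (x86)\Steam"),
    (6328, "SteamService.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\steam", "URL Protocol", ""),
    (6328, "SteamService.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\steamlink", "URL Protocol", ""),
    (6328, "SteamService.exe", r"HKEY_CLASSES_ROOT\steam", "URL Protocol", ""),
    (6328, "SteamService.exe", r"HKEY_CLASSES_ROOT\steamlink", "URL Protocol", ""),
    # constructed, hypothetical: a machine-wide autorun pointing into the user's temp directory
    (9999, "example.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "Updater", r"C:\Users\admin\AppData\Local\Temp\upd.exe /q"),
]

AUTORUN_KEY = re.compile(
    r"^HKEY_(CURRENT_USER|LOCAL_MACHINE)\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\"
    r"(RUN|RUNONCE|RUNONCEEX|RUNSERVICES|RUNSERVICESONCE)$")
WINLOGON_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON$")
USER_WRITABLE = re.compile(r"^[A-Z]:\\(USERS|PROGRAMDATA|TEMP|WINDOWS\\TEMP)\\", re.IGNORECASE)


def canonical_key(key: str) -> str:
    """Fold the aliases Windows presents for one physical key: HKCR is a merged view
    over HKLM SOFTWARE Classes, and WOW6432Node is the 32-bit redirection of HKLM
    SOFTWARE, so both spellings of the same write compare equal."""
    k = key.strip().replace("/", "\\").upper()
    k = re.sub(r"^HKCU\\", r"HKEY_CURRENT_USER\\", k)
    k = re.sub(r"^HKLM\\", r"HKEY_LOCAL_MACHINE\\", k)
    k = re.sub(r"^(HKCR|HKEY_CLASSES_ROOT)\\", r"HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES\\", k)
    return k.replace("\\SOFTWARE\\WOW6432NODE\\", "\\SOFTWARE\\")


def split_command(value: str):
    """Separate executable from arguments in an autorun value: "quoted path" args, or path args."""
    m = re.match(r'^"([^"]+)"\s*(.*)$', value.strip())
    if m:
        return m.group(1), m.group(2)
    head, _, tail = value.strip().partition(" ")
    return head, tail


def classify(pid, process, key, name, data) -> dict:
    k = canonical_key(key)
    base = {"pid": pid, "process": process, "key": k, "name": name}
    if AUTORUN_KEY.match(k) or (WINLOGON_KEY.match(k) and name.upper() in ("SHELL", "USERINIT")):
        exe, args = split_command(data)
        # heuristic: an autorun whose target lives in a user-writable location ranks higher
        severity = "high" if USER_WRITABLE.match(exe) else "medium"
        return {**base, "category": "autorun", "severity": severity, "exe": exe, "args": args}
    if k.startswith("HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES\\") and name.upper() == "URL PROTOCOL":
        return {**base, "category": "url_protocol", "severity": "low",
                "scheme": k.rsplit("\\", 1)[1].lower()}
    if k.startswith("HKEY_LOCAL_MACHINE\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\"):
        return {**base, "category": "service", "severity": "medium", "data": data}
    return {**base, "category": "setting", "severity": "info"}


def persistence_findings(events):
    """Everything that is not a plain setting, with alias duplicates removed."""
    seen, out = set(), []
    for ev in events:
        f = classify(*ev)
        sig = (f["pid"], f["key"], f["name"].upper())
        if f["category"] == "setting" or sig in seen:
            continue
        seen.add(sig)
        out.append(f)
    return out


if __name__ == "__main__":
    for f in persistence_findings(EVENTS):
        print(f["severity"].upper(), f["category"], f["process"], f["key"],
              f.get("exe", f.get("scheme", "")))
```

The severity heuristic is deliberately simple: an autorun into Program Files written by an elevated installer is the normal shape of a legitimate install, while one into AppData, ProgramData or a temp directory is the shape most loaders take; neither is proof on its own, and the finding still needs the signer and the dropped-file hashes beside it.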
Executable files: 9
Suspicious files: 15
Text files: 858
Unknown types: 3

Dropped files

Fields per file: PID and process that wrote it, path, type, MD5, SHA256.

PID 6500 SteamSetup(1).exe: C:\Users\admin\AppData\Local\Temp\nsyDA8A.tmp\modern-wizard.bmp (image)
  MD5: 3614A4BE6B610F1DAF6C801574F161FE
  SHA256: 16E0EDC9F47E6E95A9BCAD15ADBDC46BE774FBCD045DD526FC16FC38FDC8D49B
PID 6500 SteamSetup(1).exe: C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt (text)
  MD5: DA6CD2483AD8A21E8356E63D036DF55B
  SHA256: EBECECD3F691AC20E5B73E5C81861A01531203DF3CF2BAA9E1B6D004733A42A6
PID 6500 SteamSetup(1).exe: C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt (text)
  MD5: 4C81277A127E3D65FB5065F518FFE9C2
  SHA256: 76A6BD74194EFD819D33802DECDFDDAAE893069D7000E44944DDA05022CFA6D9
PID 6500 SteamSetup(1).exe: C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt (text)
  MD5: 03B664BD98485425C21CDF83BC358703
  SHA256: FDF7B42B3B027A12E1B79CB10AB9E6E34C668B04EB9E8A907D8611BA46473115
PID 6500 SteamSetup(1).exe: C:\Program Files (x86)\Steam\public\steambootstrapper_finnish.txt (text)
  MD5: 9E62FC923C65BFC3F40AAF6EC4FD1010
  SHA256: 8FF0F3CBDF28102FF037B9CDA90590E4B66E1E654B90F9AEA2CD5364494D02B7
PID 6500 SteamSetup(1).exe: C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt (text)
  MD5: 31A29061E51E245F74BB26D103C666AD
  SHA256: 56C8A86FA95EAB0D8F34F498E079B5516B96D2A2F1AD9C2A888555E50E47F192
PID 6500 SteamSetup(1).exe: C:\Program Files (x86)\Steam\bin\SteamService.exe (executable)
  MD5: BA0EA9249DA4AB8F62432617489AE5A6
  SHA256: CE177DC8CF42513FF819C7B8597C7BE290F9E98632A34ECD868DC76003421F0D
PID 6500 SteamSetup(1).exe: C:\Users\admin\AppData\Local\Temp\nsyDA8A.tmp\nsProcess.dll (executable)
  MD5: 08072DC900CA0626E8C079B2C5BCFCF3
  SHA256: BB6CE83DDAAD4F530A66A1048FAC868DFC3B86F5E7B8E240D84D1633E385AEE8
PID 6500 SteamSetup(1).exe: C:\Program Files (x86)\Steam\Steam.exe (executable)
  MD5: 33BCB1C8975A4063A134A72803E0CA16
  SHA256: 12222B0908EB69581985F7E04AA6240E928FB08AA5A3EC36ACAE3440633C9EB1
PID 6500 SteamSetup(1).exe: C:\Users\admin\AppData\Local\Temp\nsyDA8A.tmp\nsDialogs.dll (executable)
  MD5: 4E5BC4458AFA770636F2806EE0A1E999
  SHA256: 91A484DC79BE64DD11BF5ACB62C893E57505FCD8809483AA92B04F10D81F9DE0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 45
DNS requests: 21
Threats: 0

HTTP requests

Fields per request: PID and process, method and HTTP code, IP:port, URL, CN, reputation (the Type and Size columns were empty for all seven requests).

1360 svchost.exe | GET 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | CN: unknown | whitelisted
1360 svchost.exe | GET 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | CN: unknown | whitelisted
5336 SearchApp.exe | GET 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | CN: unknown | whitelisted
2968 svchost.exe | GET 304 | 104.75.89.31:80 | http://x1.c.lencr.org/ | CN: unknown | whitelisted
6856 backgroundTaskHost.exe | GET 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | CN: unknown | whitelisted
6820 backgroundTaskHost.exe | GET 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | CN: unknown | whitelisted
6548 Steam.exe | GET 200 | 2.16.202.121:80 | http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgS7Tvyktds%2BiLclC0nnQdHBKA%3D%3D | CN: unknown | whitelisted

Connections

Fields per connection: PID and process, IP:port, domain, ASN, country (CN), reputation; blank where the report shows none.

3044 svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 System | 192.168.100.255:138 | whitelisted
3888 svchost.exe | 239.255.255.250:1900 | whitelisted
2872 RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2120 MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
3044 svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5336 SearchApp.exe | 184.86.251.24:443 | www.bing.com | Akamai International B.V. | DE | unknown
5336 SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3260 svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1360 svchost.exe | 20.190.159.73:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.78
whitelisted
www.bing.com
  • 184.86.251.24
  • 184.86.251.23
  • 184.86.251.14
  • 184.86.251.28
  • 184.86.251.9
  • 184.86.251.21
  • 184.86.251.11
  • 184.86.251.17
  • 184.86.251.7
  • 184.86.251.10
  • 184.86.251.27
  • 184.86.251.5
  • 184.86.251.22
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.73
  • 20.190.159.64
  • 20.190.159.75
  • 40.126.31.71
  • 20.190.159.0
  • 40.126.31.73
  • 20.190.159.2
  • 20.190.159.23
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
th.bing.com
  • 184.86.251.9
  • 184.86.251.21
  • 184.86.251.11
  • 184.86.251.14
  • 184.86.251.28
  • 184.86.251.24
  • 184.86.251.23
whitelisted
fd.api.iris.microsoft.com
  • 20.103.156.88
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 13.85.23.86
whitelisted

Threats

No threats detected
No debug info