File name: Steam.zip

Full analysis: https://app.any.run/tasks/dab3eae8-bee3-4bc2-9230-e0235eb52d09
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 30, 2024, 12:10:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-doc
loader
reflection
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5: 383131601399B1467CD1018697DBB1E5
SHA1: F467FF20892D9B3F82AD306143CA61ED7F94591C
SHA256: 070467CAAF365036AA351AB8C1E28A1895FA055B1DCAEDBF12D9D59C7A9AADF8
SSDEEP: 98304:xoM0eZrDVw2nKhX7WWiVG0yA2LTTj5IjHgSmZ550CpKuQCJIAQDO6OQfa/yPokna:+QfaLcy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 1156)
  • SUSPICIOUS

    • The process executes via Task Scheduler

      • powershell.exe (PID: 6544)
    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 6544)
    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 6544)
    • Checks a user's role membership (POWERSHELL)

      • powershell.exe (PID: 6544)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 6544)
    • Potential Corporate Privacy Violation

      • powershell.exe (PID: 6544)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6544)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1156)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 1156)
    • Reads the computer name

      • Steam.exe (PID: 6920)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 1156)
      • powershell.exe (PID: 6544)
    • Checks supported languages

      • Steam.exe (PID: 6920)
      • Steam.exe (PID: 2436)
    • The sample compiled with bulgarian language support

      • WinRAR.exe (PID: 1156)
    • Manual execution by a user

      • Steam.exe (PID: 6920)
      • Steam.exe (PID: 2436)
    • Checks proxy server information

      • Steam.exe (PID: 6920)
    • Reads the software policy settings

      • Steam.exe (PID: 6920)
      • Steam.exe (PID: 2436)
    • Reads the machine GUID from the registry

      • Steam.exe (PID: 6920)
      • Steam.exe (PID: 2436)
    • Creates files or folders in the user directory

      • Steam.exe (PID: 6920)
    • Reads CPU info

      • Steam.exe (PID: 6920)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 6544)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6544)
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:12:24 19:18:48
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Steam/
No data.
Total processes: 139
Monitored processes: 8
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph, in start order: winrar.exe, rundll32.exe (no specs), steam.exe, powershell.exe, conhost.exe (no specs), openwith.exe (no specs), steam.exe, svchost.exe

Process information

PID: 1156
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Steam.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  c:\windows\system32\edputil.dll

PID: 1328
CMD: C:\WINDOWS\system32\OpenWith.exe -Embedding
Path: C:\Windows\System32\OpenWith.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Pick an app
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\openwith.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\gdi32full.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll

PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\svchost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\kernel.appcore.dll

PID: 2436
CMD: "C:\Users\admin\Desktop\Steam\Steam.exe"
Path: C:\Users\admin\Desktop\Steam\Steam.exe
Parent process: explorer.exe
User: admin
Company: Valve Corporation
Integrity Level: MEDIUM
Description: Steam
Version: 08.90.88.32
Modules (images):
  c:\users\admin\desktop\steam\steam.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\user32.dll
  c:\windows\syswow64\win32u.dll

PID: 6544
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: RuntimeBroker.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\windowspowershell\v1.0\powershell.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll

PID: 6656
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll

PID: 6880
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\rundll32.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\imagehlp.dll

PID: 6920
CMD: "C:\Users\admin\Desktop\Steam\Steam.exe"
Path: C:\Users\admin\Desktop\Steam\Steam.exe
Parent process: explorer.exe
User: admin
Company: Valve Corporation
Integrity Level: MEDIUM
Description: Steam
Exit code: 4294967295
Version: 08.90.88.32
Modules (images):
  c:\users\admin\desktop\steam\steam.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\user32.dll
  c:\windows\syswow64\win32u.dll
Total events: 14 435
Read events: 14 418
Write events: 17
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
1156 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
1156 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | name | 256
1156 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | size | 80
1156 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | psize | 80
1156 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | type | 120
1156 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | mtime | 100
1156 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | crc | 70
1156 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\General\Toolbar\Layout | Band76_0 | 4C000000730100000402000000000000F0F0F00000000000000000000000000000000000000000000C03040000000000000000003B000000B402000000000000000000000000000001000000
1156 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\General\Toolbar\Layout | Band76_1 | 4C000000730100000500000000000000F0F0F0000000000000000000000000000000000000000000C00207000000000000000000180000002A00000000000000000000000000000002000000
1156 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\General\Toolbar\Layout | Band76_2 | 4C000000730100000400000000000000F0F0F0000000000000000000000000000000000000000000180304000000000000000000180000006400000000000000000000000000000003000000
Executable files: 4
Suspicious files: 31
Text files: 1 477
Unknown types: 2

Dropped files

PID | Process | Filename | Type
1156 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1156.47312\Steam\bin\SteamService.exe | executable
    MD5: BA0EA9249DA4AB8F62432617489AE5A6
    SHA256: CE177DC8CF42513FF819C7B8597C7BE290F9E98632A34ECD868DC76003421F0D
1156 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1156.47312\Steam\Steam.exe | executable
    MD5: 33BCB1C8975A4063A134A72803E0CA16
    SHA256: 12222B0908EB69581985F7E04AA6240E928FB08AA5A3EC36ACAE3440633C9EB1
1156 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1156.47312\Steam\public\steambootstrapper_latam.txt | text
    MD5: 7913F3F33839E3AF9E10455DF69866C2
    SHA256: 05BC1F4973C6D36002AC1B37CE46B1F941FCB4338282E0EC1EC83FB558D1A88C
1156 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1156.47312\Steam\public\steambootstrapper_vietnamese.txt | text
    MD5: F350C8747D77777F456037184AF9212C
    SHA256: 15B6A564E05857A3D2FD6EEC85A5A30C491A7553D15FFC025156B3665B919185
1156 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1156.47312\Steam\public\steambootstrapper_indonesian.txt | text
    MD5: 1514D082B672B372CDFB8DD85C3437F1
    SHA256: 3B3C5C615FD82070CC951AB482D3DE8CB12DF0B3DF59FBD11F9D3271FA2FBCA4
1156 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1156.47312\Steam\public\steambootstrapper_tchinese.txt | text
    MD5: 194A73F900A3283DA4CAA6C09FEFCB08
    SHA256: 5E4F2DE5EE98D5D76F5D76FB925417D6668FBA08E89F7240F923F3378E3E66F6
1156 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1156.47312\Steam\public\steambootstrapper_schinese.txt | text
    MD5: 56DCF7B68F70826262A6FFAFFE6B1C49
    SHA256: 948CAD1BB27109E008F2457248880C759D3FA98B92C5B4033B94F455CB8AC43F
1156 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1156.47312\Steam\public\steambootstrapper_english.txt | text
    MD5: DA6CD2483AD8A21E8356E63D036DF55B
    SHA256: EBECECD3F691AC20E5B73E5C81861A01531203DF3CF2BAA9E1B6D004733A42A6
1156 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1156.47312\Steam\public\steambootstrapper_greek.txt | text
    MD5: 189BA063D1481528CBD6E0C4AFC3ABAA
    SHA256: C0A7A1DF442AC080668762DF795C72AA322E9D415C41BD0A4C676A4DC0551695
1156 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1156.47312\Steam\public\steambootstrapper_spanish.txt | text
    MD5: 66456D2B1085446A9F2DBD9E4632754B
    SHA256: C4F821A4903C4E7FAEA2931C7FB1CF261EBA06A9840C78FDCA689F5C784C06C4
HTTP(S) requests: 12
TCP/UDP connections: 50
DNS requests: 27
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6544 | powershell.exe | GET | 200 | 61.160.192.100:80 | http://steam.work/ | CN | text | 7.12 Kb | unknown
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.37.237.227:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
 |  | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
6920 | Steam.exe | GET | 200 | 2.16.206.148:80 | http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgQSChx%2BZEyw2dAYm2rxuAzNAg%3D%3D | DE | binary | 504 b | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | US | binary | 313 b | whitelisted
6288 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | US | binary | 471 b | whitelisted
3812 | SIHClient.exe | GET | 200 | 23.37.237.227:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | DE | binary | 418 b | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 1.01 Kb | whitelisted
6544 | powershell.exe | GET | 200 | 61.160.192.98:80 | http://1.steam.work/api/integral/pwsDownFile | CN | binary | 1.27 Mb | malicious
2892 | svchost.exe | GET | 200 | 2.23.197.184:80 | http://x1.c.lencr.org/ | GB | binary | 734 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 |  |  |  | whitelisted
 |  | 51.104.136.2:443 |  | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.37.237.227:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
 |  | 192.168.100.255:138 |  |  |  | whitelisted
 |  | 2.21.110.146:443 | www.bing.com | AKAMAI-AS | DE | whitelisted
 |  | 23.218.210.69:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
 |  | 40.126.32.133:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 |  | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1076 | svchost.exe | 23.218.210.69:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 23.37.237.227 | whitelisted
google.com | 172.217.23.110 | whitelisted
www.bing.com | 2.21.110.146, 2.21.110.139, 2.23.209.158, 2.23.209.150, 2.23.209.179, 2.23.209.140, 2.23.209.141, 2.23.209.161, 2.23.209.176, 2.23.209.149, 2.23.209.177 | whitelisted
go.microsoft.com | 23.218.210.69 | whitelisted
login.live.com | 40.126.32.133, 40.126.32.72, 20.190.160.17, 40.126.32.138, 20.190.160.20, 40.126.32.74, 40.126.32.136, 20.190.160.14 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
cdn.steamstatic.com | 151.101.67.52, 151.101.3.52, 151.101.195.52, 151.101.131.52 | whitelisted
r11.o.lencr.org | 2.16.206.148, 2.16.206.143 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59 | whitelisted

Threats

PID | Process | Class | Message
6544 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
6544 | powershell.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Check Security.Principal.WindowsBuiltInRole has been detected
6544 | powershell.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Get-CimInstance Cmdlet has been detected
6544 | powershell.exe | Misc activity | SUSPICIOUS [ANY.RUN] The Principal.WindowsIdentity in PS.Script has been detected
6544 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
6544 | powershell.exe | A Network Trojan was detected | ET MALWARE Possible Windows executable sent when remote host claims to send html content
6544 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
6544 | powershell.exe | Misc activity | ET HUNTING Possible EXE Download From Suspicious TLD
6544 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP
6544 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
No debug info