File name: steamsetup.exe
Full analysis: https://app.any.run/tasks/e68b90fc-b926-42e3-9b7b-3f2e70098cf7
Verdict: Malicious activity
Analysis date: July 17, 2025, 23:25:08
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: F5050ACBFDF22210CBA2A18755C3852C
SHA1: B2A3FDBE4A662F3BF751F5B8BFC61F8D35E050FE
SHA256: 2580320FDED73782D7F2E352C62681753071F6461360C92F1A5758308E08484F
SSDEEP: 49152:B5MLuoTjCXXrCvm3PfYc1/UloMhHwUNLHu7Gafwqd8rmI7Bvg0kXI1DNqQ0cOogi:B2LuoTuRd9MiUdu7x8r60kY1hb0xJai6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • steamsetup.exe (PID: 3876)
      • SteamService.exe (PID: 856)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • steamsetup.exe (PID: 3876)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • steamsetup.exe (PID: 3876)
    • There is functionality for taking screenshot (YARA)

      • steamsetup.exe (PID: 3876)
    • Executable content was dropped or overwritten

      • steamsetup.exe (PID: 3876)
      • SteamService.exe (PID: 856)
    • Creates a software uninstall entry

      • steamsetup.exe (PID: 3876)
    • The process executes via Task Scheduler

      • updater.exe (PID: 4228)
    • Application launched itself

      • updater.exe (PID: 4228)
  • INFO

    • Checks supported languages

      • steamsetup.exe (PID: 3876)
      • SteamService.exe (PID: 856)
      • updater.exe (PID: 4228)
      • updater.exe (PID: 3108)
    • The sample compiled with bulgarian language support

      • steamsetup.exe (PID: 3876)
    • Reads the computer name

      • steamsetup.exe (PID: 3876)
      • SteamService.exe (PID: 856)
      • updater.exe (PID: 4228)
    • The sample compiled with english language support

      • steamsetup.exe (PID: 3876)
      • SteamService.exe (PID: 856)
    • Create files in a temporary directory

      • steamsetup.exe (PID: 3876)
    • Creates files in the program directory

      • steamsetup.exe (PID: 3876)
      • SteamService.exe (PID: 856)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 4228)
    • Checks proxy server information

      • slui.exe (PID: 6268)
    • Reads the software policy settings

      • slui.exe (PID: 6268)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF (EXE)
MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 19:19:59+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 28672
InitializedDataSize: 445952
UninitializedDataSize: 16896
EntryPoint: 0x39e3
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.0
ProductVersionNumber: 2.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Bulgarian
CharacterSet: Windows, Cyrillic
FileDescription: Steam
FileVersion: 2.0.0.0
LegalCopyright: © Valve Corporation
ProductName: Steam
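The EXIF block above is what a PE header parser reports. The script below is an added example, not part of the ANY.RUN report and not Valve's code: it reads those fields straight from the DOS, COFF and optional headers with only the Python standard library and, because the one MALICIOUS indicator on this page is "untrusted certificate", also reports whether the image carries an embedded Authenticode signature (data directory slot 4, whose first field is a raw file offset rather than an RVA). The `build_pe32_headers` helper is a constructed fixture: a header-only buffer filled with the values the EXIF section lists, not the real steamsetup.exe, and the PKCS#7 blob it appends is a placeholder. A present signature table says nothing about trust; the sandbox verdict is about chain validation, which needs `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature` against the actual file.

```python
"""Read the PE header fields a sandbox report summarises and check for an
embedded Authenticode signature. Standard library only, PE32 and PE32+."""
import struct
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data-directory slot for the WIN_CERTIFICATE table
MACHINE_NAMES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}
SUBSYSTEM_NAMES = {2: "Windows GUI", 3: "Windows CUI"}


def parse_pe(data: bytes) -> dict:
    """Return header fields of the PE image in `data` (whole file in memory)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                      # optional header follows the 20-byte COFF header
    magic, lnk_major, lnk_minor, code_sz, init_sz, uninit_sz, entry = struct.unpack_from("<HBBIIII", data, opt)
    if magic == 0x10B:                   # PE32: 4-byte ImageBase and stack/heap fields
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                 # PE32+: 8-byte ImageBase and stack/heap fields
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    os_maj, os_min, img_maj, img_min, ss_maj, ss_min = struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    n_dirs = struct.unpack_from("<I", data, nrva_off)[0]
    sec_off = sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # The security directory is special: its first field is a file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "MachineType": MACHINE_NAMES.get(machine, f"0x{machine:04x}"),
        "NumberOfSections": nsections,
        "TimeStamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "Executable": bool(characteristics & 0x0002),
        "32bit": bool(characteristics & 0x0100),
        "PEType": "PE32" if magic == 0x10B else "PE32+",
        "LinkerVersion": f"{lnk_major}.{lnk_minor}",
        "CodeSize": code_sz,
        "InitializedDataSize": init_sz,
        "UninitializedDataSize": uninit_sz,
        "EntryPoint": f"0x{entry:x}",
        "OSVersion": f"{os_maj}.{os_min}",
        "ImageVersion": f"{img_maj}.{img_min}",
        "SubsystemVersion": f"{ss_maj}.{ss_min}",
        "Subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
        "HasAuthenticodeSignature": sec_size > 0,
        "SignatureOffset": sec_off,
        "SignatureSize": sec_size,
    }


def build_pe32_headers(signed: bool) -> bytes:
    """Constructed fixture: a header-only PE32 buffer (no section table or code)
    filled with the values the report's EXIF block lists. Not the real sample."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    stamp = int(datetime(2012, 2, 24, 19, 19, 59, tzinfo=timezone.utc).timestamp())
    coff = struct.pack("<HHIIIHH", 0x14C, 6, stamp, 0, 0, 224, 0x0102)   # i386, 6 sections, EXE | 32-bit
    standard = struct.pack("<HBBIIIIII", 0x10B, 10, 0, 28672, 445952, 16896, 0x39E3, 0x1000, 0x8000)
    windows = struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200,
                          5, 0, 6, 0, 5, 0, 0, 0x80000, 0x400, 0, 2, 0x8140,
                          0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    cert = b""
    if signed:
        # WIN_CERTIFICATE header (dwLength, wRevision 0x0200, wCertificateType 0x0002 = PKCS#7)
        # around a placeholder blob; a real file carries a full SignedData structure here.
        blob = b"\x30\x00"
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        headers_len = len(dos) + 4 + len(coff) + len(standard) + len(windows) + 16 * 8
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (headers_len, len(cert))
    return dos + b"PE\0\0" + coff + standard + windows + b"".join(struct.pack("<II", *d) for d in dirs) + cert


if __name__ == "__main__":
    import sys
    buf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_pe32_headers(signed=False)
    for field, value in parse_pe(buf).items():
        print(f"{field}: {value}")
```

Run it with a file path to dump the same fields for any PE on disk; without arguments it parses the constructed fixture. A nonzero `SignatureSize` only tells you a certificate table is present, which is the cue to run a real chain check, not a verdict.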
Total processes: 142
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Nodes, in the order the graph lists them: start, steamsetup.exe, steamservice.exe, conhost.exe (no specs), updater.exe (no specs), updater.exe (no specs), slui.exe, steamsetup.exe (no specs)

Process information

PID: 856
CMD: "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
Path: C:\Program Files (x86)\Steam\bin\SteamService.exe
Parent process: steamsetup.exe
User: admin
Company: Valve Corporation
Integrity Level: HIGH
Description: Steam Client Service
Exit code: 0
Version: 02.10.92.36
Modules (images):
c:\program files (x86)\steam\bin\steamservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 1976
CMD: "C:\Users\admin\Desktop\steamsetup.exe"
Path: C:\Users\admin\Desktop\steamsetup.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Steam
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity instance requested UAC elevation and exited; PID 3876, the same command line at HIGH integrity, is consistent with the elevated relaunch)
Version: 2.0.0.0
Modules (images):
c:\users\admin\desktop\steamsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 3108
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x111c460,0x111c46c,0x111c478
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: updater.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Exit code: 0
Version: 134.0.6985.0
Modules (images):
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 3556
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SteamService.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3876
CMD: "C:\Users\admin\Desktop\steamsetup.exe"
Path: C:\Users\admin\Desktop\steamsetup.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: Steam
Exit code: 0
Version: 2.0.0.0
Modules (images):
c:\users\admin\desktop\steamsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4228
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: svchost.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Exit code: 0
Version: 134.0.6985.0
Modules (images):
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 6268
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
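The process table above mixes the sample's own lineage with sandbox background activity (Google Updater started under svchost.exe and the Task Scheduler, slui.exe under svchost.exe), and it prints exit codes as unsigned decimals. The script below is an added example, not ANY.RUN's or Valve's code: it re-keys the exit code as a 32-bit NTSTATUS (3221226540 is 0xC000042C, STATUS_ELEVATION_REQUIRED), follows the parent image names to separate the installer's process tree from the noise, and flags the UAC pattern in which a MEDIUM-integrity instance exits with that status and the same command line reappears at HIGH integrity. `PROCS` is transcribed from the table above with the long Google Updater command lines abbreviated; the lineage and relaunch heuristics are mine, not the sandbox's signatures.

```python
"""Triage helpers for a sandbox process table: decode NTSTATUS exit codes,
separate the sample's process lineage from background noise, and detect a
UAC-elevated relaunch."""
from dataclasses import dataclass

STATUS_ELEVATION_REQUIRED = 0xC000042C
NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}
INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str        # image name as the report prints it
    cmdline: str
    parent: str       # parent image name; the report gives no parent PID
    integrity: str
    exit_code: int    # unsigned decimal as the report prints it


# Transcribed from the report's process table (Google Updater command lines
# abbreviated). Constructed records for this example, not tool output.
PROCS = [
    Proc(1976, "steamsetup.exe", r'"C:\Users\admin\Desktop\steamsetup.exe"', "explorer.exe", "MEDIUM", 3221226540),
    Proc(3876, "steamsetup.exe", r'"C:\Users\admin\Desktop\steamsetup.exe"', "explorer.exe", "HIGH", 0),
    Proc(856, "SteamService.exe", r'"C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install', "steamsetup.exe", "HIGH", 0),
    Proc(3556, "conhost.exe", r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1", "SteamService.exe", "HIGH", 0),
    Proc(4228, "updater.exe", r'"...\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system', "svchost.exe", "SYSTEM", 0),
    Proc(3108, "updater.exe", r'"...\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system', "updater.exe", "SYSTEM", 0),
    Proc(6268, "slui.exe", r"C:\WINDOWS\System32\slui.exe -Embedding", "svchost.exe", "MEDIUM", 0),
]


def decode_exit_code(code: int) -> dict:
    """Reinterpret the unsigned decimal the report prints as a 32-bit NTSTATUS."""
    code &= 0xFFFFFFFF
    return {
        "hex": f"0x{code:08X}",
        "name": NTSTATUS_NAMES.get(code, "unknown"),
        "severity": ("success", "informational", "warning", "error")[code >> 30],   # top two bits
    }


def sample_lineage(procs, root_image: str) -> set:
    """PIDs of every root_image instance plus everything reachable from them
    through parent image names. Anything outside the set ran under an unrelated
    parent and is sandbox background activity, not sample behaviour."""
    names = {root_image.lower()}
    pids = set()
    grew = True
    while grew:                          # iterate to a fixed point; table order does not matter
        grew = False
        for p in procs:
            if p.pid not in pids and (p.image.lower() == root_image.lower() or p.parent.lower() in names):
                pids.add(p.pid)
                names.add(p.image.lower())
                grew = True
    return pids


def find_elevated_relaunches(procs) -> list:
    """(failed_pid, elevated_pid) pairs: same image and command line, the first
    exiting at MEDIUM with STATUS_ELEVATION_REQUIRED, the second at higher integrity."""
    hits = []
    for f in procs:
        if f.integrity != "MEDIUM" or (f.exit_code & 0xFFFFFFFF) != STATUS_ELEVATION_REQUIRED:
            continue
        for e in procs:
            if (e.pid != f.pid and e.image.lower() == f.image.lower() and e.cmdline == f.cmdline
                    and INTEGRITY_RANK[e.integrity] > INTEGRITY_RANK[f.integrity]):
                hits.append((f.pid, e.pid))
    return hits


def triage(procs, root_image: str) -> dict:
    lineage = sample_lineage(procs, root_image)
    return {
        "sample_pids": sorted(lineage),
        "background_pids": sorted(p.pid for p in procs if p.pid not in lineage),
        "max_integrity": max((p.integrity for p in procs if p.pid in lineage), key=INTEGRITY_RANK.get),
        "elevated_relaunches": find_elevated_relaunches(procs),
    }


if __name__ == "__main__":
    for p in PROCS:
        print(p.pid, p.image, p.integrity, decode_exit_code(p.exit_code))
    print(triage(PROCS, "steamsetup.exe"))
```

The lineage check relies on the parent image names the report prints, so two different processes with the same parent name (both updater.exe instances report svchost.exe or updater.exe as parent) cannot be told apart; when the export includes parent PIDs, key on those instead.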
Total events: 3 900
Read events: 3 882
Write events: 18
Delete events: 0

Modification events

PID 856 SteamService.exe
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\Steam Client Service
  Operation: write, Name: EventMessageFile
  Value: C:\Program Files (x86)\Steam\bin\steamservice.exe

PID 856 SteamService.exe
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\Steam Client Service
  Operation: write, Name: TypesSupported
  Value: 7

PID 3876 steamsetup.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Valve\Steam
  Operation: write, Name: Language
  Value: english

PID 3876 steamsetup.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\Steam
  Operation: write, Name: Language
  Value: english

PID 856 SteamService.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\Steam
  Operation: write, Name: InstallPath
  Value: C:\Program Files (x86)\Steam

PID 856 SteamService.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\steam
  Operation: write, Name: URL Protocol
  Value: (empty)

PID 856 SteamService.exe
  Key: HKEY_CLASSES_ROOT\steam
  Operation: write, Name: URL Protocol
  Value: (empty)

PID 3876 steamsetup.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam
  Operation: write, Name: DisplayName
  Value: Steam

PID 3876 steamsetup.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam
  Operation: write, Name: Publisher
  Value: Valve Corporation

PID 3876 steamsetup.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam
  Operation: write, Name: URLInfoAbout
  Value: http://www.steampowered.com/
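The modification events above are the report's raw export: one record spread over four lines, with the process name and the key run together. The parser below is an added example, not part of the ANY.RUN report, that turns that export into records and tags the writes a responder looks at first: the Add/Remove Programs entry, the Event Log message source (EventMessageFile names the binary event log viewers load as a message resource to render this source's events), and the `steam` URL protocol registration under HKEY_CLASSES_ROOT, which makes the handler reachable from a browser link. `SAMPLE` is the ten records above copied verbatim; the tagging rules are my own heuristics, not the sandbox's signatures, and the autorun and service rules are there for exports that contain such writes.

```python
"""Parse a sandbox report's flattened registry 'Modification events' export
into records and tag the writes a responder looks at first."""
import re
from collections import Counter

RECORD_RE = re.compile(r"^\(PID\) Process:\((\d+)\) (.+?)Key:(.+)$")
OPERATION_RE = re.compile(r"^Operation:(\w+)Name:(.*)$")

# (regex on key path, regex on value name, tag). First match wins, so the
# EventLog rule sits above the generic Services rule. Heuristics, not signatures.
RULES = [
    (r"\\Services\\EventLog\\", r".*", "eventlog-source"),
    (r"\\Services\\[^\\]+", r".*", "service-config"),
    (r"\\CurrentVersion\\Run(Once)?(\\|$)", r".*", "autorun"),
    (r"\\CurrentVersion\\Uninstall\\", r".*", "uninstall-entry"),
    (r"^HKEY_CLASSES_ROOT\\[^\\]+$|^HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\[^\\]+$", r"^URL Protocol$", "url-protocol-handler"),
]

# Copied verbatim from the report's "Modification events" section; constructed
# test input for this example, not live tool output.
SAMPLE = r"""
(PID) Process:(856) SteamService.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\Steam Client Service
Operation:writeName:EventMessageFile
Value:
C:\Program Files (x86)\Steam\bin\steamservice.exe
(PID) Process:(856) SteamService.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\Steam Client Service
Operation:writeName:TypesSupported
Value:
7
(PID) Process:(3876) steamsetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Valve\Steam
Operation:writeName:Language
Value:
english
(PID) Process:(3876) steamsetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\Steam
Operation:writeName:Language
Value:
english
(PID) Process:(856) SteamService.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\Steam
Operation:writeName:InstallPath
Value:
C:\Program Files (x86)\Steam
(PID) Process:(856) SteamService.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\steam
Operation:writeName:URL Protocol
Value:
(PID) Process:(856) SteamService.exeKey:HKEY_CLASSES_ROOT\steam
Operation:writeName:URL Protocol
Value:
(PID) Process:(3876) steamsetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam
Operation:writeName:DisplayName
Value:
Steam
(PID) Process:(3876) steamsetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam
Operation:writeName:Publisher
Value:
Valve Corporation
(PID) Process:(3876) steamsetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam
Operation:writeName:URLInfoAbout
Value:
http://www.steampowered.com/
"""


def classify(key: str, name: str) -> str:
    for key_re, name_re, tag in RULES:
        if re.search(key_re, key) and re.search(name_re, name):
            return tag
    return "app-setting"


def parse_events(text: str) -> list:
    """One dict per record: a '(PID) Process:' line, an 'Operation:' line, the
    literal 'Value:' line, then the value line, which is absent for empty values."""
    lines = text.strip().splitlines()
    records, i = [], 0
    while i < len(lines):
        head = RECORD_RE.match(lines[i])
        if not head:
            i += 1
            continue
        op = OPERATION_RE.match(lines[i + 1])
        if not op or lines[i + 2] != "Value:":
            raise ValueError(f"malformed record at line {i + 1}")
        i += 3
        value = ""
        if i < len(lines) and not RECORD_RE.match(lines[i]):   # empty value: next record follows directly
            value, i = lines[i], i + 1
        key, name = head.group(3), op.group(2)
        records.append({"pid": int(head.group(1)), "process": head.group(2), "key": key,
                        "operation": op.group(1), "name": name, "value": value,
                        "tag": classify(key, name)})
    return records


def summarize(records) -> dict:
    """Count of records per tag, e.g. to see at a glance what an installer registered."""
    return dict(Counter(r["tag"] for r in records))
```

Feed `parse_events` the text of any report's modification-events section; records tagged `app-setting` are the ones no rule claimed, which is where new rules get added once you know what an installer family normally writes.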
Executable files: 7
Suspicious files: 1
Text files: 29
Unknown types: 3

Dropped files

The nsuE368.tmp directory, its System.dll and the modern-*.bmp images are what an NSIS installer built with the Modern UI unpacks to %TEMP% at run time; the "System.dll in Temp" indicator above fires on this NSIS plugin.

PID 3876 steamsetup.exe: C:\Users\admin\AppData\Local\Temp\nsuE368.tmp\modern-wizard.bmp (image)
  MD5: 3614A4BE6B610F1DAF6C801574F161FE
  SHA256: 16E0EDC9F47E6E95A9BCAD15ADBDC46BE774FBCD045DD526FC16FC38FDC8D49B
PID 3876 steamsetup.exe: C:\Program Files (x86)\Steam\Steam.exe (executable)
  MD5: F0D601C183251E438B2CA49FF888DB09
  SHA256: DB4F30E77BEE6F4E7BCF25EEF8528FC3075C3A1C81C0ED13B8E71B2C24F20836
PID 3876 steamsetup.exe: C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt (text)
  MD5: D01A820B7BE78E208952A7BDEA47E2A8
  SHA256: A6CE02CD2A342A2E2E60B42B18417B006C681CF233877B51B59DB44AEA0ED620
PID 3876 steamsetup.exe: C:\Users\admin\AppData\Local\Temp\nsuE368.tmp\System.dll (executable)
  MD5: BF712F32249029466FA86756F5546950
  SHA256: 7851CB12FA4131F1FEE5DE390D650EF65CAC561279F1CFE70AD16CC9780210AF
PID 3876 steamsetup.exe: C:\Program Files (x86)\Steam\bin\SteamService.exe (executable)
  MD5: 3F0826F632F66906CB3ED62202A6BAD7
  SHA256: CA21B038DD1A1BED7293A8DEEBE19D43D1C12378ED5C6B82D36900CD4FFF23B7
PID 3876 steamsetup.exe: C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt (text)
  MD5: B02DDD5E3B43E43EE9E51E13968B7A21
  SHA256: 81A445A3CEB495564829CC7B0280FA993974B33476B85EDCDF87F738CA82705B
PID 3876 steamsetup.exe: C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt (text)
  MD5: 6DF4E3EBC6D7C96FE41C4C5213F17EFA
  SHA256: 6387F9AFF0226A5226D5D4F0FBE77AC80797CA621F0892034F38F0BF2370E4E1
PID 3876 steamsetup.exe: C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt (text)
  MD5: 5AA4BCA4ED227C16A1B04CF4D686EDEF
  SHA256: 8F6EBA28DF30196849EE40BDFF96F90D27649BA6D32ACED680A9F7E1BF1262D9
PID 3876 steamsetup.exe: C:\Users\admin\AppData\Local\Temp\nsuE368.tmp\modern-header.bmp (image)
  MD5: DA3486D12BB4C8AEC16BD9E0D363D23F
  SHA256: D93B76D51BD2214FA6E999C1BF70B4AFF5165A6542F9B9B2A92B5672601F4624
PID 3876 steamsetup.exe: C:\Program Files (x86)\Steam\public\steambootstrapper_hungarian.txt (text)
  MD5: 014BD1A8A28CCBA5C57E303CE48031BF
  SHA256: 3074B8EE27351A83B15F85E976B4A842657F877427205ADF9E7271ABF91D2FB2
HTTP(S) requests: 34
TCP/UDP connections: 48
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(The Type and Size columns are empty throughout this export and are omitted; "-" marks a cell the export leaves blank.)
3480 | RUXIMICS.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3480 | RUXIMICS.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 304 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
- | - | GET | 200 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
4476 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
4476 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
("-" marks a cell the export leaves blank.)
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3480 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3480 | RUXIMICS.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3480 | RUXIMICS.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 172.217.23.110
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
login.live.com
  • 20.190.160.130
  • 40.126.32.76
  • 40.126.32.133
  • 20.190.160.64
  • 20.190.160.5
  • 20.190.160.65
  • 20.190.160.4
  • 20.190.160.22
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
self.events.data.microsoft.com
  • 20.189.173.1
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info