File name: Steam Repack.exe

Full analysis: https://app.any.run/tasks/3f9d0ae7-7dc0-4f17-a329-f7184ba912c8
Verdict: Malicious activity
Analysis date: February 08, 2025, 18:30:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 5 sections
MD5: 97B5597626863C7FB5675416C98936C0
SHA1: 46987AB5A1A17D28A2475604642DE3356D7BC938
SHA256: 3A7A1C13182F0A1A6A6D6235EE1EA266935EC4B68B3206E276350A27337981D6
SSDEEP: 98304:KUuNUrDvoHunx9qRCVnDXWfSKpOK2reCgPGzUMP5v0L8VFtJ5p/dL4JNzQfJWhsj:PS1xvm/Jx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • SteamSetup.exe (PID: 6724)
    • Executing a file with an untrusted certificate

      • Steam Repack.exe (PID: 1856)
      • Steam Repack.exe (PID: 4120)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • Steam Repack.exe (PID: 6296)
      • Steam Repack.exe (PID: 6644)
      • Steam Repack.exe (PID: 1856)
      • Steam Repack.exe (PID: 4120)
    • Reads security settings of Internet Explorer

      • Steam Repack.exe (PID: 6296)
      • Steam Repack.exe (PID: 6644)
      • Steam Repack.exe (PID: 1856)
      • Steam Repack.exe (PID: 4120)
    • Application launched itself

      • Steam Repack.exe (PID: 6296)
      • Steam Repack.exe (PID: 1856)
    • Executable content was dropped or overwritten

      • Steam Repack.exe (PID: 6644)
      • SteamSetup.exe (PID: 6724)
      • SteamService.exe (PID: 7144)
      • Steam Repack.exe (PID: 4120)
      • SteamSetup.exe (PID: 6996)
    • The process creates files with name similar to system file names

      • SteamSetup.exe (PID: 6724)
      • SteamSetup.exe (PID: 6996)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • SteamSetup.exe (PID: 6724)
      • SteamSetup.exe (PID: 6996)
    • Creates a software uninstall entry

      • SteamSetup.exe (PID: 6724)
    • There is functionality for taking screenshot (YARA)

      • Steam Repack.exe (PID: 6296)
  • INFO

    • Reads the computer name

      • Steam Repack.exe (PID: 6644)
      • Steam Repack.exe (PID: 6296)
      • SteamSetup.exe (PID: 6724)
      • SteamService.exe (PID: 7144)
      • Steam.exe (PID: 6692)
      • Steam Repack.exe (PID: 1856)
      • Steam Repack.exe (PID: 4120)
      • SteamSetup.exe (PID: 6996)
    • Checks supported languages

      • Steam Repack.exe (PID: 6644)
      • Steam Repack.exe (PID: 6296)
      • SteamSetup.exe (PID: 6724)
      • SteamService.exe (PID: 7144)
      • Steam.exe (PID: 6692)
      • Steam Repack.exe (PID: 1856)
      • Steam Repack.exe (PID: 4120)
      • SteamSetup.exe (PID: 6996)
    • Process checks computer location settings

      • Steam Repack.exe (PID: 6296)
      • Steam Repack.exe (PID: 6644)
      • Steam Repack.exe (PID: 1856)
      • Steam Repack.exe (PID: 4120)
    • Create files in a temporary directory

      • Steam Repack.exe (PID: 6644)
      • SteamSetup.exe (PID: 6724)
      • Steam Repack.exe (PID: 4120)
      • SteamSetup.exe (PID: 6996)
    • The sample compiled with bulgarian language support

      • Steam Repack.exe (PID: 6644)
      • SteamSetup.exe (PID: 6724)
      • Steam Repack.exe (PID: 4120)
    • The sample compiled with english language support

      • SteamSetup.exe (PID: 6724)
      • SteamService.exe (PID: 7144)
    • Creates files in the program directory

      • SteamSetup.exe (PID: 6724)
      • SteamService.exe (PID: 7144)
      • Steam.exe (PID: 6692)
    • Manual execution by a user

      • Steam.exe (PID: 6692)
      • Steam Repack.exe (PID: 1856)
    • Reads the machine GUID from the registry

      • Steam.exe (PID: 6692)
    • Reads the software policy settings

      • Steam.exe (PID: 6692)
    • Checks proxy server information

      • Steam.exe (PID: 6692)
    • Creates files or folders in the user directory

      • Steam.exe (PID: 6692)
    • Reads CPU info

      • Steam.exe (PID: 6692)
No Malware configuration.

TRiD

.exe | Win16/32 Executable Delphi generic (34.1)
.exe | Generic Win/DOS Executable (32.9)
.exe | DOS Executable Generic (32.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2016:04:02 22:16:33+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 8
CodeSize: 146944
InitializedDataSize: 59392
UninitializedDataSize: -
EntryPoint: 0x242ac
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 2.10.91.91
ProductVersionNumber: 2.10.91.91
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
LegalCopyright: © Valve Corporation
ProductName: Steam
FileVersion: 2.10.91.91
FileDescription: Steam
ProductVersion: 2.10.91.91
Created: 7z SFX Constructor 4.6 | Repack by hydraponique
Builder: Sirenity 21:28:55 08/02/2025
No data.
Total processes: 140
Monitored processes: 9
Malicious processes: 4
Suspicious processes: 2

Behavior graph

Processes in the graph, in order: start; steam repack.exe (no specs); steam repack.exe; steamsetup.exe; steamservice.exe; conhost.exe (no specs); steam.exe; steam repack.exe (no specs); steam repack.exe; steamsetup.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1856
CMD: "C:\Users\admin\Desktop\Steam Repack.exe"
Path: C:\Users\admin\Desktop\Steam Repack.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Steam
Version: 2.10.91.91
Modules
Images
c:\users\admin\desktop\steam repack.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
PID: 4120
CMD: "C:\Users\admin\Desktop\Steam Repack.exe" -sfxelevation
Path: C:\Users\admin\Desktop\Steam Repack.exe
Parent process: Steam Repack.exe
User: admin
Integrity Level: HIGH
Description: Steam
Version: 2.10.91.91
Modules
Images
c:\users\admin\desktop\steam repack.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 6296
CMD: "C:\Users\admin\Desktop\Steam Repack.exe"
Path: C:\Users\admin\Desktop\Steam Repack.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Steam
Exit code: 0
Version: 2.10.91.91
Modules
Images
c:\users\admin\desktop\steam repack.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 6644
CMD: "C:\Users\admin\Desktop\Steam Repack.exe" -sfxelevation
Path: C:\Users\admin\Desktop\Steam Repack.exe
Parent process: Steam Repack.exe
User: admin
Integrity Level: HIGH
Description: Steam
Exit code: 0
Version: 2.10.91.91
Modules
Images
c:\users\admin\desktop\steam repack.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\user32.dll
PID: 6692
CMD: "C:\Program Files (x86)\Steam\steam.exe"
Path: C:\Program Files (x86)\Steam\Steam.exe
Parent process: explorer.exe
User: admin
Company: Valve Corporation
Integrity Level: MEDIUM
Description: Steam
Version: 08.90.88.32
Modules
Images
c:\program files (x86)\steam\steam.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 6724
CMD: "C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\SteamSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\SteamSetup.exe
Parent process: Steam Repack.exe
User: admin
Integrity Level: HIGH
Description: Steam
Exit code: 0
Version: 2.10.91.91
Modules
Images
c:\users\admin\appdata\local\temp\7zipsfx.000\steamsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6996
CMD: "C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\SteamSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\SteamSetup.exe
Parent process: Steam Repack.exe
User: admin
Integrity Level: HIGH
Description: Steam
Version: 2.10.91.91
Modules
Images
c:\users\admin\appdata\local\temp\7zipsfx.000\steamsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7144
CMD: "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
Path: C:\Program Files (x86)\Steam\bin\SteamService.exe
Parent process: SteamSetup.exe
User: admin
Company: Valve Corporation
Integrity Level: HIGH
Description: Steam Client Service
Exit code: 0
Version: 08.90.88.32
Modules
Images
c:\program files (x86)\steam\bin\steamservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7152
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SteamService.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 5 669
Read events: 5 640
Write events: 27
Delete events: 2

Modification events

Process: SteamSetup.exe (PID: 6724)
Key: HKEY_CURRENT_USER\SOFTWARE\Valve\Steam
Operation: write
Name: Language
Value: english

Process: SteamSetup.exe (PID: 6724)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\Steam
Operation: write
Name: Language
Value: english

Process: SteamSetup.exe (PID: 6724)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Steam
Value: "C:\Program Files (x86)\Steam\steam.exe" -silent

Process: SteamSetup.exe (PID: 6724)
Key: HKEY_CURRENT_USER\SOFTWARE\Valve\Steam
Operation: write
Name: SteamInstaller
Value: SteamSetup.exe

Process: SteamService.exe (PID: 7144)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\SteamService
Operation: write
Name: installpath_default
Value: C:\Program Files (x86)\Steam

Process: SteamService.exe (PID: 7144)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\Steam
Operation: write
Name: InstallPath
Value: C:\Program Files (x86)\Steam

Process: SteamService.exe (PID: 7144)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\steam
Operation: write
Name: URL Protocol
Value:

Process: SteamService.exe (PID: 7144)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\steamlink
Operation: write
Name: URL Protocol
Value:

Process: SteamService.exe (PID: 7144)
Key: HKEY_CLASSES_ROOT\steam
Operation: write
Name: URL Protocol
Value:

Process: SteamService.exe (PID: 7144)
Key: HKEY_CLASSES_ROOT\steamlink
Operation: write
Name: URL Protocol
Value:

Executable files: 17
Suspicious files: 13
Text files: 36
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 6644 | Process: Steam Repack.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\start.bat
MD5: A7CAE975338CE6A10A52EFC4134F8393
SHA256: 4ACB1E333117D145E14E78D42A88FD2A1E9C676B20FAB074BEA7F1DDD37D17C0

PID: 6724 | Process: SteamSetup.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\nsh5B93.tmp\nsDialogs.dll
MD5: 4E5BC4458AFA770636F2806EE0A1E999
SHA256: 91A484DC79BE64DD11BF5ACB62C893E57505FCD8809483AA92B04F10D81F9DE0

PID: 6724 | Process: SteamSetup.exe | Type: text
Filename: C:\Program Files (x86)\Steam\public\steambootstrapper_finnish.txt
MD5: 9E62FC923C65BFC3F40AAF6EC4FD1010
SHA256: 8FF0F3CBDF28102FF037B9CDA90590E4B66E1E654B90F9AEA2CD5364494D02B7

PID: 6724 | Process: SteamSetup.exe | Type: image
Filename: C:\Users\admin\AppData\Local\Temp\nsh5B93.tmp\modern-wizard.bmp
MD5: 3614A4BE6B610F1DAF6C801574F161FE
SHA256: 16E0EDC9F47E6E95A9BCAD15ADBDC46BE774FBCD045DD526FC16FC38FDC8D49B

PID: 6724 | Process: SteamSetup.exe | Type: executable
Filename: C:\Program Files (x86)\Steam\Steam.exe
MD5: 33BCB1C8975A4063A134A72803E0CA16
SHA256: 12222B0908EB69581985F7E04AA6240E928FB08AA5A3EC36ACAE3440633C9EB1

PID: 6724 | Process: SteamSetup.exe | Type: text
Filename: C:\Program Files (x86)\Steam\public\steambootstrapper_brazilian.txt
MD5: 0340D1A0BBDB8F3017D2326F4E351E0A
SHA256: 0FCD7AE491B467858F2A8745C5ECDD55451399778C2119517EE686D1F264B544

PID: 6724 | Process: SteamSetup.exe | Type: text
Filename: C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt
MD5: DA6CD2483AD8A21E8356E63D036DF55B
SHA256: EBECECD3F691AC20E5B73E5C81861A01531203DF3CF2BAA9E1B6D004733A42A6

PID: 6724 | Process: SteamSetup.exe | Type: text
Filename: C:\Program Files (x86)\Steam\public\steambootstrapper_french.txt
MD5: 10C429EB58B4274AF6B6EF08F376D46C
SHA256: A1F6BA57EE41E009D904905C0CE5E75A59EE6790E08542561303109E1FAAFA13

PID: 6724 | Process: SteamSetup.exe | Type: text
Filename: C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt
MD5: 31A29061E51E245F74BB26D103C666AD
SHA256: 56C8A86FA95EAB0D8F34F498E079B5516B96D2A2F1AD9C2A888555E50E47F192

PID: 6724 | Process: SteamSetup.exe | Type: text
Filename: C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt
MD5: 4C81277A127E3D65FB5065F518FFE9C2
SHA256: 76A6BD74194EFD819D33802DECDFDDAAE893069D7000E44944DDA05022CFA6D9

HTTP(S) requests: 7
TCP/UDP connections: 34
DNS requests: 18
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5064
SearchApp.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6692
Steam.exe
GET
200
2.16.241.8:80
http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgREITtHE%2B2v4%2FuBsvX81ShSCA%3D%3D
unknown
whitelisted
6692
Steam.exe
GET
200
2.23.197.184:80
http://x1.c.lencr.org/
unknown
whitelisted
6380
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
2796
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2796
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections


DNS requests


Threats

No threats detected
No debug info