Malware analysis SteamSetup.exe Malicious activity | ANY.RUN

Add for printing

download:	SteamSetup.exe
Full analysis:	https://app.any.run/tasks/08ec9de1-4407-4e83-b3da-0df78e800949
Verdict:	Malicious activity
Analysis date:	November 08, 2019, 16:28:49
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:	81448C2E730B50B597BBD5E43007CE6A
SHA1:	4B1B85EC2499A4CE07C89609B256923A4FC479E5
SHA256:	3BC6942FE09F10ED3447BCCDCF4A70ED369366FEF6B2C7F43B541F1A3C5D1C51
SSDEEP:	24576:QDliBd5TyliR0gWwOvTCU1z3zk51iq449nkU0/1COmcrOqpXzzE2YeshfLKB7:QD8tylwXoTCWi1iq1nkU09lRENhJLKB7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Loads dropped or rewritten executable
  - SteamSetup.exe (PID: 784)
- Changes the autorun value in the registry
  - SteamSetup.exe (PID: 784)
- Application was dropped or rewritten from another process
  - steamservice.exe (PID: 2872)
  - nsF54A.tmp (PID: 1596)
  - steam.exe (PID: 3604)
SUSPICIOUS
- Starts application with an unusual extension
  - SteamSetup.exe (PID: 784)
- Creates files in the program directory
  - SteamSetup.exe (PID: 784)
  - steam.exe (PID: 3604)
- Executable content was dropped or overwritten
  - SteamSetup.exe (PID: 784)
  - steamservice.exe (PID: 2872)
- Creates a software uninstall entry
  - SteamSetup.exe (PID: 784)
- Modifies the open verb of a shell class
  - steamservice.exe (PID: 2872)
INFO
- Manual execution by user
  - steam.exe (PID: 3604)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductName:	Steam
LegalCopyright:	© Valve Corporation
FileVersion:	2.10.91.91
FileDescription:	Steam
CharacterSet:	Windows, Cyrillic
LanguageCode:	Bulgarian
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x0000
ProductVersionNumber:	2.10.91.91
FileVersionNumber:	2.10.91.91
Subsystem:	Windows GUI
SubsystemVersion:	4
ImageVersion:	6
OSVersion:	4
EntryPoint:	0x33b6
UninitializedDataSize:	2048
InitializedDataSize:	141824
CodeSize:	25088
LinkerVersion:	6
PEType:	PE32
TimeStamp:	2016:07:25 02:55:51+02:00
MachineType:	Intel 386 or later, and compatibles

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	25-Jul-2016 00:55:51
Detected languages:	Bulgarian - Bulgaria Chinese - PRC Chinese - Taiwan Czech - Czech Republic Danish - Denmark Dutch - Netherlands English - United States Finnish - Finland French - France German - Germany Greek - Greece Hungarian - Hungary Italian - Italy Japanese - Japan Korean - Korea Norwegian - Norway (Bokmal) Polish - Poland Portuguese - Brazil Portuguese - Portugal Romanian - Romania Russian - Russia Spanish - Spain (Traditional sort) Swedish - Sweden Thai - Thailand Turkish - Turkey Ukrainian - Ukraine
FileDescription:	Steam
FileVersion:	2.10.91.91
LegalCopyright:	© Valve Corporation
ProductName:	Steam

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x000000C8

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	5
Time date stamp:	25-Jul-2016 00:55:51
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LINE_NUMS_STRIPPED IMAGE_FILE_LOCAL_SYMS_STRIPPED IMAGE_FILE_RELOCS_STRIPPED

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x0000615D	0x00006200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.45023
.rdata	0x00008000	0x000013A4	0x00001400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.163
.data	0x0000A000	0x00020338	0x00000600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	3.9824
.ndata	0x0002B000	0x00036000	0x00000000	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0
.rsrc	0x00061000	0x00012868	0x00012A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	6.2422

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.28717	1069	UNKNOWN	English - United States	RT_MANIFEST
2	5.48879	9640	UNKNOWN	English - United States	RT_ICON
3	4.72962	7336	UNKNOWN	English - United States	RT_ICON
4	5.942	4264	UNKNOWN	English - United States	RT_ICON
5	4.91233	3240	UNKNOWN	English - United States	RT_ICON
6	4.19177	1384	UNKNOWN	English - United States	RT_ICON
7	5.69139	1128	UNKNOWN	English - United States	RT_ICON
8	5.71619	872	UNKNOWN	English - United States	RT_ICON
9	2.35861	176	UNKNOWN	English - United States	RT_ICON
103	2.77822	132	UNKNOWN	English - United States	RT_GROUP_ICON

Imports


ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2828	"C:\Users\admin\AppData\Local\Temp\SteamSetup.exe"	C:\Users\admin\AppData\Local\Temp\SteamSetup.exe	—	explorer.exe
User: admin Integrity Level: MEDIUM Description: Steam Exit code: 3221226540 Version: 2.10.91.91
784	"C:\Users\admin\AppData\Local\Temp\SteamSetup.exe"	C:\Users\admin\AppData\Local\Temp\SteamSetup.exe		explorer.exe
User: admin Integrity Level: HIGH Description: Steam Exit code: 0 Version: 2.10.91.91
1596	"C:\Users\admin\AppData\Local\Temp\nswAFF3.tmp\nsF54A.tmp" "C:\Program Files\Steam\bin\steamservice.exe" /Install	C:\Users\admin\AppData\Local\Temp\nswAFF3.tmp\nsF54A.tmp	—	SteamSetup.exe
User: admin Integrity Level: HIGH Exit code: 0
2872	"C:\Program Files\Steam\bin\steamservice.exe" /Install	C:\Program Files\Steam\bin\steamservice.exe		nsF54A.tmp
User: admin Company: Valve Corporation Integrity Level: HIGH Description: Steam Client Service Exit code: 0 Version: 04.52.21.91
3604	"C:\Program Files\Steam\steam.exe"	C:\Program Files\Steam\steam.exe		explorer.exe
User: admin Company: Valve Corporation Integrity Level: MEDIUM Description: Steam Client Bootstrapper Version: 04.52.21.91

Add for printing

Total events

394

Read events

363

Write events

Delete events

Modification events


(PID) Process:	(784) SteamSetup.exe	Key:	HKEY_CURRENT_USER\Software\Valve\Steam
Operation:	write	Name:	Language
Value: english
(PID) Process:	(784) SteamSetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Valve\Steam
Operation:	write	Name:	Language
Value: english
(PID) Process:	(784) SteamSetup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Steam
Value: "C:\Program Files\Steam\steam.exe" -silent
(PID) Process:	(784) SteamSetup.exe	Key:	HKEY_CURRENT_USER\Software\Valve\Steam
Operation:	write	Name:	SteamInstaller
Value: SteamSetup.exe
(PID) Process:	(2872) steamservice.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\Steam Client Service
Operation:	write	Name:	EventMessageFile
Value: C:\Program Files\Steam\bin\steamservice.exe
(PID) Process:	(2872) steamservice.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\Steam Client Service
Operation:	write	Name:	TypesSupported
Value: 7
(PID) Process:	(2872) steamservice.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Valve\Steam
Operation:	write	Name:	InstallPath
Value: C:\Program Files\Steam
(PID) Process:	(2872) steamservice.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\steam
Operation:	write	Name:
Value: URL:steam protocol
(PID) Process:	(2872) steamservice.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\steam
Operation:	write	Name:	URL Protocol
Value:
(PID) Process:	(2872) steamservice.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\steam\DefaultIcon
Operation:	write	Name:
Value: steam.exe

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
784	SteamSetup.exe	C:\Program Files\Steam\Steam.exe		executable
		MD5:565D90CDC73F2CBC03D5C184C70FC524	SHA256:70BDE9E88AA386AA5139CAC0C8A78B5576F1BED9E5F719C4E620D5C0CF7D5CBF
784	SteamSetup.exe	C:\Program Files\Steam\public\steambootstrapper_japanese.txt		text
		MD5:9C00F0CF5F52C9B6E1288ABED68219B2	SHA256:3E3CD5B49164D7FBFB16E1B0896955F2A8C50E1B1A0264F5B542DF5BE60D22ED
784	SteamSetup.exe	C:\Users\admin\AppData\Local\Temp\nswAFF3.tmp\nsProcess.dll		executable
		MD5:F0438A894F3A7E01A4AAE8D1B5DD0289	SHA256:30C6C3DD3CC7FCEA6E6081CE821ADC7B2888542DAE30BF00E881C0A105EB4D11
784	SteamSetup.exe	C:\Users\admin\AppData\Local\Temp\nswAFF3.tmp\nsDialogs.dll		executable
		MD5:0D45588070CF728359055F776AF16EC4	SHA256:067C77D51DF034B4A614F83803140FBF4CD2F8684B88EA8C8ACDF163EDAD085A
784	SteamSetup.exe	C:\Users\admin\AppData\Local\Temp\nswAFF3.tmp\System.dll		executable
		MD5:A4DD044BCD94E9B3370CCF095B31F896	SHA256:2E226715419A5882E2E14278940EE8EF0AA648A3EF7AF5B3DC252674111962BC
784	SteamSetup.exe	C:\Users\admin\AppData\Local\Temp\nswAFF3.tmp\modern-header.bmp		image
		MD5:DA3486D12BB4C8AEC16BD9E0D363D23F	SHA256:D93B76D51BD2214FA6E999C1BF70B4AFF5165A6542F9B9B2A92B5672601F4624
784	SteamSetup.exe	C:\Program Files\Steam\public\steambootstrapper_czech.txt		text
		MD5:B02DDD5E3B43E43EE9E51E13968B7A21	SHA256:81A445A3CEB495564829CC7B0280FA993974B33476B85EDCDF87F738CA82705B
784	SteamSetup.exe	C:\Program Files\Steam\public\steambootstrapper_english.txt		text
		MD5:6DF4E3EBC6D7C96FE41C4C5213F17EFA	SHA256:6387F9AFF0226A5226D5D4F0FBE77AC80797CA621F0892034F38F0BF2370E4E1
784	SteamSetup.exe	C:\Program Files\Steam\bin\SteamService.exe		executable
		MD5:3E654318B9C1203BEB7F4AEFB2F6D839	SHA256:2CDB8A21456DF3DBC46C23460BE079BF285B1352BD6B131F572D4CB52BACF252
784	SteamSetup.exe	C:\Program Files\Steam\public\steambootstrapper_brazilian.txt		text
		MD5:0FAD7D2F29C625003FF68E645593F27E	SHA256:E4149F2D2E2FE362241717E161838E6177A1CCC522E1B95746FBD7D05BB0749F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3604	steam.exe	GET	—	2.16.186.59:80	http://media4.steampowered.com/client/tenfoot_dicts_all.zip.33245b7d523f68418283e93b0572508fa127ee8f	unknown	—	—	whitelisted
3604	steam.exe	GET	302	155.133.250.108:80	http://client-download.steampowered.com/client/steam_client_win32	PE	—	—	whitelisted
3604	steam.exe	GET	—	2.16.186.59:80	http://media4.steampowered.com/client/tenfoot_ambientsounds_all.zip.89b80bcfdd11b2b99257ddbbdc374e2df54e2738	unknown	—	—	whitelisted
3604	steam.exe	GET	200	2.16.186.59:80	http://media4.steampowered.com/client/tenfoot_fonts_all.zip.vz.7673e4cd32b6752bc621d8bc1a7118a9af19b64a_12077027	unknown	binary	11.5 Mb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3604	steam.exe	155.133.250.108:80	client-download.steampowered.com	—	PE	suspicious
3604	steam.exe	2.16.186.59:80	media4.steampowered.com	Akamai International B.V.	—	whitelisted

DNS requests

Domain	IP	Reputation
client-download.steampowered.com	155.133.250.108 155.133.250.76 155.133.250.107 155.133.250.75	whitelisted
media4.steampowered.com	2.16.186.59	whitelisted

Threats

PID	Process	Class	Message
3604	steam.exe	Potential Corporate Privacy Violation	ET USER_AGENTS Steam HTTP Client User-Agent

Add for printing

No debug info

General Info

SteamSetup.exe

81448C2E730B50B597BBD5E43007CE6A

4B1B85EC2499A4CE07C89609B256923A4FC479E5

3BC6942FE09F10ED3447BCCDCF4A70ED369366FEF6B2C7F43B541F1A3C5D1C51

24576:QDliBd5TyliR0gWwOvTCU1z3zk51iq449nkU0/1COmcrOqpXzzE2YeshfLKB7:QD8tylwXoTCWi1iq1nkU09lRENhJLKB7

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Changes the autorun value in the registry

Application was dropped or rewritten from another process

SUSPICIOUS

Starts application with an unusual extension

Creates files in the program directory

Executable content was dropped or overwritten

Creates a software uninstall entry

Modifies the open verb of a shell class

INFO

Manual execution by user

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings