File name: Steam Repack.exe

Full analysis: https://app.any.run/tasks/da8e0a51-bb18-4007-9cf8-25f1ef27da02
Verdict: Malicious activity
Analysis date: February 08, 2025, 18:37:46
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: github, arch-exec, discord

Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 5 sections
MD5: DE576F19151EC19B030A1A0D189EBFA8
SHA1: 3FE3AE5E4E6DD4E6CC14F7F6BD9FBFC9359E9FB0
SHA256: 98B4CBA6F134001EC7933AB5C394EA6C6ABA76638C99E99FDDDF48E0228EC7FF
SSDEEP: 98304:4UIjaSJAtq39gRAEAHjAktHQb1cVVfvY15j4/FieNPRfS4utGrv33/H6mRwLBdNI:IqloYq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • SteamSetup.exe (PID: 6820)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7996)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Steam Repack.exe (PID: 6400)
      • Steam Repack.exe (PID: 6648)
      • SWASetup.exe (PID: 3092)
      • SWA V2.exe (PID: 5748)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7712)
      • SWA V2.exe (PID: 6636)
    • Reads the date of Windows installation

      • Steam Repack.exe (PID: 6400)
      • Steam Repack.exe (PID: 6648)
      • SWASetup.exe (PID: 3092)
    • Executable content was dropped or overwritten

      • Steam Repack.exe (PID: 6648)
      • SteamSetup.exe (PID: 6820)
      • SteamService.exe (PID: 7144)
      • SWASetup.exe (PID: 3092)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7688)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7712)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7996)
    • Starts CMD.EXE for command execution

      • Steam Repack.exe (PID: 6648)
    • Executing commands from a ".bat" file

      • Steam Repack.exe (PID: 6648)
    • The executable file from the user directory is run by the CMD process

      • SteamSetup.exe (PID: 6820)
      • SWASetup.exe (PID: 3092)
    • The process creates files with name similar to system file names

      • SteamSetup.exe (PID: 6820)
      • msiexec.exe (PID: 8124)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • SteamSetup.exe (PID: 6820)
    • There is functionality for taking screenshot (YARA)

      • Steam Repack.exe (PID: 6400)
    • Creates a software uninstall entry

      • SteamSetup.exe (PID: 6820)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7996)
    • Process drops legitimate windows executable

      • SWASetup.exe (PID: 3092)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7688)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7712)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7996)
      • msiexec.exe (PID: 8124)
    • Starts a Microsoft application from unusual location

      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7712)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7996)
    • Searches for installed software

      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7712)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7996)
    • Starts itself from another location

      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7712)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 8124)
    • Application launched itself

      • Steam Repack.exe (PID: 6400)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 8124)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 8124)
  • INFO

    • Reads the computer name

      • Steam Repack.exe (PID: 6400)
      • Steam Repack.exe (PID: 6648)
      • SteamService.exe (PID: 7144)
      • SWASetup.exe (PID: 3092)
      • SteamSetup.exe (PID: 6820)
      • SWA V2.exe (PID: 5748)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7712)
      • identity_helper.exe (PID: 7008)
      • msiexec.exe (PID: 8124)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7996)
      • msiexec.exe (PID: 7256)
      • msiexec.exe (PID: 7344)
      • SWA V2.exe (PID: 6636)
      • msiexec.exe (PID: 7516)
      • msiexec.exe (PID: 7392)
    • Checks supported languages

      • Steam Repack.exe (PID: 6648)
      • Steam Repack.exe (PID: 6400)
      • SteamSetup.exe (PID: 6820)
      • SteamService.exe (PID: 7144)
      • SWASetup.exe (PID: 3092)
      • SWA V2.exe (PID: 5748)
      • identity_helper.exe (PID: 7008)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7712)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7688)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7996)
      • msiexec.exe (PID: 8124)
      • msiexec.exe (PID: 7392)
      • msiexec.exe (PID: 7344)
      • msiexec.exe (PID: 7256)
      • msiexec.exe (PID: 7516)
      • SWA V2.exe (PID: 6636)
    • The sample compiled with Bulgarian language support

      • Steam Repack.exe (PID: 6648)
      • SteamSetup.exe (PID: 6820)
    • Creates files in a temporary directory

      • Steam Repack.exe (PID: 6648)
      • SteamSetup.exe (PID: 6820)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7688)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7712)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7996)
    • Process checks computer location settings

      • Steam Repack.exe (PID: 6648)
      • SWASetup.exe (PID: 3092)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7712)
      • Steam Repack.exe (PID: 6400)
      • SWA V2.exe (PID: 6636)
    • Creates files in the program directory

      • SteamSetup.exe (PID: 6820)
      • SteamService.exe (PID: 7144)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7996)
      • SWA V2.exe (PID: 6636)
    • The sample compiled with English language support

      • SteamService.exe (PID: 7144)
      • SteamSetup.exe (PID: 6820)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7688)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7712)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7996)
      • msiexec.exe (PID: 8124)
    • Disables trace logs

      • SWASetup.exe (PID: 3092)
    • Checks proxy server information

      • SWASetup.exe (PID: 3092)
      • SWA V2.exe (PID: 6636)
    • Reads the machine GUID from the registry

      • SWASetup.exe (PID: 3092)
      • windowsdesktop-runtime-8.0.12-win-x64.exe (PID: 7996)
      • msiexec.exe (PID: 8124)
    • Manual execution by a user

      • msedge.exe (PID: 7040)
      • SWA V2.exe (PID: 6636)
    • Application launched itself

      • msedge.exe (PID: 5540)
      • msedge.exe (PID: 7040)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 7040)
      • msiexec.exe (PID: 8124)
    • Reads Environment values

      • identity_helper.exe (PID: 7008)
      • SWASetup.exe (PID: 3092)
    • Reads the software policy settings

      • SWASetup.exe (PID: 3092)
      • msiexec.exe (PID: 8124)
      • SWA V2.exe (PID: 6636)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 8124)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win16/32 Executable Delphi generic (34.1)
.exe | Generic Win/DOS Executable (32.9)
.exe | DOS Executable Generic (32.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2016:04:02 22:16:33+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 8
CodeSize: 146944
InitializedDataSize: 59392
UninitializedDataSize: -
EntryPoint: 0x242ac
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 2.10.91.91
ProductVersionNumber: 2.10.91.91
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
LegalCopyright: © Valve Corporation
FileVersion: 2.10.91.91
ProductName: Steam
ProductVersion: 2.10.91.91
FileDescription: Steam
Created: 7z SFX Constructor 4.6 | Repack by hydraponique
Builder: Sirenity 21:36:49 08/02/2025
All screenshots are available in the full report
Total processes: 204
Monitored processes: 68
Malicious processes: 7
Suspicious processes: 3

Behavior graph

(Interactive graph available in the full report. Process names as they appear in the graph, in order of first appearance: steam repack.exe, cmd.exe, conhost.exe, steamsetup.exe, steamservice.exe, swasetup.exe, swa v2.exe, msedge.exe (many child processes), identity_helper.exe, windowsdesktop-runtime-8.0.12-win-x64.exe, msiexec.exe.)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 2136
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5840 --field-trial-handle=2112,i,191171664074622523,7202457189896740406,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2600
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=6288 --field-trial-handle=2112,i,191171664074622523,7202457189896740406,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2612
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6436 --field-trial-handle=2112,i,191171664074622523,7202457189896740406,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2796
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5832 --field-trial-handle=2112,i,191171664074622523,7202457189896740406,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3092
CMD: SWASetup.exe
Path: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\SWASetup.exe
Parent process: cmd.exe
User:
admin
Company:
SWASetup
Integrity Level:
HIGH
Description:
SWASetup
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\7zipsfx.000\swasetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3688
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x298,0x29c,0x2a0,0x290,0x28c,0x7ff821195fd8,0x7ff821195fe4,0x7ff821195ff0
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3952
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x310,0x314,0x318,0x308,0x320,0x7ff821195fd8,0x7ff821195fe4,0x7ff821195ff0
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 4044
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5376 --field-trial-handle=2112,i,191171664074622523,7202457189896740406,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4320
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4128 --field-trial-handle=2112,i,191171664074622523,7202457189896740406,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4932
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2368 --field-trial-handle=2112,i,191171664074622523,7202457189896740406,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 24 662
Read events: 23 670
Write events: 945
Delete events: 47

Modification events

Process: (6820) SteamSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Steam
Value: "C:\Program Files (x86)\Steam\steam.exe" -silent

Process: (6820) SteamSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Valve\Steam
Operation: write
Name: SteamInstaller
Value: SteamSetup.exe

Process: (6820) SteamSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Valve\Steam
Operation: write
Name: Language
Value: english

Process: (6820) SteamSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\Steam
Operation: write
Name: Language
Value: english

Process: (7144) SteamService.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\SteamService
Operation: write
Name: installpath_default
Value: C:\Program Files (x86)\Steam

Process: (7144) SteamService.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\Steam
Operation: write
Name: InstallPath
Value: C:\Program Files (x86)\Steam

Process: (6820) SteamSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\Steam\NSIS
Operation: write
Name: Path
Value: C:\Program Files (x86)\Steam

Process: (6820) SteamSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\Steam
Operation: write
Name: InstallPath
Value: C:\Program Files (x86)\Steam

Process: (6820) SteamSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\SteamService
Operation: write
Name: installpath_default
Value: C:\Program Files (x86)\Steam

Process: (7144) SteamService.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\steam
Operation: write
Name: URL Protocol
Value: (empty in the report)
Executable files: 511
Suspicious files: 492
Text files: 97
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6648 | Steam Repack.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\SteamSetup.exe | executable
MD5: 1B54B70BEEF8EB240DB31718E8F7EB5D
SHA256: 7D3654531C32D941B8CAE81C4137FC542172BFA9635F169CB392F245A0A12BCB

6648 | Steam Repack.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\start.bat | text
MD5: 6C4BFDADA84DAC4E9D895D6D7AEFFC35
SHA256: 2B67E951C1D2FEDCE8B587769E283D6BA633345099B96B78C1DF0F2A27802E75

6648 | Steam Repack.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\SWASetup.exe | executable
MD5: 6D2E8CFDCE9B86E182F93F221C0D4DD8
SHA256: 73CC59A0BEF20C30D7E0ACE4526A417273754298BA8B78959BB60055F9D72598

6820 | SteamSetup.exe | C:\Users\admin\AppData\Local\Temp\nsa6566.tmp\modern-wizard.bmp | image
MD5: 3614A4BE6B610F1DAF6C801574F161FE
SHA256: 16E0EDC9F47E6E95A9BCAD15ADBDC46BE774FBCD045DD526FC16FC38FDC8D49B

6820 | SteamSetup.exe | C:\Users\admin\AppData\Local\Temp\nsa6566.tmp\nsDialogs.dll | executable
MD5: 4E5BC4458AFA770636F2806EE0A1E999
SHA256: 91A484DC79BE64DD11BF5ACB62C893E57505FCD8809483AA92B04F10D81F9DE0

6820 | SteamSetup.exe | C:\Program Files (x86)\Steam\bin\SteamService.exe | executable
MD5: BA0EA9249DA4AB8F62432617489AE5A6
SHA256: CE177DC8CF42513FF819C7B8597C7BE290F9E98632A34ECD868DC76003421F0D

6820 | SteamSetup.exe | C:\Users\admin\AppData\Local\Temp\nsa6566.tmp\System.dll | executable
MD5: A36FBE922FFAC9CD85A845D7A813F391
SHA256: FA367AE36BFBE7C989C24C7ABBB13482FC20BC35E7812DC377AA1C281EE14CC0

6820 | SteamSetup.exe | C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt | text
MD5: 2158881817B9163BF0FD4724D549AED4
SHA256: 650A265DFFDC5DC50200BB82D56F416A3A423EECC08C962CFD1BA2D40A1FF3F7

6820 | SteamSetup.exe | C:\Program Files (x86)\Steam\Steam.exe | executable
MD5: 33BCB1C8975A4063A134A72803E0CA16
SHA256: 12222B0908EB69581985F7E04AA6240E928FB08AA5A3EC36ACAE3440633C9EB1

6820 | SteamSetup.exe | C:\Users\admin\AppData\Local\Temp\nsa6566.tmp\modern-header.bmp | image
MD5: DA3486D12BB4C8AEC16BD9E0D363D23F
SHA256: D93B76D51BD2214FA6E999C1BF70B4AFF5165A6542F9B9B2A92B5672601F4624
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 19
TCP/UDP connections: 85
DNS requests: 84
Threats: 13

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(The Type and Size columns are empty for every row in the report.)

1176 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6216 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
3664 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
3664 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7040 | msedge.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7040 | msedge.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | unknown | whitelisted
7636 | svchost.exe | HEAD | 200 | 199.232.214.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/68591036-2289-4858-9f7f-9149e89c8a08?P1=1739537046&P2=404&P3=2&P4=KwWyZGkOEd8DlbfBUJl%2bArpBfN1NSxAw2pcCMwhjs%2fmhSZKb8Hm0M3r25cwa9VensyBUozAXKZT1rjSGEpOT7g%3d%3d | unknown | whitelisted
7636 | svchost.exe | GET | 206 | 199.232.214.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/68591036-2289-4858-9f7f-9149e89c8a08?P1=1739537046&P2=404&P3=2&P4=KwWyZGkOEd8DlbfBUJl%2bArpBfN1NSxAw2pcCMwhjs%2fmhSZKb8Hm0M3r25cwa9VensyBUozAXKZT1rjSGEpOT7g%3d%3d | unknown | whitelisted
7636 | svchost.exe | GET | 206 | 199.232.214.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/68591036-2289-4858-9f7f-9149e89c8a08?P1=1739537046&P2=404&P3=2&P4=KwWyZGkOEd8DlbfBUJl%2bArpBfN1NSxAw2pcCMwhjs%2fmhSZKb8Hm0M3r25cwa9VensyBUozAXKZT1rjSGEpOT7g%3d%3d | unknown | whitelisted
7636 | svchost.exe | GET | 206 | 199.232.214.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/68591036-2289-4858-9f7f-9149e89c8a08?P1=1739537046&P2=404&P3=2&P4=KwWyZGkOEd8DlbfBUJl%2bArpBfN1NSxAw2pcCMwhjs%2fmhSZKb8Hm0M3r25cwa9VensyBUozAXKZT1rjSGEpOT7g%3d%3d | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
("-" marks a cell left empty in the report.)

4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1176 | svchost.exe | 40.126.32.138:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1176 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
1076 | svchost.exe | 23.35.238.131:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3092 | SWASetup.exe | 140.82.121.4:443 | github.com | GITHUB | US | whitelisted
3092 | SWASetup.exe | 185.199.110.133:443 | raw.githubusercontent.com | FASTLY | US | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation

login.live.com | 40.126.32.138, 20.190.160.132, 40.126.32.134, 20.190.160.128, 20.190.160.130, 20.190.160.4, 20.190.160.131, 40.126.32.68 | whitelisted
go.microsoft.com | 23.35.238.131, 184.28.89.167 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158, 51.104.136.2 | whitelisted
github.com | 140.82.121.4 | whitelisted
raw.githubusercontent.com | 185.199.110.133, 185.199.111.133, 185.199.109.133, 185.199.108.133 | whitelisted
arc.msn.com | 20.74.47.205 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
fd.api.iris.microsoft.com | 20.74.47.205 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted

Threats

PID | Process | Class | Message

2192 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
4932 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
4932 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
4932 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
4932 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
4932 | msedge.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
4932 | msedge.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
4932 | msedge.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
4932 | msedge.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
4932 | msedge.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)

Process | Message

SWA V2.exe | You must install .NET to run this application. App: C:\GFK\SWAv2\SWA V2.exe Architecture: x64 App host version: 8.0.11 .NET location: Not found Learn more: https://aka.ms/dotnet/app-launch-failed Download the .NET runtime: https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win-x64&os=win10&apphost_version=8.0.11