File name:

AutoHotkeyA32.exe

Full analysis: https://app.any.run/tasks/a1d255ed-6fb1-42be-9630-960c4eebbcb4
Verdict: Malicious activity
Analysis date: August 01, 2018, 02:34:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

E6AF3D7255C2E74B4A589E043BA1D75D

SHA1:

0D29322A2F1CC64D93F75B4096B75BA940AAC011

SHA256:

CF6FBFBF27512AB6ECBF6E2B0DFAEEFF96C8F90F844156A5621BF2B23838653E

SSDEEP:

12288:Xm5298dVppFQ2FeANfkMhvlYtM9uErbQR1GkuVt/+Pg9PHUK1D5YeBoNntihGCSx:Xm52QVRNfLlYtguEYeBoNtiTSYgg3nAN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Creates files in the program directory

      • Steam.exe (PID: 3016)

    • Executable content was dropped or overwritten

      • steamwebhelper.exe (PID: 1716)

    • Creates or modifies windows services

      • SteamService.exe (PID: 3264)

    • Application launched itself

      • steamwebhelper.exe (PID: 1716)

    • Creates files in the Windows directory

      • SteamService.exe (PID: 3264)

    • Removes files from Windows directory

      • SteamService.exe (PID: 3264)

    • Modifies the open verb of a shell class

      • SteamService.exe (PID: 3264)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1512)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1512)

    • Dropped object may contain URL's

      • steamwebhelper.exe (PID: 1716)
      • Steam.exe (PID: 3016)
      • SteamService.exe (PID: 3264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:04:07 04:36:31+02:00
PEType: PE32
LinkerVersion: 10
CodeSize: 656384
InitializedDataSize: 145408
UninitializedDataSize: -
EntryPoint: 0x92b1a
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.1.28.2
ProductVersionNumber: 1.1.28.2
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: AutoHotkey ANSI 32-bit
FileVersion: 1.1.28.02
InternalName: AutoHotkey
LegalCopyright: Copyright (C) 2003-2013
OriginalFileName: AutoHotkey.exe
ProductName: AutoHotkey
ProductVersion: 1.1.28.02

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 07-Apr-2018 02:36:31
Detected languages:
  • English - United States
FileDescription: AutoHotkey ANSI 32-bit
FileVersion: 1.1.28.02
InternalName: AutoHotkey
LegalCopyright: Copyright (C) 2003-2013
OriginalFilename: AutoHotkey.exe
ProductName: AutoHotkey
ProductVersion: 1.1.28.02

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 07-Apr-2018 02:36:31
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000A0211
0x000A0400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.639
.rdata
0x000A2000
0x000106C6
0x00010800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.46125
.data
0x000B3000
0x000099D8
0x00003400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.99457
.rsrc
0x000BD000
0x000095F8
0x00009600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.67075

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.33598
1159
UNKNOWN
English - United States
RT_MANIFEST
2
5.37027
9640
UNKNOWN
English - United States
RT_ICON
3
5.67639
1128
UNKNOWN
English - United States
RT_ICON
4
5.84157
1128
UNKNOWN
English - United States
RT_ICON
5
5.3349
1128
UNKNOWN
English - United States
RT_ICON
6
5.46964
1128
UNKNOWN
English - United States
RT_ICON
7
4.60719
4264
UNKNOWN
English - United States
RT_ICON
8
4.60406
9640
UNKNOWN
English - United States
RT_ICON
9
4.72735
1128
UNKNOWN
English - United States
RT_ICON
10
4.19142
744
UNKNOWN
English - United States
RT_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
USER32.dll
VERSION.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
11
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start autohotkeya32.exe no specs winword.exe no specs steam.exe steamwebhelper.exe steamservice.exe steamwebhelper.exe no specs steamwebhelper.exe no specs steamwebhelper.exe no specs steamwebhelper.exe no specs steamwebhelper.exe no specs gldriverquery.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
940"C:\Program Files\Steam\bin\cef\cef.win7\steamwebhelper.exe" --type=renderer --disable-features=AsyncWheelEvents,TouchpadAndWheelScrollLatching --disable-gpu-compositing --service-pipe-token=883838E07D42B7CC3CB68D24CBA69CAA --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --lang=en-US --log-file="C:\Program Files\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --webview-urls=http://localhost/*,http://steamloopback.host/*,https://steamloopback.host/*,https://localhost/* --disable-spell-checking --buildid=1528497815 --steamid=0 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=883838E07D42B7CC3CB68D24CBA69CAA --renderer-client-id=5 --mojo-platform-channel-handle=1656 /prefetch:1C:\Program Files\Steam\bin\cef\cef.win7\steamwebhelper.exesteamwebhelper.exe
User:
admin
Company:
Valve Corporation
Integrity Level:
LOW
Description:
Steam Client WebHelper
Exit code:
0
Version:
04.55.34.56
Modules
Images
c:\program files\steam\bin\cef\cef.win7\steamwebhelper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
1512"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\probablydev.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
1716"C:\Program Files\Steam\bin\cef\cef.win7\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\admin\AppData\Local\Steam\htmlcache" "-steampid=3016" "-buildid=1528497815" "-steamid=0" "-clientui=C:\Program Files\Steam\clientui" --disable-spell-checking --disable-out-of-process-pac --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-features=TouchpadAndWheelScrollLatching,AsyncWheelEvents --enable-media-stream --disable-smooth-scrolling --disable-gpu-compositing --disable-gpu --enable-direct-write "--log-file=C:\Program Files\Steam\logs\cef_log.txt"C:\Program Files\Steam\bin\cef\cef.win7\steamwebhelper.exe
Steam.exe
User:
admin
Company:
Valve Corporation
Integrity Level:
MEDIUM
Description:
Steam Client WebHelper
Exit code:
0
Version:
04.55.34.56
Modules
Images
c:\program files\steam\bin\cef\cef.win7\steamwebhelper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
1888"C:\Program Files\Steam\bin\cef\cef.win7\steamwebhelper.exe" --type=renderer --disable-features=AsyncWheelEvents,TouchpadAndWheelScrollLatching --disable-gpu-compositing --service-pipe-token=A97863497F1B4C00B3FB14C30FB33BC9 --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --lang=en-US --log-file="C:\Program Files\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --webview-urls=http://localhost/*,http://steamloopback.host/*,https://steamloopback.host/*,https://localhost/* --disable-spell-checking --buildid=1528497815 --steamid=0 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=A97863497F1B4C00B3FB14C30FB33BC9 --renderer-client-id=2 --mojo-platform-channel-handle=1284 /prefetch:1C:\Program Files\Steam\bin\cef\cef.win7\steamwebhelper.exesteamwebhelper.exe
User:
admin
Company:
Valve Corporation
Integrity Level:
LOW
Description:
Steam Client WebHelper
Exit code:
0
Version:
04.55.34.56
Modules
Images
c:\program files\steam\bin\cef\cef.win7\steamwebhelper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
2560"C:\Program Files\Steam\bin\cef\cef.win7\steamwebhelper.exe" --type=gpu-process --disable-features=AsyncWheelEvents,TouchpadAndWheelScrollLatching --log-file="C:\Program Files\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --webview-urls=http://localhost/*,http://steamloopback.host/*,https://steamloopback.host/*,https://localhost/* --lang=en-US --buildid=1528497815 --steamid=0 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --log-file="C:\Program Files\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --webview-urls=http://localhost/*,http://steamloopback.host/*,https://steamloopback.host/*,https://localhost/* --lang=en-US --buildid=1528497815 --steamid=0 --service-request-channel-token=B5A4DAD8DE8CCE3A4EFA8642AEE0B31D --mojo-platform-channel-handle=1292 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Steam\bin\cef\cef.win7\steamwebhelper.exesteamwebhelper.exe
User:
admin
Company:
Valve Corporation
Integrity Level:
LOW
Description:
Steam Client WebHelper
Exit code:
0
Version:
04.55.34.56
Modules
Images
c:\program files\steam\bin\cef\cef.win7\steamwebhelper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
2728.\bin\gldriverquery.exeC:\Program Files\Steam\bin\gldriverquery.exeSteam.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\program files\steam\bin\gldriverquery.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\steam\sdl2.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
2780"C:\Program Files\Steam\bin\cef\cef.win7\steamwebhelper.exe" --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\CEF\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\CEF\User Data" --url=http://crash.steampowered.com/submit --annotation=platform=win32 --annotation=product=cefwebhelper --annotation=version=1.0 --initial-client-data=0x14c,0x150,0x154,0x148,0x158,0x645a86f0,0x645a8700,0x645a870cC:\Program Files\Steam\bin\cef\cef.win7\steamwebhelper.exesteamwebhelper.exe
User:
admin
Company:
Valve Corporation
Integrity Level:
MEDIUM
Description:
Steam Client WebHelper
Exit code:
0
Version:
04.55.34.56
Modules
Images
c:\program files\steam\bin\cef\cef.win7\steamwebhelper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
3016"C:\Program Files\Steam\Steam.exe" C:\Program Files\Steam\Steam.exe
explorer.exe
User:
admin
Company:
Valve Corporation
Integrity Level:
MEDIUM
Description:
Steam Client Bootstrapper
Exit code:
0
Version:
04.55.34.56
Modules
Images
c:\program files\steam\steam.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3192"C:\Program Files\Steam\bin\cef\cef.win7\steamwebhelper.exe" --type=renderer --disable-features=AsyncWheelEvents,TouchpadAndWheelScrollLatching --disable-gpu-compositing --service-pipe-token=56358EDF5145325903FF398C2A79A45C --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --lang=en-US --log-file="C:\Program Files\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --webview-urls=http://localhost/*,http://steamloopback.host/*,https://steamloopback.host/*,https://localhost/* --disable-spell-checking --buildid=1528497815 --steamid=0 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=56358EDF5145325903FF398C2A79A45C --renderer-client-id=4 --mojo-platform-channel-handle=1644 /prefetch:1C:\Program Files\Steam\bin\cef\cef.win7\steamwebhelper.exesteamwebhelper.exe
User:
admin
Company:
Valve Corporation
Integrity Level:
LOW
Description:
Steam Client WebHelper
Exit code:
0
Version:
04.55.34.56
Modules
Images
c:\program files\steam\bin\cef\cef.win7\steamwebhelper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
3264"C:\Program Files\Common Files\Steam\SteamService.exe" /RunAsServiceC:\Program Files\Common Files\Steam\SteamService.exe
services.exe
User:
SYSTEM
Company:
Valve Corporation
Integrity Level:
SYSTEM
Description:
Steam Client Service
Exit code:
0
Version:
04.55.34.56
Modules
Images
c:\program files\common files\steam\steamservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events
821
Read events
714
Write events
96
Delete events
11

Modification events

(PID) Process:(1512) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:guo
Value:
67756F00E8050000010000000000000000000000
(PID) Process:(1512) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(1512) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(1512) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1291911190
(PID) Process:(1512) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1291911272
(PID) Process:(1512) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1291911273
(PID) Process:(1512) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:FontInfoCacheW
Value:
6000000060000000F5FFFFFF000000000000000000000000BC02000000000000004000225400610068006F006D006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005400610068006F006D00610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000D0000000B000000020000000200000000000000060000001A000000BC0200000000000060000000600000002000FDFF1F0020000000002700000000FF2E00E15B6000C0290000000000000001000000000028200700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005400610068006F006D00610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000D0000000B0000000200000002000000000000000500000017000000900100000000000060000000600000002000FDFF1F0020000000002700000000FF2E00E15B6000C02900000000000000010000000000282006000000F7FFFFFF0000000000000000000000009001000000000000004000225400610068006F006D006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005400610068006F006D00610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B000000090000000200000002000000000000000400000013000000900100000000000060000000600000002000FDFF1F0020000000002700000000FF2E00E15B6000C02900000000000000010000000000282005000000
(PID) Process:(1512) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
E80500009462E93F4029D40100000000
(PID) Process:(1512) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:bvo
Value:
62766F00E805000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(1512) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:bvo
Value:
62766F00E805000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
Executable files
1
Suspicious files
18
Text files
6
Unknown types
6

Dropped files

PID
Process
Filename
Type
1512WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRCD67.tmp.cvr
MD5:
SHA256:
1512WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6133A0D8-B6CC-427F-8C38-1CDE293DCBCF}.tmp
MD5:
SHA256:
1512WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4813CBEC-9125-4718-AA74-7B24FA2A7975}.tmp
MD5:
SHA256:
3016Steam.exeC:\Program Files\Steam\package\tenfoot_dicts_all.zip.33245b7d523f68418283e93b0572508fa127ee8f
MD5:
SHA256:
3016Steam.exeC:\Program Files\Steam\package\tenfoot_misc_all.zip.1ca83d76835b4613170f5cead778b176b11f2b0c
MD5:
SHA256:
3016Steam.exeC:\Program Files\Steam\package\tenfoot_fonts_all.zip.vz.7673e4cd32b6752bc621d8bc1a7118a9af19b64a_12077027
MD5:
SHA256:
3016Steam.exeC:\Program Files\Steam\package\tenfoot_ambientsounds_all.zip.89b80bcfdd11b2b99257ddbbdc374e2df54e2738
MD5:
SHA256:
3016Steam.exeC:\Users\admin\AppData\Local\Temp\Cab1EA4.tmp
MD5:
SHA256:
3016Steam.exeC:\Users\admin\AppData\Local\Temp\Tar1EA5.tmp
MD5:
SHA256:
1512WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\probablydev.LNKlnk
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28
TCP/UDP connections
110
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3016
Steam.exe
GET
302
162.254.197.14:80
http://client-download.steampowered.com/client/steam_client_win32
DE
whitelisted
3016
Steam.exe
GET
200
2.16.186.59:80
http://media4.steampowered.com/client/steam_client_win32?1532462426
unknown
text
8.13 Kb
whitelisted
3016
Steam.exe
GET
200
2.16.186.59:80
http://media4.steampowered.com/client/tenfoot_dicts_all.zip.33245b7d523f68418283e93b0572508fa127ee8f
unknown
binary
11.7 Mb
whitelisted
3016
Steam.exe
GET
200
2.16.186.59:80
http://media4.steampowered.com/client/tenfoot_ambientsounds_all.zip.89b80bcfdd11b2b99257ddbbdc374e2df54e2738
unknown
ini
7.60 Mb
whitelisted
3016
Steam.exe
GET
200
2.16.186.59:80
http://media4.steampowered.com/client/tenfoot_images_all.zip.vz.8ab2c10a202a129283ce713602e1025367c7875e_31197583
unknown
binary
29.7 Mb
whitelisted
3016
Steam.exe
GET
200
2.16.186.59:80
http://media4.steampowered.com/client/tenfoot_misc_all.zip.1ca83d76835b4613170f5cead778b176b11f2b0c
unknown
binary
12.5 Mb
whitelisted
3016
Steam.exe
GET
200
2.16.186.59:80
http://media4.steampowered.com/client/friendsui_all.zip.vz.766ef9a5404edcbd07eab237057dbbbf31236288_2328292
unknown
binary
2.22 Mb
whitelisted
3016
Steam.exe
GET
200
2.16.186.59:80
http://media4.steampowered.com/client/tenfoot_all.zip.vz.099b3e094c4b54b30fee20e76c0d3d511d559c76_2547889
unknown
binary
2.43 Mb
whitelisted
3016
Steam.exe
GET
200
2.16.186.59:80
http://media4.steampowered.com/client/strings_all.zip.vz.e0f5573839697e1ead61fa3dcf8ed533d4ffc262_2254570
unknown
binary
2.15 Mb
whitelisted
3016
Steam.exe
GET
200
2.16.186.59:80
http://media4.steampowered.com/client/tenfoot_fonts_all.zip.vz.7673e4cd32b6752bc621d8bc1a7118a9af19b64a_12077027
unknown
binary
11.5 Mb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
155.133.248.50:27018
Valve Corporation
NL
unknown
3016
Steam.exe
162.254.197.14:80
client-download.steampowered.com
Valve Corporation
DE
suspicious
3016
Steam.exe
2.16.186.59:80
media4.steampowered.com
Akamai International B.V.
whitelisted
3264
SteamService.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3016
Steam.exe
216.58.215.238:443
redirector.gvt1.com
Google Inc.
US
whitelisted
3016
Steam.exe
216.58.215.238:80
redirector.gvt1.com
Google Inc.
US
whitelisted
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
104.111.244.180:443
api.steampowered.com
Akamai International B.V.
NL
whitelisted
155.133.248.52:27018
Valve Corporation
NL
unknown
155.133.248.50:27017
Valve Corporation
NL
unknown

DNS requests

Domain
IP
Reputation
client-download.steampowered.com
  • 162.254.197.14
  • 162.254.197.16
  • 162.254.197.18
  • 162.254.197.21
  • 162.254.197.15
  • 162.254.197.110
  • 162.254.197.17
  • 162.254.197.19
whitelisted
media4.steampowered.com
  • 2.16.186.59
  • 2.16.186.64
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
redirector.gvt1.com
  • 216.58.215.238
whitelisted
ocsp.pki.goog
  • 216.58.215.238
whitelisted
r2---sn-5hne6nsd.gvt1.com
  • 172.217.132.7
whitelisted
api.steampowered.com
  • 104.111.244.180
suspicious

Threats

No threats detected
Process
Message
steamwebhelper.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\CEF\User Data directory exists )
steamwebhelper.exe
[0801/033516.811:INFO:crash_reporting.cc(215)] Crash reporting enabled for process: browser
steamwebhelper.exe
[0801/033516.889:ERROR:gpu_process_transport_factory.cc(1029)] Lost UI shared context.
Steam.exe
CAppInfoCacheReadFromDiskThread took 0 milliseconds to initialize
Steam.exe
CApplicationManagerPopulateThread took 2 milliseconds to initialize (will have waited on CAppInfoCacheReadFromDiskThread)
Steam.exe
CHTTPRequestCache took 125 milliseconds to initialize
steamwebhelper.exe
Found unsupported CDM version 1.4.9.1088, using last known good version 1.4.8.1008
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
AutoHotkeyA32.exe