| File name: | SteamActivation.exe |
| Full analysis: | https://app.any.run/tasks/bd0beb93-7f82-4a7e-9142-4fbbad4f1855 |
| Verdict: | Malicious activity |
| Analysis date: | June 07, 2025, 17:34:45 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections |
| MD5: | AD11E1694B6FE39446A4143EC3253A27 |
| SHA1: | D936466AE48A6CD91FD21C1CA17391EDEDA9DA83 |
| SHA256: | ECB0119A3D62BEB05B60DDC29E4788140026B93D5B8E1546116A93CBE857BD10 |
| SSDEEP: | 98304:lvPNWpslebEK9cNrZ7+/VFhI5YPES4XqyFex5z3688zzVCTHJMNHkTVUiVLdREBX:dL6FxVquTjO8uNG4 |
MALICIOUS
Executing a file with an untrusted certificate
- SteamActivation.exe (PID: 1052)
SUSPICIOUS
Executable content was dropped or overwritten
- SteamActivation.exe (PID: 1052)
Reads the Windows owner or organization settings
- SteamActivation.exe (PID: 1052)
INFO
Reads the computer name
- SteamActivation.exe (PID: 1052)
Creates files or folders in the user directory
- SteamActivation.exe (PID: 1052)
Checks supported languages
- SteamActivation.exe (PID: 1052)
Reads Environment values
- SteamActivation.exe (PID: 1052)
Create files in a temporary directory
- SteamActivation.exe (PID: 1052)
Checks proxy server information
- slui.exe (PID: 3828)
Reads the software policy settings
- slui.exe (PID: 3828)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic Win/DOS Executable (50) |
|---|---|---|
| .exe | | | DOS Executable Generic (49.9) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2008:11:01 23:19:44+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 6909952 |
| InitializedDataSize: | 3592192 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x64fa10 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
123
Monitored processes
2
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1052 | "C:\Users\admin\Desktop\SteamActivation.exe" | C:\Users\admin\Desktop\SteamActivation.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
| 3828 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
3 697
Read events
3 689
Write events
8
Delete events
0
Modification events
| (PID) Process: | (1052) SteamActivation.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\SecuROM\UserData |
| Operation: | write | Name: | securom_v7_01.tmp |
Value: 0F40618E4986F6DF6443CC73A9B4017D | |||
| (PID) Process: | (1052) SteamActivation.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\SecuROM\UserData |
| Operation: | write | Name: | securom_v7_01.dat |
Value: 0F40618E4986F6DF6443CC73A9B4017D | |||
| (PID) Process: | (1052) SteamActivation.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\SecuROM\License information |
| Operation: | write | Name: | datasecu |
Value: 0E2FB2E9D5D4772BD53B5476EB910898BF53E0CEAEED86678849CCB9D0107CD1D2CF69232653776683B1E847072350A97725EF62E4D16CB7B65AD5DE088243C0AA7F30BE0F09DE5D7DA9C08784694BBC2F92D1428184CC60AAB501F12ED18D27CFC815B0B49A5BB1714498CEE19F82348378F5CCBD1E901FEF2A04951A58A1C83A56280448672B52CBE2B51F99A4AFB9B856A58A518A87764EB3F3451B9F9C2FA75F6BDDED1A5F61B5D8AE3824BE8F2CF6D3A62BA185CFAC5A2F18ABD6B296D40CC87EC95D7B6D1F39FAC88A58C9BA9BA70F7280EEDC96C4708753F99CBAC653197EC51B7658D45EC720301CEE5AE052F36FC3CBE8419DBC36082F2AAC212DDD4782452D92D796C4DFB823A3CDD3750D2488C76A8AA17C0B33AD5D8688542841EAA5735672F34055C37E060C259630E03407108857F5733BDF9FC9FA679654408DB7AB91BF369D90C4DF5FEBCC4FCA45921785522E1F5914F9581B7AB71B47484C385B4010ADBAA5C8B0AA730FADE2E807558ED04F24B05AE514A6B2D9E0EEB4C4E8B8DE81B0C8D4D17272AA9AE655914C18BEF25381E1888D86A80DD292D1CEA944D7C2712983CA0FC8F03567DAA40A97DDE301AFA5E301B7ADE301 | |||
| (PID) Process: | (1052) SteamActivation.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\SecuROM\License information |
| Operation: | write | Name: | rkeysecu |
Value: 0F40618E4986F6DF6443CC73A9B4017D | |||
| (PID) Process: | (1052) SteamActivation.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\SecuROM\Readme |
| Operation: | write | Name: | Readme |
Value: The registry folder 'SecuROM' contains License Information created by SecuROM Digital Rights Management. Please see www.securom.com/license-information.html for further information. | |||
| (PID) Process: | (1052) SteamActivation.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\SecuROM\UserData |
| Operation: | write | Name: | securom_v7_01.bak |
Value: 0F40618E4986F6DF6443CC73A9B4017D | |||
| (PID) Process: | (1052) SteamActivation.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\SecuROM\UserData\Backup |
| Operation: | write | Name: | securom_v7_01_sec.bak |
Value: 0E2FB2E9D5D4772BD53B5476EB910898BF53E0CEAEED86678849CCB9D0107CD1D2CF69232653776683B1E847072350A97725EF62E4D16CB7B65AD5DE088243C0AA7F30BE0F09DE5D7DA9C08784694BBC2F92D1428184CC60AAB501F12ED18D27CFC815B0B49A5BB1714498CEE19F82348378F5CCBD1E901FEF2A04951A58A1C83A56280448672B52CBE2B51F99A4AFB9B856A58A518A87764EB3F3451B9F9C2FA75F6BDDED1A5F61B5D8AE3824BE8F2CF6D3A62BA185CFAC5A2F18ABD6B296D40CC87EC95D7B6D1F39FAC88A58C9BA9BA70F7280EEDC96C4708753F99CBAC653197EC51B7658D45EC720301CEE5AE052F36FC3CBE8419DBC36082F2AAC212DDD4782452D92D796C4DFB823A3CDD3750D2488C76A8AA17C0B33AD5D8688542841EAA5735672F34055C37E060C259630E03407108857F5733BDF9FC9FA679654408DB7AB91BF369D90C4DF5FEBCC4FCA45921785522E1F5914F9581B7AB71B47484C385B4010ADBAA5C8B0AA730FADE2E807558ED04F24B05AE514A6B2D9E0EEB4C4E8B8DE81B0C8D4D17272AA9AE655914C18BEF25381E1888D86A80DD292D1CEA944D7C2712983CA0FC8F03567DAA40A97DDE301AFA5E301B7ADE301 | |||
Executable files
2
Suspicious files
3
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1052 | SteamActivation.exe | C:\Users\admin\AppData\Local\Temp\drm_dyndata_7370014.dll | executable | |
MD5:251940E083E8DE21B1A65940A49ACA28 | SHA256:C07F34ADD8E57980D4AE30541C996CD17B4A99DB183202CAA6DC627C1557002C | |||
| 1052 | SteamActivation.exe | C:\Users\admin\AppData\Roaming\SecuROM\UserData\securom_v7_01.bak | binary | |
MD5:C796A76A13EB72B1A5B6A35EBE8D83CB | SHA256:0082B2A1263D7DADC44F3BE4573F59DF8DD6DF8C1A23B2999B9824E0CBA8C823 | |||
| 1052 | SteamActivation.exe | C:\Users\admin\AppData\Local\Temp\CmdLineExtInstallerExe.exe | executable | |
MD5:81D9BD57B477FC11226DF15DDC37A194 | SHA256:670CFFE6204E4380C2E6D56D09CBE3D6DE34890310DB70B3B2E17404604E543D | |||
| 1052 | SteamActivation.exe | C:\Users\admin\AppData\Roaming\SecuROM\UserData\securom_v7_01.dat | binary | |
MD5:C796A76A13EB72B1A5B6A35EBE8D83CB | SHA256:0082B2A1263D7DADC44F3BE4573F59DF8DD6DF8C1A23B2999B9824E0CBA8C823 | |||
| 1052 | SteamActivation.exe | C:\Users\admin\AppData\Roaming\SecuROM\UserData\securom_v7_01.tmp | binary | |
MD5:C796A76A13EB72B1A5B6A35EBE8D83CB | SHA256:0082B2A1263D7DADC44F3BE4573F59DF8DD6DF8C1A23B2999B9824E0CBA8C823 | |||
| 1052 | SteamActivation.exe | C:\Users\admin\AppData\Roaming\SecuROM\UserData\readme.txt | text | |
MD5:1E802E3CF5341EC5BBDE7DF56A92DA7B | SHA256:89230C1BEBF08F25EE9E405329500336465E8DEF6F3D6E5E00C2C3C4ADCF628F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
20
DNS requests
6
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5260 | RUXIMICS.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 868 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted |
5260 | RUXIMICS.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5260 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5260 | RUXIMICS.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5260 | RUXIMICS.exe | 2.16.253.202:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
3364 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3828 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |