Safe
Widely distributed, properly signed Steam installer with zero malicious engine detections and clean sandbox outcome.
7d3654531c32d941b8…45a0a12bcbThe verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The complete absence of malicious detections from every engine tier, including 17 tier-1 engines, combined with verified Valve Corp. signing and massive historical prevalence, strongly indicates a legitimate Steam installer. Sandbox execution returned no malicious verdict and no malicious children or contacted hosts were identified. While synthesis heuristics flagged persistence and direct-IP contact, these behaviours align with NSIS installer mechanics and certificate CRL checks rather than malware activity. The four YARA rules target installer structure, not malicious payloads.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines.malicious=0 with tier1Malicious=0 and tier1ReportedClean=17
signing.verified=true, signer='Valve Corp.'
prevalence.classification='common_old' (204448 submissions)
hasMaliciousSandboxVerdict=false, droppedChildren.hasMaliciousChild=false
yaraify rules are NSIS installer detectors only
- Zero malicious detections across 73 engines
- Verified Valve Corp. digital signature
- Hundreds of thousands of prior clean submissions
- Clean sandbox verdict with no malicious children
Treat as safe; download only from the official Steam website and verify the digital signature before execution.
NSIS Nullsoft Installer corroborated by 1 source
- 4 YARA rulesDetect_NSIS_Nullsoft_Installer, PE_Digital_Certificate, NSIS_April_2024
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 199.232.215.52
- 104.18.20.213
- 199.232.215.82
- 104.18.21.213
- 192.168.0.51
- 20.99.186.246
- 23.216.81.152
- 23.216.147.76
- 192.168.0.5
- 23.216.147.64
- http://r13.c.lencr.org/113.crl
- http://r12.c.lencr.org/10.crl
- http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
- http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
- http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt
- http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt
- Steam Client Service
- C:\Users\<USER>\AppData\Local\Temp\nswCE6C.tmp
- C:\Users\<USER>\AppData\Local\Temp\nsrCE8D.tmp\System.dll
- C:\Users\<USER>\AppData\Local\Temp\nsrCE8D.tmp\modern-header.bmp
- C:\Users\<USER>\AppData\Local\Temp\nsrCE8D.tmp\modern-wizard.bmp
- C:\Users\<USER>\AppData\Local\Temp\nsrCE8D.tmp\nsDialogs.dll
- C:\Users\<USER>\AppData\Local\Temp\nsrCE8D.tmp\modern-header.bmp
- C:\Users\<USER>\AppData\Local\Temp\nsrCE8D.tmp\modern-wizard.bmp
- C:\Users\<USER>\AppData\Local\Temp\nsrCE8D.tmp\nsDialogs.dll
- C:\Users\<USER>\AppData\Local\Temp\nsrCE8D.tmp\nsExec.dll
- C:\Users\<USER>\AppData\Local\Temp\nsrCE8D.tmp\nsProcess.dll
- SteamSingleInstance
- Local\InternetShortcutMutex
- cversions.3.m
- Global\OneSettingQueryMutex+compat+encapsulation
- NULL
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- fbc09c1b9a55d04b57be…91b05bNever scannednever seen before
- f4370281335c1b45718d…eb4107Never scannednever seen before
- d8a20dd2c9bf3abcd163…b3a314Never scannednever seen before
- ba82765c4e15026a8ffb…2db06eNever scannednever seen before
- 7c192b81ab67e34c8463…4ab043Never scannednever seen before
- ac3706ebbb78cfba74e5…0aba8fNever scannednever seen before
- e279c71136a3969cdec8…eb1132Never scannednever seen before
- 3d18d59ed87bd6ebcf76…55f3daNever scannednever seen before
- f4343274a97389f3e55a…788503Never scannednever seen before
- 4246c0b859204919663e…faeb9bNever scannednever seen before
2 corroborating signals from researcher-curated sources
- Detect_NSIS_Nullsoft_Installerby Obscurity Labs LLCDetects NSIS installers by .ndata section + NSIS header string
- PE_Digital_Certificateby albertzsigovits
- NSIS_April_2024by NDA0NDetects NSIS installers
- PE_Potentially_Signed_Digital_Certificateby albertzsigovits
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
- Detect_NSIS_Nullsoft_Installer
- PE_Digital_Certificate
- NSIS_April_2024
- PE_Potentially_Signed_Digital_Certificate
Sandbox flagged persistence indicators (registry Run keys / services / scheduled tasks).
EvidenceSteam Client ServiceMITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
EvidenceC:\Windows\Explorer.EXESandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
EvidenceC:\Windows\system32\lsass.exeSample contacted 14 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence199.232.215.52 · 104.18.20.213 · 199.232.215.82
0 detections across 73 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name
- SteamSetup.exe
- Size
- 2.27 MB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- 7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb
- MD5
- 1b54b70beef8eb240db31718e8f7eb5d
- SHA-1
- da5995070737ec655824c92622333c489eb6bce4
- PE imphash
- 4ea4df5d94204fc550be1874e1b77ea7
- First seen (VT)
- 5/20/2024, 7:00:00 PM
- Last analysis (VT)
- 7/7/2026, 1:41:21 PM
- First scan (MalwareTips)
- 7/7/2026, 2:29:28 PM
- Last scan (MalwareTips)
- 7/7/2026, 2:29:28 PM
- Code signer
- Valve Corp.verified
- Community reputation
- +105trusted
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.