Windows Analysis Report
SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Analysis ID:	1417026
MD5:	827c2735811297a85b5115cdc701b868
SHA1:	0597c01af54d280b883c003cd46df13d861c22bc
SHA256:	f7ea997ecb3f1b3d9669ead7539d2b0b7da60ac08279e5bb09aaed20a97efa9d
Tags:	exe
Infos:

Detection

Score:	26
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Signatures

Queries disk data (e.g. SMART data)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

AV process strings found (often used to terminate AV products)

Contains capabilities to detect virtual machines

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May use bcdedit to modify the Windows boot settings

PE file contains executable resources (Code or Archives)

Queries disk information (often used to detect virtual machines)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

File created: C:\Users\user\AppData\Roaming\360Safe\360safe.setup.log

Jump to behavior

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\vmagent_new\bin\joblist\255425\out\Release\MiniUI.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp, MiniUI.dll.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\728886\out\Release_tr\Setup.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source:	Binary string: e:\build\SetupNew\Release\360SafeAssist.pdb<`B source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2001863771.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002092871.0000000004250000.00000004.00001000.00020000.00000000.sdmp, 360SafeAssist.exe.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\255425\out\Release\MiniUI.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp, MiniUI.dll.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\289364\out\Release\CrashReport.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219793928.000000006E428000.00000002.00000001.01000000.0000000A.sdmp, CrashReport.dll.0.dr
Source:	Binary string: e:\build\SetupNew\Release\360SafeAssist.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2001863771.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002092871.0000000004250000.00000004.00001000.00020000.00000000.sdmp, 360SafeAssist.exe.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\743838\out\Release\7z.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219662742.000000006CEDB000.00000002.00000001.01000000.00000008.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\146708\out\Release\DumpUper.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\146708\out\Release\DumpUper.pdbP source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\417673\out\Release\360Base.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219344223.000000006CC2F000.00000002.00000001.01000000.0000000B.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, 360Base.dll.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData	Jump to behavior

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /wsin/think?ipartner=0&m2=d0976767e6a203af75488f9609371383094a7b7d29b3&mid=59cd53708ed730f0ef42bb01f668d936&rand=104759&timestamp=1711632600&ver=13.0.0.2199&sign=da0c9f29d00aa1f62d1472307f9415f2 HTTP/1.1Host: inf.safe.360.cnAccept: /Pragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wsin/think?ipartner=0&m2=d0976767e6a203af75488f9609371383094a7b7d29b3&mid=59cd53708ed730f0ef42bb01f668d936&rand=104759&timestamp=1711632600&ver=13.0.0.2199&sign=da0c9f29d00aa1f62d1472307f9415f2 HTTP/1.1Host: inf.safe.360.cnAccept: /Pragma: no-cacheCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 171.13.14.66 171.13.14.66

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&status=101&usetime=4013656&zt=2862 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&status=188&usetime=0&zt=3626 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=109&usetime=0&zt=10565 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=147&usetime=0&zt=23680 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=189&usetime=0&zt=23732 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=136&usetime=0&zt=24803 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&status=101&usetime=4013656&zt=2862 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&status=188&usetime=0&zt=3626 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=109&usetime=0&zt=10565 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wsin/think?ipartner=0&m2=d0976767e6a203af75488f9609371383094a7b7d29b3&mid=59cd53708ed730f0ef42bb01f668d936&rand=104759&timestamp=1711632600&ver=13.0.0.2199&sign=da0c9f29d00aa1f62d1472307f9415f2 HTTP/1.1Host: inf.safe.360.cnAccept: /Pragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wsin/think?ipartner=0&m2=d0976767e6a203af75488f9609371383094a7b7d29b3&mid=59cd53708ed730f0ef42bb01f668d936&rand=104759&timestamp=1711632600&ver=13.0.0.2199&sign=da0c9f29d00aa1f62d1472307f9415f2 HTTP/1.1Host: inf.safe.360.cnAccept: /Pragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=147&usetime=0&zt=23680 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=189&usetime=0&zt=23732 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=136&usetime=0&zt=24803 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: s.360.cn

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://bbs.360safe.com/thread-4985800-1-1.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://bbs.360safe.com/thread-4985800-1-1.htmlQ
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/360compkill64.zip
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/360compkill64.ziphttp://www.360.cn/jijiuxiang/360sd_download.htmlDeleteUrlCa
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/safesetup_2000.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/safesetup_2000.exechs
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216969609.00000000009D2000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://down.360safe.com/setup.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/setup.exePathSOFTWARE
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, MiniUI.dll.0.dr	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe360
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216969609.00000000009D2000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000000.1973850844.00000000009CC000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exeG
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exeGO360
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp, MiniUI.dll.0.dr	String found in binary or memory: http://down.360safe.com/setup.exexv
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216989427.00000000009D4000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://down.360safe.com/setupbeta.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/superkiller/superkillerexe_880765522ded7527821ce7448af08018_5.1.64.1181.cab
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/superkiller/superkillerexe_880765522ded7527821ce7448af08018_5.1.64.1181.cabh
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/superkiller/superkillerexe_ce61817f687d599de13ee9deb1af83e2_5.1.0.1181.cab
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://inf.safe.360.cn/sein/think
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://inf.safe.360.cn/wsin/think
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://inf.safe.360.cn/wsin/thinkhttp://inf.safe.360.cn/sein/thinkx
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://my.360.cn
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://my.360safe.com
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://my.360safe.comuseridconfig
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://ocsp.digicert.com0L
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://s.360.cn/safe/install.html?mid=%s&
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=923&status=%d&mid=%s&ver=%s&usetime=%d&zt=%d&pid=%sehttp://s.
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=923&ver=%s&pid=%s&hips=%d&mid=%s&mid2=%s&w=%I64d&b=%I64d&o=%d
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998954479.0000000001764000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3218840916.0000000005009000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://s.360.cn/safe/setupsperr.htm?mid=%s
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://s.360.cn/safe/setupsperr.htm?mid=%sIsInstallInNetBar&hand=explorer.exe&oldinstalltype=&hips=h
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr	String found in binary or memory: http://safe.crash.browser.360.cn
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr	String found in binary or memory: http://safe.crash.browser.360.cndumpInfoSitecrashInfoSitehomeSiteNCSdomainNameshowtipdlgshowdlguseri
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr	String found in binary or memory: http://sdl.360safe.com/dbghelp_dll.cabpkH-1C
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, 360Base.dll.0.dr	String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://sf.symcd.com0&
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, 360Base.dll.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: DumpUper.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://update.360safe.com/instcomp.htm?soft=509&status=%d&mid=%s&ver=%s&usetime=%d&zt=%d
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://update.360safe.com/instcomp.htm?soft=509&status=%d&mid=%s&ver=%s&usetime=%d&zt=%d&instver=%sL
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 360SafeAssist.exe.0.dr, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://www.360.cn
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2001863771.00000000043D4000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, 360SafeAssist.exe.0.dr	String found in binary or memory: http://www.360.cn/
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://www.360.cn/jijiuxiang/360sd_download.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://www.360.cn/privacy/v3/360anquanweishi.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://www.360.cn/userexperienceimprovement.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://www.360.cn/xukexieyi.htmlT
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://www.360.cn4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://www.360.cn;color=rgb(60
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://www.360.cnhttp://www.360safe.com
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://www.360safe.com
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360safe.com/
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 360Base.dll.0.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://bbs.360.cn/thread-15735708-1-1.html;color=rgb(60
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://bbs.360.cn/thread-16079507-1-1.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://bbs.360.cn/thread-16079507-1-1.htmlD
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://dl.360safe.com/instbeta.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://dl.360safe.com/instbeta.exedk
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://hao.360.com
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://hao.360.com/
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1996344133.0000000001744000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998954479.0000000001743000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.000000000173D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999310616.0000000001752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hao.360.com/?installer
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://hao.360.com/?installer/https://hao.360.comhttps://http://https://hao.360.com/%s
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hao.360.com/?installerT
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://hao.360.com/?safe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://hao.360.com/?src=lm&ls=%s
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://hao.360.com/?src=lm&ls=%sStart
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1996344133.0000000001744000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998954479.0000000001743000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.000000000173D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999310616.0000000001752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr, 360Base.dll.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.dr	String found in binary or memory: https://www.globalsign.com/repository/03
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04F8E2AF	0_3_04F8E2AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04F8EB1F	0_3_04F8EB1F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04F8D70C	0_3_04F8D70C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF60DD	0_3_04FF60DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF44D5	0_3_04FF44D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF4A99	0_3_04FF4A99
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF6E80	0_3_04FF6E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFE87B	0_3_04FFE87B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFF050	0_3_04FFF050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF8024	0_3_04FF8024
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF85FD	0_3_04FF85FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFD1FD	0_3_04FFD1FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF63F5	0_3_04FF63F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF61E5	0_3_04FF61E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFD5BD	0_3_04FFD5BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF65A7	0_3_04FF65A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFE5A7	0_3_04FFE5A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF477D	0_3_04FF477D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFD365	0_3_04FFD365
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF8918	0_3_04FF8918
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD

PE file contains executable resources (Code or Archives)

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: ANIMATION type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: BASE360 type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: CRASH type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: CRASHREPORT type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: DLL type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 967545 bytes, 1 file, at 0x2c +A "7z.dll", number 1, 57 datablocks, 0x1 compression
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: DRIVERDLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: LICENCE type: Microsoft Cabinet archive data, Windows 2000/XP setup, 10696 bytes, 1 file, at 0x2c +A "licence.rtf", number 1, 1 datablock, 0x1 compression
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: NETUL type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: OEMDATA type: 7-zip archive data, version 0.3
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: PRIVACY type: Microsoft Cabinet archive data, Windows 2000/XP setup, 11525 bytes, 1 file, at 0x2c +A "privacy.rtf", number 1, 1 datablock, 0x1 compression
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: ROOTSUPD type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: SETUPCONFIG type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: SKIN type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: URLPROC type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: VIEWER type: Microsoft Cabinet archive data, Windows 2000/XP setup, 749756 bytes, 1 file, at 0x2c "AgreementViewer.exe", number 1, 53 datablocks, 0x1 compression
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: WSCREG type: 7-zip archive data, version 0.4
Source: 360SafeAssist.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: textshaping.dll	Jump to behavior

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Binary string: ZOTAC ZENFASTZENFAS XSTAR XS TAK VASEKY UKINGS TYH TXRUI TURXUN TEKISM TEELKOOUTAISU SS DSUPERSSPSTARSWAYSTARRAM SPCC SHINEDOE SHINEDIS SHINEDISKSAMSWEETREEINNO REEINN RUNENG RAMSTA S QIDAN POWERSSD NETAC SSNETAC SMICROFLA SH MICROFLASH MICROFLAS MERELAIR MAXSUNMACMEMOR LENOVO SLENOVO SLANSHIKUAIKAKINGSTEKKINGSSD_ACSC4MACSC2MACJC2MKINGSPECKINGSHARE KINGSHAR EKING SHAREKING SHAREKING SHA REKINGSANDKINGRICHKINGBANKKINGDINGKINGDIANKDATAJUNSHI INTEIFUNKIFOUNDI-FLASHHY SPEED HY SDEED HISTOR HIGHXGOWE GEIL ZENITHGAMERGALAIRD GALA GAINWARDGLOWAYGLOWA FORSAFASTDISKFASPEE FASPEEDEVTRANEEKOOEAGET SS DDOMONDERLERDRAGONDICABOFITBIOSTAR BIOSTA ASGARD ASINT ASIN APACER ANUCELL GENERIC NCARDHYNIXTECLASTTECLAS KINGFAST COLORFUL COLORFUL SSD NVME ATA KINGSTONPLEXTOR PX-PLEXTO PX-PLEXTO PX-GALAXMICRON MICRON_MLITEONITLITEONSANDISK SANDIS MKNSSDCRUNCOREEDGEPLEXTORMTFDV4-CTM4-CTCRUCIAL ADATA ADATA ADAT PNYAPACERG.SKILLOCZKINGSTONCORSAIRINTELFUJITSUTOSHIB TOSHIBASAMXUNG SAMSUNG1SAMSUN SAMSUNGWDSEAGATESTATA AVD ASDK APPLE HDD ModelASSOCIATORS OF {Win32_DiskPartition.DeviceID='%s'} where ResultClass = Win32_DiskDriveDeviceIDASSOCIATORS OF {Win32_LogicalDisk.DeviceID='%s'} where ResultClass = Win32_DiskPartition:ROOT\CIMV2Index\Device\Harddiskc:Setup\setup_logo_animate.pngHEADBeacon@

Source: classification engine

Classification label: sus26.spyw.evad.winEXE@1/26@2/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

File created: C:\Program Files (x86)\360

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\instcomp[1].htm

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Mutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 4268
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Mutant created: \Sessions\1\BaseNamedObjects\Q360MonMutex
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Mutant created: \Sessions\1\BaseNamedObjects\Q360SafeSetup

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

File created: C:\Users\user\AppData\Local\Temp\{925474AB-9BD3-47b4-BA43-AB6BFD29DB7E}.tmp\

Jump to behavior

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: "Exe" File="deepscan\zhudongfangyu.exe" Param="/Install" WaitForExit="true" /> <Item Type="SimpleDll" File="deepscan\bapi.dll
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: itForExit="true" /> <Item Type="Exe" File="softmgr\EaInstHelper64.exe" Param="/Install" WaitForExit="true" /> <Item Type
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: \PopWndTracker.exe" Param="/query" WaitForExit="false" /> <Item Type="Exe" File="softmgr\EaInstHelper.exe" Param="/Install" W
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: _LOCAL_MACHINE" SubKey="SOFTWARE\360Safe\stat" > <Item Name="SetupType" Type="DWORD" Value="0" /> </KeyInfo> </Install
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: Register/Install
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://s.360.cn/safe/install.html?mid=%s&
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: /install
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: /install
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: /INSTALLER=
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: /reinstall
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: Cmodules\360vulsetup.exemobilemgr\SoftUpdateM.dllSoftware\360Safe\safemonsafemon\safemon.dll360MicroExamin.exesafemon\MicroExamin.tpiFixRegSrvOnInstallRegister dll mobilemgr\SoftUpdateM.dll/install /installSelfProtectAPI2avp.exeSOFTWARE\KasperskyLab\SetupFoldersinsttimepid_InstalledPartnerName_bkipartner_sh_refreshipartnerregisttimebidPartnerNamePrePartner360se360SD360Safebox360SEAntiSectionrepairicondirInstLogUtilsupdatesweepersafemonnetmonmodulesLiveUpdateLogLiveUpdate360skinipcfirstaiddeepscanconfigantiarplinksSOFTWARE\Microsoft\Windows\CurrentVersion\Run\360DisabledSoftware\360Safe\scanTipDisable
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: QD\360UCenter.dll\360MobileAssistant_theme.ui\sites.dll\AdvToolsEx.dll\360ExamineEx.dll\360Safe.exe\360Protect.dll\newui\360SafeNew.xml\newui\themes\default\default_theme.ui\360ExamineUIEx.dll\newui\themes\default\theme.xml\ExamineUIConfig.xml\ExaminePluginEx.xmlSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exePathsafemon\360tray.exe /disablesp %d /loadrulesp %dsafemon\param.inisafemon\360procmon.dll\\.\360SelfProtection<!--360skin ver="\updatecfg.ini/reinstallSoftware\Microsoft\Windows\CurrentVersion\360JJXSoftware\Microsoft\Windows\CurrentVersion\360Clear360tray.exeSYSTEM\CurrentControlSet\Control\Session ManagerDisableAutorunmodify %s time failver="Copy From %s to %s Failed Error Code = %dMove File '%s' failed, replace until rebootMove File '%s' to temp dirDelete File '%s' failedFile '%s' exist
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: QD\360UCenter.dll\360MobileAssistant_theme.ui\sites.dll\AdvToolsEx.dll\360ExamineEx.dll\360Safe.exe\360Protect.dll\newui\360SafeNew.xml\newui\themes\default\default_theme.ui\360ExamineUIEx.dll\newui\themes\default\theme.xml\ExamineUIConfig.xml\ExaminePluginEx.xmlSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exePathsafemon\360tray.exe /disablesp %d /loadrulesp %dsafemon\param.inisafemon\360procmon.dll\\.\360SelfProtection<!--360skin ver="\updatecfg.ini/reinstallSoftware\Microsoft\Windows\CurrentVersion\360JJXSoftware\Microsoft\Windows\CurrentVersion\360Clear360tray.exeSYSTEM\CurrentControlSet\Control\Session ManagerDisableAutorunmodify %s time failver="Copy From %s to %s Failed Error Code = %dMove File '%s' failed, replace until rebootMove File '%s' to temp dirDelete File '%s' failedFile '%s' exist
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exePathsafemon\360tray.exe /disablesp %d /loadrulesp %dsafemon\param.inisafemon\360procmon.dll\\.\360SelfProtectionANIMATION360FsFltsafemon\360Tray.exe.local360Safe.exe.localsafemon\360Tray.exe.Manifest
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: R%%%2xsp exist16.0.0.015.0.0.0%s\safemon\FreeSaaS.tpi%s\360leakfixer.exe/silent=3 /id=%s /p=0NULL\360Safe%d\360safeNon-existent ProcessSETUPCONFIG&s1=%d&s0=%d&pid=&OAV=%d&PPID0=&PPID1=http://s.360.cn/safe/setupsperr.htm?mid=%sIsInstallInNetBar&hand=explorer.exe&oldinstalltype=&hips=http://s.360.cn/safe/install.html?mid=%s&video\info.iniend.pngstart.pnganimation.wmvSKIN
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: "KUnrecognized content encoding type. libcurl understands %s content encodings.chunked\/LoadLibraryExAkernel320123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ(nil)(nil)I64I32.%ld$@%ld0123456789schannel
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: Q360SafeMonClass360TRAY.EXESOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exePathsafemon\360tray.exe /disablesp %d /loadrulesp %dsafemon\param.inisafemon\360procmon.dll\\.\360SelfProtection
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: TargetDir%d.%d.%d.%dExeSimpleDllExtendDllWM_CLOSEWM_QUITWM_ANTIARPEXITDWORDString%02xZwQuerySystemInformationengchtchsuninstbackupSetup/MainNameTitleUninstallTitleProductVersionRebootFlagNameMutexNameMinimizeSpaceDefaultSkinIsBetaSetup/FileListListSetup/UninstallRootDirFileListFileSetup/PluginSetup/RegisterSetup/NotPEFileVersion9.5.0.1001Setup/RegAppPathHKEYSubKeyValueSetup/ApplicationMainAppVersionBaseFileSetup/DefaultPathRootDirForceCreateFolderCanChange1.0.0.1001safemon\360tray.exeSetup/CloseAllPrograms/ProgramWindowClassMessageWPARAMLPARAMTimeoutQ360SafeMonClassSetup/RebootReplaceFile/FileExitIfCopyFailRegister/InstallRegister/Uninstalli18n\i18n.iniLanguageMainQIBeginSOFTWARE\360Safe360\360Safe\
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: lN.?AVCAppModuleEx@@/S/SMARTSILENCE/FORCESTART/FORCECOVER/360EntAdminJoin/INSTVER=/D=/PID=/NOREBOOT=/NOTRAY=/NOENTCLIENT=/SAFENOSTART=/INSTALLER=/NOTIFYWND=/NotJoinUE/NotJoinCloudSafe/CREATEDSS/DEBUGFILE=/LOGFILE=/DISABLE=/SETHOMEPAGE=/NOZF/LM=/NOPOP/NoSoftMgrDesktopLnk/NoSafeDesktopLnk/NotLockIEEdge360/NotLockOther360

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Window detected: Number of UI elements: 12

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static file information: File size 99314064 > 1048576

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x78b600

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\vmagent_new\bin\joblist\255425\out\Release\MiniUI.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp, MiniUI.dll.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\728886\out\Release_tr\Setup.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source:	Binary string: e:\build\SetupNew\Release\360SafeAssist.pdb<`B source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2001863771.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002092871.0000000004250000.00000004.00001000.00020000.00000000.sdmp, 360SafeAssist.exe.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\255425\out\Release\MiniUI.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp, MiniUI.dll.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\289364\out\Release\CrashReport.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219793928.000000006E428000.00000002.00000001.01000000.0000000A.sdmp, CrashReport.dll.0.dr
Source:	Binary string: e:\build\SetupNew\Release\360SafeAssist.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2001863771.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002092871.0000000004250000.00000004.00001000.00020000.00000000.sdmp, 360SafeAssist.exe.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\743838\out\Release\7z.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219662742.000000006CEDB000.00000002.00000001.01000000.00000008.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\146708\out\Release\DumpUper.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\146708\out\Release\DumpUper.pdbP source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\417673\out\Release\360Base.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219344223.000000006CC2F000.00000002.00000001.01000000.0000000B.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, 360Base.dll.0.dr

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04F95426 push cs; iretd	0_3_04F953FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04F90A02 push edi; retf	0_3_04F90A15
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04F955D6 push ebx; ret	0_3_04F955D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04F90167 push eax; retf	0_3_04F90168
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04F95324 push cs; iretd	0_3_04F953FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04F91F1E push E01004CFh; iretd	0_3_04F91F29
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF0CF5 push edi; retf	0_3_04FF1013
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF22DD push ebp; retf	0_3_04FF249B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFD4A5 push ebp; retf	0_3_04FFD4CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFA49F push cs; retf	0_3_04FFA613
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF249D pushad ; retf	0_3_04FF2543
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFD47D push ebp; retf	0_3_04FFD4CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFD1D5 push cs; retf	0_3_04FFD1FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF0A pushfd ; ret	0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF0A pushfd ; ret	0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF0A pushfd ; ret	0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF0A pushfd ; ret	0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF0A pushfd ; ret	0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF0A pushfd ; ret	0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF0A pushfd ; ret	0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF0A pushfd ; ret	0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C7C8 push eax; iretd	0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C7C8 push eax; iretd	0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C7C8 push eax; iretd	0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C7C8 push eax; iretd	0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C7C8 push eax; iretd	0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C7C8 push eax; iretd	0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C7C8 push eax; iretd	0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C7C8 push eax; iretd	0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BDCB pushfd ; ret	0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BDCB pushfd ; ret	0_3_0469BF59

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File created: C:\Users\user\AppData\Local\Temp\{EE053F58-EF8C-43c4-A3D9-1E4B2965E691}.tmp\7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File created: C:\Users\user\AppData\Local\Temp\{64B7E796-9F86-408b-9BE8-85DF5E630C37}.tmp\360SafeAssist.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File created: C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\360Base.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File created: C:\Users\user\AppData\Local\Temp\{6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File created: C:\Users\user\AppData\Local\Temp\{DBA7F686-6D1C-4a46-82CF-0AD83670E845}.tmp\MiniUI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File created: C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\CrashReport.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File created: C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\DumpUper.exe	Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Binary or memory string: Setuphttps://hao.360.com/?src=lm&ls=%sStart SetHomePage/set flightsigning on/set {bootmgr} flightsigning onbcdedit.exeSysnativeBcdeditEnd CheckHomePageForOldVerStart CheckHomePageForOldVerEnd ClearOldSkinStart ClearOldSkinEnd SetLowConfigurationPCFlagStart SetLowConfigurationPCFlagSetupOffline_H

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

File created: C:\Users\user\AppData\Roaming\360Safe\360safe.setup.log

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : ASSOCIATORS OF {Win32_DiskPartition.DeviceID='Disk #0, Partition #1'} where ResultClass = Win32_DiskDrive
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : ASSOCIATORS OF {Win32_DiskPartition.DeviceID='Disk #0, Partition #1'} where ResultClass = Win32_DiskDrive
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='C:'} where ResultClass = Win32_DiskPartition
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='C:'} where ResultClass = Win32_DiskPartition
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001 name: DriverDesc

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{EE053F58-EF8C-43c4-A3D9-1E4B2965E691}.tmp\7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{64B7E796-9F86-408b-9BE8-85DF5E630C37}.tmp\360SafeAssist.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\360Base.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{DBA7F686-6D1C-4a46-82CF-0AD83670E845}.tmp\MiniUI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\CrashReport.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\DumpUper.exe	Jump to dropped file

Queries disk information (often used to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.0000000001790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: vVIRTUAL SCSIVIRTUAL HDVIRTUAL DISKISCSIRED HAT VIRTIORAMDISKRAM-DISKRAM DISKRAID ARRAYRAID10RAID5RAID1XENSRC XEN VMWAREVBOX HARDDISKQEMU HARDDISKPROMISE 1+0MSFT VIRTUALMICROSOFTMARVELL RAIDLSILOGICLSI MR92LSI MEGALENOVO_RAIDINTEL RAIDIBM SERVERAIDDELL PERCAMD-RAID ARRAYADAPTECRAID0SOFTWARE\360Safe\softmgr\dioraidRAIDIM2S313BR240G BR128G BR120G BR60G 256GB 256GB 256G 256G 240GB 128GB 128GB 128G 128G 120GB 120G
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.0000000001762000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1996499917.0000000001774000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999106553.0000000001772000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1996594697.0000000001776000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999226653.0000000001776000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998954479.0000000001764000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.0000000001790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{baefc400-1cb2-6d19-d2b5-4ac4ae014b83}"6000C292B65879FF477A6AF604113F58VMware Virtual diskVMwareVirtual disk6000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.0000000001790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1996344133.0000000001744000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998954479.0000000001743000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.000000000173D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWndow Class

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process token adjusted: Debug			Jump to behavior

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: lShell_traywnd
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Shell_traywnd

AV process strings found (often used to terminate AV products)

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000000.1973823276.0000000000996000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216885883.0000000000996000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: http://down.360safe.com/360compkill64.ziphttp://www.360.cn/jijiuxiang/360sd_download.htmlDeleteUrlCacheEntryWURLDownloadToFileWurlmon.dll\system32\urlmon.dll.zipSuperKiller.exe//////PromptCP\360SuperKiller\SuperKiller.ini\\\SuperKiller.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: SuperKiller.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: \safemon\360tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3218840916.000000000501F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 360HOTFIX.EXE
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: \360Safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: 360TRAY.EXE
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000096712.0000000004FED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000739918.000000000501C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000650780.0000000004FFE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000134647.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000055003.0000000004FE0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3218840916.000000000501F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 360SAFE.EXE
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360Safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: lIsBetaVersion360ver.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000000.1973823276.0000000000996000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216885883.0000000000996000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: 360sd\Safemon\SelfProtectAPI2.dll360sd\Safemon\360Procmon.dll360sd\Safemon\360tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: \SuperKiller.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: firstaid\superkiller.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000096712.0000000004FED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000723983.0000000004FF5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000134647.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000055003.0000000004FE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &safemon\360Tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: Software\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: avp.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999226653.0000000001790000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000180337.00000000017B0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999412645.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.0000000001790000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999106553.0000000001790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 360safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3218258565.00000000036F7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999226653.0000000001790000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000180337.00000000017B0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999412645.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999106553.0000000001790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 360Safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, MiniUI.dll.0.dr	Binary or memory string: IsBetaVersion360ver.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: 360tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000000.1973823276.0000000000996000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216885883.0000000000996000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\Run360Safetray"%s" /startsafemon\360Tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr	Binary or memory string: A%I64dPathSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe\firstaid\SuperKiller.exefirstaid\SuperKiller.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000000.1973823276.0000000000996000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216885883.0000000000996000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: 360safeUtils\360MedalWall.dllSoftware\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: 360Tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: safemon\360tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3218491026.00000000044A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: safemon\360Tray.exe

Stealing of Sensitive Information

Queries disk data (e.g. SMART data)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Device IO: \Device\Harddisk0\DR0			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Device IO: \Device\Harddisk0\DR0			Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
180.163.237.185	inf.safe.360.cn	China		4812	CHINANET-SH-APChinaTelecomGroupCN	false
171.13.14.66	s.360.cn	China		4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false

Contacted Domains

Name	IP	Active
s.360.cn	171.13.14.66	true
inf.safe.360.cn	180.163.237.185	true

Contacted URLs

Name	Malicious	Reputation
http://s.360.cn/safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=109&usetime=0&zt=10565	false	high
http://s.360.cn/safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&status=101&usetime=4013656&zt=2862	false	high
http://s.360.cn/safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=189&usetime=0&zt=23732	false	high
http://s.360.cn/safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=147&usetime=0&zt=23680	false	high
http://s.360.cn/safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&status=188&usetime=0&zt=3626	false	high
http://s.360.cn/safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=136&usetime=0&zt=24803	false	high
http://inf.safe.360.cn/wsin/think?ipartner=0&m2=d0976767e6a203af75488f9609371383094a7b7d29b3&mid=59cd53708ed730f0ef42bb01f668d936&rand=104759&timestamp=1711632600&ver=13.0.0.2199&sign=da0c9f29d00aa1f62d1472307f9415f2	false	high

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

File created: C:\Users\user\AppData\Roaming\360Safe\360safe.setup.log

Jump to behavior

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\vmagent_new\bin\joblist\255425\out\Release\MiniUI.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp, MiniUI.dll.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\728886\out\Release_tr\Setup.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source:	Binary string: e:\build\SetupNew\Release\360SafeAssist.pdb<`B source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2001863771.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002092871.0000000004250000.00000004.00001000.00020000.00000000.sdmp, 360SafeAssist.exe.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\255425\out\Release\MiniUI.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp, MiniUI.dll.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\289364\out\Release\CrashReport.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219793928.000000006E428000.00000002.00000001.01000000.0000000A.sdmp, CrashReport.dll.0.dr
Source:	Binary string: e:\build\SetupNew\Release\360SafeAssist.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2001863771.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002092871.0000000004250000.00000004.00001000.00020000.00000000.sdmp, 360SafeAssist.exe.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\743838\out\Release\7z.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219662742.000000006CEDB000.00000002.00000001.01000000.00000008.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\146708\out\Release\DumpUper.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\146708\out\Release\DumpUper.pdbP source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\417673\out\Release\360Base.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219344223.000000006CC2F000.00000002.00000001.01000000.0000000B.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, 360Base.dll.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData	Jump to behavior

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /wsin/think?ipartner=0&m2=d0976767e6a203af75488f9609371383094a7b7d29b3&mid=59cd53708ed730f0ef42bb01f668d936&rand=104759&timestamp=1711632600&ver=13.0.0.2199&sign=da0c9f29d00aa1f62d1472307f9415f2 HTTP/1.1Host: inf.safe.360.cnAccept: /Pragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wsin/think?ipartner=0&m2=d0976767e6a203af75488f9609371383094a7b7d29b3&mid=59cd53708ed730f0ef42bb01f668d936&rand=104759&timestamp=1711632600&ver=13.0.0.2199&sign=da0c9f29d00aa1f62d1472307f9415f2 HTTP/1.1Host: inf.safe.360.cnAccept: /Pragma: no-cacheCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 171.13.14.66 171.13.14.66

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&status=101&usetime=4013656&zt=2862 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&status=188&usetime=0&zt=3626 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=109&usetime=0&zt=10565 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=147&usetime=0&zt=23680 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=189&usetime=0&zt=23732 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=136&usetime=0&zt=24803 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&status=101&usetime=4013656&zt=2862 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&status=188&usetime=0&zt=3626 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=109&usetime=0&zt=10565 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wsin/think?ipartner=0&m2=d0976767e6a203af75488f9609371383094a7b7d29b3&mid=59cd53708ed730f0ef42bb01f668d936&rand=104759&timestamp=1711632600&ver=13.0.0.2199&sign=da0c9f29d00aa1f62d1472307f9415f2 HTTP/1.1Host: inf.safe.360.cnAccept: /Pragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wsin/think?ipartner=0&m2=d0976767e6a203af75488f9609371383094a7b7d29b3&mid=59cd53708ed730f0ef42bb01f668d936&rand=104759&timestamp=1711632600&ver=13.0.0.2199&sign=da0c9f29d00aa1f62d1472307f9415f2 HTTP/1.1Host: inf.safe.360.cnAccept: /Pragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=147&usetime=0&zt=23680 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=189&usetime=0&zt=23732 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=136&usetime=0&zt=24803 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: s.360.cn

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://bbs.360safe.com/thread-4985800-1-1.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://bbs.360safe.com/thread-4985800-1-1.htmlQ
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/360compkill64.zip
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/360compkill64.ziphttp://www.360.cn/jijiuxiang/360sd_download.htmlDeleteUrlCa
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/safesetup_2000.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/safesetup_2000.exechs
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216969609.00000000009D2000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://down.360safe.com/setup.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/setup.exePathSOFTWARE
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, MiniUI.dll.0.dr	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe360
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216969609.00000000009D2000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000000.1973850844.00000000009CC000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exeG
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exeGO360
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp, MiniUI.dll.0.dr	String found in binary or memory: http://down.360safe.com/setup.exexv
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216989427.00000000009D4000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://down.360safe.com/setupbeta.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/superkiller/superkillerexe_880765522ded7527821ce7448af08018_5.1.64.1181.cab
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/superkiller/superkillerexe_880765522ded7527821ce7448af08018_5.1.64.1181.cabh
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://down.360safe.com/superkiller/superkillerexe_ce61817f687d599de13ee9deb1af83e2_5.1.0.1181.cab
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://inf.safe.360.cn/sein/think
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://inf.safe.360.cn/wsin/think
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://inf.safe.360.cn/wsin/thinkhttp://inf.safe.360.cn/sein/thinkx
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://my.360.cn
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://my.360safe.com
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://my.360safe.comuseridconfig
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://ocsp.digicert.com0L
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://s.360.cn/safe/install.html?mid=%s&
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=923&status=%d&mid=%s&ver=%s&usetime=%d&zt=%d&pid=%sehttp://s.
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=923&ver=%s&pid=%s&hips=%d&mid=%s&mid2=%s&w=%I64d&b=%I64d&o=%d
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998954479.0000000001764000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3218840916.0000000005009000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://s.360.cn/safe/setupsperr.htm?mid=%s
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://s.360.cn/safe/setupsperr.htm?mid=%sIsInstallInNetBar&hand=explorer.exe&oldinstalltype=&hips=h
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr	String found in binary or memory: http://safe.crash.browser.360.cn
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr	String found in binary or memory: http://safe.crash.browser.360.cndumpInfoSitecrashInfoSitehomeSiteNCSdomainNameshowtipdlgshowdlguseri
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr	String found in binary or memory: http://sdl.360safe.com/dbghelp_dll.cabpkH-1C
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, 360Base.dll.0.dr	String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://sf.symcd.com0&
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, 360Base.dll.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: DumpUper.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://update.360safe.com/instcomp.htm?soft=509&status=%d&mid=%s&ver=%s&usetime=%d&zt=%d
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://update.360safe.com/instcomp.htm?soft=509&status=%d&mid=%s&ver=%s&usetime=%d&zt=%d&instver=%sL
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 360SafeAssist.exe.0.dr, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://www.360.cn
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2001863771.00000000043D4000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, 360SafeAssist.exe.0.dr	String found in binary or memory: http://www.360.cn/
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://www.360.cn/jijiuxiang/360sd_download.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://www.360.cn/privacy/v3/360anquanweishi.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://www.360.cn/userexperienceimprovement.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://www.360.cn/xukexieyi.htmlT
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://www.360.cn4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://www.360.cn;color=rgb(60
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://www.360.cnhttp://www.360safe.com
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://www.360safe.com
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360safe.com/
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 360Base.dll.0.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://bbs.360.cn/thread-15735708-1-1.html;color=rgb(60
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://bbs.360.cn/thread-16079507-1-1.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://bbs.360.cn/thread-16079507-1-1.htmlD
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://dl.360safe.com/instbeta.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://dl.360safe.com/instbeta.exedk
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://hao.360.com
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://hao.360.com/
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1996344133.0000000001744000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998954479.0000000001743000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.000000000173D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999310616.0000000001752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hao.360.com/?installer
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://hao.360.com/?installer/https://hao.360.comhttps://http://https://hao.360.com/%s
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hao.360.com/?installerT
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://hao.360.com/?safe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://hao.360.com/?src=lm&ls=%s
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://hao.360.com/?src=lm&ls=%sStart
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1996344133.0000000001744000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998954479.0000000001743000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.000000000173D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999310616.0000000001752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr, 360Base.dll.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.dr	String found in binary or memory: https://www.globalsign.com/repository/03
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04F8E2AF	0_3_04F8E2AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04F8EB1F	0_3_04F8EB1F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04F8D70C	0_3_04F8D70C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF60DD	0_3_04FF60DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF44D5	0_3_04FF44D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF4A99	0_3_04FF4A99
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF6E80	0_3_04FF6E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFE87B	0_3_04FFE87B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFF050	0_3_04FFF050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF8024	0_3_04FF8024
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF85FD	0_3_04FF85FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFD1FD	0_3_04FFD1FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF63F5	0_3_04FF63F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF61E5	0_3_04FF61E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFD5BD	0_3_04FFD5BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF65A7	0_3_04FF65A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFE5A7	0_3_04FFE5A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF477D	0_3_04FF477D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFD365	0_3_04FFD365
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF8918	0_3_04FF8918
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF5B	0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A2B4	0_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C034	0_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04698B08	0_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A9D	0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469A348	0_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04699A4A	0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_046987CD	0_3_046987CD

PE file contains executable resources (Code or Archives)

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: ANIMATION type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: BASE360 type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: CRASH type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: CRASHREPORT type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: DLL type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 967545 bytes, 1 file, at 0x2c +A "7z.dll", number 1, 57 datablocks, 0x1 compression
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: DRIVERDLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: LICENCE type: Microsoft Cabinet archive data, Windows 2000/XP setup, 10696 bytes, 1 file, at 0x2c +A "licence.rtf", number 1, 1 datablock, 0x1 compression
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: NETUL type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: OEMDATA type: 7-zip archive data, version 0.3
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: PRIVACY type: Microsoft Cabinet archive data, Windows 2000/XP setup, 11525 bytes, 1 file, at 0x2c +A "privacy.rtf", number 1, 1 datablock, 0x1 compression
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: ROOTSUPD type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: SETUPCONFIG type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: SKIN type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: URLPROC type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: VIEWER type: Microsoft Cabinet archive data, Windows 2000/XP setup, 749756 bytes, 1 file, at 0x2c "AgreementViewer.exe", number 1, 53 datablocks, 0x1 compression
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Resource name: WSCREG type: 7-zip archive data, version 0.4
Source: 360SafeAssist.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Section loaded: textshaping.dll	Jump to behavior

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Source: classification engine

Classification label: sus26.spyw.evad.winEXE@1/26@2/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

File created: C:\Program Files (x86)\360

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\instcomp[1].htm

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Mutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 4268
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Mutant created: \Sessions\1\BaseNamedObjects\Q360MonMutex
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Mutant created: \Sessions\1\BaseNamedObjects\Q360SafeSetup

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

File created: C:\Users\user\AppData\Local\Temp\{925474AB-9BD3-47b4-BA43-AB6BFD29DB7E}.tmp\

Jump to behavior

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: "Exe" File="deepscan\zhudongfangyu.exe" Param="/Install" WaitForExit="true" /> <Item Type="SimpleDll" File="deepscan\bapi.dll
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: itForExit="true" /> <Item Type="Exe" File="softmgr\EaInstHelper64.exe" Param="/Install" WaitForExit="true" /> <Item Type
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: \PopWndTracker.exe" Param="/query" WaitForExit="false" /> <Item Type="Exe" File="softmgr\EaInstHelper.exe" Param="/Install" W
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: _LOCAL_MACHINE" SubKey="SOFTWARE\360Safe\stat" > <Item Name="SetupType" Type="DWORD" Value="0" /> </KeyInfo> </Install
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: Register/Install
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: http://s.360.cn/safe/install.html?mid=%s&
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: /install
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: /install
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: /INSTALLER=
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: /reinstall
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: Cmodules\360vulsetup.exemobilemgr\SoftUpdateM.dllSoftware\360Safe\safemonsafemon\safemon.dll360MicroExamin.exesafemon\MicroExamin.tpiFixRegSrvOnInstallRegister dll mobilemgr\SoftUpdateM.dll/install /installSelfProtectAPI2avp.exeSOFTWARE\KasperskyLab\SetupFoldersinsttimepid_InstalledPartnerName_bkipartner_sh_refreshipartnerregisttimebidPartnerNamePrePartner360se360SD360Safebox360SEAntiSectionrepairicondirInstLogUtilsupdatesweepersafemonnetmonmodulesLiveUpdateLogLiveUpdate360skinipcfirstaiddeepscanconfigantiarplinksSOFTWARE\Microsoft\Windows\CurrentVersion\Run\360DisabledSoftware\360Safe\scanTipDisable
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: QD\360UCenter.dll\360MobileAssistant_theme.ui\sites.dll\AdvToolsEx.dll\360ExamineEx.dll\360Safe.exe\360Protect.dll\newui\360SafeNew.xml\newui\themes\default\default_theme.ui\360ExamineUIEx.dll\newui\themes\default\theme.xml\ExamineUIConfig.xml\ExaminePluginEx.xmlSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exePathsafemon\360tray.exe /disablesp %d /loadrulesp %dsafemon\param.inisafemon\360procmon.dll\\.\360SelfProtection<!--360skin ver="\updatecfg.ini/reinstallSoftware\Microsoft\Windows\CurrentVersion\360JJXSoftware\Microsoft\Windows\CurrentVersion\360Clear360tray.exeSYSTEM\CurrentControlSet\Control\Session ManagerDisableAutorunmodify %s time failver="Copy From %s to %s Failed Error Code = %dMove File '%s' failed, replace until rebootMove File '%s' to temp dirDelete File '%s' failedFile '%s' exist
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: QD\360UCenter.dll\360MobileAssistant_theme.ui\sites.dll\AdvToolsEx.dll\360ExamineEx.dll\360Safe.exe\360Protect.dll\newui\360SafeNew.xml\newui\themes\default\default_theme.ui\360ExamineUIEx.dll\newui\themes\default\theme.xml\ExamineUIConfig.xml\ExaminePluginEx.xmlSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exePathsafemon\360tray.exe /disablesp %d /loadrulesp %dsafemon\param.inisafemon\360procmon.dll\\.\360SelfProtection<!--360skin ver="\updatecfg.ini/reinstallSoftware\Microsoft\Windows\CurrentVersion\360JJXSoftware\Microsoft\Windows\CurrentVersion\360Clear360tray.exeSYSTEM\CurrentControlSet\Control\Session ManagerDisableAutorunmodify %s time failver="Copy From %s to %s Failed Error Code = %dMove File '%s' failed, replace until rebootMove File '%s' to temp dirDelete File '%s' failedFile '%s' exist
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exePathsafemon\360tray.exe /disablesp %d /loadrulesp %dsafemon\param.inisafemon\360procmon.dll\\.\360SelfProtectionANIMATION360FsFltsafemon\360Tray.exe.local360Safe.exe.localsafemon\360Tray.exe.Manifest
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: R%%%2xsp exist16.0.0.015.0.0.0%s\safemon\FreeSaaS.tpi%s\360leakfixer.exe/silent=3 /id=%s /p=0NULL\360Safe%d\360safeNon-existent ProcessSETUPCONFIG&s1=%d&s0=%d&pid=&OAV=%d&PPID0=&PPID1=http://s.360.cn/safe/setupsperr.htm?mid=%sIsInstallInNetBar&hand=explorer.exe&oldinstalltype=&hips=http://s.360.cn/safe/install.html?mid=%s&video\info.iniend.pngstart.pnganimation.wmvSKIN
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: "KUnrecognized content encoding type. libcurl understands %s content encodings.chunked\/LoadLibraryExAkernel320123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ(nil)(nil)I64I32.%ld$@%ld0123456789schannel
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: Q360SafeMonClass360TRAY.EXESOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exePathsafemon\360tray.exe /disablesp %d /loadrulesp %dsafemon\param.inisafemon\360procmon.dll\\.\360SelfProtection
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: TargetDir%d.%d.%d.%dExeSimpleDllExtendDllWM_CLOSEWM_QUITWM_ANTIARPEXITDWORDString%02xZwQuerySystemInformationengchtchsuninstbackupSetup/MainNameTitleUninstallTitleProductVersionRebootFlagNameMutexNameMinimizeSpaceDefaultSkinIsBetaSetup/FileListListSetup/UninstallRootDirFileListFileSetup/PluginSetup/RegisterSetup/NotPEFileVersion9.5.0.1001Setup/RegAppPathHKEYSubKeyValueSetup/ApplicationMainAppVersionBaseFileSetup/DefaultPathRootDirForceCreateFolderCanChange1.0.0.1001safemon\360tray.exeSetup/CloseAllPrograms/ProgramWindowClassMessageWPARAMLPARAMTimeoutQ360SafeMonClassSetup/RebootReplaceFile/FileExitIfCopyFailRegister/InstallRegister/Uninstalli18n\i18n.iniLanguageMainQIBeginSOFTWARE\360Safe360\360Safe\
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	String found in binary or memory: lN.?AVCAppModuleEx@@/S/SMARTSILENCE/FORCESTART/FORCECOVER/360EntAdminJoin/INSTVER=/D=/PID=/NOREBOOT=/NOTRAY=/NOENTCLIENT=/SAFENOSTART=/INSTALLER=/NOTIFYWND=/NotJoinUE/NotJoinCloudSafe/CREATEDSS/DEBUGFILE=/LOGFILE=/DISABLE=/SETHOMEPAGE=/NOZF/LM=/NOPOP/NoSoftMgrDesktopLnk/NoSafeDesktopLnk/NotLockIEEdge360/NotLockOther360

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Window detected: Number of UI elements: 12

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static file information: File size 99314064 > 1048576

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x78b600

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\vmagent_new\bin\joblist\255425\out\Release\MiniUI.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp, MiniUI.dll.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\728886\out\Release_tr\Setup.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source:	Binary string: e:\build\SetupNew\Release\360SafeAssist.pdb<`B source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2001863771.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002092871.0000000004250000.00000004.00001000.00020000.00000000.sdmp, 360SafeAssist.exe.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\255425\out\Release\MiniUI.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp, MiniUI.dll.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\289364\out\Release\CrashReport.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219793928.000000006E428000.00000002.00000001.01000000.0000000A.sdmp, CrashReport.dll.0.dr
Source:	Binary string: e:\build\SetupNew\Release\360SafeAssist.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2001863771.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002092871.0000000004250000.00000004.00001000.00020000.00000000.sdmp, 360SafeAssist.exe.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\743838\out\Release\7z.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219662742.000000006CEDB000.00000002.00000001.01000000.00000008.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\146708\out\Release\DumpUper.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\146708\out\Release\DumpUper.pdbP source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\417673\out\Release\360Base.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219344223.000000006CC2F000.00000002.00000001.01000000.0000000B.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, 360Base.dll.0.dr

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04F95426 push cs; iretd	0_3_04F953FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04F90A02 push edi; retf	0_3_04F90A15
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04F955D6 push ebx; ret	0_3_04F955D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04F90167 push eax; retf	0_3_04F90168
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04F95324 push cs; iretd	0_3_04F953FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04F91F1E push E01004CFh; iretd	0_3_04F91F29
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF0CF5 push edi; retf	0_3_04FF1013
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF22DD push ebp; retf	0_3_04FF249B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFD4A5 push ebp; retf	0_3_04FFD4CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFA49F push cs; retf	0_3_04FFA613
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FF249D pushad ; retf	0_3_04FF2543
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFD47D push ebp; retf	0_3_04FFD4CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_04FFD1D5 push cs; retf	0_3_04FFD1FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF0A pushfd ; ret	0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF0A pushfd ; ret	0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF0A pushfd ; ret	0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF0A pushfd ; ret	0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF0A pushfd ; ret	0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF0A pushfd ; ret	0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF0A pushfd ; ret	0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BF0A pushfd ; ret	0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C7C8 push eax; iretd	0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C7C8 push eax; iretd	0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C7C8 push eax; iretd	0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C7C8 push eax; iretd	0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C7C8 push eax; iretd	0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C7C8 push eax; iretd	0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C7C8 push eax; iretd	0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469C7C8 push eax; iretd	0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BDCB pushfd ; ret	0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Code function: 0_3_0469BDCB pushfd ; ret	0_3_0469BF59

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File created: C:\Users\user\AppData\Local\Temp\{EE053F58-EF8C-43c4-A3D9-1E4B2965E691}.tmp\7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File created: C:\Users\user\AppData\Local\Temp\{64B7E796-9F86-408b-9BE8-85DF5E630C37}.tmp\360SafeAssist.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File created: C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\360Base.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File created: C:\Users\user\AppData\Local\Temp\{6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File created: C:\Users\user\AppData\Local\Temp\{DBA7F686-6D1C-4a46-82CF-0AD83670E845}.tmp\MiniUI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File created: C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\CrashReport.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File created: C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\DumpUper.exe	Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

File created: C:\Users\user\AppData\Roaming\360Safe\360safe.setup.log

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : ASSOCIATORS OF {Win32_DiskPartition.DeviceID='Disk #0, Partition #1'} where ResultClass = Win32_DiskDrive
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : ASSOCIATORS OF {Win32_DiskPartition.DeviceID='Disk #0, Partition #1'} where ResultClass = Win32_DiskDrive
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='C:'} where ResultClass = Win32_DiskPartition
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='C:'} where ResultClass = Win32_DiskPartition
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001 name: DriverDesc

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{EE053F58-EF8C-43c4-A3D9-1E4B2965E691}.tmp\7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{64B7E796-9F86-408b-9BE8-85DF5E630C37}.tmp\360SafeAssist.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\360Base.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{DBA7F686-6D1C-4a46-82CF-0AD83670E845}.tmp\MiniUI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\CrashReport.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\DumpUper.exe	Jump to dropped file

Queries disk information (often used to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.0000000001790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: vVIRTUAL SCSIVIRTUAL HDVIRTUAL DISKISCSIRED HAT VIRTIORAMDISKRAM-DISKRAM DISKRAID ARRAYRAID10RAID5RAID1XENSRC XEN VMWAREVBOX HARDDISKQEMU HARDDISKPROMISE 1+0MSFT VIRTUALMICROSOFTMARVELL RAIDLSILOGICLSI MR92LSI MEGALENOVO_RAIDINTEL RAIDIBM SERVERAIDDELL PERCAMD-RAID ARRAYADAPTECRAID0SOFTWARE\360Safe\softmgr\dioraidRAIDIM2S313BR240G BR128G BR120G BR60G 256GB 256GB 256G 256G 240GB 128GB 128GB 128G 128G 120GB 120G
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.0000000001762000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1996499917.0000000001774000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999106553.0000000001772000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1996594697.0000000001776000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999226653.0000000001776000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998954479.0000000001764000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.0000000001790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{baefc400-1cb2-6d19-d2b5-4ac4ae014b83}"6000C292B65879FF477A6AF604113F58VMware Virtual diskVMwareVirtual disk6000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.0000000001790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1996344133.0000000001744000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998954479.0000000001743000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.000000000173D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWndow Class

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Process token adjusted: Debug			Jump to behavior

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: lShell_traywnd
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Shell_traywnd

AV process strings found (often used to terminate AV products)

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000000.1973823276.0000000000996000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216885883.0000000000996000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: http://down.360safe.com/360compkill64.ziphttp://www.360.cn/jijiuxiang/360sd_download.htmlDeleteUrlCacheEntryWURLDownloadToFileWurlmon.dll\system32\urlmon.dll.zipSuperKiller.exe//////PromptCP\360SuperKiller\SuperKiller.ini\\\SuperKiller.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: SuperKiller.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: \safemon\360tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3218840916.000000000501F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 360HOTFIX.EXE
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: \360Safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: 360TRAY.EXE
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000096712.0000000004FED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000739918.000000000501C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000650780.0000000004FFE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000134647.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000055003.0000000004FE0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3218840916.000000000501F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 360SAFE.EXE
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360Safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: lIsBetaVersion360ver.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000000.1973823276.0000000000996000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216885883.0000000000996000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: 360sd\Safemon\SelfProtectAPI2.dll360sd\Safemon\360Procmon.dll360sd\Safemon\360tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: \SuperKiller.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: firstaid\superkiller.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000096712.0000000004FED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000723983.0000000004FF5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000134647.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000055003.0000000004FE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &safemon\360Tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: Software\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: avp.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999226653.0000000001790000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000180337.00000000017B0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999412645.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.0000000001790000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999106553.0000000001790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 360safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3218258565.00000000036F7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999226653.0000000001790000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000180337.00000000017B0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999412645.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999106553.0000000001790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 360Safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, MiniUI.dll.0.dr	Binary or memory string: IsBetaVersion360ver.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: 360tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000000.1973823276.0000000000996000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216885883.0000000000996000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\Run360Safetray"%s" /startsafemon\360Tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr	Binary or memory string: A%I64dPathSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe\firstaid\SuperKiller.exefirstaid\SuperKiller.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000000.1973823276.0000000000996000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216885883.0000000000996000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: 360safeUtils\360MedalWall.dllSoftware\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: 360Tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: safemon\360tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3218491026.00000000044A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: safemon\360Tray.exe

Stealing of Sensitive Information

Queries disk data (e.g. SMART data)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Device IO: \Device\Harddisk0\DR0			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Device IO: \Device\Harddisk0\DR0			Jump to behavior

ID:	1417026
Product:	CloudBasic
Start time:	14:29:12
Start date:	28.03.2024
Sample:	SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	827c2735811297a85b5115cdc701b868
SHA1:	0597c01af54d280b883c003cd46df13d861c22bc
SHA256:	f7ea997ecb3f1b3d9669ead7539d2b0b7da60ac08279e5bb09aaed20a97efa9d
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Program Files (x86)\360\360Safe\{17063755-E69A-41ad-B548-5A4EB6574E6F}.tf	data	55198F0D4788ACBD9BD5D7025FA8D8EE	0B8B67161171C090DAB209682E1D97721EF046D8	86FDF515180ACA40503B79D2448A34E7797871941383C8DE3B9E88BE0154B5C9
C:\Program Files (x86)\360\360Safe\{EF88AA5B-3AA1-466c-98B7-FB3A03CDE56D}.tf	data	AB1EA1AC19814F0CE9BAEF895354FCB3	1AE487688CD841BDA0E5C32B671A2C40C4B2179B	AD92B8ED482C5A95DC0F3F4B7AB347EA202C820A3B289B114F7C6D2683DD844B
C:\Users\user\AppData\Local\Temp\{051B87EE-6ED6-4d2d-987B-51E827DD9B4E}.tmp	7-zip archive data, version 0.4	368CE7995A1B4F5B72C233DFE39D9AF1	FDC459645F4968D791E080CEC2BDCD988EAE04C0	D9EA41041FAFC8E464FE3AD408EF062D3448E7CA4CD3A77CFCEF18C83A61032A
C:\Users\user\AppData\Local\Temp\{2CFC86D2-B0FA-4e6e-98B3-DFB8DFD9FFA0}.tmp	7-zip archive data, version 0.4	C5F7D2DD13EA358F3D12BE23E73C0FF8	59FF001F89BE4B8D37D28E493D1E62D10B9A1480	24D356D828A467571376EE53A63E8EBB249200B157698339D85417FB3232393F
C:\Users\user\AppData\Local\Temp\{5B8C0D48-69CE-4729-9E6B-5FBACFFEC52C}.tmp\defaultskin.ui	Zip archive data, at least v2.0 to extract, compression method=store	F544BE4BCA61DCFF43B0B33F7A4749A9	3795EE596E1E35F2F640734CC627E25FA0FBA537	03885F6B4D986C33227C1796119DBA82EC43854B3A863F7A3892B9D6913AD083
C:\Users\user\AppData\Local\Temp\{5B8C0D48-69CE-4729-9E6B-5FBACFFEC52C}.tmp\miniui.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (549), with CRLF line terminators	AF1CD79EF667FB3CD3B5CC49337BD89D	63DC8F9BB045C663C47ED095A83FE9DE62D41E43	0678544ADB8067160D76BFFE15A80CDE62885B1C58A557A21525A79917B3CDAE
C:\Users\user\AppData\Local\Temp\{64B7E796-9F86-408b-9BE8-85DF5E630C37}.tmp\360SafeAssist.exe	PE32 executable (GUI) Intel 80386, for MS Windows	2E1C7C69BEA7A3A0022ADC6A966395CA	1D750D40EA40A44192F1AF0A7734119E1C49A34F	B9D6E08A1D75F3B5A86CE0D68CC57556CCEC9EEFDDEA0588DA36DB4BBFAB6B0E
C:\Users\user\AppData\Local\Temp\{6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	EA47D98DD9CB1772A409C11B818A9A02	02A952F3AA72A61A113C9D7EBAE18DA86E2CC500	F9E81781A3484A6732B03B3A22A0388DB03B4311BE2874ABBEE276BD9E82C854
C:\Users\user\AppData\Local\Temp\{6FD37900-E9BF-45df-85D3-FB776C2A71DA}.tmp	Microsoft Cabinet archive data, Windows 2000/XP setup, 967545 bytes, 1 file, at 0x2c +A "7z.dll", number 1, 57 datablocks, 0x1 compression	B3F9C1C9CDA9D36BC599BD8D6A16E4C2	F90A4C9CB453CC8F974475E42A91877C04F5C314	CF444E2605008DA8AF04D57532A8FE9288B0CDE548545A13C680A46177889184
C:\Users\user\AppData\Local\Temp\{79304762-3434-49ff-84E1-FF1F273C851E}.tmp	7-zip archive data, version 0.4	6596B3D802F58EE173DD32D16F3AA534	E734B2E3A30F55110F3C4D0CEE5C5EAFC7E21CF8	E1774AECC3F8CB6AEBA1B18E2B63774E17F5497EBDBF6A89917C40594155054D
C:\Users\user\AppData\Local\Temp\{AA962B91-6711-4ed4-BEF7-C8BE525ACBE1}.tmp\360safe.setup	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	3188514E4EFC2AC2168639B59C3E4997	A9549BE5893AFB892B45568044AC4BB70BEE1B1D	674B421AEA7D8FCF5B09A26FD9BEB248FA28A44C3A05DDA78926B3E1F08EAB47
C:\Users\user\AppData\Local\Temp\{AA962B91-6711-4ed4-BEF7-C8BE525ACBE1}.tmp\Plugin.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	F4096BDE26A010AD6B2092F57BEA4296	16B1C5781A5D2B9C8D3AE9B951A2D7E0B1EC5926	06691747DA62AB0A1DB54C109EA85E345407AA0B3AA32A57EA40F29CE26BB875
C:\Users\user\AppData\Local\Temp\{AA962B91-6711-4ed4-BEF7-C8BE525ACBE1}.tmp\Register.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	4F0C40029890740C6CB55F6FDCC226E2	E092DA21B076D433B168D121EFAB344EAA6BB530	018FD1BF992296F70AF5CE69C77E1ACA3CE18544B7CB804E74CC406EA42A56E3
C:\Users\user\AppData\Local\Temp\{AA962B91-6711-4ed4-BEF7-C8BE525ACBE1}.tmp\UninstallRootDirFileList.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	3F2FCC037AE18642D1051F4ECD8D4810	8F150031EF8E3F7B41D53C0BB46040C762A105E6	67BB2ED2A241E1CEF9D228689559E6B9399194A53F20E215348FE2AFFFDF89B7
C:\Users\user\AppData\Local\Temp\{AA962B91-6711-4ed4-BEF7-C8BE525ACBE1}.tmp\filelist.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	8EF0358B9901EBFF168DDDFFE1FB703A	0B587BD9BB319FFC695F0FBF7E6E91F85FF68C0A	FE664D6739AB93EE3EADE74192A9DE7F4C8624F41632769E07700E9A3E0CAE06
C:\Users\user\AppData\Local\Temp\{BF53C6A3-C3C2-45ef-89A2-A714F4D6AEF2}.tmp	7-zip archive data, version 0.4	DEF0D6F2B65334FB612A8C5655C84907	FF2D02927E0E76C8B8F038944601E879C8C74915	7158B5FFE6469B219A054C5E5FCCB79C48835E756236E2B5CC265DFFCDE027A0
C:\Users\user\AppData\Local\Temp\{C495A8A5-4524-4e25-94AD-AD309AF51F49}.tmp	7-zip archive data, version 0.4	499BE8DB3362F9AB849C6996716DCE7E	0A383B0356C5E4F8F3B1E05209E3AE5B56ED5CF3	6F30A78E0C9A0A09E835D7FBB8B24E56FAACC2C1446258E8CE3C875CDED3B242
C:\Users\user\AppData\Local\Temp\{DBA7F686-6D1C-4a46-82CF-0AD83670E845}.tmp\MiniUI.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	5123C3B8ADEB6192D5A6B9DC50C867B1	6D142074A21AA50C240CE57CA19A61E104BBDF41	273CE954C8D33ABAAC3A0FD8546719F09718C1D91317ECF5B99181DFFA3FE26A
C:\Users\user\AppData\Local\Temp\{E934DA3F-9812-46cb-9794-5DDE9C05D0D2}.tmp	7-zip archive data, version 0.4	B77BEA2A7D9879C2BF649AEAD978B866	F809207D12E8AAEC1F7DFC7A02160888E942C9A5	16DF4B0F99165D0441A7129815DE9868117691B84F5898419DA6C5BA78709C8D
C:\Users\user\AppData\Local\Temp\{EE053F58-EF8C-43c4-A3D9-1E4B2965E691}.tmp\7z.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	EA47D98DD9CB1772A409C11B818A9A02	02A952F3AA72A61A113C9D7EBAE18DA86E2CC500	F9E81781A3484A6732B03B3A22A0388DB03B4311BE2874ABBEE276BD9E82C854
C:\Users\user\AppData\Local\Temp\{F4D58348-6C21-4a08-8085-0D8F6BAB44B3}.tmp	7-zip archive data, version 0.4	FC7F71794E714D9608121DB50AF63079	785398E86542783EAA2BA103AE084C27595CB53E	D89C88C203C9BC2641075D1E0D2410F6F649E2AB31130268D75A2FA8392C3665
C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\360Base.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	7E519ACA128E7C13921FF1CE28C6F464	16AEB633BA8BC52C8FEE2187D307B9389A78824E	B4348C968E41541A849FD7EC54A059330157598FC34437C4356875BA76FA4A5D
C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\CrashReport.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	361EE0170374127E396E7AB4D839BDB3	44430877438CA137B0386DE1223349B8E86A3270	BB393EBAE1FD656B019CD086C05FCECE979405C4616989BFDDE6D60044D08B8D
C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\DumpUper.exe	PE32 executable (GUI) Intel 80386, for MS Windows	8D8D5DD4009C92E47D0B22770CFC327B	8C5E00CB63D551019070B5B70B7A422E6DB438DD	4E8351E52CF2493492A66F1B66799B2A65AA8CE27D6275A73773091CBF8A9BE5
C:\Users\user\AppData\Local\Temp\~xm2710.tmp	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	9C226095649E8D58E778EA58221B066D	30EF227A83310427F58BA6BB1F8EB57A7CCF292B	75E3B13C119BD4025F3FBF97B29F31D8E215A8D177EF854994A8BA2CBBAC4F44
C:\Users\user\AppData\Roaming\360Safe\360safe.setup.log	ASCII text, with CRLF, CR line terminators	E68007C594AABA13DBF40EB1537AB10C	6F77476F1B7C93E6FA94C7076639C9BC3AEC3E8C	036C1A7DA2B3CBF295247AA9771E8FB897192CC49723CC8BC68413A3D8DFE4A0

Windows Analysis Report
SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219530070.000000006CD4B000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilenameMiniUI.dll0 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219530070.000000006CD4B000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilenameMiniUI.dllF vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiniUI.dll0 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiniUI.dllF vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: %d/%16VS_VERSION_INFOCommentsCompanyNameFileDescriptionFileVersionInternalNameLegalCopyrightLegalTrademarksOriginalFilenamePrivateBuildProductNameProductVersionSpecialBuild\VarFileInfo\Translation\StringFileInfo\%04x%04x\\StringFileInfo%04hx%04hx%i/%%%u/%%%u vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename360Base.dll0 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDumpUper.exe, vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219344223.000000006CC2F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: l%d/%16VS_VERSION_INFOCommentsCompanyNameFileDescriptionFileVersionInternalNameLegalCopyrightLegalTrademarksOriginalFilenamePrivateBuildProductNameProductVersionSpecialBuild\VarFileInfo\Translation\StringFileInfo\%04x%04x\\StringFileInfo%04hx%04hx%i/%%%u/%%%u vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: %d/%16VS_VERSION_INFOCommentsCompanyNameFileDescriptionFileVersionInternalNameLegalCopyrightLegalTrademarksOriginalFilenamePrivateBuildProductNameProductVersionSpecialBuild\VarFileInfo\Translation\StringFileInfo\%04x%04x\\StringFileInfo%04hx%04hx%i/%%%u/%%%u vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename360Base.dll0 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2001863771.00000000043A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupAssistant.exe8 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiniUI.dll0 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiniUI.dllF vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219662742.000000006CEDB000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219662742.000000006CEDB000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: lTEteCURSORBITMAPICONMENUDIALOGSTRINGFONTDIRFONTACCELERATORRCDATAMESSAGETABLEGROUP_CURSORGROUP_ICONVERSIONDLGINCLUDEPLUGPLAYVXDANICURSORANIICONHTMLMANIFESTChecksum errorefi[]string.txtversion.txt.bmp.icoalign_.debugPRERELEASEPATCHEDPRIVATEBUILDINFOINFERREDSPECIALBUILDVOS_UNKNOWNVOS_DOSVOS_OS216VOS_OS232VOS_NTVOS_WINCEVOS__BASEVOS__WINDOWS16VOS__PM16VOS__PM32VOS__WINDOWS32VFT_UNKNOWNVFT_APPVFT_DLLVFT_DRVVFT_FONTVFT_VXD0x6VFT_STATIC_LIBPRINTERKEYBOARDDISPLAYMOUSESYSTEMINSTALLABLESOUNDCOMMINPUTMETHODVERSIONED_PRINTERVFT2_FONT_RASTERVFT2_FONT_VECTORVFT2_FONT_TRUETYPEFILEVERSION PRODUCTVERSION FileVersionProductVersionFILEFLAGSMASK FILEFLAGS \| VS_FF_FILEOS FILETYPE FILESUBTYPE VFT2_DRV_VS_VERSION_INFOBLOCKVarFileInfoVALUETranslation, StringFileInfo.rsrc_1CERTIFICATECOFF_SYMBOLS.rsrc_winzip_OriginalFilenameFileDescriptionFileVersion vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDumpUper.exe, vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219823872.000000006E432000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenameCrashReport.dll, vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiniUI.dll0 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiniUI.dllF vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7z.dll, vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3218491026.00000000044A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCrashReport.dll, vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCrashReport.dll, vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCrashReport.dll, vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002092871.0000000004250000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupAssistant.exe8 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219416958.000000006CC68000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename360Base.dll0 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219740136.000000006CF2E000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilename7z.dll, vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe	Binary or memory string: OriginalFilenameSetup.exe2 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Windows Analysis Report SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe