Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe

Overview

General Information

Sample name:SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Analysis ID:1417026
MD5:827c2735811297a85b5115cdc701b868
SHA1:0597c01af54d280b883c003cd46df13d861c22bc
SHA256:f7ea997ecb3f1b3d9669ead7539d2b0b7da60ac08279e5bb09aaed20a97efa9d
Tags:exe
Infos:

Detection

Score:26
Range:0 - 100
Whitelisted:false
Confidence:0%

Signatures

Queries disk data (e.g. SMART data)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May use bcdedit to modify the Windows boot settings
PE file contains executable resources (Code or Archives)
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample searches for specific file, try point organization specific fake files to the analysis machine

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeBinary or memory string: -----BEGIN PUBLIC KEY-----
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile created: C:\Users\user\AppData\Roaming\360Safe\360safe.setup.logJump to behavior
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: certificate valid
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\vmagent_new\bin\joblist\255425\out\Release\MiniUI.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp, MiniUI.dll.0.dr
Source: Binary string: C:\vmagent_new\bin\joblist\728886\out\Release_tr\Setup.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: Binary string: e:\build\SetupNew\Release\360SafeAssist.pdb<`B source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2001863771.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002092871.0000000004250000.00000004.00001000.00020000.00000000.sdmp, 360SafeAssist.exe.0.dr
Source: Binary string: C:\vmagent_new\bin\joblist\255425\out\Release\MiniUI.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp, MiniUI.dll.0.dr
Source: Binary string: C:\vmagent_new\bin\joblist\289364\out\Release\CrashReport.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219793928.000000006E428000.00000002.00000001.01000000.0000000A.sdmp, CrashReport.dll.0.dr
Source: Binary string: e:\build\SetupNew\Release\360SafeAssist.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2001863771.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002092871.0000000004250000.00000004.00001000.00020000.00000000.sdmp, 360SafeAssist.exe.0.dr
Source: Binary string: C:\vmagent_new\bin\joblist\743838\out\Release\7z.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219662742.000000006CEDB000.00000002.00000001.01000000.00000008.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr
Source: Binary string: C:\vmagent_new\bin\joblist\146708\out\Release\DumpUper.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr
Source: Binary string: C:\vmagent_new\bin\joblist\146708\out\Release\DumpUper.pdbP source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr
Source: Binary string: C:\vmagent_new\bin\joblist\417673\out\Release\360Base.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219344223.000000006CC2F000.00000002.00000001.01000000.0000000B.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, 360Base.dll.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile opened: C:\Users\userJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: global trafficHTTP traffic detected: GET /wsin/think?ipartner=0&m2=d0976767e6a203af75488f9609371383094a7b7d29b3&mid=59cd53708ed730f0ef42bb01f668d936&rand=104759&timestamp=1711632600&ver=13.0.0.2199&sign=da0c9f29d00aa1f62d1472307f9415f2 HTTP/1.1Host: inf.safe.360.cnAccept: */*Pragma: no-cacheCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /wsin/think?ipartner=0&m2=d0976767e6a203af75488f9609371383094a7b7d29b3&mid=59cd53708ed730f0ef42bb01f668d936&rand=104759&timestamp=1711632600&ver=13.0.0.2199&sign=da0c9f29d00aa1f62d1472307f9415f2 HTTP/1.1Host: inf.safe.360.cnAccept: */*Pragma: no-cacheCache-Control: no-cache
Source: Joe Sandbox ViewIP Address: 171.13.14.66 171.13.14.66
Source: global trafficHTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&status=101&usetime=4013656&zt=2862 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&status=188&usetime=0&zt=3626 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=109&usetime=0&zt=10565 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=147&usetime=0&zt=23680 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=189&usetime=0&zt=23732 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=136&usetime=0&zt=24803 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&status=101&usetime=4013656&zt=2862 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&status=188&usetime=0&zt=3626 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=109&usetime=0&zt=10565 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /wsin/think?ipartner=0&m2=d0976767e6a203af75488f9609371383094a7b7d29b3&mid=59cd53708ed730f0ef42bb01f668d936&rand=104759&timestamp=1711632600&ver=13.0.0.2199&sign=da0c9f29d00aa1f62d1472307f9415f2 HTTP/1.1Host: inf.safe.360.cnAccept: */*Pragma: no-cacheCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /wsin/think?ipartner=0&m2=d0976767e6a203af75488f9609371383094a7b7d29b3&mid=59cd53708ed730f0ef42bb01f668d936&rand=104759&timestamp=1711632600&ver=13.0.0.2199&sign=da0c9f29d00aa1f62d1472307f9415f2 HTTP/1.1Host: inf.safe.360.cnAccept: */*Pragma: no-cacheCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=147&usetime=0&zt=23680 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=189&usetime=0&zt=23732 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=136&usetime=0&zt=24803 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: unknownDNS traffic detected: queries for: s.360.cn
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://bbs.360safe.com/thread-4985800-1-1.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://bbs.360safe.com/thread-4985800-1-1.htmlQ
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.drString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.drString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.drString found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.drString found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.drString found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.drString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.drString found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.drString found in binary or memory: http://crl.globalsign.net/root.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://down.360safe.com/360compkill64.zip
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://down.360safe.com/360compkill64.ziphttp://www.360.cn/jijiuxiang/360sd_download.htmlDeleteUrlCa
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://down.360safe.com/safesetup_2000.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://down.360safe.com/safesetup_2000.exechs
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216969609.00000000009D2000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: http://down.360safe.com/setup.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://down.360safe.com/setup.exePathSOFTWARE
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, MiniUI.dll.0.drString found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe360
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216969609.00000000009D2000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000000.1973850844.00000000009CC000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exeG
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exeGO360
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp, MiniUI.dll.0.drString found in binary or memory: http://down.360safe.com/setup.exexv
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216989427.00000000009D4000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: http://down.360safe.com/setupbeta.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://down.360safe.com/superkiller/superkillerexe_880765522ded7527821ce7448af08018_5.1.64.1181.cab
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://down.360safe.com/superkiller/superkillerexe_880765522ded7527821ce7448af08018_5.1.64.1181.cabh
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://down.360safe.com/superkiller/superkillerexe_ce61817f687d599de13ee9deb1af83e2_5.1.0.1181.cab
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://inf.safe.360.cn/sein/think
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://inf.safe.360.cn/wsin/think
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://inf.safe.360.cn/wsin/thinkhttp://inf.safe.360.cn/sein/thinkx
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://my.360.cn
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://my.360safe.com
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://my.360safe.comuseridconfig
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://ocsp.digicert.com0L
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://ocsp.digicert.com0N
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.drString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.drString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.drString found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.drString found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://s.360.cn/safe/install.html?mid=%s&
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=923&status=%d&mid=%s&ver=%s&usetime=%d&zt=%d&pid=%sehttp://s.
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=923&ver=%s&pid=%s&hips=%d&mid=%s&mid2=%s&w=%I64d&b=%I64d&o=%d
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998954479.0000000001764000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3218840916.0000000005009000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://s.360.cn/safe/setupsperr.htm?mid=%s
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://s.360.cn/safe/setupsperr.htm?mid=%sIsInstallInNetBar&hand=explorer.exe&oldinstalltype=&hips=h
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.drString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.drString found in binary or memory: http://s2.symcb.com0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.drString found in binary or memory: http://safe.crash.browser.360.cn
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.drString found in binary or memory: http://safe.crash.browser.360.cndumpInfoSitecrashInfoSitehomeSiteNCSdomainNameshowtipdlgshowdlguseri
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.drString found in binary or memory: http://sdl.360safe.com/dbghelp_dll.cabpkH-1C
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.drString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1988969412.00000000044BA000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, 360Base.dll.0.drString found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.drString found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.drString found in binary or memory: http://sf.symcb.com/sf.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.drString found in binary or memory: http://sf.symcd.com0&
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, 360Base.dll.0.drString found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.drString found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.drString found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.drString found in binary or memory: http://sv.symcd.com0&
Source: DumpUper.exe.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://update.360safe.com/instcomp.htm?soft=509&status=%d&mid=%s&ver=%s&usetime=%d&zt=%d
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://update.360safe.com/instcomp.htm?soft=509&status=%d&mid=%s&ver=%s&usetime=%d&zt=%d&instver=%sL
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 360SafeAssist.exe.0.dr, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.drString found in binary or memory: http://www.360.cn
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2001863771.00000000043D4000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, 360SafeAssist.exe.0.drString found in binary or memory: http://www.360.cn/
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://www.360.cn/jijiuxiang/360sd_download.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://www.360.cn/privacy/v3/360anquanweishi.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://www.360.cn/userexperienceimprovement.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://www.360.cn/xukexieyi.htmlT
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://www.360.cn4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://www.360.cn;color=rgb(60
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://www.360.cnhttp://www.360safe.com
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://www.360safe.com
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.360safe.com/
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 360Base.dll.0.drString found in binary or memory: http://www.openssl.org/support/faq.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.drString found in binary or memory: http://www.symauth.com/cps0(
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.drString found in binary or memory: http://www.symauth.com/rpa00
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: https://bbs.360.cn/thread-15735708-1-1.html;color=rgb(60
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: https://bbs.360.cn/thread-16079507-1-1.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: https://bbs.360.cn/thread-16079507-1-1.htmlD
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.drString found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.drString found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: https://dl.360safe.com/instbeta.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: https://dl.360safe.com/instbeta.exedk
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: https://hao.360.com
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: https://hao.360.com/
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1996344133.0000000001744000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998954479.0000000001743000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.000000000173D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999310616.0000000001752000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hao.360.com/?installer
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: https://hao.360.com/?installer/https://hao.360.comhttps://http://https://hao.360.com/%s
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hao.360.com/?installerT
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: https://hao.360.com/?safe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: https://hao.360.com/?src=lm&ls=%s
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: https://hao.360.com/?src=lm&ls=%sStart
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1996344133.0000000001744000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998954479.0000000001743000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.000000000173D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999310616.0000000001752000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr, 360Base.dll.0.drString found in binary or memory: https://www.globalsign.com/repository/0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.drString found in binary or memory: https://www.globalsign.com/repository/03
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, CrashReport.dll.0.dr, MiniUI.dll.0.dr, 360Base.dll.0.drString found in binary or memory: https://www.globalsign.com/repository/06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04F8E2AF0_3_04F8E2AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04F8EB1F0_3_04F8EB1F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04F8D70C0_3_04F8D70C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FF60DD0_3_04FF60DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FF44D50_3_04FF44D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FF4A990_3_04FF4A99
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FF6E800_3_04FF6E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FFE87B0_3_04FFE87B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FFF0500_3_04FFF050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FF80240_3_04FF8024
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FF85FD0_3_04FF85FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FFD1FD0_3_04FFD1FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FF63F50_3_04FF63F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FF61E50_3_04FF61E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FFD5BD0_3_04FFD5BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FF65A70_3_04FF65A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FFE5A70_3_04FFE5A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FF477D0_3_04FF477D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FFD3650_3_04FFD365
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FF89180_3_04FF8918
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C0340_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C0340_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C0340_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C0340_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C0340_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C0340_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04698B080_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04698B080_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04698B080_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04698B080_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04698B080_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04698B080_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A9D0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A9D0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A9D0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A9D0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A9D0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A9D0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C0340_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C0340_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C0340_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C0340_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C0340_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C0340_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04698B080_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04698B080_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04698B080_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04698B080_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04698B080_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04698B080_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A9D0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A9D0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A9D0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A9D0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A9D0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A9D0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF5B0_3_0469BF5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A2B40_3_0469A2B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C0340_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C0340_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C0340_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C0340_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C0340_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C0340_3_0469C034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04698B080_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04698B080_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04698B080_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04698B080_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04698B080_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04698B080_3_04698B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A9D0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A9D0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A9D0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A9D0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A9D0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A9D0_3_04699A9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469A3480_3_0469A348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04699A4A0_3_04699A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_046987CD0_3_046987CD
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Resource name: ANIMATION type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Resource name: BASE360 type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Resource name: CRASH type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Resource name: CRASHREPORT type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Resource name: DLL type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 967545 bytes, 1 file, at 0x2c +A "7z.dll", number 1, 57 datablocks, 0x1 compression
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Resource name: DRIVERDLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Resource name: LICENCE type: Microsoft Cabinet archive data, Windows 2000/XP setup, 10696 bytes, 1 file, at 0x2c +A "licence.rtf", number 1, 1 datablock, 0x1 compression
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Resource name: NETUL type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Resource name: OEMDATA type: 7-zip archive data, version 0.3
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Resource name: PRIVACY type: Microsoft Cabinet archive data, Windows 2000/XP setup, 11525 bytes, 1 file, at 0x2c +A "privacy.rtf", number 1, 1 datablock, 0x1 compression
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Resource name: ROOTSUPD type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Resource name: SETUPCONFIG type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Resource name: SKIN type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Resource name: URLPROC type: 7-zip archive data, version 0.4
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Resource name: VIEWER type: Microsoft Cabinet archive data, Windows 2000/XP setup, 749756 bytes, 1 file, at 0x2c "AgreementViewer.exe", number 1, 53 datablocks, 0x1 compression
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Resource name: WSCREG type: 7-zip archive data, version 0.4
Source: 360SafeAssist.exe.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeBinary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219530070.000000006CD4B000.00000002.00000001.01000000.00000009.sdmpBinary or memory string: OriginalFilenameMiniUI.dll0 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219530070.000000006CD4B000.00000002.00000001.01000000.00000009.sdmpBinary or memory string: OriginalFilenameMiniUI.dllF vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F70000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMiniUI.dll0 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F70000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMiniUI.dllF vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: %d/%16VS_VERSION_INFOCommentsCompanyNameFileDescriptionFileVersionInternalNameLegalCopyrightLegalTrademarksOriginalFilenamePrivateBuildProductNameProductVersionSpecialBuild\VarFileInfo\Translation\StringFileInfo\%04x%04x\\StringFileInfo%04hx%04hx%i/%%%u/%%%u vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilename360Base.dll0 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDumpUper.exe, vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219344223.000000006CC2F000.00000002.00000001.01000000.0000000B.sdmpBinary or memory string: l%d/%16VS_VERSION_INFOCommentsCompanyNameFileDescriptionFileVersionInternalNameLegalCopyrightLegalTrademarksOriginalFilenamePrivateBuildProductNameProductVersionSpecialBuild\VarFileInfo\Translation\StringFileInfo\%04x%04x\\StringFileInfo%04hx%04hx%i/%%%u/%%%u vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: %d/%16VS_VERSION_INFOCommentsCompanyNameFileDescriptionFileVersionInternalNameLegalCopyrightLegalTrademarksOriginalFilenamePrivateBuildProductNameProductVersionSpecialBuild\VarFileInfo\Translation\StringFileInfo\%04x%04x\\StringFileInfo%04hx%04hx%i/%%%u/%%%u vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilename360Base.dll0 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2001863771.00000000043A0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSetupAssistant.exe8 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMiniUI.dll0 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMiniUI.dllF vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219662742.000000006CEDB000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219662742.000000006CEDB000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: lTEteCURSORBITMAPICONMENUDIALOGSTRINGFONTDIRFONTACCELERATORRCDATAMESSAGETABLEGROUP_CURSORGROUP_ICONVERSIONDLGINCLUDEPLUGPLAYVXDANICURSORANIICONHTMLMANIFESTChecksum errorefi[]string.txtversion.txt.bmp.icoalign_.debugPRERELEASEPATCHEDPRIVATEBUILDINFOINFERREDSPECIALBUILDVOS_UNKNOWNVOS_DOSVOS_OS216VOS_OS232VOS_NTVOS_WINCEVOS__BASEVOS__WINDOWS16VOS__PM16VOS__PM32VOS__WINDOWS32VFT_UNKNOWNVFT_APPVFT_DLLVFT_DRVVFT_FONTVFT_VXD0x6VFT_STATIC_LIBPRINTERKEYBOARDDISPLAYMOUSESYSTEMINSTALLABLESOUNDCOMMINPUTMETHODVERSIONED_PRINTERVFT2_FONT_RASTERVFT2_FONT_VECTORVFT2_FONT_TRUETYPEFILEVERSION PRODUCTVERSION FileVersionProductVersionFILEFLAGSMASK FILEFLAGS | VS_FF_FILEOS FILETYPE FILESUBTYPE VFT2_DRV_VS_VERSION_INFOBLOCKVarFileInfoVALUETranslation, StringFileInfo.rsrc_1CERTIFICATECOFF_SYMBOLS.rsrc_winzip_OriginalFilenameFileDescriptionFileVersion vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDumpUper.exe, vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219823872.000000006E432000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: OriginalFilenameCrashReport.dll, vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMiniUI.dll0 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMiniUI.dllF vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename7z.dll, vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3218491026.00000000044A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCrashReport.dll, vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCrashReport.dll, vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCrashReport.dll, vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002092871.0000000004250000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSetupAssistant.exe8 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219416958.000000006CC68000.00000002.00000001.01000000.0000000B.sdmpBinary or memory string: OriginalFilename360Base.dll0 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219740136.000000006CF2E000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: OriginalFilename7z.dll, vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeBinary or memory string: OriginalFilenameSetup.exe2 vs SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: amsi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeSection loaded: textshaping.dllJump to behavior
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeBinary string: ZOTAC ZENFASTZENFAS XSTAR XS TAK VASEKY UKINGS TYH TXRUI TURXUN TEKISM TEELKOOUTAISU SS DSUPERSSPSTARSWAYSTARRAM SPCC SHINEDOE SHINEDIS SHINEDISKSAMSWEETREEINNO REEINN RUNENG RAMSTA S QIDAN POWERSSD NETAC SSNETAC SMICROFLA SH MICROFLASH MICROFLAS MERELAIR MAXSUNMACMEMOR LENOVO SLENOVO SLANSHIKUAIKAKINGSTEKKINGSSD_ACSC4MACSC2MACJC2MKINGSPECKINGSHARE KINGSHAR EKING SHAREKING SHAREKING SHA REKINGSANDKINGRICHKINGBANKKINGDINGKINGDIANKDATAJUNSHI INTEIFUNKIFOUNDI-FLASHHY SPEED HY SDEED HISTOR HIGHXGOWE GEIL ZENITHGAMERGALAIRD GALA GAINWARDGLOWAYGLOWA FORSAFASTDISKFASPEE FASPEEDEVTRANEEKOOEAGET SS DDOMONDERLERDRAGONDICABOFITBIOSTAR BIOSTA ASGARD ASINT ASIN APACER ANUCELL GENERIC NCARDHYNIXTECLASTTECLAS KINGFAST COLORFUL COLORFUL SSD NVME ATA KINGSTONPLEXTOR PX-PLEXTO PX-PLEXTO PX-GALAXMICRON MICRON_MLITEONITLITEONSANDISK SANDIS MKNSSDCRUNCOREEDGEPLEXTORMTFDV4-CTM4-CTCRUCIAL ADATA ADATA ADAT PNYAPACERG.SKILLOCZKINGSTONCORSAIRINTELFUJITSUTOSHIB TOSHIBASAMXUNG SAMSUNG1SAMSUN SAMSUNGWDSEAGATESTATA AVD ASDK APPLE HDD ModelASSOCIATORS OF {Win32_DiskPartition.DeviceID='%s'} where ResultClass = Win32_DiskDriveDeviceIDASSOCIATORS OF {Win32_LogicalDisk.DeviceID='%s'} where ResultClass = Win32_DiskPartition:ROOT\CIMV2Index\Device\Harddiskc:Setup\setup_logo_animate.pngHEADBeacon@
Source: classification engineClassification label: sus26.spyw.evad.winEXE@1/26@2/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile created: C:\Program Files (x86)\360Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\instcomp[1].htmJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeMutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 4268
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeMutant created: \Sessions\1\BaseNamedObjects\Q360MonMutex
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeMutant created: \Sessions\1\BaseNamedObjects\Q360SafeSetup
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile created: C:\Users\user\AppData\Local\Temp\{925474AB-9BD3-47b4-BA43-AB6BFD29DB7E}.tmp\Jump to behavior
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: "Exe" File="deepscan\zhudongfangyu.exe" Param="/Install" WaitForExit="true" /> <Item Type="SimpleDll" File="deepscan\bapi.dll
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: itForExit="true" /> <Item Type="Exe" File="softmgr\EaInstHelper64.exe" Param="/Install" WaitForExit="true" /> <Item Type
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: \PopWndTracker.exe" Param="/query" WaitForExit="false" /> <Item Type="Exe" File="softmgr\EaInstHelper.exe" Param="/Install" W
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: _LOCAL_MACHINE" SubKey="SOFTWARE\360Safe\stat" > <Item Name="SetupType" Type="DWORD" Value="0" /> </KeyInfo> </Install
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: Register/Install
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: http://s.360.cn/safe/install.html?mid=%s&
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: /install
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: /install
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: /INSTALLER=
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: /reinstall
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: Cmodules\360vulsetup.exemobilemgr\SoftUpdateM.dllSoftware\360Safe\safemonsafemon\safemon.dll360MicroExamin.exesafemon\MicroExamin.tpiFixRegSrvOnInstallRegister dll mobilemgr\SoftUpdateM.dll/install /installSelfProtectAPI2avp.exeSOFTWARE\KasperskyLab\SetupFoldersinsttimepid_InstalledPartnerName_bkipartner_sh_refreshipartnerregisttimebidPartnerNamePrePartner360se360SD360Safebox360SEAntiSectionrepairicondirInstLogUtilsupdatesweepersafemonnetmonmodulesLiveUpdateLogLiveUpdate360skinipcfirstaiddeepscanconfigantiarplinksSOFTWARE\Microsoft\Windows\CurrentVersion\Run\360DisabledSoftware\360Safe\scanTipDisable
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: QD\360UCenter.dll\360MobileAssistant_theme.ui\sites.dll\AdvToolsEx.dll\360ExamineEx.dll\360Safe.exe\360Protect.dll\newui\360SafeNew.xml\newui\themes\default\default_theme.ui\360ExamineUIEx.dll\newui\themes\default\theme.xml\ExamineUIConfig.xml\ExaminePluginEx.xmlSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exePathsafemon\360tray.exe /disablesp %d /loadrulesp %dsafemon\param.inisafemon\360procmon.dll\\.\360SelfProtection<!--360skin ver="\updatecfg.ini/reinstallSoftware\Microsoft\Windows\CurrentVersion\360JJXSoftware\Microsoft\Windows\CurrentVersion\360Clear360tray.exeSYSTEM\CurrentControlSet\Control\Session ManagerDisableAutorunmodify %s time failver="Copy From %s to %s Failed Error Code = %dMove File '%s' failed, replace until rebootMove File '%s' to temp dirDelete File '%s' failedFile '%s' exist
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: QD\360UCenter.dll\360MobileAssistant_theme.ui\sites.dll\AdvToolsEx.dll\360ExamineEx.dll\360Safe.exe\360Protect.dll\newui\360SafeNew.xml\newui\themes\default\default_theme.ui\360ExamineUIEx.dll\newui\themes\default\theme.xml\ExamineUIConfig.xml\ExaminePluginEx.xmlSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exePathsafemon\360tray.exe /disablesp %d /loadrulesp %dsafemon\param.inisafemon\360procmon.dll\\.\360SelfProtection<!--360skin ver="\updatecfg.ini/reinstallSoftware\Microsoft\Windows\CurrentVersion\360JJXSoftware\Microsoft\Windows\CurrentVersion\360Clear360tray.exeSYSTEM\CurrentControlSet\Control\Session ManagerDisableAutorunmodify %s time failver="Copy From %s to %s Failed Error Code = %dMove File '%s' failed, replace until rebootMove File '%s' to temp dirDelete File '%s' failedFile '%s' exist
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exePathsafemon\360tray.exe /disablesp %d /loadrulesp %dsafemon\param.inisafemon\360procmon.dll\\.\360SelfProtectionANIMATION360FsFltsafemon\360Tray.exe.local360Safe.exe.localsafemon\360Tray.exe.Manifest
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: R%%%2xsp exist16.0.0.015.0.0.0%s\safemon\FreeSaaS.tpi%s\360leakfixer.exe/silent=3 /id=%s /p=0NULL\360Safe%d\360safeNon-existent ProcessSETUPCONFIG&s1=%d&s0=%d&pid=&OAV=%d&PPID0=&PPID1=http://s.360.cn/safe/setupsperr.htm?mid=%sIsInstallInNetBar&hand=explorer.exe&oldinstalltype=&hips=http://s.360.cn/safe/install.html?mid=%s&video\info.iniend.pngstart.pnganimation.wmvSKIN
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: "KUnrecognized content encoding type. libcurl understands %s content encodings.chunked\/LoadLibraryExAkernel320123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ(nil)(nil)I64I32.%ld$@%ld0123456789schannel
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: Q360SafeMonClass360TRAY.EXESOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exePathsafemon\360tray.exe /disablesp %d /loadrulesp %dsafemon\param.inisafemon\360procmon.dll\\.\360SelfProtection
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: TargetDir%d.%d.%d.%dExeSimpleDllExtendDllWM_CLOSEWM_QUITWM_ANTIARPEXITDWORDString%02xZwQuerySystemInformationengchtchsuninstbackupSetup/MainNameTitleUninstallTitleProductVersionRebootFlagNameMutexNameMinimizeSpaceDefaultSkinIsBetaSetup/FileListListSetup/UninstallRootDirFileListFileSetup/PluginSetup/RegisterSetup/NotPEFileVersion9.5.0.1001Setup/RegAppPathHKEYSubKeyValueSetup/ApplicationMainAppVersionBaseFileSetup/DefaultPathRootDirForceCreateFolderCanChange1.0.0.1001safemon\360tray.exeSetup/CloseAllPrograms/ProgramWindowClassMessageWPARAMLPARAMTimeoutQ360SafeMonClassSetup/RebootReplaceFile/FileExitIfCopyFailRegister/InstallRegister/Uninstalli18n\i18n.iniLanguageMainQIBeginSOFTWARE\360Safe360\360Safe\
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeString found in binary or memory: lN.?AVCAppModuleEx@@/S/SMARTSILENCE/FORCESTART/FORCECOVER/360EntAdminJoin/INSTVER=/D=/PID=/NOREBOOT=/NOTRAY=/NOENTCLIENT=/SAFENOSTART=/INSTALLER=/NOTIFYWND=/NotJoinUE/NotJoinCloudSafe/CREATEDSS/DEBUGFILE=/LOGFILE=/DISABLE=/SETHOMEPAGE=/NOZF/LM=/NOPOP/NoSoftMgrDesktopLnk/NoSafeDesktopLnk/NotLockIEEdge360/NotLockOther360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeWindow detected: Number of UI elements: 12
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: certificate valid
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic file information: File size 99314064 > 1048576
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x78b600
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: More than 200 imports for KERNEL32.dll
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\vmagent_new\bin\joblist\255425\out\Release\MiniUI.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp, MiniUI.dll.0.dr
Source: Binary string: C:\vmagent_new\bin\joblist\728886\out\Release_tr\Setup.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
Source: Binary string: e:\build\SetupNew\Release\360SafeAssist.pdb<`B source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2001863771.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002092871.0000000004250000.00000004.00001000.00020000.00000000.sdmp, 360SafeAssist.exe.0.dr
Source: Binary string: C:\vmagent_new\bin\joblist\255425\out\Release\MiniUI.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp, MiniUI.dll.0.dr
Source: Binary string: C:\vmagent_new\bin\joblist\289364\out\Release\CrashReport.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219793928.000000006E428000.00000002.00000001.01000000.0000000A.sdmp, CrashReport.dll.0.dr
Source: Binary string: e:\build\SetupNew\Release\360SafeAssist.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2001863771.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002092871.0000000004250000.00000004.00001000.00020000.00000000.sdmp, 360SafeAssist.exe.0.dr
Source: Binary string: C:\vmagent_new\bin\joblist\743838\out\Release\7z.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219662742.000000006CEDB000.00000002.00000001.01000000.00000008.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990099902.0000000001783000.00000004.00000020.00020000.00000000.sdmp, 7z.dll.0.dr, {6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp.0.dr
Source: Binary string: C:\vmagent_new\bin\joblist\146708\out\Release\DumpUper.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr
Source: Binary string: C:\vmagent_new\bin\joblist\146708\out\Release\DumpUper.pdbP source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.dr
Source: Binary string: C:\vmagent_new\bin\joblist\417673\out\Release\360Base.pdb source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219344223.000000006CC2F000.00000002.00000001.01000000.0000000B.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, 360Base.dll.0.dr
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04F95426 push cs; iretd 0_3_04F953FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04F90A02 push edi; retf 0_3_04F90A15
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04F955D6 push ebx; ret 0_3_04F955D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04F90167 push eax; retf 0_3_04F90168
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04F95324 push cs; iretd 0_3_04F953FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04F91F1E push E01004CFh; iretd 0_3_04F91F29
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FF0CF5 push edi; retf 0_3_04FF1013
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FF22DD push ebp; retf 0_3_04FF249B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FFD4A5 push ebp; retf 0_3_04FFD4CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FFA49F push cs; retf 0_3_04FFA613
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FF249D pushad ; retf 0_3_04FF2543
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FFD47D push ebp; retf 0_3_04FFD4CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_04FFD1D5 push cs; retf 0_3_04FFD1FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF0A pushfd ; ret 0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF0A pushfd ; ret 0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF0A pushfd ; ret 0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF0A pushfd ; ret 0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF0A pushfd ; ret 0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF0A pushfd ; ret 0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF0A pushfd ; ret 0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BF0A pushfd ; ret 0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C7C8 push eax; iretd 0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C7C8 push eax; iretd 0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C7C8 push eax; iretd 0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C7C8 push eax; iretd 0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C7C8 push eax; iretd 0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C7C8 push eax; iretd 0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C7C8 push eax; iretd 0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469C7C8 push eax; iretd 0_3_0469C7CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BDCB pushfd ; ret 0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeCode function: 0_3_0469BDCB pushfd ; ret 0_3_0469BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile created: C:\Users\user\AppData\Local\Temp\{EE053F58-EF8C-43c4-A3D9-1E4B2965E691}.tmp\7z.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile created: C:\Users\user\AppData\Local\Temp\{64B7E796-9F86-408b-9BE8-85DF5E630C37}.tmp\360SafeAssist.exeJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile created: C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\360Base.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile created: C:\Users\user\AppData\Local\Temp\{6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmpJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile created: C:\Users\user\AppData\Local\Temp\{DBA7F686-6D1C-4a46-82CF-0AD83670E845}.tmp\MiniUI.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile created: C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\CrashReport.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile created: C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\DumpUper.exeJump to dropped file
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeBinary or memory string: Setuphttps://hao.360.com/?src=lm&ls=%sStart SetHomePage/set flightsigning on/set {bootmgr} flightsigning onbcdedit.exeSysnativeBcdeditEnd CheckHomePageForOldVerStart CheckHomePageForOldVerEnd ClearOldSkinStart ClearOldSkinEnd SetLowConfigurationPCFlagStart SetLowConfigurationPCFlagSetupOffline_H
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile created: C:\Users\user\AppData\Roaming\360Safe\360safe.setup.logJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : ASSOCIATORS OF {Win32_DiskPartition.DeviceID=&apos;Disk #0, Partition #1&apos;} where ResultClass = Win32_DiskDrive
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_DiskDriveToDiskPartition where Dependent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : ASSOCIATORS OF {Win32_DiskPartition.DeviceID=&apos;Disk #0, Partition #1&apos;} where ResultClass = Win32_DiskDrive
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_DiskDriveToDiskPartition where Dependent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : ASSOCIATORS OF {Win32_LogicalDisk.DeviceID=&apos;C:&apos;} where ResultClass = Win32_DiskPartition
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_LogicalDiskToPartition where Dependent=&quot;Win32_LogicalDisk.DeviceID=\&quot;C:\&quot;&quot;
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : ASSOCIATORS OF {Win32_LogicalDisk.DeviceID=&apos;C:&apos;} where ResultClass = Win32_DiskPartition
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_LogicalDiskToPartition where Dependent=&quot;Win32_LogicalDisk.DeviceID=\&quot;C:\&quot;&quot;
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001 name: DriverDescJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{EE053F58-EF8C-43c4-A3D9-1E4B2965E691}.tmp\7z.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{64B7E796-9F86-408b-9BE8-85DF5E630C37}.tmp\360SafeAssist.exeJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\360Base.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmpJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{DBA7F686-6D1C-4a46-82CF-0AD83670E845}.tmp\MiniUI.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\CrashReport.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\DumpUper.exeJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile opened: PhysicalDrive0Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile opened: C:\Users\userJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.0000000001790000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeBinary or memory string: vVIRTUAL SCSIVIRTUAL HDVIRTUAL DISKISCSIRED HAT VIRTIORAMDISKRAM-DISKRAM DISKRAID ARRAYRAID10RAID5RAID1XENSRC XEN VMWAREVBOX HARDDISKQEMU HARDDISKPROMISE 1+0MSFT VIRTUALMICROSOFTMARVELL RAIDLSILOGICLSI MR92LSI MEGALENOVO_RAIDINTEL RAIDIBM SERVERAIDDELL PERCAMD-RAID ARRAYADAPTECRAID0SOFTWARE\360Safe\softmgr\dioraidRAIDIM2S313BR240G BR128G BR120G BR60G 256GB 256GB 256G 256G 240GB 128GB 128GB 128G 128G 120GB 120G
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.0000000001762000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1996499917.0000000001774000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999106553.0000000001772000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1996594697.0000000001776000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999226653.0000000001776000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998954479.0000000001764000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.0000000001790000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{baefc400-1cb2-6d19-d2b5-4ac4ae014b83}"6000C292B65879FF477A6AF604113F58VMware Virtual diskVMwareVirtual disk6000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.0000000001790000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1996344133.0000000001744000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998954479.0000000001743000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.000000000173D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWndow Class
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeProcess token adjusted: DebugJump to behavior
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmpBinary or memory string: lShell_traywnd
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Shell_traywnd
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000000.1973823276.0000000000996000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216885883.0000000000996000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: http://down.360safe.com/360compkill64.ziphttp://www.360.cn/jijiuxiang/360sd_download.htmlDeleteUrlCacheEntryWURLDownloadToFileWurlmon.dll\system32\urlmon.dll.zipSuperKiller.exe//////PromptCP\360SuperKiller\SuperKiller.ini\\\SuperKiller.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeBinary or memory string: SuperKiller.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeBinary or memory string: \safemon\360tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3218840916.000000000501F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 360HOTFIX.EXE
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeBinary or memory string: \360Safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeBinary or memory string: 360TRAY.EXE
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000096712.0000000004FED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000739918.000000000501C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000650780.0000000004FFE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000134647.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000055003.0000000004FE0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3218840916.000000000501F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 360SAFE.EXE
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeBinary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360Safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmpBinary or memory string: lIsBetaVersion360ver.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000000.1973823276.0000000000996000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216885883.0000000000996000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: 360sd\Safemon\SelfProtectAPI2.dll360sd\Safemon\360Procmon.dll360sd\Safemon\360tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeBinary or memory string: \SuperKiller.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeBinary or memory string: firstaid\superkiller.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000096712.0000000004FED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000723983.0000000004FF5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000134647.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000055003.0000000004FE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &safemon\360Tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeBinary or memory string: Software\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeBinary or memory string: avp.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999226653.0000000001790000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000180337.00000000017B0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999412645.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.0000000001790000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999106553.0000000001790000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 360safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3218258565.00000000036F7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999226653.0000000001790000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2000180337.00000000017B0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999412645.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999106553.0000000001790000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 360Safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, MiniUI.dll.0.drBinary or memory string: IsBetaVersion360ver.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeBinary or memory string: 360tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000000.1973823276.0000000000996000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216885883.0000000000996000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\Run360Safetray"%s" /startsafemon\360Tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.drBinary or memory string: A%I64dPathSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe\firstaid\SuperKiller.exefirstaid\SuperKiller.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000000.1973823276.0000000000996000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216885883.0000000000996000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: 360safeUtils\360MedalWall.dllSoftware\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeBinary or memory string: 360Tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeBinary or memory string: safemon\360tray.exe
Source: SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3218491026.00000000044A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: safemon\360Tray.exe

Stealing of Sensitive Information

barindex
Queries disk data (e.g. SMART data)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeDevice IO: \Device\Harddisk0\DR0Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exeDevice IO: \Device\Harddisk0\DR0Jump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Windows Management Instrumentation		1
Bootkit		1
Process Injection		2
Masquerading		OS Credential Dumping231
Security Software Discovery		Remote Services11
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts2
Command and Scripting Interpreter		1
DLL Side-Loading		1
DLL Side-Loading		12
Virtualization/Sandbox Evasion		LSASS Memory12
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Process Injection		Security Account Manager2
Process Discovery		SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Obfuscated Files or Information		NTDS2
File and Directory Discovery		Distributed Component Object ModelInput Capture12
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Bootkit		LSA Secrets212
System Information Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe9%ReversingLabs

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\Temp\{64B7E796-9F86-408b-9BE8-85DF5E630C37}.tmp\360SafeAssist.exe0%ReversingLabs
C:\Users\user\AppData\Local\Temp\{64B7E796-9F86-408b-9BE8-85DF5E630C37}.tmp\360SafeAssist.exe0%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\{6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\{6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp0%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\{DBA7F686-6D1C-4a46-82CF-0AD83670E845}.tmp\MiniUI.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\{DBA7F686-6D1C-4a46-82CF-0AD83670E845}.tmp\MiniUI.dll0%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\{EE053F58-EF8C-43c4-A3D9-1E4B2965E691}.tmp\7z.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\{EE053F58-EF8C-43c4-A3D9-1E4B2965E691}.tmp\7z.dll0%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\360Base.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\360Base.dll0%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\CrashReport.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\CrashReport.dll0%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\DumpUper.exe0%ReversingLabs
C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\DumpUper.exe0%VirustotalBrowse

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://ocsp.thawte.com00%URL Reputationsafe
http://www.360.cnhttp://www.360safe.com0%Avira URL Cloudsafe
http://www.360.cn;color=rgb(600%Avira URL Cloudsafe
http://safe.crash.browser.360.cndumpInfoSitecrashInfoSitehomeSiteNCSdomainNameshowtipdlgshowdlguseri0%Avira URL Cloudsafe
http://www.360.cn40%Avira URL Cloudsafe
http://my.360safe.comuseridconfig0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
s.360.cn
171.13.14.66
truefalse
    		high
    inf.safe.360.cn
    		180.163.237.185
    		truefalse
      		high

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      http://s.360.cn/safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=109&usetime=0&zt=10565false
        		high
        http://s.360.cn/safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&status=101&usetime=4013656&zt=2862false
          		high
          http://s.360.cn/safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=189&usetime=0&zt=23732false
            		high
            http://s.360.cn/safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=147&usetime=0&zt=23680false
              		high
              http://s.360.cn/safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&status=188&usetime=0&zt=3626false
                		high
                http://s.360.cn/safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=136&usetime=0&zt=24803false
                  		high
                  http://inf.safe.360.cn/wsin/think?ipartner=0&m2=d0976767e6a203af75488f9609371383094a7b7d29b3&mid=59cd53708ed730f0ef42bb01f668d936&rand=104759&timestamp=1711632600&ver=13.0.0.2199&sign=da0c9f29d00aa1f62d1472307f9415f2false
                    		high

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    https://hao.360.com/?installerSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1996344133.0000000001744000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998954479.0000000001743000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.000000000173D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1999310616.0000000001752000.00000004.00000020.00020000.00000000.sdmpfalse
                      		high
                      http://down.360safe.com/setup.exeSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216969609.00000000009D2000.00000004.00000001.01000000.00000003.sdmpfalse
                        		high
                        https://hao.360.com/?src=lm&ls=%sStartSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                          		high
                          http://s.360.cn/safe/install.html?mid=%s&SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                            		high
                            http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exeGSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216969609.00000000009D2000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000000.1973850844.00000000009CC000.00000008.00000001.01000000.00000003.sdmpfalse
                              		high
                              http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exeSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, MiniUI.dll.0.drfalse
                                		high
                                http://inf.safe.360.cn/wsin/thinkhttp://inf.safe.360.cn/sein/thinkxSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                  		high
                                  http://update.360safe.com/instcomp.htm?soft=509&status=%d&mid=%s&ver=%s&usetime=%d&zt=%dSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                    		high
                                    http://www.360.cn4SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://safe.crash.browser.360.cndumpInfoSitecrashInfoSitehomeSiteNCSdomainNameshowtipdlgshowdlguseriSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.drfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://hao.360.comSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                      		high
                                      http://www.360.cn/SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2001863771.00000000043D4000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, 360SafeAssist.exe.0.drfalse
                                        		high
                                        http://www.360.cn;color=rgb(60SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                        • Avira URL Cloud: safe
                                        		low
                                        http://down.360safe.com/safesetup_2000.exechsSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                          		high
                                          http://www.360.cn/jijiuxiang/360sd_download.htmlSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                            		high
                                            http://down.360safe.com/360compkill64.ziphttp://www.360.cn/jijiuxiang/360sd_download.htmlDeleteUrlCaSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                              		high
                                              http://down.360safe.com/360compkill64.zipSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                		high
                                                https://curl.haxx.se/docs/http-cookies.htmlSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                  		high
                                                  http://www.openssl.org/support/faq.html360Base.dll.0.drfalse
                                                    		high
                                                    https://hao.360.com/?installer/https://hao.360.comhttps://http://https://hao.360.com/%sSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                      		high
                                                      http://down.360safe.com/superkiller/superkillerexe_ce61817f687d599de13ee9deb1af83e2_5.1.0.1181.cabSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                        		high
                                                        http://my.360safe.comuseridconfigSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        http://crl.thawte.com/ThawteTimestampingCA.crl0SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.drfalse
                                                          		high
                                                          http://down.360safe.com/safesetup_2000.exeSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                            		high
                                                            http://bbs.360safe.com/thread-4985800-1-1.htmlQSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                              		high
                                                              http://www.360safe.com/SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://bbs.360.cn/thread-16079507-1-1.htmlDSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                  		high
                                                                  http://update.360safe.com/instcomp.htm?soft=509&status=%d&mid=%s&ver=%s&usetime=%d&zt=%d&instver=%sLSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                    		high
                                                                    https://dl.360safe.com/instbeta.exeSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                      		high
                                                                      http://bbs.360safe.com/thread-4985800-1-1.htmlSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                        		high
                                                                        http://www.360.cnhttp://www.360safe.comSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        http://down.360safe.com/superkiller/superkillerexe_880765522ded7527821ce7448af08018_5.1.64.1181.cabhSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                          		high
                                                                          http://s.360.cn/safe/instcomp.htm?soft=923&ver=%s&pid=%s&hips=%d&mid=%s&mid2=%s&w=%I64d&b=%I64d&o=%dSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                            		high
                                                                            http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe360SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                              		high
                                                                              https://dl.360safe.com/instbeta.exedkSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                                		high
                                                                                http://my.360.cnSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                                  		high
                                                                                  http://s.360.cn/safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef4SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1998954479.0000000001764000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3218840916.0000000005009000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    http://down.360safe.com/setupbeta.exeSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3216989427.00000000009D4000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                      		high
                                                                                      http://sdl.360safe.com/dbghelp_dll.cabpkH-1CSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.drfalse
                                                                                        		high
                                                                                        http://www.360safe.comSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                                          		high
                                                                                          http://ocsp.thawte.com0SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.drfalse
                                                                                          • URL Reputation: safe
                                                                                          		unknown
                                                                                          http://my.360safe.comSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                                            		high
                                                                                            http://down.360safe.com/setup.exexvSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3219491883.000000006CD1C000.00000002.00000001.01000000.00000009.sdmp, MiniUI.dll.0.drfalse
                                                                                              		high
                                                                                              https://bbs.360.cn/thread-15735708-1-1.html;color=rgb(60SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                                                		high
                                                                                                http://safe.crash.browser.360.cnSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, DumpUper.exe.0.drfalse
                                                                                                  		high
                                                                                                  https://hao.360.com/?installerTSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000002.3217783008.00000000016DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    http://www.360.cn/privacy/v3/360anquanweishi.htmlSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                                                      		high
                                                                                                      http://www.symauth.com/cps0(SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.drfalse
                                                                                                        		high
                                                                                                        http://s.360.cn/safe/instcomp.htm?soft=923&status=%d&mid=%s&ver=%s&usetime=%d&zt=%d&pid=%sehttp://s.SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                                                          		high
                                                                                                          https://hao.360.com/?safeSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                                                            		high
                                                                                                            http://down.360safe.com/setup.exePathSOFTWARESecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                                                              		high
                                                                                                              http://s.360.cn/safe/setupsperr.htm?mid=%sSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                                                                		high
                                                                                                                https://bbs.360.cn/thread-16079507-1-1.htmlSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                                                                  		high
                                                                                                                  https://hao.360.com/?src=lm&ls=%sSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                                                                    		high
                                                                                                                    http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exeGO360SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                                                                      		high
                                                                                                                      http://www.symauth.com/rpa00SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2003548573.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007689626.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1990959804.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2005095652.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2007151306.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002687939.0000000004250000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.2002565980.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 00000000.00000003.1991228166.0000000005178000.00000004.00001000.00020000.00000000.sdmp, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.drfalse
                                                                                                                        		high
                                                                                                                        http://inf.safe.360.cn/wsin/thinkSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                                                                          		high
                                                                                                                          http://down.360safe.com/superkiller/superkillerexe_880765522ded7527821ce7448af08018_5.1.64.1181.cabSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                                                                            		high
                                                                                                                            http://www.360.cn/xukexieyi.htmlTSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                                                                              		high
                                                                                                                              https://hao.360.com/SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                                                                                		high
                                                                                                                                http://www.360.cnSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, 360SafeAssist.exe.0.dr, CrashReport.dll.0.dr, MiniUI.dll.0.dr, DumpUper.exe.0.dr, 360Base.dll.0.drfalse
                                                                                                                                  		high
                                                                                                                                  http://inf.safe.360.cn/sein/thinkSecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exefalse
                                                                                                                                    		high

                                                                                                                                    World Map of Contacted IPs

                                                                                                                                    • No. of IPs < 25%
                                                                                                                                    • 25% < No. of IPs < 50%
                                                                                                                                    • 50% < No. of IPs < 75%
                                                                                                                                    • 75% < No. of IPs

                                                                                                                                    Public IPs

                                                                                                                                    IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                    180.163.237.185
                                                                                                                                    		inf.safe.360.cnChina
                                                                                                                                    		4812CHINANET-SH-APChinaTelecomGroupCNfalse
                                                                                                                                    171.13.14.66
                                                                                                                                    		s.360.cnChina
                                                                                                                                    		4134CHINANET-BACKBONENo31Jin-rongStreetCNfalse

                                                                                                                                    General Information

                                                                                                                                    Joe Sandbox version:40.0.0 Tourmaline
                                                                                                                                    Analysis ID:1417026
                                                                                                                                    Start date and time:2024-03-28 14:29:12 +01:00
                                                                                                                                    Joe Sandbox product:CloudBasic
                                                                                                                                    Overall analysis duration:0h 7m 52s
                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                    Report type:full
                                                                                                                                    Cookbook file name:default.jbs
                                                                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                    Number of analysed new started processes analysed:5
                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                    Number of injected processes analysed:0
                                                                                                                                    Technologies:
                                                                                                                                    • HCA enabled
                                                                                                                                    • EGA enabled
                                                                                                                                    • AMSI enabled
                                                                                                                                    Analysis Mode:default
                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                    Sample name:SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                    Detection:SUS
                                                                                                                                    Classification:sus26.spyw.evad.winEXE@1/26@2/2
                                                                                                                                    EGA Information:Failed
                                                                                                                                    HCA Information:
                                                                                                                                    • Successful, ratio: 100%
                                                                                                                                    • Number of executed functions: 0
                                                                                                                                    • Number of non-executed functions: 28
                                                                                                                                    Cookbook Comments:
                                                                                                                                    • Found application associated with file extension: .exe

                                                                                                                                    Warnings

                                                                                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                    • Execution Graph export aborted for target SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe, PID 4268 because there are no executed function
                                                                                                                                    • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                    Simulations

                                                                                                                                    Behavior and APIs

                                                                                                                                    No simulations

                                                                                                                                    Joe Sandbox View / Context

                                                                                                                                    IPs

                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                    180.163.237.185_____NCM______2_10042231.exeGet hashmaliciousUnknownBrowse
                                                                                                                                      171.13.14.66SecuriteInfo.com.Trojan.Click2.57467.3204.14689.exeGet hashmaliciousUnknownBrowse
                                                                                                                                      • s.360.cn/dt/s.htm?pid=h_home&fun=inst&act=1000&res=2&mid=08bcc5cf9e3fc589107741a5e999ecfa&ver=2.6.0.1110&r1=0&r2=18192

                                                                                                                                      Domains

                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                      s.360.cnhttp://mylovelybluesky.comGet hashmaliciousUnknownBrowse
                                                                                                                                      • 171.8.167.89
                                                                                                                                      SecuriteInfo.com.Trojan.Click2.57467.3204.14689.exeGet hashmaliciousUnknownBrowse
                                                                                                                                      • 171.8.167.89
                                                                                                                                      SecuriteInfo.com.Trojan.Click2.57467.3204.14689.exeGet hashmaliciousUnknownBrowse
                                                                                                                                      • 171.13.14.66
                                                                                                                                      _____NCM______2_10042231.exeGet hashmaliciousUnknownBrowse
                                                                                                                                      • 180.163.251.230
                                                                                                                                      _____NCM______2_10042231.exeGet hashmaliciousUnknownBrowse
                                                                                                                                      • 180.163.251.230
                                                                                                                                      http://www.gourmethousemacau.com/Get hashmaliciousUnknownBrowse
                                                                                                                                      • 171.8.167.89
                                                                                                                                      http://china.cnGet hashmaliciousUnknownBrowse
                                                                                                                                      • 101.198.2.147
                                                                                                                                      Inst7__9510085.exeGet hashmaliciousUnknownBrowse
                                                                                                                                      • 180.163.251.231
                                                                                                                                      A1FsbRkm5m.exeGet hashmaliciousUnknownBrowse
                                                                                                                                      • 171.8.167.89
                                                                                                                                      inf.safe.360.cn_____NCM______2_10042231.exeGet hashmaliciousUnknownBrowse
                                                                                                                                      • 180.163.237.185
                                                                                                                                      _____NCM______2_10042231.exeGet hashmaliciousUnknownBrowse
                                                                                                                                      • 180.163.237.185

                                                                                                                                      ASNs

                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                      CHINANET-BACKBONENo31Jin-rongStreetCNVJy4TgKlVo.elfGet hashmaliciousMiraiBrowse
                                                                                                                                      • 125.116.72.76
                                                                                                                                      https://colourlyrics.com/fe/KtHc5ruvtRkZFoArrtthaJsvCmg3Rb7X4JToP666Ry87hz3e3rFuRJGAPKBcoBZjAZJZK4pouqXoieozb8x97ijrpxmdxNfsxaBCR2nGFdZnrhtCVLagarbeJ5bjm2rcgeCmZPnkCo2NqoSFB3o6MQGet hashmaliciousUnknownBrowse
                                                                                                                                      • 63.140.38.138
                                                                                                                                      AhbJkpk3Z8.elfGet hashmaliciousUnknownBrowse
                                                                                                                                      • 116.253.134.224
                                                                                                                                      dysrvPhMb0.elfGet hashmaliciousMiraiBrowse
                                                                                                                                      • 27.187.226.210
                                                                                                                                      66yaYNheLa.elfGet hashmaliciousUnknownBrowse
                                                                                                                                      • 49.91.83.194
                                                                                                                                      trxCo4P1wV.elfGet hashmaliciousMiraiBrowse
                                                                                                                                      • 49.112.11.26
                                                                                                                                      XCSBsTmkde.elfGet hashmaliciousMiraiBrowse
                                                                                                                                      • 115.219.202.5
                                                                                                                                      CGlwOBF2cH.elfGet hashmaliciousUnknownBrowse
                                                                                                                                      • 183.154.11.149
                                                                                                                                      lYMzLERz9v.elfGet hashmaliciousUnknownBrowse
                                                                                                                                      • 114.135.188.234
                                                                                                                                      CrucialUKScan(1).exeGet hashmaliciousUnknownBrowse
                                                                                                                                      • 63.140.39.93
                                                                                                                                      CHINANET-SH-APChinaTelecomGroupCNAhbJkpk3Z8.elfGet hashmaliciousUnknownBrowse
                                                                                                                                      • 180.152.101.141
                                                                                                                                      trxCo4P1wV.elfGet hashmaliciousMiraiBrowse
                                                                                                                                      • 180.164.82.64
                                                                                                                                      https://www.scff.org.cnGet hashmaliciousUnknownBrowse
                                                                                                                                      • 114.80.156.7
                                                                                                                                      Whj7PiS4fK.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                      • 222.70.57.50
                                                                                                                                      https://eki.co.jp-longin.qvpo8e.cn/IP:Get hashmaliciousUnknownBrowse
                                                                                                                                      • 61.170.77.227
                                                                                                                                      https://n1h8wf.cn/IP:Get hashmaliciousUnknownBrowse
                                                                                                                                      • 61.170.79.237
                                                                                                                                      bfpRfi6WQB.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                      • 58.38.62.236
                                                                                                                                      https://221d.cn/IP:Get hashmaliciousUnknownBrowse
                                                                                                                                      • 114.80.179.239
                                                                                                                                      Skz3Za2u6i.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                      • 101.83.126.42
                                                                                                                                      IDTVfeIKcu.elfGet hashmaliciousUnknownBrowse
                                                                                                                                      • 114.28.76.131

                                                                                                                                      JA3 Fingerprints

                                                                                                                                      No context

                                                                                                                                      Dropped Files

                                                                                                                                      No context

                                                                                                                                      Created / dropped Files

                                                                                                                                      C:\Program Files (x86)\360\360Safe\{17063755-E69A-41ad-B548-5A4EB6574E6F}.tf

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):38
                                                                                                                                      Entropy (8bit):2.8608058619849506
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:mlWd8GRTl:SWdzv
                                                                                                                                      MD5:55198F0D4788ACBD9BD5D7025FA8D8EE
                                                                                                                                      SHA1:0B8B67161171C090DAB209682E1D97721EF046D8
                                                                                                                                      SHA-256:86FDF515180ACA40503B79D2448A34E7797871941383C8DE3B9E88BE0154B5C9
                                                                                                                                      SHA-512:B335927A51ABBC1A2F07FE3EEADC563568AB9B934AECE6B2C214E6B2BF2FC67CA97A4665084A6BE09A5931154997023942031823A1CCC570CF32380622D1AFBA
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:{.1.7.0.6.3.7.5.5.-.E.6.9.A.-.4.1.a.d.

                                                                                                                                      C:\Program Files (x86)\360\360Safe\{EF88AA5B-3AA1-466c-98B7-FB3A03CDE56D}.tf

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):38
                                                                                                                                      Entropy (8bit):2.7555427040902134
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:FAR+abDHGl:k+abal
                                                                                                                                      MD5:AB1EA1AC19814F0CE9BAEF895354FCB3
                                                                                                                                      SHA1:1AE487688CD841BDA0E5C32B671A2C40C4B2179B
                                                                                                                                      SHA-256:AD92B8ED482C5A95DC0F3F4B7AB347EA202C820A3B289B114F7C6D2683DD844B
                                                                                                                                      SHA-512:F31DCDDC112A812EA2D2E5E80E367611040A35A1A6B9BF8FC6231B1F3FE87E0D73FAAFCE7F6551023AC0322DF719F731F0527CEA7470091203B5517228CA3FB4
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:{.E.F.8.8.A.A.5.B.-.3.A.A.1.-.4.6.6.c.

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{051B87EE-6ED6-4d2d-987B-51E827DD9B4E}.tmp

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:7-zip archive data, version 0.4
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):348828
                                                                                                                                      Entropy (8bit):7.999460385457861
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:6144:Oqthr+U96oCAOiWKfJFPS18SAHY0ZhL8tPP/n7x8h3FUjUNdkXbP:Xp9TDO+RY1TAHY0/IH/7C9FUjUNdkT
                                                                                                                                      MD5:368CE7995A1B4F5B72C233DFE39D9AF1
                                                                                                                                      SHA1:FDC459645F4968D791E080CEC2BDCD988EAE04C0
                                                                                                                                      SHA-256:D9EA41041FAFC8E464FE3AD408EF062D3448E7CA4CD3A77CFCEF18C83A61032A
                                                                                                                                      SHA-512:46E19AEE7EDC5EE4B9E84835418831A198F3839648EBECE2BC4DFD73A39A7EF174B976292C4C657716A0E74527FD1014F760B8708BDD204A602A9E9E5C77EAEA
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:7z..'........Q......................].&..p.........../D.|.......`1...~ a{R..T...[..qN.U..t...f..X..Oy..kM<...2[J.O....MD.E1.5.B;....."..?t4x..Z...;.l.1i$z'.C.{....{.g...j.).._.r..le..........p...tb..*I.....8.g...F.I....+~..q..K.\....S..`q...?..._.........j...N....w...M...Hd..........)..O1?.<+.......v......7..7C.e..3..;.?.2l.nt..E...,B.E....jT/....L...u:K.1..._l2......^.Q..|zJS.K.....n..S..^(^.).&....#(|.`7...{OJ...V.i.A*..'*..`hq..b.K5........|.L....yV)L@.F...d.l:y<.X.h.....3ONC.....i.."...l.!...uK.....2..c....1......z..J......c.G&L.U.D.3...FG.G.W.AT...ff....F..q..U..+.....FIxP..........jm....Y.E./G.~..?..D..jR.6X.......g......cZU...n.c...........]4..8Xj..A...l..^cH..8...SL...@.g.BW.vK,O..x...[.............0-!.......J....Dj..?F'...ue.JK#...m.../...m6.KS........h..t.X..Ez......q84....#.....x....#|'l.Y.0&s.V..#6.K.......,.E...f{..b.E..Q<.......&...t..#....`.ftGQO .g..:\.t.6....W.B@...T.dj.E.k..-zg~\cLX..8...WOH.l\.L.~Mm+....h..6..}....R-

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{2CFC86D2-B0FA-4e6e-98B3-DFB8DFD9FFA0}.tmp

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:7-zip archive data, version 0.4
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):152724
                                                                                                                                      Entropy (8bit):7.9988999195780695
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:3072:PlND0BurPvd4YJabAd5JFB+MvcTnLGWjgWEQc9iOwgdDk+X0syarUmoB9EdG:dNDOubaMFn2wczrmQ+9DD0parLkKG
                                                                                                                                      MD5:C5F7D2DD13EA358F3D12BE23E73C0FF8
                                                                                                                                      SHA1:59FF001F89BE4B8D37D28E493D1E62D10B9A1480
                                                                                                                                      SHA-256:24D356D828A467571376EE53A63E8EBB249200B157698339D85417FB3232393F
                                                                                                                                      SHA-512:F677F7567BDC3371911C4CB18F7CEB4B0DE01BB52C49E7F2B784AC92C14D558FE3683990E55190FC12A763EEBD4406CA30F0DBD6C5FB1DCB1860277AB79D69C4
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:7z..'.....@.QT......#.......Y;.Q....]....D.....%..k.I...d.4.;tK.....f.*........$3\.A.igyd...*..w`2.gE..".U....,(.?..&......$?.+...|:.<...%..h.|......^...)..J.G%.l.L..I.gR.....w.@7..&i,..N~...q9..*~f....K.<\.;&.n..M.d..a....++..R;.Cl3..g.|.....PM.".&!....EHc..2pa..t;.mIU.lz.....u2Yj4k..=.`b.n.'........HP..9#+j2..{xf.).b..G.P.c.Q.(A.|$..`...+.A...ve$...4...r...x.......".j.S=.h...z.....xe.....K3 ..wz].+..V............sD.I.U!.<I.bTB!7.,z.sF4.m.ky...HF..X..9.._. ..ec .............d..fd.w.D;1.j..Z..-(.-%3$.U(...W....#....P.s.K.#1.D....G...ry.9mlY.K...;.J|...(.[3.w....-*c..'d.~..M6...)....@'.......\ph.....'.C..~.5.~.S>h.g.wc...X.....{_...........p....,v.O."v.G.O!.M..b:...EZ(QZt.t3.{Y....*.t....?..g.v.S).....r).l....+..:e..6<5..x..jW.X.J)n.>.....7...hY....._...[.xR6[.....x"..Z9.]}Q.....OE.F.#.....T.....*..,..........F.+ V_...L4TQ|4.8.w$H.O...5..,......R./.k.i....m...]#..S.e.B.....].!;..r.*wy.....H..b..c..en,.hZ....._&O.8H.12M.....a.....R...s</.

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{5B8C0D48-69CE-4729-9E6B-5FBACFFEC52C}.tmp\defaultskin.ui

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):206235
                                                                                                                                      Entropy (8bit):7.834586619924811
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:CS+zC15jkRjCzcFijcQLdElmF7v2rM55wPVuELi08IwnQfIpsE:CSXvA1qcFizElmFj55VdnQu
                                                                                                                                      MD5:F544BE4BCA61DCFF43B0B33F7A4749A9
                                                                                                                                      SHA1:3795EE596E1E35F2F640734CC627E25FA0FBA537
                                                                                                                                      SHA-256:03885F6B4D986C33227C1796119DBA82EC43854B3A863F7A3892B9D6913AD083
                                                                                                                                      SHA-512:67899D5CB2C5389E79E00745376F54E55445838118B0FC2BE6B6A3C0B0439C4F5D962D84EC559F02CEA1B89CCDAC737318A0EF46FB4D59C608B420630521DCBC
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:PK........<.vV................Common/PK........<.vV).S.............Common/button_bg.png.PNG........IHDR...`... ......`......PLTE.............x....T...(....YIDATX.....0.E.8........`..)...Y..2.....~.O.&j.J./>].-.^.p.r.....................g..v.v]Sw..K.J....IEND.B`.PK........<.vVP.:L...L.......Common/button_middle.png.PNG........IHDR.............h..Y...uPLTE...................................................................................................................+..@....tRNS.aaaaaa5..a..Rj-...#.......rIDATX....r.0.@.@.6..I ..B.....A.^p./.;..."..3.fj.-;..f..7r.U4}z..3.....K...E*n.......{]....."~......ip/...2...6..-4..........NP..?.-..B.-8........5xj.I$<.`..0......hm...t7.7...vx.A......=td.@.-x.C..'....0B...:4x.l........g..._.M.C...L....(V....OxG.wP....+d...w.....TB...w.&48Q......,7-.`~.d.a?B..je.k%....H.B4.......r.." .>.2wZg...*z.|!...6..SyO#N..Y....._ .'.....IEND.B`.PK........<.vV...T...T.......Common/button_orange.png.PNG........IHDR....... .....c/\....]P

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{5B8C0D48-69CE-4729-9E6B-5FBACFFEC52C}.tmp\miniui.xml

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (549), with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4012
                                                                                                                                      Entropy (8bit):3.727263927351284
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:uqaDiDjTHCID5438Scc0LoSd8jVcRuwScd6deAYRgPaHh8:8uLJrLo7VSk
                                                                                                                                      MD5:AF1CD79EF667FB3CD3B5CC49337BD89D
                                                                                                                                      SHA1:63DC8F9BB045C663C47ED095A83FE9DE62D41E43
                                                                                                                                      SHA-256:0678544ADB8067160D76BFFE15A80CDE62885B1C58A557A21525A79917B3CDAE
                                                                                                                                      SHA-512:8C6ACB109E78444DA76F3523C9C08DDB885F8CD67EDB773E700DA0F586273DE6866B83C5A9F30884C24564CACF50DDA67DAE5C678718113D2A253461E134BBC6
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.M.i.n.i.U.I...C.o.n.f.i.g.>..... . .<.D.e.f.a.u.l.t. .R.e.s.P.a.t.h.=.".C.o.m.m.o.n.". .M.s.g.I.c.o.n.I.n.f.o.m.a.t.i.o.n.=.".m.s.g.b.o.x._.i.c.o.n.i.n.f.o...p.n.g.". .M.s.g.I.c.o.n.W.a.r.n.i.n.g.=.".m.s.g.b.o.x._.i.c.o.n.i.n.f.o...p.n.g.". .X.p.F.o.n.t.=."..[SO". .S.k.i.n.N.a.m.e.=.".....v..". .D.e.f.F.o.n.t.=."..[SO". .r.s.s.V.i.e.w.S.h.a.d.e.C.o.l.F.r.o.m.=.".R.G.B.(.2.5.5.,.2.5.5.,.2.5.5.).". .r.s.s.V.i.e.w.S.h.a.d.e.C.o.l.T.o.=.".R.G.B.(.2.3.8.,.2.4.6.,.2.4.9.).". .r.s.s.V.i.e.w.S.h.a.d.e.C.o.l.H.e.i.g.h.t.=.".5.0.". .B.a.c.k.g.o.u.n.d.P.n.g.=.".".>.<./.D.e.f.a.u.l.t.>..... . .<.D.Y.N.A.M.I.C.T.I.T.L.E.B.A.R. .S.y.s.M.e.n.u.B.i.t.m.a.p.=.".3.6.0.S.a.f.e.-.1.6.n.e.w...p.n.g.". .F.o.n.t.I.D.=.".N.o.r.m.a.l.B.o.l.d.". .H.o.v.e.r.T.e.x.t.C.o.l.o.r.=.".0.x.f.f.f.7.e.c.". .C.l.o.s.e.B.u.t.t.o.n.=.".s.y.s._.b.u.t.t.o.n._.c.l.o.s.e._.u.n.i.n.s.t.a.l.l...p.n.g.". .T.e.x.t.C.o.l.o.r.=.".0.x.f.f.f.7.e.c.".

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{64B7E796-9F86-408b-9BE8-85DF5E630C37}.tmp\360SafeAssist.exe

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):220760
                                                                                                                                      Entropy (8bit):6.800164950764757
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:aE03/aXRtj71+Ph42X7VniE6PZ8Ldt4GV5YKDr5Hm8Bdh3LYOBzNQ:js/ar1OT7AmLj4GV+0mEh31NQ
                                                                                                                                      MD5:2E1C7C69BEA7A3A0022ADC6A966395CA
                                                                                                                                      SHA1:1D750D40EA40A44192F1AF0A7734119E1C49A34F
                                                                                                                                      SHA-256:B9D6E08A1D75F3B5A86CE0D68CC57556CCEC9EEFDDEA0588DA36DB4BBFAB6B0E
                                                                                                                                      SHA-512:FF42C3A5587D88864F7692715019733E8E24DE0F28C0643D5B952408C4700D7927A0833AE4FEDD284FDD8EDEB425450980F9DCB21C9FBF7C4D811636A5D3E51C
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........a.{..`(..`(..`(.x.(..`(.x.(..`(.R.(..`(...(..`(...(..`(..a(..`(.x.(..`(.R.(..`(.x.(..`(Rich..`(................PE..L.....<S.....................l......".............@.................................]L....@.................................L9......................B.......`......................................p...@...............,............................text............................... ..`.rdata..bp.......r..................@..@.data....F...`...(...F..............@....rsrc...............n..............@..@.reloc..>....`...0..................@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{6DB16085-FD3D-42ad-BB1A-F0BFDECF0508}.tmp

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1863912
                                                                                                                                      Entropy (8bit):6.6716719438287955
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:LwwwwscL5d2ymw4p1ss3fcAjvSBYRwRKaY/I6aU96Jlgmg5oJCaImiWpRwf9nHTQ:t9Uymw4p1BUK1wRKaY/I5U96Jl9CaIm/
                                                                                                                                      MD5:EA47D98DD9CB1772A409C11B818A9A02
                                                                                                                                      SHA1:02A952F3AA72A61A113C9D7EBAE18DA86E2CC500
                                                                                                                                      SHA-256:F9E81781A3484A6732B03B3A22A0388DB03B4311BE2874ABBEE276BD9E82C854
                                                                                                                                      SHA-512:CBDEDBAFC598D75FB4B854DB4BFB376363C801DCA4BD7D8C79DF784CB5402F48A8AAA64899AD4D75F2D40A6625DB37D2A5CBC8FBC3696D7CEAC6C938FBD31788
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......>.h.z.._z.._z.._.9._v.._.9._..._.9._b.._(..^Y.._(..^k.._(..^l.._s._{.._s._q.._z.._..._...^U.._...^|.._...^{.._..._{.._z.._{.._...^{.._Richz.._................PE..L......d...........!................=.....................................................@.....................................x....................D..P,......8....)..T...........................h)..@...............0............................text...o........................... ..`.rdata..8L.......N..................@..@.data............B..................@....rsrc................&..............@..@.reloc..8............0..............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{6FD37900-E9BF-45df-85D3-FB776C2A71DA}.tmp

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 967545 bytes, 1 file, at 0x2c +A "7z.dll", number 1, 57 datablocks, 0x1 compression
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):967545
                                                                                                                                      Entropy (8bit):7.998580225352397
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:24576:Uoej+CaxwGSDWScQ/R2R2/ieUMqbAmvxYTf34GKvgyl:UoeaCaxTGR2qiJMqMmg4Dl
                                                                                                                                      MD5:B3F9C1C9CDA9D36BC599BD8D6A16E4C2
                                                                                                                                      SHA1:F90A4C9CB453CC8F974475E42A91877C04F5C314
                                                                                                                                      SHA-256:CF444E2605008DA8AF04D57532A8FE9288B0CDE548545A13C680A46177889184
                                                                                                                                      SHA-512:353761B4D4B601EF3A474B5F0203634AFC3D4BB4793724769E529141802EC8CA4F3A7822A51AE7186B9C15F2920016F089AC72F1AD5DE67F4381C51C7D7787CE
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:MSCF....y.......,...................C...9....p.........VDY .7z.dll..f..\J..CK..xT.(.g.N2..=.."D....P.:iK..L....DH"b.l.R*....A.f0+..b{.#.x....s..j..t~0....x! .....0%.....k.........<..........w..W.........?..&N.........M...T.I...[..].7......?.~|....?..=..=i......i...,.~...O.2y^..G6...UrU..[.`.V..s.u.....<3?.+....G.T..<k....{...`.T.........W..5|&W..._c......w..?...o......q+tI....H.us..RuSM.....X..]i.g...3....z.K..I<9.......\.kd.hO...l.'@...Y.3...\.a.._.....c....4.g.7.[...j....S.3..u..=O>............._....9n..A.{.<_.1....{.V.k?.9.9...=....._]S.}H......g...|..P..4.n.g.M....l.....7.3.v..a........@...^.T7.6r..=.q...g.bk.e1<....\....Y.......7...V.B+[...XY....w.....)..}.D..M1s.M.......w...~...m...(.~...!U..H..Va..NH-.T.)H=..W0.mL}.)+..uA..L.9.........@jC..g..}i........w@9.....So..R.`*....`j.S'0.0...1..n...]L..H..S.'A._1.'.R.1...c....E.P2...y.c.#...0....aj..H=..CfH.c.`&..1%.C*..q'.r0...H}.a?.Rwc..S....J......>../.......zf...z.S..0q..:.y..

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{79304762-3434-49ff-84E1-FF1F273C851E}.tmp

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:7-zip archive data, version 0.4
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):69701
                                                                                                                                      Entropy (8bit):7.99693973542884
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:1536:dzA6K409wdNw5Syu9v5Ft4kYfv4wsX6TtMfPzWCS:+wdqcJ9vXt4kmv4NX6s7y
                                                                                                                                      MD5:6596B3D802F58EE173DD32D16F3AA534
                                                                                                                                      SHA1:E734B2E3A30F55110F3C4D0CEE5C5EAFC7E21CF8
                                                                                                                                      SHA-256:E1774AECC3F8CB6AEBA1B18E2B63774E17F5497EBDBF6A89917C40594155054D
                                                                                                                                      SHA-512:4D4492D8EEF3826B6F53196A9C48B8B325533BF81BC8F395000ABF30B5059C583A995E9DE2CD2AAAD5A2FFA4A5DD2C7A54B06256ECABD8C986633CB5037FDA2E
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:7z..'......{........j.......5aS......].&..p.........../D.N..iO...T..w{...]..s...R..}.;W.^..HN.g..2.3......t..#Ft.4..2.5.....3.v...".=.P.;.\..$. .[!me.....K.#...u.G)..[..."...M...........c.N..z.....;.4i.cE.Z!w.`...T. .t.....O...y......1./]!..9.+..OZ.q....n..h.%..J..Y...$.+..D.N...U5.....TB.;.B(.HO.GR.",...8j.8.z>~0....|L.>..`.KE4.d.)c.....>&....~....s`...z.W....5.u....(....svY..H..h%%._..z*.<.,T..,A......'..q-....l[.d.v."z..4A. /..nG0.Q.e.[..:..R.L.]....KT...S.E...A...sq..B\.Ts...On.....=.kl.._.q..8..."...4E.@.J2.{..e....=c....&..a.)..{.'<.c..'...Jf..T..s.s....=.]..=......%...3.G....|...9.CD....$......Sm..rvGA..f.....qB.s.t......l...3A....;...76`.p.l...E...V./..5.......G|.l..<...Pp.U..O......?^.W...p...=..^(................Xo.I..A.0.B...H.....^...T....(+.\.....".D....M..&........k.5l`....p..?..,.o.!co......fz3.7..yaB/.2..?.8......H.q>f....n.........+.C....%...%..m.t&......!5.#`..a....3.9..f.....#k.+#.{...]...B6EtW4*.xs.t.t..(.....p.eQ.

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{AA962B91-6711-4ed4-BEF7-C8BE525ACBE1}.tmp\360safe.setup

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):6162
                                                                                                                                      Entropy (8bit):4.07978943241522
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:9/lzuwltPRVW6fykOMBg1pMghgHRdfqkEADY5b4YC4LtNv+6JGQQGvJU6Irtg5hv:5j9ykOQcXlLp3M30JV6tHSpJ/j
                                                                                                                                      MD5:3188514E4EFC2AC2168639B59C3E4997
                                                                                                                                      SHA1:A9549BE5893AFB892B45568044AC4BB70BEE1B1D
                                                                                                                                      SHA-256:674B421AEA7D8FCF5B09A26FD9BEB248FA28A44C3A05DDA78926B3E1F08EAB47
                                                                                                                                      SHA-512:1309D6C8C80A0AEFEFA009F2938C9D895669F57486E707EBB44B86F67A7196F47EC1791B4EFCDDE574300D55901454ADFFDE0434EB947C756939FED4EBED9B4E
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.>..... . .<.M.a.i.n. .N.a.m.e.=.".3.6.0..[hQkS.X". .P.r.o.d.u.c.t.V.e.r.s.i.o.n.=.".1.3...0...0...2.0.0.6.". .V.e.r.s.i.o.n.=.".1.3...0...0...2.1.9.9.". .E.x.e.c.u.t.a.b.l.e.=.".s.e.t.u.p...e.x.e.". .T.i.t.l.e.=.".3.6.0..[hQkS.X .%.V.E.R.%..[.". .U.n.i.n.s.t.a.l.l.T.i.t.l.e.=.".3.6.0..[hQkS.X .%.V.E.R.%.xS}.". .M.i.n.i.m.i.z.e.S.p.a.c.e.=.".2.4.0.". .R.e.b.o.o.t.F.l.a.g.N.a.m.e.=.".{.3.6.0.1.2.2.F.F.-.1.3.C.3.-.3.f.3.0.-.A.1.7.7.-.3.B.9.C.A.9.B.F.7.B.3.3.}.". .M.u.t.e.x.N.a.m.e.=.".Q.3.6.0.S.a.f.e.S.e.t.u.p.". .I.s.B.e.t.a.=.".1.". .D.e.f.a.u.l.t.S.k.i.n.=.".d.e.f.a.u.l.t.s.k.i.n."./.>..... . .<.A.p.p.l.i.c.a.t.i.o.n. .M.a.i.n.A.p.p.=.".3.6.0.s.a.f.e...e.x.e.". .V.e.r.s.i.o.n.B.a.s.e.F.i.l.e.=.".3.6.0.v.e.r...d.l.l."./.>..... . .<.R.e.g.A.p.p.P.a.t.h. .H.K.E.Y.=.".H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.". .S.u.b.K.e.y.=.".S.O.F.T.W.A.R.E.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.C.u.r.r.e.n.t.V.e.

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{AA962B91-6711-4ed4-BEF7-C8BE525ACBE1}.tmp\Plugin.xml

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12918
                                                                                                                                      Entropy (8bit):3.533306822644217
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:Yr01Oyv0HGEETZJADr/WUxAAcxc7Yz2iB:YaNSG
                                                                                                                                      MD5:F4096BDE26A010AD6B2092F57BEA4296
                                                                                                                                      SHA1:16B1C5781A5D2B9C8D3AE9B951A2D7E0B1EC5926
                                                                                                                                      SHA-256:06691747DA62AB0A1DB54C109EA85E345407AA0B3AA32A57EA40F29CE26BB875
                                                                                                                                      SHA-512:0FC6E71F4C8C9CC9FB517E90FB8D8C2F10D4268472A67E0EBE8009CD31EBE2A2382939E945CADB598FC9486A2A31B9E3B5E636E86496B8A11844E80D3F4E2820
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.P.l.u.g.i.n.>..... . .<.B.e.f.o.r.e.S.e.t.u.p.>..... . .<./.B.e.f.o.r.e.S.e.t.u.p.>..... . .<.A.f.t.e.r.S.e.t.u.p.>..... . . . .<.I.t.e.m. .T.y.p.e.=.".E.x.e.". .F.i.l.e.=.".U.t.i.l.s.\.3.6.0.s.e.c.l.o.g.o.n.\.3.6.0.S.e.c.L.o.g.o.n.H.e.l.p.e.r...e.x.e."./.>..... . . . .<.I.t.e.m. .T.y.p.e.=.".S.i.m.p.l.e.D.l.l.". .F.i.l.e.=.".s.a.f.e.m.o.n.\.D.i.a.g.S.c.a.n.T.i.p.s...t.p.i.". .E.n.t.r.y.=.".T.p.i.I.n.s.t.a.l.l.". ./.>..... . . . .<.I.t.e.m. .T.y.p.e.=.".S.i.m.p.l.e.D.l.l.". .F.i.l.e.=.".S.a.f.e.m.o.n.\.N.e.t.m...t.p.i.". .E.n.t.r.y.=.".D.l.l.R.e.g.i.s.t.e.r.S.e.r.v.e.r.". ./.>..... . . . .<.I.t.e.m. .T.y.p.e.=.".S.i.m.p.l.e.D.l.l.". .F.i.l.e.=.".s.o.f.t.m.g.r.\.3.6.0.S.o.f.t.M.g.r.S...d.l.l.". .E.n.t.r.y.=.".D.l.l.R.e.g.i.s.t.e.r.S.e.r.v.e.r.". ./.>..... . . . .<.I.t.e.m. .T.y.p.e.=.".S.i.m.p.l.e.D.l.l.". .F.i.l.e.=.".n.e.t.m.o.n.\.3.6.0.A.s.k.M.s.g...d.l.l.". .E.n.t.r.y.=.".D.l.l.R.e.g.i.s.t.e.r.S.e.

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{AA962B91-6711-4ed4-BEF7-C8BE525ACBE1}.tmp\Register.xml

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4558
                                                                                                                                      Entropy (8bit):3.5968553600065434
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:y+/4R9zr4RFjr4RtqmVQ5LNrtzr4R+t7uJWg3oMDgVir4RKMQaRkqr4RkwizeV4c:w6c3P7KvY
                                                                                                                                      MD5:4F0C40029890740C6CB55F6FDCC226E2
                                                                                                                                      SHA1:E092DA21B076D433B168D121EFAB344EAA6BB530
                                                                                                                                      SHA-256:018FD1BF992296F70AF5CE69C77E1ACA3CE18544B7CB804E74CC406EA42A56E3
                                                                                                                                      SHA-512:2E4D5860256F6FD5B0C42968EC8A1961E47038D4BFF630FE9B053745CB7E40A836C8C799158D2FF100D2E58DE2E87FCDA5626949E4D8382374A756AD40FA5E6D
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.R.e.g.i.s.t.e.r.>..... . .<.I.n.s.t.a.l.l.>..... . . . .<.K.e.y.I.n.f.o. .H.K.E.Y.=.".H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.". .S.u.b.K.e.y.=.".S.O.F.T.W.A.R.E.\.3.6.0.S.a.f.e.\.K.e.e.p.A.l.i.v.e.\.3.6.0.G.e.n.R.o.a.d.". .>..... . . . . . . . . .<.I.t.e.m. .N.a.m.e.=.".I.m.a.g.e.P.a.t.h.". .T.y.p.e.=.".P.a.t.h.". .F.o.l.d.e.r.=.".T.a.r.g.e.t.D.i.r.". .V.a.l.u.e.=.".U.t.i.l.s.\.3.6.0.G.e.n.R.o.a.d.M.s.g...d.l.l.". ./.>..... . . . .<./.K.e.y.I.n.f.o.>..... . . . .<.K.e.y.I.n.f.o. .H.K.E.Y.=.".H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.". .S.u.b.K.e.y.=.".S.O.F.T.W.A.R.E.\.3.6.0.S.a.f.e.\.3.6.0.M.e.d.a.l.W.a.l.l.".>..... . . . . . . . .<.I.t.e.m. .N.a.m.e.=.".F.i.r.s.t.R.u.n.". .T.y.p.e.=.".D.W.O.R.D.". .V.a.l.u.e.=.".1."./.>..... . . . .<./.K.e.y.I.n.f.o.>..... . . . .<.K.e.y.I.n.f.o. .H.K.E.Y.=.".H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.". .S.u.b.K.e.y.=.".S.O.F.T.W.A.R.E.\.3.6.0.S.a.f.e.\.3.6.0.r.o.s.". .>..... . .

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{AA962B91-6711-4ed4-BEF7-C8BE525ACBE1}.tmp\UninstallRootDirFileList.xml

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12258
                                                                                                                                      Entropy (8bit):3.4109507475965097
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:Qje/1xwTSYUx5yweNMj60K6w9Jw9AxtDBXdZXm8A69wI69wYc11MAGX/MgJlf7bD:RMV9EldVKu1
                                                                                                                                      MD5:3F2FCC037AE18642D1051F4ECD8D4810
                                                                                                                                      SHA1:8F150031EF8E3F7B41D53C0BB46040C762A105E6
                                                                                                                                      SHA-256:67BB2ED2A241E1CEF9D228689559E6B9399194A53F20E215348FE2AFFFDF89B7
                                                                                                                                      SHA-512:23D9B218BBC5627BEFC773926CC481FEE5AFB748F998C13B60134D0A1C1B84B30B989C22AB1058AC6C4E6EE8F16672FA87958F9BFB595BA0C58E80B4D92992C3
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.R.o.o.t.D.i.r.F.i.l.e.s.>..... . .<.D.i.r.>..... . . . .<.I.t.e.m. .N.a.m.e.=.".3.6.0.S.a.f.e.b.o.x.". ./.>..... . . . .<.I.t.e.m. .N.a.m.e.=.".3.6.0.S.D.". ./.>..... . . . .<.I.t.e.m. .N.a.m.e.=.".3.6.0.S.E.". ./.>..... . . . .<.I.t.e.m. .N.a.m.e.=.".a.n.t.i.a.r.p.". ./.>..... . . . .<.I.t.e.m. .N.a.m.e.=.".A.n.t.i.S.e.c.t.i.o.n.". ./.>..... . . . .<.I.t.e.m. .N.a.m.e.=.".c.o.n.f.i.g.". ./.>..... . . . .<.I.t.e.m. .N.a.m.e.=.".d.e.e.p.s.c.a.n.". ./.>..... . . . .<.I.t.e.m. .N.a.m.e.=.".f.i.r.s.t.a.i.d.". ./.>..... . . . .<.I.t.e.m. .N.a.m.e.=.".i.1.8.n.". ./.>..... . . . .<.I.t.e.m. .N.a.m.e.=.".i.p.c.". ./.>..... . . . .<.I.t.e.m. .N.a.m.e.=.".l.i.n.k.s.". ./.>..... . . . .<.I.t.e.m. .N.a.m.e.=.".L.i.v.e.U.p.d.a.t.e.3.6.0.s.k.i.n.". ./.>..... . . . .<.I.t.e.m. .N.a.m.e.=.".L.i.v.e.U.p.d.a.t.e.L.o.g.". ./.>..... . . . .<.I.t.e.m. .N.a.m.e.=.".L.S.P.". ./.>..... . . . .<.I.t.e.m. .N.a.m.e.=.".m.i.p.a.

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{AA962B91-6711-4ed4-BEF7-C8BE525ACBE1}.tmp\filelist.xml

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):371288
                                                                                                                                      Entropy (8bit):3.730585692895992
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:Y1LNtygcfqEx7fCprLkc1IL+FIR7dkC1yM5Ha1eNwbMU345rO9PDs5I9PndOYAFG:kEH0m1ZHMcio668TBpvTHlYnTnEfe6QK
                                                                                                                                      MD5:8EF0358B9901EBFF168DDDFFE1FB703A
                                                                                                                                      SHA1:0B587BD9BB319FFC695F0FBF7E6E91F85FF68C0A
                                                                                                                                      SHA-256:FE664D6739AB93EE3EADE74192A9DE7F4C8624F41632769E07700E9A3E0CAE06
                                                                                                                                      SHA-512:25596F1812E8C326500EB8E51F00BC7A10EAFB1893001D4E0C204364CC5853E260BC82C4B46EA0EA58C8E5D009EB7DB57CD1034B33D1EB004BC177BFD7218D6E
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.F.i.l.e.L.i.s.t.>.......<.F.i.l.e. .N.a.m.e.=.".3.6.0.A.p.p.L.o.a.d.e.r...e.x.e.". .I.s.P.E.=.".t.r.u.e.". .V.e.r.s.i.o.n.=.".7...5...0...1.3.9.0.". .S.i.z.e.=.".4.9.4.8.2.4.". .M.D.5.=.".1.A.6.2.2.0.D.B.A.7.1.3.A.8.E.C.4.3.1.0.1.8.2.8.D.9.D.A.5.F.A.8."./.>.......<.F.i.l.e. .N.a.m.e.=.".3.6.0.B.a.s.e...d.l.l.". .I.s.P.E.=.".t.r.u.e.". .V.e.r.s.i.o.n.=.".1...0...0...1.3.5.0.". .S.i.z.e.=.".1.0.6.1.6.0.8.". .M.D.5.=.".B.1.9.2.F.3.4.D.9.9.4.2.1.D.C.3.2.0.7.F.2.3.2.8.F.F.E.6.2.B.D.0."./.>.......<.F.i.l.e. .N.a.m.e.=.".3.6.0.b.p.s...d.a.t.". .I.s.P.E.=.".f.a.l.s.e.". .V.e.r.s.i.o.n.=.".1...0...0...1.0.5.9.". .S.i.z.e.=.".2.1.8.8.". .M.D.5.=.".6.F.7.E.F.1.C.1.7.7.2.C.1.2.5.9.9.A.D.8.2.6.A.0.4.E.2.5.6.5.6.C."./.>.......<.F.i.l.e. .N.a.m.e.=.".3.6.0.C.o.m.m.o.n...d.l.l.". .I.s.P.E.=.".t.r.u.e.". .V.e.r.s.i.o.n.=.".1.3...0...0...1.0.2.1.". .S.i.z.e.=.".5.2.7.3.2.8.". .M.D.5.=.".2.6.F.C.0.8.E.5.2.D.1.6.4.C.2.9.

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{BF53C6A3-C3C2-45ef-89A2-A714F4D6AEF2}.tmp

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:7-zip archive data, version 0.4
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):372865
                                                                                                                                      Entropy (8bit):7.999430718169134
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:6144:yerU8/t8rmu8b1xgY+rEpdEK0HwZt4f7+JYiG2gtuXeBC8JOnq46TTk9deNdkqQb:yeL/Ju8b1xgfgdEKGwu7+CfnuXW1OnnP
                                                                                                                                      MD5:DEF0D6F2B65334FB612A8C5655C84907
                                                                                                                                      SHA1:FF2D02927E0E76C8B8F038944601E879C8C74915
                                                                                                                                      SHA-256:7158B5FFE6469B219A054C5E5FCCB79C48835E756236E2B5CC265DFFCDE027A0
                                                                                                                                      SHA-512:9B4EE936BD3F30CC4BA47A560C578130857F10686A5AD5EF0699AE07DC61BB5098722E24E68B9A11323A668D2EF95F744E07DB3670E48B8A2512B38A6C111FC3
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:7z..'....)..........b..............].&..p.........../D.N.......'((.P.Bk...,LqyB.U.Z^..h..k...7...U.....c.t...2.`.#,.l.......J.;+..W...`.Cq...?.9..7'.yw}.6.)......<.;...$.Z..I...,6..w.N7R".............U#.^.u..*Mr.Zdq...J.......E.9,....Cd....?.|$Hts........X...cvD......z.sM. zu.g.........8.L..M.F.1V....a.I.vP/.{..h..i./.w..q../.il.y=.._....y..........".;..}Y...+..TL..h.H...../....$-i3.......c=....m..n..a0;.Q.d.b../G.2{....;.O..RM......]K....U.a4S...1.+?%........./..X.6.].pN...8..4.+.....1.X..m7E..FP....r....p.....o..O...}...............Bj.@.9.'..7.R.v.....]s...!&..........w..I...\.K\.;.t.Z=....)..=%....g/..v....WF7q.3.0[..........@od..a1..y.@.I.U.=@..<..\A/..o ..c......K.....'..-~.........6.m.....o".v...!.&...:.....qb-.+N.....]V9.X.}..{.4..I..J)........P6..".i.iI;.._..P.B.p.J..-.=..M....9......q..8.}...C<7...Q......n...u>EfV*.r.v..l&.........Z.4u.c.0.E.-L}zTHs.........T......|H#].#...X..KN!..Td...#?.4..|;.z!T.vS....{..u..z.

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{C495A8A5-4524-4e25-94AD-AD309AF51F49}.tmp

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:7-zip archive data, version 0.4
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):50836
                                                                                                                                      Entropy (8bit):7.9964435126391695
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:1536:9QzQ21i5PGDgALEaidksjJXwYiV1C83N+XJY:9+K5PG1GFwYiV1CGNCY
                                                                                                                                      MD5:499BE8DB3362F9AB849C6996716DCE7E
                                                                                                                                      SHA1:0A383B0356C5E4F8F3B1E05209E3AE5B56ED5CF3
                                                                                                                                      SHA-256:6F30A78E0C9A0A09E835D7FBB8B24E56FAACC2C1446258E8CE3C875CDED3B242
                                                                                                                                      SHA-512:A88D20CC1B83F2D88257EE9AB4A57A5F268E5ADCE33DF83BE82870BBAD71B55F3660C9E14E1649289EBEDDCAC3D2D5C6707AD8768B5C25431B4FE7714A2D3E6C
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:7z..'...[~..P.......$.......|..$.6..p]....D.....%..k.I...d.4.;tK.....f.*........$3\.A.igyd...*..w`2.gE.."....(RK....../U....$L_...eh....S.f.....E.lr7...C...k...M.......7.....A.g.......U%:Lp..3.C......e.E..6.d\- .I...0.L.!.s..8.B.Y1..{...+.[...M ..8.[...>.u.J...V..m...LL...|........J..~.1I9.....0.. ...p.^...V.|M...h.......s_|.....4..G..pq.....+$?..N...*..Z.({..7]...s ..15.....>c...6p....gF.3..Lg.....L=.|..|Xq........l....t....W...M.p|..H.38+q.=y...+....L..?.Q..<..s\....+0...B....v.|8..].oP....._-..... ...|..>..O...D...JK.#.AN..]....!X~v...A..w.....!..{..oH....Z.I.1.{U.7x..>.p.`A.....l..q.MM0...A...H.*..C........[J.g.|pa..Q}.-.4 ..d*...J..;.K.......k._..dX`XP#.....l..:..&..^x.H..wC8...4e....&%..._B...}.ke.Mqjmk.q.....pCM)'sq..V..@.Y..M0m..1.F..^.g.......k#...#$....*.y_.....6....4..K..aV\wR.....P...9.2...Ea.m.-.Rp3.........j..8..,.~.....S.F...9_....n...a..N/....4O^+..B1.._.\..Q^p..A....{..;{...:...K....m.Y.;....S.....f}Xs.PjLUj..].\b

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{DBA7F686-6D1C-4a46-82CF-0AD83670E845}.tmp\MiniUI.dll

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):921160
                                                                                                                                      Entropy (8bit):6.7626587126151065
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24576:nJtdTUbI0Ig/fMiK6hRN/IgOoWtT9nQnap:nJjUbIU/fPHhrIgBWtTFQnap
                                                                                                                                      MD5:5123C3B8ADEB6192D5A6B9DC50C867B1
                                                                                                                                      SHA1:6D142074A21AA50C240CE57CA19A61E104BBDF41
                                                                                                                                      SHA-256:273CE954C8D33ABAAC3A0FD8546719F09718C1D91317ECF5B99181DFFA3FE26A
                                                                                                                                      SHA-512:067305A8F09C480FE4A4C8609638C9A490C4EBE2782BD13C10B380DF14F76D4748EB785F44E7BCB86514718F99D07C3C6A4B43928A294B18020CB0FA589EE2A0
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S...2...2...2..f}M..2...JN..2...JR..2.......2.......2...2..3...`_..2...J_.y2...JX.%2...JI..2...`O..2...JJ..2..Rich.2..........PE..L...h..Z...........!......... ......Q........................................ .......G....@..............................................................7...P..$....................................'..@.......................@....................text............................... ..`.rdata...].......^..................@..@.data...X.... ...X..................@....rsrc................j..............@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{E934DA3F-9812-46cb-9794-5DDE9C05D0D2}.tmp

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:7-zip archive data, version 0.4
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):114950
                                                                                                                                      Entropy (8bit):7.998312739188288
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:1536:MrQmrPaSe7jFeFvZju1j/6yM7BDfYlHx2bJdBS/V1SVgYBJ2J4rRpisvkmqv3Bp8:sL1HWjCF/tdMiCYBICRpAUZKqXv
                                                                                                                                      MD5:B77BEA2A7D9879C2BF649AEAD978B866
                                                                                                                                      SHA1:F809207D12E8AAEC1F7DFC7A02160888E942C9A5
                                                                                                                                      SHA-256:16DF4B0F99165D0441A7129815DE9868117691B84F5898419DA6C5BA78709C8D
                                                                                                                                      SHA-512:EA66349558FBB8B688002098DCF1D573F6CB7AA54D2670305211F948FB3E37EC0EDC062FF831A5E55B053CEED9D08ED244FAD1704697E0296388996E113BFBF4
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:7z..'......|.......j.......W.B...h.%].&..p.........../D.N..iO...T..w{...]..s...R..}.;W.^..HN.g..2.3......t..#Ft.4..2.5....O..e.t..Fe.i.D.S....=.b.....w@P.o.[.J...t..C=...!...'...y.x.......~....) x.Y6a...nX.....)G(.(.F.....xQ..?...z'S)@n.....I.......db=^\.3.].>..b..W.....q%.0.U..u).."7.......k.O....w%N..ng...).%.....T......h*..9(.0{s1..W6.D...+.q......b...,..s'U..^..v)Z.I;.-......#h....~..P.$.....p.w.(.Iw......v.n..+....d...iM..X.~..py.C(.i...9k...j&...`...]N..._..c.....{e..*S..>.Z\6K.....Df..5zj.]..1.%ZR[C.Q....|..R.:..k...H?.@.-.....>.A..&.6G.......*.......9.U.9o.C..|[n.i.Fjy..X4.G.<....z....o.tT.Q.Z.'....N...\.b;d!..w....NYp....}.:6....,z ..hV...h..o..W?.hc..M..Z:. .....GN...x6Bq.9.N.o..Jo.cw...CS...5.7.zx.Vf..i......r.+...K...S..}'.0w......._m.$;v..K.....T...8........L.G..u.'..O.3a.H..AF.T..=.|....^..R>...g2..)>M...+.P.6.v,..f....5.<..p...........E4I..1Q.n.g.D.NI)+T.Z..8q...X.>.;..,......|#....27.8?........CHS.3/).-..M.$....Q..

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{EE053F58-EF8C-43c4-A3D9-1E4B2965E691}.tmp\7z.dll

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1863912
                                                                                                                                      Entropy (8bit):6.6716719438287955
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:LwwwwscL5d2ymw4p1ss3fcAjvSBYRwRKaY/I6aU96Jlgmg5oJCaImiWpRwf9nHTQ:t9Uymw4p1BUK1wRKaY/I5U96Jl9CaIm/
                                                                                                                                      MD5:EA47D98DD9CB1772A409C11B818A9A02
                                                                                                                                      SHA1:02A952F3AA72A61A113C9D7EBAE18DA86E2CC500
                                                                                                                                      SHA-256:F9E81781A3484A6732B03B3A22A0388DB03B4311BE2874ABBEE276BD9E82C854
                                                                                                                                      SHA-512:CBDEDBAFC598D75FB4B854DB4BFB376363C801DCA4BD7D8C79DF784CB5402F48A8AAA64899AD4D75F2D40A6625DB37D2A5CBC8FBC3696D7CEAC6C938FBD31788
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......>.h.z.._z.._z.._.9._v.._.9._..._.9._b.._(..^Y.._(..^k.._(..^l.._s._{.._s._q.._z.._..._...^U.._...^|.._...^{.._..._{.._z.._{.._...^{.._Richz.._................PE..L......d...........!................=.....................................................@.....................................x....................D..P,......8....)..T...........................h)..@...............0............................text...o........................... ..`.rdata..8L.......N..................@..@.data............B..................@....rsrc................&..............@..@.reloc..8............0..............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{F4D58348-6C21-4a08-8085-0D8F6BAB44B3}.tmp

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:7-zip archive data, version 0.4
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):234155
                                                                                                                                      Entropy (8bit):7.999335859660209
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:6144:RrRu6v0Z95axJ5NzDWP/oCtkarFfFll5xWGv4Zi6R:Rrx05atpD2ofaB95x/M
                                                                                                                                      MD5:FC7F71794E714D9608121DB50AF63079
                                                                                                                                      SHA1:785398E86542783EAA2BA103AE084C27595CB53E
                                                                                                                                      SHA-256:D89C88C203C9BC2641075D1E0D2410F6F649E2AB31130268D75A2FA8392C3665
                                                                                                                                      SHA-512:B1AB70921AC1A8D2980AE1D6DE64337B69F8BE5A325A8602093E958ECBD52AD83BF99DDA082F1678665EF2CE64966EC8C4EE8554127CDAE8E72EDACC39BBB503
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:7z..'...q8..).......b.............].&..p.........../D.N..iO...T..w{...]..s...R..}.;W.^..HN.g..2.3......t..#Ft.4..2.5..c......k..p.....#..j...y6OS..5....~q.`.-...v...;..Q)..7...k.4lp.......&=..;J.1.3..B.....h..N..is..W>.X..*.........8.U..v...i.B.1.... ..9hht.y.3..a.).r.}.Q....,=.o.P/D........l6.7.+|.Vj.N.-..d,.ft..OI$.........Cr'/S.N....&...a..m.'...._...E>FB..5.l.c..o..i$`..GaiV}..x^....h. S.....C....#+..7.....{.:......E.J.j..F..+.O..q.S.......|.......G.Z.=...."I.k3..].S....b$.$.A14~....tB...n3.72...(.kYD......sm....#...@./.ej.. ....O...f{..r.....e.'...nS.gMt_Fn?.0..=.#.$..2j...N.....z....h...+<.$.2...p.M..r.w....?.{..1'..cm...........2y...u.4..OmUR1?_.b.}Z....Y....lLD.DW..D.........j...0..[....).L^n....A..........7.......Gf'<..N.....B$._R...Z.6.g.8&.7/lozYFAX.H.zW..\6&.1....../a.............._.d..q.W<S.J}>...\.%..].i.R....=z....A..(.G....c.M...+.}QP./..:...C.O0..p:.ED.6.ul<h.p-.l..C{pzI.m.!V[0Z.5c.5..+.wb)9.6X..R.a...F../.......M.{...I

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\360Base.dll

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):980480
                                                                                                                                      Entropy (8bit):6.7090242568369245
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24576:TQbKp0HCnT7JBd84JY98aojgk27JP4TwGGLTB8l:kqqCfx84OShck27N4TnGLTB8l
                                                                                                                                      MD5:7E519ACA128E7C13921FF1CE28C6F464
                                                                                                                                      SHA1:16AEB633BA8BC52C8FEE2187D307B9389A78824E
                                                                                                                                      SHA-256:B4348C968E41541A849FD7EC54A059330157598FC34437C4356875BA76FA4A5D
                                                                                                                                      SHA-512:7D7B1F3B55721812C9265ACD7005CF1D1709F1003A1C198F8AB2F1ADE5391900559BA12AA274C900415B0D4D0C02441A21498EEE3C712897074834FA83F59934
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                      Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$........Ti..5...5...5..g....5..g...w5..g....5...V...5..]...5..4Q...5..]...5...5...5..]...4..]...5..]...5...M...5...M...5...5..85..C\...5..C\...5..H\...5..H\...5..H\...5...5...5..H\...5..Rich.5..........PE..L.....&^...........!................Mv....................................... ......D.....@.............................`...............................h7...........Y..T...........................XY..@...............(............................text............................... ..`.rdata..T".......$..................@..@.data....Q... ...(..................@....rsrc................*..............@..@.reloc...............0..............@..B................................................................................................................................................................................................................................

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\CrashReport.dll

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):153160
                                                                                                                                      Entropy (8bit):6.506985241053858
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:7CW06YPlpa40p0CLumAtfoJhJcf5Sqw5RD:+7X1Fm4qPv5
                                                                                                                                      MD5:361EE0170374127E396E7AB4D839BDB3
                                                                                                                                      SHA1:44430877438CA137B0386DE1223349B8E86A3270
                                                                                                                                      SHA-256:BB393EBAE1FD656B019CD086C05FCECE979405C4616989BFDDE6D60044D08B8D
                                                                                                                                      SHA-512:617B80214537675A5964F0CBC3D8E5BEC53AFB7CE8C5A7DE18AD4EA9389767294C11407F85C72A08DD400020ED06F37E6898C85BCEA74C06E9D43F84CC4CAAFA
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^.JO.}$..}$..}$..2...}$......}$.....t}$.....(}$.=._..}$..}%..}$......}$......}$../...}$......}$.Rich.}$.........PE..L...!..[...........!.....l..........6........................................p.......)....@.....................................d.... .../...............7...P......0...............................8...@............................................text...Xk.......l.................. ..`.rdata..;D.......F...p..............@..@.data....A..........................@....rsrc..../... ...0..................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                                      C:\Users\user\AppData\Local\Temp\{FCFF958A-AC44-4612-807B-C8AA21571E8A}.tmp\DumpUper.exe

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):635304
                                                                                                                                      Entropy (8bit):6.760403262925791
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:SF59XvVhuu5BP/pjmFtrUiSndjA7V9rYFdN6Af5lHctj0bLCqn6dMTsoaaxCk1:UHhItUiGjAnrAf5Faj0fC+6dMTJaaH
                                                                                                                                      MD5:8D8D5DD4009C92E47D0B22770CFC327B
                                                                                                                                      SHA1:8C5E00CB63D551019070B5B70B7A422E6DB438DD
                                                                                                                                      SHA-256:4E8351E52CF2493492A66F1B66799B2A65AA8CE27D6275A73773091CBF8A9BE5
                                                                                                                                      SHA-512:8CF7F31E61D210B630DBE6FBE2CADBC4ABF400788F55AC304E6E2622F0850B4AFCE1E7E82F834C928CDC5EC2FE3FFEA708ED05A70B06F3BF7F2651CA394EB7A9
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2|.LS..LS..LS......IS..E+..QS..k...MS..k.i.QS..LS..S..E+...S..E+..)S..R...MS..E+..MS..RichLS..................PE..L...)'.X.................N...X......5........`....@..................................j....@.....................................,....P..@............|...5...p...^..pd...............................^..@............`...............................text...VM.......N.................. ..`.rdata......`.......R..............@..@.data...hR.......$..................@....rsrc...@....P......................@..@.reloc..._...p...`..................@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                                      C:\Users\user\AppData\Local\Temp\~xm2710.tmp

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):620
                                                                                                                                      Entropy (8bit):3.981783181981429
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:QF/LXYRWe8H3lUe5Ss+eAHmKDZaW+ANsNrOmqAl+iZPF9OHpeHBkUG:QlL+cVpSve4mKsANmOmLBP3OHpeHOp
                                                                                                                                      MD5:9C226095649E8D58E778EA58221B066D
                                                                                                                                      SHA1:30EF227A83310427F58BA6BB1F8EB57A7CCF292B
                                                                                                                                      SHA-256:75E3B13C119BD4025F3FBF97B29F31D8E215A8D177EF854994A8BA2CBBAC4F44
                                                                                                                                      SHA-512:3E7731F2C65A26ABC6A2704D4DD83443B5A7638CE9BEE74B2A763355EFF645B801F1A32516100FB63CCD988007C72F73E5CE62646E5CAB5906705DB01F985F60
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.C.o.m.p.a.t.i.b.i.l.i.t.y.>..... . .<.I.t.e.m.s.>..... . . . .<.I.t.e.m.>..... . . . . . .<.C.h.e.c.k. .H.K.E.Y.=.".H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.". .S.u.b.K.e.y.=.".S.O.F.T.W.A.R.E.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.C.u.r.r.e.n.t.V.e.r.s.i.o.n.\.A.p.p. .P.a.t.h.s.\.Q.H.S.a.f.e.T.r.a.y...e.x.e.". .V.a.l.u.e.=.".". .E.n.t.r.y.F.i.l.e.=.".". ./.>..... . . . . . .<.M.s.g. .T.e.x.t.=."..].[..VE.Hr.[hQkS.X....HQxS}..T.[.". ./.>..... . . . .<./.I.t.e.m.>. . . ..... . .<./.I.t.e.m.s.>.....<./.C.o.m.p.a.t.i.b.i.l.i.t.y.>.....

                                                                                                                                      C:\Users\user\AppData\Roaming\360Safe\360safe.setup.log

                                                                                                                                      Download File
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):466
                                                                                                                                      Entropy (8bit):5.265101413171959
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:gQjc88qswHI6KDczy4mmDLKOTbWNKjUJIks4tiWe:gQ38lwo/Yzy4mmn1Hgenks4ti/
                                                                                                                                      MD5:E68007C594AABA13DBF40EB1537AB10C
                                                                                                                                      SHA1:6F77476F1B7C93E6FA94C7076639C9BC3AEC3E8C
                                                                                                                                      SHA-256:036C1A7DA2B3CBF295247AA9771E8FB897192CC49723CC8BC68413A3D8DFE4A0
                                                                                                                                      SHA-512:7214AE6180BA30D4299531F9041CF1902744CB1A4A75AD4265DA0B27DC59B3D0AEACF2E1A50FA28040D3DAFE90ED96EE07D98DD76B69F805DBF3AB2011472DB7
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:2024/3/28 14:29:58:168 <start>Initial setup information...2024/3/28 14:29:58:168 Command Line: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe"..2024/3/28 14:29:58:168 SetupTemplate version : 13.0.0.1341 Base Revision 2586855..2024/3/28 14:30:00:433 *IsNewTianQingExist safedir=C:\Program Files (x86)\360\360Safe not exist, out!..2024/3/28 14:30:02:230 allow = 1..2024/3/28 14:30:02:230 FullDir : C:\Program Files (x86)\360\360Safe..

                                                                                                                                      Static File Info

                                                                                                                                      General

                                                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Entropy (8bit):7.997750692629283
                                                                                                                                      TrID:
                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                      File name:SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      File size:99'314'064 bytes
                                                                                                                                      MD5:827c2735811297a85b5115cdc701b868
                                                                                                                                      SHA1:0597c01af54d280b883c003cd46df13d861c22bc
                                                                                                                                      SHA256:f7ea997ecb3f1b3d9669ead7539d2b0b7da60ac08279e5bb09aaed20a97efa9d
                                                                                                                                      SHA512:4be0e9ecde5df53036a1db3523fbb14f781be1b2575db091e5a46474930d3b94786c1964c9c6728192a710532dd6371686a4f3598a56d2b3b2e5c843d1273c2e
                                                                                                                                      SSDEEP:1572864:LPaJRyFcjmUMDt4nVFQuY84u2inv9uVdG1IXHDkPZLDL8wrPyTgrB:09joWVKXTinvQQ1IXeLDL8wrysrB
                                                                                                                                      TLSH:0328333177E2C132F37712386AAC862B4876A83893638DDB92C1599D6F34590DB7DB13
                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........j...j...j.....K.c...c.H.M...t.Y.o...c.W.G...M...b...M...E...j...>...c.Y.....c.^.D...t.I.k...c.L.k...Richj..................

                                                                                                                                      File Icon

                                                                                                                                      Icon Hash:13394d4da84d6117

                                                                                                                                      Static PE Info

                                                                                                                                      General

                                                                                                                                      Entrypoint:0x48425e
                                                                                                                                      Entrypoint Section:.text
                                                                                                                                      Digitally signed:true
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      Subsystem:windows gui
                                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                      Time Stamp:0x6458C7AB [Mon May 8 09:58:03 2023 UTC]
                                                                                                                                      TLS Callbacks:
                                                                                                                                      CLR (.Net) Version:
                                                                                                                                      OS Version Major:5
                                                                                                                                      OS Version Minor:0
                                                                                                                                      File Version Major:5
                                                                                                                                      File Version Minor:0
                                                                                                                                      Subsystem Version Major:5
                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                      Import Hash:f3bc7307a737af2e91a18c2deb1d81cc

                                                                                                                                      Authenticode Signature

                                                                                                                                      Signature Valid:true
                                                                                                                                      Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                                                                                                                                      Signature Validation Error:The operation completed successfully
                                                                                                                                      Error Number:0
                                                                                                                                      Not Before, Not After
                                                                                                                                      • 26/04/2023 05:04:42 26/04/2026 05:04:42
                                                                                                                                      Subject Chain
                                                                                                                                      • CN="Beijing Qihu Technology Co., Ltd.", O="Beijing Qihu Technology Co., Ltd.", STREET=\u671d\u9633\u533a\u9152\u4ed9\u6865\u8def6\u53f7\u96622\u53f7\u697c1\u81f319\u5c42104\u53f7\u51858\u5c42801, L=Beijing, S=Beijing, C=CN, OID.1.3.6.1.4.1.311.60.2.1.2=Beijing, OID.1.3.6.1.4.1.311.60.2.1.3=CN, SERIALNUMBER=911101026662879416, OID.2.5.4.15=Private Organization
                                                                                                                                      Version:3
                                                                                                                                      Thumbprint MD5:ED6447027944D8993775AB533294460C
                                                                                                                                      Thumbprint SHA-1:7913DE9D7ED4EEEE790FF0680A4C802C1BC832AB
                                                                                                                                      Thumbprint SHA-256:24E8DD56E4359351EEF5C22D201FFB991E923343D8DB03398C6DE05656F7EF4C
                                                                                                                                      Serial:295BF86E852653403313837B

                                                                                                                                      Entrypoint Preview

                                                                                                                                      Instruction
                                                                                                                                      call 00007FE44D273DA8h
                                                                                                                                      jmp 00007FE44D262C7Eh
                                                                                                                                      int3
                                                                                                                                      int3
                                                                                                                                      int3
                                                                                                                                      int3
                                                                                                                                      int3
                                                                                                                                      int3
                                                                                                                                      int3
                                                                                                                                      int3
                                                                                                                                      push edi
                                                                                                                                      mov edi, dword ptr [esp+08h]
                                                                                                                                      jmp 00007FE44D262E70h
                                                                                                                                      lea esp, dword ptr [esp+00000000h]
                                                                                                                                      mov edi, edi
                                                                                                                                      mov ecx, dword ptr [esp+04h]
                                                                                                                                      push edi
                                                                                                                                      test ecx, 00000003h
                                                                                                                                      je 00007FE44D262E15h
                                                                                                                                      mov al, byte ptr [ecx]
                                                                                                                                      add ecx, 01h
                                                                                                                                      test al, al
                                                                                                                                      je 00007FE44D262E3Fh
                                                                                                                                      test ecx, 00000003h
                                                                                                                                      jne 00007FE44D262DF1h
                                                                                                                                      mov edi, edi
                                                                                                                                      mov eax, dword ptr [ecx]
                                                                                                                                      mov edx, 7EFEFEFFh
                                                                                                                                      add edx, eax
                                                                                                                                      xor eax, FFFFFFFFh
                                                                                                                                      xor eax, edx
                                                                                                                                      add ecx, 04h
                                                                                                                                      test eax, 81010100h
                                                                                                                                      je 00007FE44D262DEAh
                                                                                                                                      mov eax, dword ptr [ecx-04h]
                                                                                                                                      test al, al
                                                                                                                                      je 00007FE44D262E25h
                                                                                                                                      test ah, ah
                                                                                                                                      je 00007FE44D262E1Ch
                                                                                                                                      test eax, 00FF0000h
                                                                                                                                      je 00007FE44D262E10h
                                                                                                                                      test eax, FF000000h
                                                                                                                                      je 00007FE44D262E04h
                                                                                                                                      jmp 00007FE44D262DCFh
                                                                                                                                      lea edi, dword ptr [ecx-01h]
                                                                                                                                      jmp 00007FE44D262E0Fh
                                                                                                                                      lea edi, dword ptr [ecx-02h]
                                                                                                                                      jmp 00007FE44D262E0Ah
                                                                                                                                      lea edi, dword ptr [ecx-03h]
                                                                                                                                      jmp 00007FE44D262E05h
                                                                                                                                      lea edi, dword ptr [ecx-04h]
                                                                                                                                      mov ecx, dword ptr [esp+0Ch]
                                                                                                                                      test ecx, 00000003h
                                                                                                                                      je 00007FE44D262E1Fh
                                                                                                                                      mov dl, byte ptr [ecx]
                                                                                                                                      add ecx, 01h
                                                                                                                                      test dl, dl
                                                                                                                                      je 00007FE44D262E68h
                                                                                                                                      mov byte ptr [edi], dl
                                                                                                                                      add edi, 01h
                                                                                                                                      test ecx, 00000003h
                                                                                                                                      jne 00007FE44D262DECh
                                                                                                                                      jmp 00007FE44D262E07h
                                                                                                                                      mov dword ptr [edi], edx
                                                                                                                                      add edi, 04h
                                                                                                                                      mov edx, 7EFEFEFFh
                                                                                                                                      mov eax, dword ptr [ecx]
                                                                                                                                      add edx, eax
                                                                                                                                      xor eax, FFFFFFFFh
                                                                                                                                      xor eax, edx
                                                                                                                                      mov edx, dword ptr [ecx]
                                                                                                                                      add ecx, 04h
                                                                                                                                      test eax, 81010100h

                                                                                                                                      Rich Headers

                                                                                                                                      Programming Language:
                                                                                                                                      • [ASM] VS2008 SP1 build 30729
                                                                                                                                      • [C++] VS2008 build 21022
                                                                                                                                      • [ C ] VS2005 build 50727
                                                                                                                                      • [IMP] VS2005 build 50727
                                                                                                                                      • [C++] VS2008 SP1 build 30729
                                                                                                                                      • [ C ] VS2008 SP1 build 30729
                                                                                                                                      • [RES] VS2008 build 21022
                                                                                                                                      • [LNK] VS2008 SP1 build 30729

                                                                                                                                      Data Directories

                                                                                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x108a340x1a4.rdata
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x1200000x78b484.rsrc
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x5eb3d400x2c50
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x8ac0000xb018.reloc
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0xd6a500x1c.rdata
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xfa3b00x40.rdata
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_IAT0xd60000x8f8.rdata
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                      Sections

                                                                                                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                      .text0x10000xd4b9c0xd4c00e02a9308e475b8a222f206d1d08e0d2cFalse0.5577560406874266data6.675439745654445IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                      .rdata0xd60000x35cd00x35e00fa9edbd48bf6150d9763edc8a7e48320False0.3718550609048724data5.183931225112169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                      .data0x10c0000x133600xdc001fba4006df5d6f6eca55863dc11d2fdcFalse0.14495738636363636data2.740818908422849IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                      .rsrc0x1200000x78b4840x78b60066b7c1ce0799841b626ce9f73db75cc1unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                      .reloc0x8ac0000x145140x14600ebe41341ff1567fe02c731092debf094False0.3829802530674847data4.490429464738638IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                      Resources

                                                                                                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                      ANIMATION0x1211bc0x1c1067-zip archive data, version 0.4ChineseChina1.0003479773814703
                                                                                                                                      BASE3600x13d2c40x5b0817-zip archive data, version 0.4ChineseChina1.0003245142343744
                                                                                                                                      CRASH0x1983480x392ab7-zip archive data, version 0.4ChineseChina1.0003459247079927
                                                                                                                                      CRASHREPORT0x1d15f40x110457-zip archive data, version 0.4ChineseChina1.0004447568901451
                                                                                                                                      DLL0x1e263c0x5529c7-zip archive data, version 0.4ChineseChina1.0002150056761498
                                                                                                                                      DLL0x2378d80xec379Microsoft Cabinet archive data, Windows 2000/XP setup, 967545 bytes, 1 file, at 0x2c +A "7z.dll", number 1, 57 datablocks, 0x1 compressionChineseChina1.0001891384896826
                                                                                                                                      DRIVERDLL0x323c540x3a9a40PE32 executable (DLL) (GUI) Intel 80386, for MS WindowsChineseChina0.9822244644165039
                                                                                                                                      LICENCE0x6cd6940x29c8Microsoft Cabinet archive data, Windows 2000/XP setup, 10696 bytes, 1 file, at 0x2c +A "licence.rtf", number 1, 1 datablock, 0x1 compressionChineseChina1.0010284218399401
                                                                                                                                      NETUL0x6d005c0x19de37-zip archive data, version 0.4ChineseChina1.0003869567269124
                                                                                                                                      OEMDATA0x6e9e400x567-zip archive data, version 0.3ChineseChina0.9069767441860465
                                                                                                                                      PRIVACY0x6e9e980x2d05Microsoft Cabinet archive data, Windows 2000/XP setup, 11525 bytes, 1 file, at 0x2c +A "privacy.rtf", number 1, 1 datablock, 0x1 compressionChineseChina1.0009544468546638
                                                                                                                                      ROOTSUPD0x6ecba00x629347-zip archive data, version 0.4ChineseChina1.0003244469541615
                                                                                                                                      SETUPCONFIG0x74f4d40xc6947-zip archive data, version 0.4ChineseChina1.0005114485797466
                                                                                                                                      SETUPDATA0x75bb680x18dataChineseChina1.375
                                                                                                                                      SETUPPLUGIN0x75bb800x10dataChineseChina0.6875
                                                                                                                                      SKIN0x75bb900x254947-zip archive data, version 0.4ChineseChina1.0003666745239779
                                                                                                                                      URLPROC0x7810240x3d4817-zip archive data, version 0.4ChineseChina1.000342617196993
                                                                                                                                      VIEWER0x7be4a80xb70bcMicrosoft Cabinet archive data, Windows 2000/XP setup, 749756 bytes, 1 file, at 0x2c "AgreementViewer.exe", number 1, 53 datablocks, 0x1 compressionChineseChina1.0000440143193252
                                                                                                                                      WSCREG0x8755640x289717-zip archive data, version 0.4ChineseChina1.0003669018447343
                                                                                                                                      RT_ICON0x89ded80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600ChineseChina0.28692946058091284
                                                                                                                                      RT_ICON0x8a04800x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224ChineseChina0.4054878048780488
                                                                                                                                      RT_ICON0x8a15280x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088ChineseChina0.6143617021276596
                                                                                                                                      RT_ICON0x8a19900x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600ChineseChina0.41815352697095437
                                                                                                                                      RT_ICON0x8a3f380x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224ChineseChina0.4845215759849906
                                                                                                                                      RT_ICON0x8a4fe00x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088ChineseChina0.40691489361702127
                                                                                                                                      RT_DIALOG0x8a54480x2cdataChineseChina0.8409090909090909
                                                                                                                                      RT_DIALOG0x8a54740x60cdataChineseChina0.36886304909560724
                                                                                                                                      RT_DIALOG0x8a5a800x9cdataChineseChina0.7307692307692307
                                                                                                                                      RT_DIALOG0x8a5b1c0x1cedataChineseChina0.5822510822510822
                                                                                                                                      RT_DIALOG0x8a5cec0x436dataChineseChina0.4684601113172542
                                                                                                                                      RT_DIALOG0x8a61240x6cdataChineseChina0.75
                                                                                                                                      RT_DIALOG0x8a61900x1fcdataChineseChina0.4271653543307087
                                                                                                                                      RT_DIALOG0x8a638c0x22cdataChineseChina0.31654676258992803
                                                                                                                                      RT_DIALOG0x8a65b80x80dataChineseChina0.671875
                                                                                                                                      RT_DIALOG0x8a66380x80dataChineseChina0.625
                                                                                                                                      RT_DIALOG0x8a66b80x116dataChineseChina0.7158273381294964
                                                                                                                                      RT_DIALOG0x8a67d00x100dataChineseChina0.765625
                                                                                                                                      RT_DIALOG0x8a68d00x4dadataChineseChina0.37600644122383253
                                                                                                                                      RT_DIALOG0x8a6dac0x146dataChineseChina0.5184049079754601
                                                                                                                                      RT_DIALOG0x8a6ef40x4cdataChineseChina0.8289473684210527
                                                                                                                                      RT_DIALOG0x8a6f400x8adataChineseChina0.7391304347826086
                                                                                                                                      RT_DIALOG0x8a6fcc0x170dataChineseChina0.5625
                                                                                                                                      RT_DIALOG0x8a713c0x6cdataChineseChina0.7037037037037037
                                                                                                                                      RT_DIALOG0x8a71a80x180dataChineseChina0.5104166666666666
                                                                                                                                      RT_DIALOG0x8a73280x14cdataChineseChina0.5451807228915663
                                                                                                                                      RT_STRING0x8a74740x446dataChineseChina0.37842778793418647
                                                                                                                                      RT_STRING0x8a78bc0x4f4dataChineseChina0.5977917981072555
                                                                                                                                      RT_STRING0x8a7db00x588dataChineseChina0.5819209039548022
                                                                                                                                      RT_STRING0x8a83380x1a4dataChineseChina0.7857142857142857
                                                                                                                                      RT_STRING0x8a84dc0x1d4dataChineseChina0.7243589743589743
                                                                                                                                      RT_STRING0x8a86b00x51adataChineseChina0.4762633996937213
                                                                                                                                      RT_STRING0x8a8bcc0x59edataChineseChina0.3991655076495132
                                                                                                                                      RT_STRING0x8a916c0x742dataChineseChina0.37082884822389667
                                                                                                                                      RT_STRING0x8a98b00x66adataChineseChina0.4470158343483557
                                                                                                                                      RT_STRING0x8a9f1c0x3cdataChineseChina0.6833333333333333
                                                                                                                                      RT_STRING0x8a9f580x1fcdataChineseChina0.8228346456692913
                                                                                                                                      RT_STRING0x8aa1540x224dataChineseChina0.48722627737226276
                                                                                                                                      RT_STRING0x8aa3780x8cdataChineseChina0.7071428571428572
                                                                                                                                      RT_STRING0x8aa4040x74dataChineseChina0.7155172413793104
                                                                                                                                      RT_STRING0x8aa4780x22dataChineseChina0.38235294117647056
                                                                                                                                      RT_STRING0x8aa49c0x38dataChineseChina0.6607142857142857
                                                                                                                                      RT_STRING0x8aa4d40x68AmigaOS bitmap font "egSb \220\250`\352\201\361]\204v3", 60255 elementsChineseChina0.7980769230769231
                                                                                                                                      RT_STRING0x8aa53c0x24dataChineseChina0.4444444444444444
                                                                                                                                      RT_STRING0x8aa5600x56dataChineseChina0.6511627906976745
                                                                                                                                      RT_STRING0x8aa5b80x2cdataChineseChina0.5454545454545454
                                                                                                                                      RT_STRING0x8aa5e40x494dataChineseChina0.32337883959044367
                                                                                                                                      RT_STRING0x8aaa780xb0dataChineseChina0.7159090909090909
                                                                                                                                      RT_STRING0x8aab280x22dataChineseChina0.38235294117647056
                                                                                                                                      RT_STRING0x8aab4c0x22Windows boot log, header size 0, 0x30 valid bytesChineseChina0.5
                                                                                                                                      RT_ACCELERATOR0x8aab700x70dataChineseChina0.6785714285714286
                                                                                                                                      RT_RCDATA0x8aabe00x80dataEnglishUnited States1.0859375
                                                                                                                                      RT_GROUP_ICON0x8aac600x30dataChineseChina0.8541666666666666
                                                                                                                                      RT_GROUP_ICON0x8aac900x30dataChineseChina0.9375
                                                                                                                                      RT_VERSION0x8aacc00x55cdataChineseChina0.47959183673469385
                                                                                                                                      RT_MANIFEST0x8ab21c0x268ASCII text, with CRLF line terminatorsEnglishUnited States0.5097402597402597

                                                                                                                                      Imports

                                                                                                                                      DLLImport
                                                                                                                                      KERNEL32.dllQueryPerformanceFrequency, lstrlenA, SystemTimeToFileTime, FileTimeToSystemTime, FileTimeToLocalFileTime, GetFileTime, InterlockedExchange, GetCurrentDirectoryA, PeekNamedPipe, GetFullPathNameA, GetDriveTypeA, QueryDosDeviceW, GetVolumeNameForVolumeMountPointW, GetDiskFreeSpaceExW, GlobalAddAtomW, FindAtomW, CreateEventW, GetEnvironmentVariableW, GetLogicalDriveStringsW, GetWindowsDirectoryW, GetDriveTypeW, GetCurrentThreadId, MulDiv, GetCurrentProcess, FlushInstructionCache, GlobalAlloc, GlobalFree, GetTickCount, GetCommandLineW, LoadLibraryExW, MultiByteToWideChar, lstrcmpiW, FormatMessageA, ExpandEnvironmentStringsA, GetSystemDirectoryA, VerSetConditionMask, VerifyVersionInfoA, SleepEx, FreeResource, GetSystemWindowsDirectoryW, lstrcmpiA, lstrcmpA, SetEnvironmentVariableA, CompareStringW, CompareStringA, FlushFileBuffers, GetLocaleInfoW, LeaveCriticalSection, GetConsoleOutputCP, WriteConsoleA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStartupInfoA, SetHandleCount, GetFileType, SetStdHandle, GetStringTypeW, GetStringTypeA, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, GetTimeZoneInformation, GetModuleHandleA, HeapCreate, InitializeCriticalSectionAndSpinCount, GetModuleFileNameA, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, LCMapStringW, LCMapStringA, GetConsoleMode, GetConsoleCP, SetEvent, GetSystemTime, TerminateProcess, GetCurrentThread, CreateProcessW, GlobalDeleteAtom, CreateMutexW, PostQueuedCompletionStatus, CreateIoCompletionPort, GetQueuedCompletionStatus, CreateThread, TerminateThread, OutputDebugStringW, GetFileSizeEx, CompareFileTime, QueryPerformanceCounter, GetFullPathNameW, SetLastError, lstrlenW, lstrcpyW, DeleteCriticalSection, InitializeCriticalSection, RaiseException, FindFirstFileW, FindNextFileW, FindClose, LocalAlloc, GetVersionExW, CopyFileW, MoveFileW, MoveFileExW, GetPrivateProfileStringW, GlobalFindAtomW, Sleep, GetFileAttributesW, WriteFile, CreateDirectoryW, GetTempPathW, GetTempFileNameW, WritePrivateProfileStringW, SetFileAttributesW, InterlockedDecrement, RemoveDirectoryW, DeleteFileW, GetLastError, GetProcessHeap, HeapAlloc, HeapFree, GetSystemDirectoryW, ReadFile, SetFilePointer, GetCurrentProcessId, CreateFileW, DeviceIoControl, LoadLibraryW, InterlockedIncrement, GetModuleFileNameW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle, WaitForSingleObject, GetModuleHandleW, GetProcAddress, GetSystemInfo, GlobalMemoryStatusEx, FreeLibrary, LocalFree, FindResourceExW, FindResourceW, LoadResource, LockResource, GetStartupInfoW, ExitProcess, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlUnwind, ExitThread, TlsFree, ReleaseMutex, HeapWalk, HeapLock, OpenThread, HeapUnlock, SetFilePointerEx, GetSystemTimeAsFileTime, CreateFileA, VirtualAlloc, VirtualFree, IsProcessorFeaturePresent, LoadLibraryA, HeapSize, HeapReAlloc, HeapDestroy, TlsAlloc, LockFile, GetStdHandle, SetConsoleTextAttribute, GetFileInformationByHandle, LocalFileTimeToFileTime, GetFileAttributesA, DosDateTimeToFileTime, TlsGetValue, TlsSetValue, ResetEvent, ReadProcessMemory, OpenMutexW, GetExitCodeProcess, GetLongPathNameW, MapViewOfFile, LockFileEx, GetFileAttributesExW, UnlockFile, FindNextFileA, FindFirstFileA, GetVersion, InterlockedCompareExchange, EnterCriticalSection, OpenProcess, GetVolumeInformationW, FormatMessageW, SetFileTime, SetEndOfFile, WideCharToMultiByte, UnmapViewOfFile, GetFileSize, CreateFileMappingW, GetLocalTime, WriteConsoleW, SizeofResource
                                                                                                                                      USER32.dllInflateRect, wvsprintfW, PostMessageW, GetActiveWindow, SendMessageW, SendMessageTimeoutW, FindWindowW, CharNextW, IsWindow, EnableWindow, GetDlgItem, IsWindowEnabled, ShowWindow, SetDlgItemTextW, IsWindowVisible, SetForegroundWindow, EndDialog, GetWindowLongW, SetWindowTextW, MoveWindow, SetWindowPos, GetClientRect, ScreenToClient, MapWindowPoints, GetMonitorInfoW, MonitorFromWindow, GetWindowRect, GetWindow, GetParent, GetDC, ReleaseDC, SetWindowLongW, UnregisterClassA, ExitWindowsEx, GetWindowTextW, FindWindowExW, InvalidateRect, RedrawWindow, GetDlgCtrlID, SetFocus, MessageBeep, GetWindowTextLengthW, CreateDialogParamW, SetWindowRgn, SetTimer, KillTimer, CopyRect, DefWindowProcW, CallWindowProcW, BeginPaint, EndPaint, wsprintfW, DialogBoxParamW, EnableMenuItem, DestroyWindow, GetSystemMenu, GetClassInfoExW, LoadCursorW, PostQuitMessage, IsIconic, SystemParametersInfoW, LoadIconW, RegisterClassExW, CreateWindowExW, LoadImageW, GetSystemMetrics, PtInRect, GetCursorPos, BringWindowToTop, DispatchMessageW, TrackMouseEvent, GetShellWindow, PostThreadMessageW, UpdateLayeredWindow, GetWindowThreadProcessId, PeekMessageW, GetMessageW, TranslateMessage, MessageBoxW
                                                                                                                                      GDI32.dllCreateSolidBrush, GetDeviceCaps, CreateCompatibleBitmap, SelectObject, BitBlt, DeleteDC, SetBkColor, CombineRgn, CreateRectRgn, SetViewportOrgEx, CreateDIBSection, EnumFontFamiliesW, DeleteObject, CreateCompatibleDC
                                                                                                                                      ADVAPI32.dllRegCloseKey, ImpersonateLoggedOnUser, RevertToSelf, OpenProcessToken, DuplicateTokenEx, OpenSCManagerW, OpenServiceW, QueryServiceStatusEx, CloseServiceHandle, LookupPrivilegeValueW, AdjustTokenPrivileges, OpenThreadToken, ImpersonateSelf, AllocateAndInitializeSid, FreeSid, SetSecurityInfo, GetSecurityInfo, GetSecurityDescriptorSacl, IsValidSid, CopySid, RegQueryValueExW, RegQueryInfoKeyW, GetExplicitEntriesFromAclW, GetTrusteeNameW, DeleteAce, LookupAccountSidW, RegCreateKeyExW, RegSetValueExW, RegOpenKeyW, RegEnumKeyExW, RegOpenKeyExW, RegDeleteValueW, RegEnumValueW, CryptCreateHash, RegDeleteKeyW, GetUserNameW, LookupAccountNameW, GetFileSecurityW, InitializeSecurityDescriptor, GetSecurityDescriptorDacl, GetAclInformation, GetLengthSid, InitializeAcl, GetAce, EqualSid, AddAce, AddAccessAllowedAce, SetSecurityDescriptorDacl, GetSecurityDescriptorControl, SetFileSecurityW, GetNamedSecurityInfoW, BuildExplicitAccessWithNameW, SetEntriesInAclW, SetNamedSecurityInfoW, CryptHashData, RegOpenKeyExA, RegQueryValueExA, RegQueryInfoKeyA, RegEnumKeyExA, RegEnumValueA, ChangeServiceConfigW, ControlService, GetTokenInformation, CryptReleaseContext, CryptGenRandom, CryptAcquireContextA, CryptDestroyHash, CryptGetHashParam
                                                                                                                                      SHELL32.dllSHGetSpecialFolderPathA, CommandLineToArgvW, ShellExecuteW, ShellExecuteExW, SHFileOperationW, SHChangeNotify, SHBrowseForFolderW, SHGetSpecialFolderPathW, SHGetPathFromIDListW, SHGetSpecialFolderLocation, SHGetMalloc, SHCreateDirectoryExW
                                                                                                                                      ole32.dllCoInitializeSecurity, CoSetProxyBlanket, CoInitializeEx, CreateStreamOnHGlobal, CoUninitialize, CoTaskMemFree, CoCreateInstance, CoTaskMemRealloc, CoTaskMemAlloc, CoCreateGuid, CoInitialize, OleRun
                                                                                                                                      OLEAUT32.dllVarUI4FromStr, VariantChangeType, SysAllocStringLen, SysAllocStringByteLen, VariantClear, VariantInit, SysFreeString, SysStringLen, SysAllocString, SysStringByteLen
                                                                                                                                      SHLWAPI.dllPathRemoveExtensionW, PathFindFileNameW, PathAddBackslashW, PathIsDirectoryW, StrStrIA, PathUnquoteSpacesW, PathMatchSpecW, StrRetToStrW, PathIsSameRootW, StrCatW, StrCpyW, PathIsPrefixW, PathIsDirectoryEmptyW, PathCombineA, wnsprintfW, SHSetValueW, PathFileExistsW, SHGetValueW, SHDeleteValueW, PathFileExistsA, SHGetValueA, PathCombineW, PathAppendW, PathIsRelativeW, SHDeleteKeyW, StrStrIW, PathRemoveFileSpecW, StrCmpIW, SHSetValueA, StrTrimA, StrCmpW, PathAppendA, PathRemoveArgsW, StrCmpNIW, PathFindExtensionW, PathCommonPrefixW
                                                                                                                                      COMCTL32.dllInitCommonControlsEx
                                                                                                                                      CRYPT32.dllCertDeleteCertificateFromStore, CertCompareCertificate, CertDuplicateCertificateContext, CertCloseStore, CertGetNameStringW, CertEnumCertificatesInStore, CertOpenStore, CryptStringToBinaryA, CertGetCertificateChain, CertFreeCertificateChainEngine, CertFreeCertificateChain, CertGetNameStringA, CryptQueryObject, CertAddCertificateContextToStore, CertFindCertificateInStore, CertCreateCertificateChainEngine, CertFreeCertificateContext
                                                                                                                                      VERSION.dllGetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
                                                                                                                                      PSAPI.DLLEnumProcesses, GetProcessImageFileNameW, GetModuleFileNameExW
                                                                                                                                      RPCRT4.dllNdrServerCall2, RpcBindingFree, RpcStringFreeW, RpcBindingFromStringBindingW, NdrAsyncServerCall, RpcStringBindingComposeW, NdrAsyncClientCall, NdrClientCall2
                                                                                                                                      gdiplus.dllGdipClosePathFigure, GdipCreateSolidFill, GdipAddPathBezierI, GdipSetTextRenderingHint, GdipSetSmoothingMode, GdipTranslateWorldTransform, GdipScaleWorldTransform, GdipRotateWorldTransform, GdipGraphicsClear, GdipSetStringFormatLineAlign, GdipDrawString, GdipDeleteFont, GdipCreateFont, GdipDeleteFontFamily, GdipGetGenericFontFamilySansSerif, GdipCreateFontFamilyFromName, GdipDeletePath, GdipCreatePath, GdipDeleteStringFormat, GdipFillPath, GdipSetStringFormatAlign, GdipSaveGraphics, GdipRestoreGraphics, GdipCloneBrush, GdipCreateStringFormat, GdipDeleteBrush, GdiplusStartup, GdiplusShutdown, GdipDrawImageRectRectI, GdipDrawImagePointRectI, GdipCreateFromHDC, GdipDeleteGraphics, GdipCloneImage, GdipDrawImageRectRect, GdipSetImageAttributesColorMatrix, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipGetImageHeight, GdipGetImageWidth, GdipDisposeImage, GdipDisposeImageAttributes, GdipCreateImageAttributes, GdipAlloc, GdipAddPathArcI, GdipFree
                                                                                                                                      urlmon.dllURLDownloadToFileW, URLDownloadToCacheFileW
                                                                                                                                      IPHLPAPI.DLLGetAdaptersInfo
                                                                                                                                      WININET.dllInternetGetConnectedState, InternetCrackUrlW, InternetOpenW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, InternetQueryOptionW, InternetSetOptionW, HttpQueryInfoW, InternetCloseHandle
                                                                                                                                      NETAPI32.dllNetApiBufferFree, NetWkstaGetInfo
                                                                                                                                      SETUPAPI.dllSetupIterateCabinetW
                                                                                                                                      WS2_32.dll__WSAFDIsSet, WSAGetLastError, select, recv, ioctlsocket, getaddrinfo, freeaddrinfo, WSASetLastError, socket, send, WSAIoctl, setsockopt, getsockname, ntohs, bind, htons, getsockopt, WSAStartup, connect, WSACleanup, closesocket, getpeername

                                                                                                                                      Possible Origin

                                                                                                                                      Language of compilation systemCountry where language is spokenMap
                                                                                                                                      ChineseChina
                                                                                                                                      EnglishUnited States

                                                                                                                                      Network Behavior

                                                                                                                                      Network Port Distribution

                                                                                                                                      TCP Packets

                                                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                                                      Mar 28, 2024 14:29:59.757154942 CET4970780192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:29:59.757478952 CET4970880192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:30:00.078417063 CET8049707171.13.14.66192.168.2.5
                                                                                                                                      Mar 28, 2024 14:30:00.078530073 CET4970780192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:30:00.078830957 CET4970780192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:30:00.103352070 CET8049708171.13.14.66192.168.2.5
                                                                                                                                      Mar 28, 2024 14:30:00.103456974 CET4970880192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:30:00.103740931 CET4970880192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:30:00.406379938 CET8049707171.13.14.66192.168.2.5
                                                                                                                                      Mar 28, 2024 14:30:00.406399012 CET8049707171.13.14.66192.168.2.5
                                                                                                                                      Mar 28, 2024 14:30:00.406472921 CET4970780192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:30:00.442286968 CET8049708171.13.14.66192.168.2.5
                                                                                                                                      Mar 28, 2024 14:30:00.442302942 CET8049708171.13.14.66192.168.2.5
                                                                                                                                      Mar 28, 2024 14:30:00.442358017 CET4970880192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:30:01.709811926 CET4970880192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:30:02.053123951 CET8049708171.13.14.66192.168.2.5
                                                                                                                                      Mar 28, 2024 14:30:02.053841114 CET4970880192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:30:02.246525049 CET4970980192.168.2.5180.163.237.185
                                                                                                                                      Mar 28, 2024 14:30:02.549921036 CET8049709180.163.237.185192.168.2.5
                                                                                                                                      Mar 28, 2024 14:30:02.550088882 CET4970980192.168.2.5180.163.237.185
                                                                                                                                      Mar 28, 2024 14:30:02.551016092 CET4970980192.168.2.5180.163.237.185
                                                                                                                                      Mar 28, 2024 14:30:03.198820114 CET4970980192.168.2.5180.163.237.185
                                                                                                                                      Mar 28, 2024 14:30:03.495975018 CET8049709180.163.237.185192.168.2.5
                                                                                                                                      Mar 28, 2024 14:30:03.502759933 CET8049709180.163.237.185192.168.2.5
                                                                                                                                      Mar 28, 2024 14:30:03.502805948 CET8049709180.163.237.185192.168.2.5
                                                                                                                                      Mar 28, 2024 14:30:03.502866983 CET4970980192.168.2.5180.163.237.185
                                                                                                                                      Mar 28, 2024 14:30:03.503027916 CET4970980192.168.2.5180.163.237.185
                                                                                                                                      Mar 28, 2024 14:30:04.401932955 CET4970980192.168.2.5180.163.237.185
                                                                                                                                      Mar 28, 2024 14:30:05.734724045 CET4970880192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:30:05.749253035 CET4970780192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:30:06.080956936 CET8049707171.13.14.66192.168.2.5
                                                                                                                                      Mar 28, 2024 14:30:06.081928015 CET4970780192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:30:06.083453894 CET8049708171.13.14.66192.168.2.5
                                                                                                                                      Mar 28, 2024 14:30:06.083570004 CET4970880192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:30:06.088633060 CET4970780192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:30:06.185873985 CET4970980192.168.2.5180.163.237.185
                                                                                                                                      Mar 28, 2024 14:30:06.399377108 CET8049707171.13.14.66192.168.2.5
                                                                                                                                      Mar 28, 2024 14:30:06.399446011 CET4970780192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:30:06.477653980 CET8049709180.163.237.185192.168.2.5
                                                                                                                                      Mar 28, 2024 14:30:16.084317923 CET8049708171.13.14.66192.168.2.5
                                                                                                                                      Mar 28, 2024 14:30:16.084413052 CET4970880192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:30:16.399305105 CET8049707171.13.14.66192.168.2.5
                                                                                                                                      Mar 28, 2024 14:30:16.399390936 CET4970780192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:31:49.976047039 CET4970880192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:31:49.976049900 CET4970780192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:31:50.573661089 CET4970780192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:31:50.714328051 CET4970880192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:31:51.917772055 CET4970780192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:31:52.105098963 CET4970880192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:31:54.308202982 CET4970780192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:31:54.745695114 CET4970880192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:31:59.089380980 CET4970780192.168.2.5171.13.14.66
                                                                                                                                      Mar 28, 2024 14:32:00.011205912 CET4970880192.168.2.5171.13.14.66

                                                                                                                                      UDP Packets

                                                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                                                      Mar 28, 2024 14:29:59.443813086 CET5657953192.168.2.51.1.1.1
                                                                                                                                      Mar 28, 2024 14:29:59.745857000 CET53565791.1.1.1192.168.2.5
                                                                                                                                      Mar 28, 2024 14:30:01.747430086 CET6525053192.168.2.51.1.1.1
                                                                                                                                      Mar 28, 2024 14:30:02.067291021 CET53652501.1.1.1192.168.2.5

                                                                                                                                      DNS Queries

                                                                                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                      Mar 28, 2024 14:29:59.443813086 CET192.168.2.51.1.1.10xc0a1Standard query (0)s.360.cnA (IP address)IN (0x0001)false
                                                                                                                                      Mar 28, 2024 14:30:01.747430086 CET192.168.2.51.1.1.10x9993Standard query (0)inf.safe.360.cnA (IP address)IN (0x0001)false

                                                                                                                                      DNS Answers

                                                                                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                      Mar 28, 2024 14:29:59.745857000 CET1.1.1.1192.168.2.50xc0a1No error (0)s.360.cn171.13.14.66A (IP address)IN (0x0001)false
                                                                                                                                      Mar 28, 2024 14:29:59.745857000 CET1.1.1.1192.168.2.50xc0a1No error (0)s.360.cn171.8.167.89A (IP address)IN (0x0001)false
                                                                                                                                      Mar 28, 2024 14:29:59.745857000 CET1.1.1.1192.168.2.50xc0a1No error (0)s.360.cn101.198.2.147A (IP address)IN (0x0001)false
                                                                                                                                      Mar 28, 2024 14:29:59.745857000 CET1.1.1.1192.168.2.50xc0a1No error (0)s.360.cn180.163.251.231A (IP address)IN (0x0001)false
                                                                                                                                      Mar 28, 2024 14:30:02.067291021 CET1.1.1.1192.168.2.50x9993No error (0)inf.safe.360.cn180.163.237.185A (IP address)IN (0x0001)false

                                                                                                                                      HTTP Request Dependency Graph

                                                                                                                                      • s.360.cn
                                                                                                                                      • inf.safe.360.cn

                                                                                                                                      HTTP Packets

                                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                      0192.168.2.549707171.13.14.66804268C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                                      Mar 28, 2024 14:30:00.078830957 CET471OUTGET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&status=101&usetime=4013656&zt=2862 HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                      Host: s.360.cn
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Mar 28, 2024 14:30:00.406399012 CET240INHTTP/1.1 200 OK
                                                                                                                                      Server: openresty/1.15.8.2
                                                                                                                                      Date: Thu, 28 Mar 2024 13:30:00 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Content-Length: 0
                                                                                                                                      Last-Modified: Wed, 24 Apr 2019 07:59:18 GMT
                                                                                                                                      Connection: keep-alive
                                                                                                                                      ETag: "5cc01756-0"
                                                                                                                                      Accept-Ranges: bytes
                                                                                                                                      Mar 28, 2024 14:30:05.749253035 CET480OUTGET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=189&usetime=0&zt=23732 HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                      Host: s.360.cn
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Mar 28, 2024 14:30:06.080956936 CET240INHTTP/1.1 200 OK
                                                                                                                                      Server: openresty/1.15.8.2
                                                                                                                                      Date: Thu, 28 Mar 2024 13:30:05 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Content-Length: 0
                                                                                                                                      Last-Modified: Wed, 24 Apr 2019 07:59:18 GMT
                                                                                                                                      Connection: keep-alive
                                                                                                                                      ETag: "5cc01756-0"
                                                                                                                                      Accept-Ranges: bytes
                                                                                                                                      Mar 28, 2024 14:30:06.088633060 CET480OUTGET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=136&usetime=0&zt=24803 HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                      Host: s.360.cn
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Mar 28, 2024 14:30:06.399377108 CET240INHTTP/1.1 200 OK
                                                                                                                                      Server: openresty/1.15.8.2
                                                                                                                                      Date: Thu, 28 Mar 2024 13:30:06 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Content-Length: 0
                                                                                                                                      Last-Modified: Wed, 24 Apr 2019 07:59:18 GMT
                                                                                                                                      Connection: keep-alive
                                                                                                                                      ETag: "5cc01756-0"
                                                                                                                                      Accept-Ranges: bytes


                                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                      1192.168.2.549708171.13.14.66804268C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                                      Mar 28, 2024 14:30:00.103740931 CET465OUTGET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&status=188&usetime=0&zt=3626 HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                      Host: s.360.cn
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Mar 28, 2024 14:30:00.442302942 CET240INHTTP/1.1 200 OK
                                                                                                                                      Server: openresty/1.15.8.2
                                                                                                                                      Date: Thu, 28 Mar 2024 13:30:00 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Content-Length: 0
                                                                                                                                      Last-Modified: Tue, 26 Feb 2019 07:22:33 GMT
                                                                                                                                      Connection: keep-alive
                                                                                                                                      ETag: "5c74e939-0"
                                                                                                                                      Accept-Ranges: bytes
                                                                                                                                      Mar 28, 2024 14:30:01.709811926 CET480OUTGET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=109&usetime=0&zt=10565 HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                      Host: s.360.cn
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Mar 28, 2024 14:30:02.053123951 CET240INHTTP/1.1 200 OK
                                                                                                                                      Server: openresty/1.15.8.2
                                                                                                                                      Date: Thu, 28 Mar 2024 13:30:01 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Content-Length: 0
                                                                                                                                      Last-Modified: Tue, 26 Feb 2019 07:22:33 GMT
                                                                                                                                      Connection: keep-alive
                                                                                                                                      ETag: "5c74e939-0"
                                                                                                                                      Accept-Ranges: bytes
                                                                                                                                      Mar 28, 2024 14:30:05.734724045 CET480OUTGET /safe/instcomp.htm?soft=923&ver=13.0.0.2199&pid=h_home&hips=0&mid=59cd53708ed730f0ef42bb01f668d936&mid2=d0976767e6a203af75488f9609371383094a7b7d29b3&w=0&b=48&o=6&dver=9.0&installtype=1&status=147&usetime=0&zt=23680 HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                      Host: s.360.cn
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Mar 28, 2024 14:30:06.083453894 CET240INHTTP/1.1 200 OK
                                                                                                                                      Server: openresty/1.15.8.2
                                                                                                                                      Date: Thu, 28 Mar 2024 13:30:05 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Content-Length: 0
                                                                                                                                      Last-Modified: Tue, 26 Feb 2019 07:22:33 GMT
                                                                                                                                      Connection: keep-alive
                                                                                                                                      ETag: "5c74e939-0"
                                                                                                                                      Accept-Ranges: bytes


                                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                      2192.168.2.549709180.163.237.185804268C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                                      Mar 28, 2024 14:30:02.551016092 CET290OUTGET /wsin/think?ipartner=0&m2=d0976767e6a203af75488f9609371383094a7b7d29b3&mid=59cd53708ed730f0ef42bb01f668d936&rand=104759&timestamp=1711632600&ver=13.0.0.2199&sign=da0c9f29d00aa1f62d1472307f9415f2 HTTP/1.1
                                                                                                                                      Host: inf.safe.360.cn
                                                                                                                                      Accept: */*
                                                                                                                                      Pragma: no-cache
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Mar 28, 2024 14:30:03.198820114 CET290OUTGET /wsin/think?ipartner=0&m2=d0976767e6a203af75488f9609371383094a7b7d29b3&mid=59cd53708ed730f0ef42bb01f668d936&rand=104759&timestamp=1711632600&ver=13.0.0.2199&sign=da0c9f29d00aa1f62d1472307f9415f2 HTTP/1.1
                                                                                                                                      Host: inf.safe.360.cn
                                                                                                                                      Accept: */*
                                                                                                                                      Pragma: no-cache
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Mar 28, 2024 14:30:03.502759933 CET392INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.9.15
                                                                                                                                      Date: Thu, 28 Mar 2024 13:30:03 GMT
                                                                                                                                      Content-Type: application/json; charset=utf-8
                                                                                                                                      Content-Length: 227
                                                                                                                                      Connection: close
                                                                                                                                      Data Raw: 7b 22 65 72 72 6e 6f 22 3a 30 2c 22 65 72 72 6d 73 67 22 3a 22 6f 6b 22 2c 22 64 61 74 61 22 3a 22 68 43 6a 75 72 42 66 2f 67 38 78 66 79 6d 64 65 4a 4a 32 66 77 6d 33 56 2f 4f 43 68 58 58 2b 50 62 71 4d 31 43 67 52 6c 77 2b 37 71 56 6a 61 41 53 74 70 45 66 58 2b 37 4a 46 4c 68 6f 36 6a 41 43 64 39 59 72 4a 78 41 2f 33 71 4b 61 76 44 75 6e 76 57 34 46 43 72 73 42 54 32 4a 30 75 4f 49 66 42 6b 6f 44 4f 4f 49 38 4b 4a 43 75 54 61 69 68 38 59 73 46 32 36 2f 50 69 46 76 6c 6a 51 35 75 55 39 50 4b 39 59 34 2f 71 4b 78 50 4a 6d 37 6f 52 4d 63 78 30 43 42 37 54 57 50 59 6d 49 57 36 71 4f 78 2f 66 42 33 31 50 6b 3d 22 2c 22 74 79 70 65 22 3a 31 2c 22 74 5f 73 74 72 22 3a 22 22 7d
                                                                                                                                      Data Ascii: {"errno":0,"errmsg":"ok","data":"hCjurBf/g8xfymdeJJ2fwm3V/OChXX+PbqM1CgRlw+7qVjaAStpEfX+7JFLho6jACd9YrJxA/3qKavDunvW4FCrsBT2J0uOIfBkoDOOI8KJCuTaih8YsF26/PiFvljQ5uU9PK9Y4/qKxPJm7oRMcx0CB7TWPYmIW6qOx/fB31Pk=","type":1,"t_str":""}


                                                                                                                                      Statistics

                                                                                                                                      CPU Usage

                                                                                                                                      Click to jump to process

                                                                                                                                      Memory Usage

                                                                                                                                      Click to jump to process

                                                                                                                                      High Level Behavior Distribution

                                                                                                                                      Click to dive into process behavior distribution

                                                                                                                                      System Behavior

                                                                                                                                      General

                                                                                                                                      Target ID:0
                                                                                                                                      Start time:14:29:56
                                                                                                                                      Start date:28/03/2024
                                                                                                                                      Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.36457.26808.16558.exe"
                                                                                                                                      Imagebase:0x8c0000
                                                                                                                                      File size:99'314'064 bytes
                                                                                                                                      MD5 hash:827C2735811297A85B5115CDC701B868
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:low
                                                                                                                                      Has exited:false

                                                                                                                                      Disassembly

                                                                                                                                      Reset < >

                                                                                                                                        Non-executed Functions

                                                                                                                                        Function 046987CD Relevance: 3.3, Strings: 2, Instructions: 803COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1992689760.0000000004698000.00000004.00000020.00020000.00000000.sdmp, Offset: 04698000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1993070688.0000000004698000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4698000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: +$.
                                                                                                                                        • API String ID: 0-3865549946
                                                                                                                                        • Opcode ID: 98617b03ca9eeaa1202953f8ac22cefe079603357925e00cbd5f6422d8755d11
                                                                                                                                        • Instruction ID: 4e445fd5a1fda9345c486a66ef7278883e4d0b0df621e74f78fb80fd669cb70e
                                                                                                                                        • Opcode Fuzzy Hash: 98617b03ca9eeaa1202953f8ac22cefe079603357925e00cbd5f6422d8755d11
                                                                                                                                        • Instruction Fuzzy Hash: EB62216140E7C11FC7178B708C7A491BFB4AE5311870E8ADFC4C98F8A3E659A90AC363
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04FF6E80 Relevance: 2.0, Instructions: 1979COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, Offset: 04FB1000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1991120582.0000000004FB1000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4fb1000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 13fd43a4cd0557822a375a87f7d6dcf32387337d2caa482a085e6bab9d1a7755
                                                                                                                                        • Instruction ID: a99d9c12721fc8af22d9f0a3fd40bf6c3ecaeccc3485df60d00bb31593b1adcb
                                                                                                                                        • Opcode Fuzzy Hash: 13fd43a4cd0557822a375a87f7d6dcf32387337d2caa482a085e6bab9d1a7755
                                                                                                                                        • Instruction Fuzzy Hash: 4FF23C9280E3C15FDB1787705C79592BFB06E2711435F86EFC8C68E8A3E299584AD327
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04F8E2AF Relevance: 1.4, Strings: 1, Instructions: 189COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, Offset: 04F8D000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4f8d000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: %QWB
                                                                                                                                        • API String ID: 0-3070111672
                                                                                                                                        • Opcode ID: afa3f326312075ad73927427ca5c5dcaeff951e3b7d35974711c79830ce37087
                                                                                                                                        • Instruction ID: 3eba58ea2b9afe688480dc33b777ba24b041b8206b165ccad4e8f19181e88005
                                                                                                                                        • Opcode Fuzzy Hash: afa3f326312075ad73927427ca5c5dcaeff951e3b7d35974711c79830ce37087
                                                                                                                                        • Instruction Fuzzy Hash: 2151E73554A7D29BCB23DF38D494A937FE0BB03320B594ADDF4C18D007E268A665CB96
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04FFE87B Relevance: .7, Instructions: 685COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, Offset: 04FB1000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1991120582.0000000004FB1000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4fb1000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 7a271b254c6b31089d853f06255b208dc5f9e039bf641ba2cf7bf63d6f59036f
                                                                                                                                        • Instruction ID: b120752e66669a42d80fff2796297cbfde43eb10fd85afea247bc68d2625278b
                                                                                                                                        • Opcode Fuzzy Hash: 7a271b254c6b31089d853f06255b208dc5f9e039bf641ba2cf7bf63d6f59036f
                                                                                                                                        • Instruction Fuzzy Hash: 8042F4A280E3C15FDB579B3488694927FB15E2B21435F44EBC4C6CF5B3E6A9084AD723
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 0469BF5B Relevance: .5, Instructions: 543COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1992689760.0000000004698000.00000004.00000020.00020000.00000000.sdmp, Offset: 04698000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1993070688.0000000004698000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4698000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: b7def8bc2a7b60a0cb50d35e33cd0d4728a2f8a8f6a10cf976022634352ac6e0
                                                                                                                                        • Instruction ID: e9ac49ac5615d51faef8c05a2a474bee2ed6135fef9f0077ce9f14c87a52f570
                                                                                                                                        • Opcode Fuzzy Hash: b7def8bc2a7b60a0cb50d35e33cd0d4728a2f8a8f6a10cf976022634352ac6e0
                                                                                                                                        • Instruction Fuzzy Hash: F9B1646241E7C11FC32783309866AA1BFB09E63124B5F5ADBD0C4CF4E3E69C591AC726
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04FF8918 Relevance: .5, Instructions: 508COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, Offset: 04FB1000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1991120582.0000000004FB1000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4fb1000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 06764f7d9d73713ddc28edcd2316883167adaad8cad88e756ce83f5e45177d30
                                                                                                                                        • Instruction ID: 6055e9c4f0206249259ac922206ee2cbb86e7bcb82b6beb794bd6c2e955e06f7
                                                                                                                                        • Opcode Fuzzy Hash: 06764f7d9d73713ddc28edcd2316883167adaad8cad88e756ce83f5e45177d30
                                                                                                                                        • Instruction Fuzzy Hash: 47128A9281E3C15FDB2787704D7A591BFB06E2710434E86DFC8CA8E8A3E359944AD367
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04699A4A Relevance: .5, Instructions: 489COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1992689760.0000000004698000.00000004.00000020.00020000.00000000.sdmp, Offset: 04698000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1993070688.0000000004698000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4698000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 55f5b5a5d1d461fb4f1adde9583200b4a637bf573ec9008a8b0c636ad8c2bf58
                                                                                                                                        • Instruction ID: 149868c7cbaaaeaaea5a42433c2a64181f8ddebddbb3c48ef80162715b7262a0
                                                                                                                                        • Opcode Fuzzy Hash: 55f5b5a5d1d461fb4f1adde9583200b4a637bf573ec9008a8b0c636ad8c2bf58
                                                                                                                                        • Instruction Fuzzy Hash: 99021EA240E7C15FD3178B308CA6451BFB4AE5322870E8ADFC4C5CF5A3E659990AC763
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04699A9D Relevance: .4, Instructions: 442COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1992689760.0000000004698000.00000004.00000020.00020000.00000000.sdmp, Offset: 04698000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1993070688.0000000004698000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4698000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 5a07211036477d0180088145172a3a4f58bd5a32f05f8154f9ccd1c5df5bf1a4
                                                                                                                                        • Instruction ID: ef56d8bfe4d112a9b5359310e4ec51b8617ec80a7d8f6f1703d8b852052e6d0f
                                                                                                                                        • Opcode Fuzzy Hash: 5a07211036477d0180088145172a3a4f58bd5a32f05f8154f9ccd1c5df5bf1a4
                                                                                                                                        • Instruction Fuzzy Hash: 59F122A240E7C15FD3178B308CA6451BFB4AE5322870E9ADFC0C58F5A3E759991AC763
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 0469C034 Relevance: .4, Instructions: 425COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1992689760.0000000004698000.00000004.00000020.00020000.00000000.sdmp, Offset: 04698000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1993070688.0000000004698000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4698000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 6d46ef1c458bd2dbf1be46556e91fd5b9facccf335418a247954a474ca0fbdae
                                                                                                                                        • Instruction ID: c1c850dc02755df22ac407f5ef675dd937cfdf731753073a6e4133390c28deae
                                                                                                                                        • Opcode Fuzzy Hash: 6d46ef1c458bd2dbf1be46556e91fd5b9facccf335418a247954a474ca0fbdae
                                                                                                                                        • Instruction Fuzzy Hash: D891646240E7C15FC72783304866AA2BFB09E63124B1F4ADBD0C4CF5E3E69C591AC726
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04698B08 Relevance: .4, Instructions: 410COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1992689760.0000000004698000.00000004.00000020.00020000.00000000.sdmp, Offset: 04698000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1993070688.0000000004698000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4698000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 8b1bd3bb41336fdf148ed37cdbe5e149584c1a56489a0463b522ee353f6aaf64
                                                                                                                                        • Instruction ID: 7bc3d528e07450aeecd1001f93f1ea79b780ca33ba87dca134b2a2df8c9768d9
                                                                                                                                        • Opcode Fuzzy Hash: 8b1bd3bb41336fdf148ed37cdbe5e149584c1a56489a0463b522ee353f6aaf64
                                                                                                                                        • Instruction Fuzzy Hash: 01E1A85104EBC52FC71B97308C6A4A0BFB4AD5311871E8ADFC4C8CF4A3D65AA91EC362
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 0469A2B4 Relevance: .4, Instructions: 407COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1992689760.0000000004698000.00000004.00000020.00020000.00000000.sdmp, Offset: 04698000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1993070688.0000000004698000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4698000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 8495f6bb403ed6f54bf23599ce27c430f4231331f38a82530f867cd4b747497c
                                                                                                                                        • Instruction ID: 2bc82aa6798b2ec35eca8143b02beb180794570fb5f3ce0e22a3178188777a33
                                                                                                                                        • Opcode Fuzzy Hash: 8495f6bb403ed6f54bf23599ce27c430f4231331f38a82530f867cd4b747497c
                                                                                                                                        • Instruction Fuzzy Hash: E0E1A86100EBC21FC7178B708C6A551BFB4AE5311471E8ACBD4D5CF8E3D299AA5AC362
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 0469A348 Relevance: .3, Instructions: 339COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1992689760.0000000004698000.00000004.00000020.00020000.00000000.sdmp, Offset: 04698000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1993070688.0000000004698000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4698000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 46e0748d1d3ecf55a8d610de0c6c136f0e3191d4f55e0d8f9aff2b9c57772579
                                                                                                                                        • Instruction ID: 2fc3b123032d2fbb9635d96a6efaccefbc93d844edf2e9d30b1b6bbee6893969
                                                                                                                                        • Opcode Fuzzy Hash: 46e0748d1d3ecf55a8d610de0c6c136f0e3191d4f55e0d8f9aff2b9c57772579
                                                                                                                                        • Instruction Fuzzy Hash: 35C1AA5140EBC21FD7178B708C2A551BFB4AE5321471E8ACBD4D4CF4E3E299AA5AC362
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04FF85FD Relevance: .3, Instructions: 335COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, Offset: 04FB1000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1991120582.0000000004FB1000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4fb1000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 2dab552bbc47f836bc54ab195395b8a999880c5916308e79f3bb1fd0d9c53617
                                                                                                                                        • Instruction ID: dd472cca8421b119389e8c2d161c734ddc496079fbb5899a0c42dfa911c166d8
                                                                                                                                        • Opcode Fuzzy Hash: 2dab552bbc47f836bc54ab195395b8a999880c5916308e79f3bb1fd0d9c53617
                                                                                                                                        • Instruction Fuzzy Hash: 01D12B9280E3C15FDB1787700D79552BFB06E2710479E86EFC8C68E9A3E29D584AD327
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04FF4A99 Relevance: .3, Instructions: 322COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, Offset: 04FB1000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1991120582.0000000004FB1000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4fb1000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 220c6f4b2082ebea45752ac0735f7d91623e448bde66602b8dd13674d265fa45
                                                                                                                                        • Instruction ID: abfdc24d9dabaf083b07cd67a764d3b384a7a83daea13272a6a774a18d3f7a9e
                                                                                                                                        • Opcode Fuzzy Hash: 220c6f4b2082ebea45752ac0735f7d91623e448bde66602b8dd13674d265fa45
                                                                                                                                        • Instruction Fuzzy Hash: 4DD1F1A281E3C14FDB178B7458296917FB05E2B614B9E49EFC0C2CF8B3E1994849D763
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04FFE5A7 Relevance: .3, Instructions: 306COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, Offset: 04FB1000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1991120582.0000000004FB1000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4fb1000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: dfbf6c175cb11f8c7d5f89565d185daff5a8e71ca16c80d909778c85805c23bb
                                                                                                                                        • Instruction ID: 4778b8efcf10b4985f7c7541c4ffc6fd1330f87320e01ce348468c804c7696ce
                                                                                                                                        • Opcode Fuzzy Hash: dfbf6c175cb11f8c7d5f89565d185daff5a8e71ca16c80d909778c85805c23bb
                                                                                                                                        • Instruction Fuzzy Hash: 46B1DEA280E3C15FDB178B3448695527FB15E2B21479F48EBC4C6CF8B3E699084AD763
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04FFD5BD Relevance: .2, Instructions: 236COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, Offset: 04FB1000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1991120582.0000000004FB1000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4fb1000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: e729ae8b5eb75b0f3861c20f12c6a892b9397b1b314756346ff730fec3b916b7
                                                                                                                                        • Instruction ID: df5c740c739a1b95e3a86966b9f975286ea5effb9739602339250732cb232157
                                                                                                                                        • Opcode Fuzzy Hash: e729ae8b5eb75b0f3861c20f12c6a892b9397b1b314756346ff730fec3b916b7
                                                                                                                                        • Instruction Fuzzy Hash: B771E3A280E7C15FDB138B3888295527FB45E2B21475F49EBC4C2CF4B3E598594ADB23
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04FF61E5 Relevance: .2, Instructions: 224COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, Offset: 04FB1000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1991120582.0000000004FB1000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4fb1000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: d35fac33dc2b57c2d0d0f96070eeded7f6b1374101eb0e82b79095c94478ea96
                                                                                                                                        • Instruction ID: c0a3130828ea29da0e416042d3b722c4a62d055a6a01255aa976801070115519
                                                                                                                                        • Opcode Fuzzy Hash: d35fac33dc2b57c2d0d0f96070eeded7f6b1374101eb0e82b79095c94478ea96
                                                                                                                                        • Instruction Fuzzy Hash: 55814F9284E3C15FDB1387714C79142BFB0AE2751435E86EFC4C68E8A3E25D944AD723
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04F8D70C Relevance: .2, Instructions: 198COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, Offset: 04F8D000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4f8d000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: fcab20111d8d29ad6d36571c8932db3a106498699b04e9f60925a8ff543b5d6e
                                                                                                                                        • Instruction ID: 9a2f48210ca80944532996ea6db33db0d84121dac488e509a75923794277947c
                                                                                                                                        • Opcode Fuzzy Hash: fcab20111d8d29ad6d36571c8932db3a106498699b04e9f60925a8ff543b5d6e
                                                                                                                                        • Instruction Fuzzy Hash: D961F77640E2D29FC717DF34D8A2692BF66AF47324B1886CCD4D14E1A3C3215616DBA2
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04FF65A7 Relevance: .2, Instructions: 191COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, Offset: 04FB1000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1991120582.0000000004FB1000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4fb1000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 1a1a9e6fcd59984de16e87c1bf4a86f517dbb90842c6590af11d4909b516cbde
                                                                                                                                        • Instruction ID: a7a67f20a993280637ccf10bea92a2bf159340f144ba754b91d383c719d3c768
                                                                                                                                        • Opcode Fuzzy Hash: 1a1a9e6fcd59984de16e87c1bf4a86f517dbb90842c6590af11d4909b516cbde
                                                                                                                                        • Instruction Fuzzy Hash: 84614DA284E3C15FDB1787704C79591BFB0AE2711535E86EFC8C68E9A3E25C584AD323
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04FFF050 Relevance: .2, Instructions: 179COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, Offset: 04FB1000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1991120582.0000000004FB1000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4fb1000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 8135b273950340469cbaeb3d8836fe5611cd20a05bee2cd00d0fdd78c4098dd3
                                                                                                                                        • Instruction ID: e759b791eb8d663c1f4ee49ca19877b8c382a54c710e2b095a5243363c91d1ae
                                                                                                                                        • Opcode Fuzzy Hash: 8135b273950340469cbaeb3d8836fe5611cd20a05bee2cd00d0fdd78c4098dd3
                                                                                                                                        • Instruction Fuzzy Hash: F261379280E3C15FDB1787701879192BFB06E2715475F86EFC8C68E8A3E25D984AD723
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04F8EB1F Relevance: .2, Instructions: 154COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1991080611.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, Offset: 04F8D000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4f8d000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: a7f26b39e5e1ae704776aa7ea0c3dbd9b272de54d3f899088cb055deb306b078
                                                                                                                                        • Instruction ID: e593a5e02aedd7f9c186d277d30c4e8db2fde0f1e8c70c18f691c95b17ab6f33
                                                                                                                                        • Opcode Fuzzy Hash: a7f26b39e5e1ae704776aa7ea0c3dbd9b272de54d3f899088cb055deb306b078
                                                                                                                                        • Instruction Fuzzy Hash: 1451033280A7D19FC727CF34C5A6592BFA8BF233207684ADCD4C18E067D365A516C756
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04FF63F5 Relevance: .1, Instructions: 144COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, Offset: 04FB1000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1991120582.0000000004FB1000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4fb1000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 3abd15eb710789fb7fc6f4ea12c673d608c16dd1bf9007fbba2a1d6afa982acb
                                                                                                                                        • Instruction ID: d1274b48c63522e66455ef1c0732cba9805495b8102abe1c95c7c91ff3f3a7d3
                                                                                                                                        • Opcode Fuzzy Hash: 3abd15eb710789fb7fc6f4ea12c673d608c16dd1bf9007fbba2a1d6afa982acb
                                                                                                                                        • Instruction Fuzzy Hash: 7C51AC9280E3C15FDB139B704D79551BFB06E2710435E86DFC4C68F8A3E699A84AE323
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04FF60DD Relevance: .1, Instructions: 113COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, Offset: 04FB1000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1991120582.0000000004FB1000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4fb1000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 6c09ed19cf87ab6b02aa43ab296fe7cf6f6fa004ab9ca592516170484c485293
                                                                                                                                        • Instruction ID: 414cf74b3fdb8496d63ca2181db056d83169ef652da0ff537d37f31db89e5151
                                                                                                                                        • Opcode Fuzzy Hash: 6c09ed19cf87ab6b02aa43ab296fe7cf6f6fa004ab9ca592516170484c485293
                                                                                                                                        • Instruction Fuzzy Hash: 40410B9285E3C14FDB178B700C78552BF706E2B14439E86DFC8C68E8A7E29D584AD763
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04FF8024 Relevance: .1, Instructions: 105COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, Offset: 04FB1000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1991120582.0000000004FB1000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4fb1000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: aff815c02a2ec1aad131f24e0a8a046657749353a28e9c11b93afa0137f34ace
                                                                                                                                        • Instruction ID: 153cfc99dd4de92ad6bcb88783a0385f85b5bbedeb7242c68ae6d0c2651fb059
                                                                                                                                        • Opcode Fuzzy Hash: aff815c02a2ec1aad131f24e0a8a046657749353a28e9c11b93afa0137f34ace
                                                                                                                                        • Instruction Fuzzy Hash: F231589284E7C15FDB1787705838592BFB06E2711434FC6EFC4D68E8A3E658984AD323
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04FFD365 Relevance: .1, Instructions: 93COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, Offset: 04FB1000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1991120582.0000000004FB1000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4fb1000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: c393e5c5ce6ded889378421d11f166f27a1589d471614d9aaf492d3ff6c30530
                                                                                                                                        • Instruction ID: 5ea6c04a34af61b2dbd0581684cccc648236057b565fd8be5ebf4221f7523476
                                                                                                                                        • Opcode Fuzzy Hash: c393e5c5ce6ded889378421d11f166f27a1589d471614d9aaf492d3ff6c30530
                                                                                                                                        • Instruction Fuzzy Hash: C531AFA680E3C14FCB5307385C795927FB04E2B2557AE08EFD4C28E9B3E199185AD763
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04FFD1FD Relevance: .1, Instructions: 74COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, Offset: 04FB1000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1991120582.0000000004FB1000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4fb1000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: d47942754a60a2bfa60321e64f27d86ae275aa9428dbaaa50f7b264e84ac86cb
                                                                                                                                        • Instruction ID: 188bb39a17921207bac7380cfffef7e1bd732fa5065f26694d1f4624b180dcf2
                                                                                                                                        • Opcode Fuzzy Hash: d47942754a60a2bfa60321e64f27d86ae275aa9428dbaaa50f7b264e84ac86cb
                                                                                                                                        • Instruction Fuzzy Hash: 422199A284E3C14FCB174B78886A5927FB05E2B21479F04EBC4C2CF8B3E5991849C763
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04FF44D5 Relevance: .0, Instructions: 34COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, Offset: 04FB1000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1991120582.0000000004FB1000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4fb1000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 69696800df03562a98a792aa515ca60f48294221d8d681168833f2ff2abe3d64
                                                                                                                                        • Instruction ID: 8a96328c7887a94b34807240352dd41c05f24e060ae3435762f0d94f0c7b17c3
                                                                                                                                        • Opcode Fuzzy Hash: 69696800df03562a98a792aa515ca60f48294221d8d681168833f2ff2abe3d64
                                                                                                                                        • Instruction Fuzzy Hash: D7F0B12241E3C19FD7178B3898255923FB1AF0B224B4B49EBC0C5CF4B3D2684989DB22
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Function 04FF477D Relevance: .0, Instructions: 33COMMON
                                                                                                                                        Download Yara Rule
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.1998910576.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, Offset: 04FB1000, based on PE: false
                                                                                                                                        • Associated: 00000000.00000003.1991120582.0000000004FB1000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_3_4fb1000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: d2ed7d701119b69bb879604a9ddee0d1a11d17606d2403c432001e4d96000c1a
                                                                                                                                        • Instruction ID: c46934d59abc286beae374fade05f27af8065e39fbc3356ddcfaf385228fed75
                                                                                                                                        • Opcode Fuzzy Hash: d2ed7d701119b69bb879604a9ddee0d1a11d17606d2403c432001e4d96000c1a
                                                                                                                                        • Instruction Fuzzy Hash: 0401CD6240E7C14FC7578B7888291827FB05E2722476F48EBC4C2CF4B3E1AA494AC723
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%