Windows Analysis Report
SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll

Overview

General Information

Sample name: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll
Analysis ID: 1446235
MD5: 0ce7c03e7ef8a60a4d9493dd627125e5
SHA1: 873da1ff3ab630d51438c7a7eba0f12f4dda1e38
SHA256: 412874adcd4433e43ef1b17328fe5d5b1ac340a4fe6e8203b069390d6e00a9d9
Tags: dll
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations
Creates a process in suspended mode (likely to inject code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll ReversingLabs: Detection: 52%
Machine Learning detection for sample
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Joe Sandbox ML: detected
Uses 32bit PE files
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: certificate valid
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://theuser.wnwb.com
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://weibo.com/wnwbsrf
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://wpa.qq.com/msgrd?v=3&uin=800065838&site=qq&menu=yeshttp://shang.qq.com/wpa/qunwpa?idkey=90c4a
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://www.wnwb.com/
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://www.wnwb.com/390875682800065838JanFebMarAprMayJunJulAugSepOctNovDecJan
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://www.wnwb.com/help.htm
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://www.wnwb.com/http://weibo.com/wnwbsrfhttp://www.wnwb.com/help.htmhttp://http://theuser.wnwb.c
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://www.wnwb.com/skin.htm
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: http://www.wnwb.com/skin.htmAllSkin
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: https://www.baidu.com/s?tn=%s&wd=%shttps://www.baidu.com/s?wd=SearchBaiduNumSearchCandhttps://www.so
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll String found in binary or memory: https://www.baidu.com/s?tn=18029102_8_oem_dgCalc.exe
PE file contains executable resources (Code or Archives)
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: Resource name: CABFILE type: Microsoft Cabinet archive data, many, 195551 bytes, 329 files, at 0x2c +A "an1.png" +A "an1_X125.png", ID 7134, number 1, 20 datablocks, 0x1503 compression
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: Resource name: CABFILE type: Microsoft Cabinet archive data, many, 5903 bytes, 15 files, at 0x2c +A "no_prompt_wb01.png" +A "no_prompt_wb02.png", ID 24650, number 1, 1 datablock, 0x1503 compression
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: Resource name: CABFILE type: Microsoft Cabinet archive data, many, 47203 bytes, 53 files, at 0x2c +A "background.png" +A "CloseDown.png", ID 18287, number 1, 2 datablocks, 0x1503 compression
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Binary or memory string: OriginalFilenamewnTSF.imeB vs SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll
Uses 32bit PE files
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engine Classification label: mal56.winDLL@14/5@0/0
Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\Program Files (x86)\WanNengWB Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\Users\user\AppData\LocalLow\WanNengWBIME\Config\Related.ini Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5200:120:WilError_03
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe File read: C:\Users\user\AppData\LocalLow\WanNengWBIME\Config\Related.ini Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll",#1
Source: rundll32.exe, 00000008.00000003.1542907608.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1553536640.00000000047C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543022788.00000000047BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542834252.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543167810.00000000047C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCloudLocalTableV1_p';
Source: loaddll32.exe, 00000000.00000003.1580294761.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.1581572648.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542907608.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1553536640.00000000047C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543022788.00000000047BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542834252.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543167810.00000000047C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCloudLocalTableV1_x';
Source: loaddll32.exe, 00000000.00000003.1573043222.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1572591145.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1573590370.0000000002E44000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1573199142.0000000002E40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1501995733.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496281317.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495245983.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1502006801.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1499692861.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1517099295.0000000000C03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_v';
Source: loaddll32.exe, 00000000.00000003.1580294761.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.1581572648.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCloudLocalTableV1_t';
Source: regsvr32.exe, 00000003.00000003.1518214869.000000000305B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1519116434.000000000305D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','PinYinUserFreqTableV3_k_Index_Code','PinYinUserFreqTableV3_k',#1,'CREATE INDEX PinYinUserFreqTableV3_k_Index_Code on PinYinUserFreqTableV3_k(Code)');
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_r_Index_Code','WuBiUserFreqTableV3_r',#1,'CREATE INDEX WuBiUserFreqTableV3_r_Index_Code on WuBiUserFreqTableV3_r(Code)');
Source: regsvr32.exe, 00000003.00000003.1518214869.000000000305B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1519116434.000000000305D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','PinYinUserFreqTableV3_k_Index_Code','PinYinUserFreqTableV3_k',#1,'CREATE INDEX PinYinUserFreqTableV3_k_Index_Code on PinYinUserFreqTableV3_k(Code)');AR*
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_k_Index_Code','WuBiUserFreqTableV3_k',#1,'CREATE INDEX WuBiUserFreqTableV3_k_Index_Code on WuBiUserFreqTableV3_k(Code)');
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496990571.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1497588866.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1494502029.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495089991.00000000009C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495422720.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497560929.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495284626.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='UrlUserPhraseV1';
Source: regsvr32.exe, 00000003.00000003.1518214869.000000000305B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1519116434.000000000305D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','PinYinUserFreqTableV3_r_Index_Code','PinYinUserFreqTableV3_r',#1,'CREATE INDEX PinYinUserFreqTableV3_r_Index_Code on PinYinUserFreqTableV3_r(Code)');
Source: loaddll32.exe, 00000000.00000003.1572793651.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCloudLocalTableV1_z';8
Source: rundll32.exe, 00000004.00000003.1496990571.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1494502029.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1514078021.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1515977223.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495089991.00000000009C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1516990092.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495422720.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495284626.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1499028390.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1514200557.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: create table PinYinSystemPhraseV1( ID Integer PRIMARY KEY,Code TEXT,Word TEXT,Pos Integer);
Source: loaddll32.exe, 00000000.00000003.1576675934.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570874316.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1577311780.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570932837.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1516429419.0000000000A23000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1533987697.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1528494385.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1518186868.0000000000A28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiCustomPhraseV1';
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserPhraseV2';8
Source: loaddll32.exe, 00000000.00000003.1576978359.0000000000F4C000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1499028390.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495422720.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497560929.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495284626.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495874633.0000000000BD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1494619778.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='ClipboardPhraseV1';
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_e_Index_Code','WuBiUserFreqTableV3_e',#1,'CREATE INDEX WuBiUserFreqTableV3_e_Index_Code on WuBiUserFreqTableV3_e(Code)');0
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_y_Index_Code','WuBiUserFreqTableV3_y',#1,'CREATE INDEX WuBiUserFreqTableV3_y_Index_Code on WuBiUserFreqTableV3_y(Code)');
Source: regsvr32.exe, 00000003.00000003.1500828973.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1508599968.0000000004F84000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1497044833.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_n';
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PositionUserPhraseV4';8
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_m_Index_Code','WuBiUserFreqTableV3_m',#1,'CREATE INDEX WuBiUserFreqTableV3_m_Index_Code on WuBiUserFreqTableV3_m(Code)');
Source: regsvr32.exe, 00000003.00000003.1496851372.00000000030F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1495635624.00000000030E2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1497491426.00000000030F8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1500113158.00000000030FD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1496688491.00000000030ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1500527085.000000000310E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1500015482.00000000030F8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496990571.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1497588866.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1494502029.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495089991.00000000009C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: create table PinYinUserPhraseV1( ID Integer PRIMARY KEY, Code TEXT,Word TEXT,Freq Integer, SMCode TEXT, HSMCode TEXT);
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496990571.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1497588866.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1494502029.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495089991.00000000009C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495422720.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497560929.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495284626.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='DuanYuUserPhraseV2';
Source: loaddll32.exe, 00000000.00000003.1573043222.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1572591145.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1573590370.0000000002E44000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1573199142.0000000002E40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1501995733.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496281317.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495245983.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542907608.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543094241.00000000047D3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543022788.00000000047BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542834252.000000000478E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_r';
Source: loaddll32.exe, 00000000.00000003.1572793651.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1573043222.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1576978359.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1572591145.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1578591600.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1573590370.0000000002E44000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1573199142.0000000002E40000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='SystemOwnPhraseV1';
Source: rundll32.exe, 00000008.00000003.1542907608.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1553536640.00000000047C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543022788.00000000047BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542834252.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543167810.00000000047C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCloudLocalTableV1_h';
Source: loaddll32.exe, 00000000.00000003.1576978359.0000000000F4C000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='ClipboardPhraseV1';8
Source: rundll32.exe, 00000004.00000003.1504305896.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1503441897.0000000000C79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496281317.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495245983.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_a_Index_Code','WuBiUserFreqTableV3_a',#1,'CREATE INDEX WuBiUserFreqTableV3_a_Index_Code on WuBiUserFreqTableV3_a(Code)');w
Source: rundll32.exe, 00000006.00000003.1502006801.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1499692861.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1517099295.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1494619778.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497560929.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495874633.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1524520092.0000000004AA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1524221398.0000000004A92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1536115297.0000000004AA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1524296000.0000000004AA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_f';
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_j_Index_Code','WuBiUserFreqTableV3_j',#1,'CREATE INDEX WuBiUserFreqTableV3_j_Index_Code on WuBiUserFreqTableV3_j(Code)');a
Source: rundll32.exe, 00000006.00000002.1516190821.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','PinYinUserFreqTableV3_h_Index_Code','PinYinUserFreqTableV3_h',#1,'CREATE INDEX PinYinUserFreqTableV3_h_Index_Code on PinYinUserFreqTableV3_h(Code)');
Source: rundll32.exe, 00000008.00000003.1542907608.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1553536640.00000000047C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543022788.00000000047BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542834252.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543167810.00000000047C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinUserFreqTableV3_m';
Source: loaddll32.exe, 00000000.00000003.1580294761.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.1581572648.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCloudLocalTableV1_o';
Source: rundll32.exe, 00000004.00000003.1501995733.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496281317.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495245983.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1502006801.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1499692861.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1517099295.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1494619778.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497560929.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495874633.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1524520092.0000000004AA4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_s';
Source: loaddll32.exe, 00000000.00000003.1576675934.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1579876770.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570874316.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1577311780.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.1582195339.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570932837.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1516429419.0000000000A23000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1533987697.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinSystemPhraseV1';
Source: rundll32.exe, 00000004.00000003.1501995733.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496281317.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495245983.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1502006801.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1499692861.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1517099295.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1494619778.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497560929.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495874633.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542907608.000000000478E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_w';
Source: regsvr32.exe, 00000003.00000003.1508599968.0000000004F9E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1497044833.0000000004F9B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1517923046.0000000004F9E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1502300485.0000000004F9B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1517493668.0000000004F9E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1500828973.0000000004F9B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1515423131.00000000009B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496792902.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1493597591.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1497465451.00000000009B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1499702778.00000000009B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCloudLocalTableV1_w';
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496990571.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1497588866.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1494502029.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495089991.00000000009C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495422720.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497560929.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495284626.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='LatelyUserPhraseV3';
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_p_Index_Code','WuBiUserFreqTableV3_p',#1,'CREATE INDEX WuBiUserFreqTableV3_p_Index_Code on WuBiUserFreqTableV3_p(Code)');C7
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_m_Index_Code','WuBiUserFreqTableV3_m',#1,'CREATE INDEX WuBiUserFreqTableV3_m_Index_Code on WuBiUserFreqTableV3_m(Code)');1
Source: loaddll32.exe, 00000000.00000003.1576675934.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570874316.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1577311780.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570932837.0000000000F40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiCustomPhraseV1';8
Source: rundll32.exe, 00000008.00000003.1542907608.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1553536640.00000000047C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543022788.00000000047BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542834252.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543167810.00000000047C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinUserFreqTableV3_e';
Source: rundll32.exe, 00000008.00000003.1542907608.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1553536640.00000000047C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543022788.00000000047BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542834252.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543167810.00000000047C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinUserFreqTableV3_a';
Source: loaddll32.exe, 00000000.00000003.1572793651.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1576978359.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1578591600.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='SystemOwnPhraseV1';8
Source: regsvr32.exe, 00000003.00000003.1502083919.00000000030C2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1495635624.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1496458175.00000000030BE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1500640044.00000000030C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_y';P8
Source: loaddll32.exe, 00000000.00000003.1570874316.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570932837.0000000000F40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCustomPhraseV1';8
Source: rundll32.exe, 00000004.00000003.1496990571.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1494502029.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1514078021.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1515977223.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495089991.00000000009C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1516990092.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495422720.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495284626.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1499028390.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1514200557.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: create table WuBiCustomPhraseV1( ID Integer PRIMARY KEY,Code TEXT,Word TEXT,Pos Integer);
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='DuanYuUserPhraseV2';8
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495422720.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497560929.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495284626.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495874633.0000000000BD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1494619778.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1516429419.0000000000A23000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1517713355.0000000000A39000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserPhraseV2';
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_d_Index_Code','WuBiUserFreqTableV3_d',#1,'CREATE INDEX WuBiUserFreqTableV3_d_Index_Code on WuBiUserFreqTableV3_d(Code)');
Source: regsvr32.exe, 00000003.00000003.1500296336.00000000030CA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1495635624.00000000030CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinUserFreqTableV3_z';P8
Source: loaddll32.exe, 00000000.00000003.1573043222.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1572591145.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1573590370.0000000002E44000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1573199142.0000000002E40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_k';
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='UrlUserPhraseV1';8
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496990571.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1497588866.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1494502029.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495089991.00000000009C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495422720.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497560929.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495284626.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='DeleteUserPhraseV1';
Source: rundll32.exe, 00000004.00000003.1501995733.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496281317.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495245983.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1524520092.0000000004AA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1524221398.0000000004A92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1536115297.0000000004AA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1524296000.0000000004AA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_o';
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='DeleteUserPhraseV1';8
Source: regsvr32.exe, 00000003.00000003.1500828973.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1508599968.0000000004F84000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1497044833.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_c';
Source: rundll32.exe, 00000006.00000002.1516990092.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495422720.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495284626.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1499028390.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1514200557.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495874633.0000000000BD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1508587479.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1494619778.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: create table PinYinCustomPhraseV1( ID Integer PRIMARY KEY,Code TEXT,Word TEXT,Pos Integer);
Source: regsvr32.exe, 00000003.00000003.1518214869.000000000305B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1519116434.000000000305D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','PinYinUserFreqTableV3_l_Index_Code','PinYinUserFreqTableV3_l',#1,'CREATE INDEX PinYinUserFreqTableV3_l_Index_Code on PinYinUserFreqTableV3_l(Code)');
Source: rundll32.exe, 00000007.00000003.1512780517.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1518135586.00000000009EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1513780980.00000000009E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_y';@
Source: loaddll32.exe, 00000000.00000003.1580294761.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.1581572648.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCloudLocalTableV1_r';
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_d_Index_Code','WuBiUserFreqTableV3_d',#1,'CREATE INDEX WuBiUserFreqTableV3_d_Index_Code on WuBiUserFreqTableV3_d(Code)');3
Source: rundll32.exe, 00000006.00000003.1512908200.0000000000B64000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1512807185.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1512326514.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1513499962.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1513581850.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','PinYinCloudLocalTableV1_v_Index_Code','PinYinCloudLocalTableV1_v',#1,'CREATE INDEX PinYinCloudLocalTableV1_v_Index_Code on PinYinCloudLocalTableV1_v(Code)');
Source: rundll32.exe, 00000004.00000002.1517107116.0000000004729000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1502368928.0000000004729000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1500948629.0000000004729000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1494693710.0000000004729000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: create table SystemOwnPhraseV1 (ID integer PRIMARY KEY, Code TEXT, ShowWord TEXT, OutWord TEXT, IsDelete integer, MBType integer));
Source: loaddll32.exe, 00000000.00000003.1572793651.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1580294761.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.1581572648.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1496851372.00000000030F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1495635624.00000000030E2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1497491426.00000000030F8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1500113158.00000000030FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCloudLocalTableV1_z';
Source: rundll32.exe, 00000007.00000003.1524520092.0000000004AA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1524221398.0000000004A92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1536115297.0000000004AA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1524296000.0000000004AA1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542907608.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543022788.00000000047BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543258590.00000000047C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542834252.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543167810.00000000047C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_t';
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_j_Index_Code','WuBiUserFreqTableV3_j',#1,'CREATE INDEX WuBiUserFreqTableV3_j_Index_Code on WuBiUserFreqTableV3_j(Code)');
Source: loaddll32.exe, 00000000.00000003.1580294761.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.1581572648.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542907608.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1553536640.00000000047C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543022788.00000000047BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542834252.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543167810.00000000047C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCloudLocalTableV1_v';
Source: regsvr32.exe, 00000003.00000003.1500828973.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1508599968.0000000004F84000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1497044833.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1502006801.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1499692861.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1517099295.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1494619778.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497560929.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495874633.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1524520092.0000000004AA4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_x';
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_q_Index_Code','WuBiUserFreqTableV3_q',#1,'CREATE INDEX WuBiUserFreqTableV3_q_Index_Code on WuBiUserFreqTableV3_q(Code)');
Source: rundll32.exe, 00000004.00000003.1504305896.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1503441897.0000000000C79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496281317.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495245983.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_a_Index_Code','WuBiUserFreqTableV3_a',#1,'CREATE INDEX WuBiUserFreqTableV3_a_Index_Code on WuBiUserFreqTableV3_a(Code)');
Source: regsvr32.exe, 00000003.00000003.1518214869.000000000305B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1519116434.000000000305D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','PinYinUserFreqTableV3_f_Index_Code','PinYinUserFreqTableV3_f',#1,'CREATE INDEX PinYinUserFreqTableV3_f_Index_Code on PinYinUserFreqTableV3_f(Code)');
Source: regsvr32.exe, 00000003.00000003.1518214869.000000000305B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1519116434.000000000305D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','PinYinUserFreqTableV3_z_Index_Code','PinYinUserFreqTableV3_z',#1,'CREATE INDEX PinYinUserFreqTableV3_z_Index_Code on PinYinUserFreqTableV3_z(Code)');
Source: loaddll32.exe, 00000000.00000003.1576675934.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1579876770.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570874316.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1577311780.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.1582195339.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570932837.0000000000F40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinSystemPhraseV1';8
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_h_Index_Code','WuBiUserFreqTableV3_h',#1,'CREATE INDEX WuBiUserFreqTableV3_h_Index_Code on WuBiUserFreqTableV3_h(Code)');
Source: loaddll32.exe, 00000000.00000003.1570874316.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570932837.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496990571.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1494502029.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1514078021.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1515977223.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495089991.00000000009C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1516429419.0000000000A23000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1533987697.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCustomPhraseV1';
Source: loaddll32.exe, 00000000.00000003.1567668651.0000000000EF6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinUserFreqTableV3_z';P
Source: regsvr32.exe, 00000003.00000003.1500828973.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1508599968.0000000004F84000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1497044833.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1502006801.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1499692861.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1517099295.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1494619778.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497560929.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495874633.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_l';
Source: loaddll32.exe, 00000000.00000003.1571510703.0000000000EFD000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567668651.0000000000EF6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_y';P
Source: regsvr32.exe, 00000003.00000003.1518214869.000000000305B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1519116434.000000000305D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','PinYinUserFreqTableV3_r_Index_Code','PinYinUserFreqTableV3_r',#1,'CREATE INDEX PinYinUserFreqTableV3_r_Index_Code on PinYinUserFreqTableV3_r(Code)');[\
Source: loaddll32.exe, 00000000.00000003.1571510703.0000000000EFD000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567668651.0000000000EF6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1500296336.00000000030CA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1495635624.00000000030CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1499702778.0000000000994000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1493597591.000000000098C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1497558218.0000000000993000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497333323.0000000000BA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1494995668.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1494619778.0000000000B9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1516429419.00000000009F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinUserFreqTableV3_z';
Source: loaddll32.exe, 00000000.00000003.1573043222.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1572591145.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1573590370.0000000002E44000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1573199142.0000000002E40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_p';
Source: regsvr32.exe, 00000003.00000003.1500828973.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1508599968.0000000004F84000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1497044833.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1502006801.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1499692861.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1517099295.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1494619778.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497560929.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495874633.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_d';
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1516429419.0000000000A23000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1517713355.0000000000A39000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1512302486.0000000000A18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1541215719.0000000000728000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1541255879.000000000072D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1538509971.000000000071F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1541761657.000000000073E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinUserPhraseV1';
Source: rundll32.exe, 00000007.00000003.1524520092.0000000004AA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1524221398.0000000004A92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1536115297.0000000004AA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1524296000.0000000004AA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_h';
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_c_Index_Code','WuBiUserFreqTableV3_c',#1,'CREATE INDEX WuBiUserFreqTableV3_c_Index_Code on WuBiUserFreqTableV3_c(Code)');
Source: loaddll32.exe, 00000000.00000003.1580294761.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.1581572648.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCloudLocalTableV1_m';
Source: loaddll32.exe, 00000000.00000003.1573043222.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1572591145.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1573590370.0000000002E44000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1573199142.0000000002E40000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1500828973.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1508599968.0000000004F84000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1497044833.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1502006801.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1499692861.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1517099295.0000000000C03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_u';
Source: loaddll32.exe, 00000000.00000003.1580294761.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.1581572648.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCloudLocalTableV1_y';
Source: loaddll32.exe, 00000000.00000003.1571510703.0000000000EFD000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567668651.0000000000EF6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1502083919.00000000030C2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1500828973.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1508599968.0000000004F84000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1495635624.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1497044833.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1496458175.00000000030BE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1500640044.00000000030C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1501995733.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496281317.0000000000C78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_y';
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinUserPhraseV1';8
Source: rundll32.exe, 00000008.00000003.1542907608.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1553536640.00000000047C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543022788.00000000047BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542834252.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543167810.00000000047C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCloudLocalTableV1_u';
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496990571.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1497588866.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1494502029.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495089991.00000000009C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495422720.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497560929.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495284626.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PositionUserPhraseV4';
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_w_Index_Code','WuBiUserFreqTableV3_w',#1,'CREATE INDEX WuBiUserFreqTableV3_w_Index_Code on WuBiUserFreqTableV3_w(Code)');
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_e_Index_Code','WuBiUserFreqTableV3_e',#1,'CREATE INDEX WuBiUserFreqTableV3_e_Index_Code on WuBiUserFreqTableV3_e(Code)');
Source: loaddll32.exe, 00000000.00000003.1580294761.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.1581572648.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinUserFreqTableV3_c';
Source: rundll32.exe, 00000004.00000003.1511435101.0000000000961000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1514131471.000000000096C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1514569291.000000000096E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1513910194.000000000096C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1511278727.0000000000952000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1511876365.0000000000969000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1511321254.000000000095E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1515423131.0000000000971000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','PinYinCloudLocalTableV1_z_Index_Code','PinYinCloudLocalTableV1_z',#1,'CREATE INDEX PinYinCloudLocalTableV1_z_Index_Code on PinYinCloudLocalTableV1_z(Code)');
Source: rundll32.exe, 00000006.00000003.1494531669.00000000048B8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1517793758.00000000048B8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1500205594.00000000048B8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1493956051.00000000048B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_v_Index_Code','WuBiUserFreqTableV3_v',#1,'CREATE INDEX WuBiUserFreqTableV3_v_Index_Code on WuBiUserFreqTableV3_v(Code)');
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_h_Index_Code','WuBiUserFreqTableV3_h',#1,'CREATE INDEX WuBiUserFreqTableV3_h_Index_Code on WuBiUserFreqTableV3_h(Code)');x
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_p_Index_Code','WuBiUserFreqTableV3_p',#1,'CREATE INDEX WuBiUserFreqTableV3_p_Index_Code on WuBiUserFreqTableV3_p(Code)');
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='LatelyUserPhraseV3';8
Source: rundll32.exe, 00000008.00000003.1542907608.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543022788.00000000047BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543258590.00000000047C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542834252.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543167810.00000000047C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_a';
Source: rundll32.exe, 00000008.00000003.1542907608.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1553536640.00000000047C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543022788.00000000047BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542834252.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543167810.00000000047C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCloudLocalTableV1_a';
Source: rundll32.exe, 00000004.00000003.1501995733.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496281317.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495245983.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_m';
Source: rundll32.exe, 00000004.00000003.1501995733.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496281317.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495245983.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_q';
Source: rundll32.exe, 00000007.00000003.1532557702.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1532655268.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1532117573.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1532477027.00000000009BD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1532080914.00000000009B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1531893253.00000000009AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','PinYinCloudLocalTableV1_e_Index_Code','PinYinCloudLocalTableV1_e',#1,'CREATE INDEX PinYinCloudLocalTableV1_e_Index_Code on PinYinCloudLocalTableV1_e(Code)');
Source: regsvr32.exe, 00000003.00000003.1518214869.000000000305B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1519116434.000000000305D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','PinYinUserFreqTableV3_t_Index_Code','PinYinUserFreqTableV3_t',#1,'CREATE INDEX PinYinUserFreqTableV3_t_Index_Code on PinYinUserFreqTableV3_t(Code)');
Source: regsvr32.exe, 00000003.00000003.1500828973.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1508599968.0000000004F84000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1497044833.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_i';
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll ReversingLabs: Detection: 52%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll,DllCanUnloadNow Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll,DllGetClassObject Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33C53A50-F456-4884-B049-85FD643ECFED}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe File written: C:\Users\user\AppData\LocalLow\WanNengWBIME\Config\Related.ini Jump to behavior
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: certificate valid
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static file information: File size 3545512 > 1048576
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: Raw size of .text is bigger than: 0x100000 < 0x20b400
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5172 Thread sleep count: 54 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6552 Thread sleep count: 42 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6696 Thread sleep count: 81 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll",#1 Jump to behavior
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Binary or memory string: %s*.*.fcb%s%s%drb%s.bak%s.bak%d.vector<T> too longa+b[%d-%d-%d %d-%d-%d][%d]:%sC:\log\%s.logC:\Log\ResLog.dll/()*.*|\Local\LocalLow\Roaming%s\%s\config\systemprofiledocuments and settings\localserviceKernel32.dllWtsapi32.dllWTSQueryUserTokenWTSGetActiveConsoleSessionIdEXPLORER.EXEx86docdesktopfavprogramProgram Files\currtemp\Temp\TEMPdownloadsDownloads\USERPROFILE\Downloads\\AppData\LocalLow\locallowLocalLowRoaminglocalLocalsystemsystem32systemprofileconfig\systemprofile,*1%s.%stypefalsetrue -a661f2d90fff216c2229b9adf2f0c279bacdc88e0bb26d08994982e5a0c9e047e963de71fc4f8287027741390a510f70@8586c00258dc18c32ba289d0b440862409f84c6b4fbee1f8ff421a5dd0b0bd82*Shell_TrayWnd10 '''--=%s/invalid vector<T> subscriptkernel32.dllGetNativeSystemInfokernel32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection%d%.2d%.2d%d-%.2d-%.2d%[0-9] %[/.-] %[0-9] %[/.-] %[0-9] %[/.-]20002001%.4d-%.2d-%.2d
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll Binary or memory string: unknown errorchrome.exe360se.exesogouexplorer.exeqqbrowser.exefirefox.exeopera.exewnie.exescie.exemaxthon.exe360chrome.exebaidubrowser.exeiexplore.exesafari.exetwchrome.exespark.exetheworld.exe"" +httpopen\Program Files\Internet Explorer\iexplore.exe WinSta0\Defaultrunas'''identifierBegin:abcdefghijklmnopqrstuvwxyz:identifierEnd0xSysListView32WorkerWProgmanHotKeyIsWow64Processexplorer.exeS:(ML;;NW;;;LW)Advapi32.dllConvertSidToStringSidW.
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1446235 Sample: SecuriteInfo.com.Adware.Sof... Startdate: 23/05/2024 Architecture: WINDOWS Score: 56 19 Multi AV Scanner detection for submitted file 2->19 21 Machine Learning detection for sample 2->21 23 Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations 2->23 7 loaddll32.exe 3 19 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 regsvr32.exe 9 82 7->11         started        13 rundll32.exe 41 7->13         started        15 3 other processes 7->15 process5 17 rundll32.exe 117 9->17         started       
No contacted IP infos

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true
fp2e7a.wpc.phicdn.net 192.229.221.95 true